[Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 12 07:48:09 UTC 2014


On Fri, 12 Sep 2014, Martin Kosek wrote:
>>>>>Operational Attributes)
>>
>>Removing a default ACI is difficult (read: new code that could go wrong) if we
>>want to handle 4.0.2 properly, since installing/upgrading to 4.0.2 will always
>>add it back.
>>Perhaps we should just say in the release notes that people should remove it
>>manually if they're upgrading from 4.0.2?
>
>Well, I am not convinced that everyone reads the release notes, so I 
>would rather delete this permission in 4.0.3. Hopefully, there won't 
>be many 4.0.2 users. It seems like a lesser evil to me than having SSSD 
>clients broken.

If we are going to replace other ACIs by adding to them a right to read
these attributes, then removing a separate default ACI is not a problem,
is it?

-- 
/ Alexander Bokovoy
