[Freeipa-devel] [PATCH 0282] Prevent renaming of certprofile profile id

Jan Cholasta jcholast at redhat.com
Fri Jul 10 09:28:11 UTC 2015


On 10.7.2015 at 11:10 Simo Sorce wrote:
> On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
>> On 10.7.2015 at 10:59 Jan Cholasta wrote:
>>> On 10.7.2015 at 10:43 Martin Basti wrote:
>>>> On 10/07/15 07:29, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 9.7.2015 at 17:21 Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5074
>>>>>>
>>>>>> Patch attached.
>>>>>
>>>>> NACK, you should remove the --rename option from certprofile-mod. You
>>>>> can do it by removing "rdn_is_primary_key = True" from certprofile.
>>>>>
>>>>> Honza
>>>>>
>>>> Updated patch attached.
>>>>
>>>
>>> What I meant was remove --rename *and* do the check from your previous
>>> patch.
>>>
>>> Anyway, I didn't realize we already released IPA with certprofile and
>>> removing --rename would be a backward incompatible change, so I think
>>> it's better to just keep it.
>>>
>>> So ACK on the original patch.
>>>
>>
>> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15
>
> I see no LDAP ACI that prevents a rename, though; without that an admin
> can simply issue a modrdn operation. If it is critical for us to not
> allow renames, we should rather have an ACI that prohibits them.

AFAIK there is no ACI to prevent renaming hosts (the check in this patch
is copied from the host plugin) or users either, and so far nobody has
complained. I'm not saying this is right, but the patch is consistent
with existing code.

-- 
Jan Cholasta
