[Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id

Simo Sorce simo at redhat.com
Fri Jul 10 09:10:47 UTC 2015


On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
> On 10.7.2015 at 10:59, Jan Cholasta wrote:
> > On 10.7.2015 at 10:43, Martin Basti wrote:
> >> On 10/07/15 07:29, Jan Cholasta wrote:
> >>> Hi,
> >>>
> >>> On 9.7.2015 at 17:21, Martin Basti wrote:
> >>>> https://fedorahosted.org/freeipa/ticket/5074
> >>>>
> >>>> Patch attached.
> >>>
> >>> NACK, you should remove the --rename option from certprofile-mod. You
> >>> can do it by removing "rdn_is_primary_key = True" from certprofile.
> >>>
> >>> Honza
> >>>
> >> Updated patch attached.
> >>
> >
> > What I meant was remove --rename *and* do the check from your previous
> > patch.
> >
> > Anyway, I didn't realize we already released IPA with certprofile and
> > removing --rename would be a backward incompatible change, so I think
> > it's better to just keep it.
> >
> > So ACK on the original patch.
> >
> 
> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

I see no LDAP ACI that prevents a rename though, without that an admin
can simply issue a modrdn operation. If it is critical for us to not
allow renames we should rather have an ACI that prohibits them.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



