[Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id

Simo Sorce simo at redhat.com
Fri Jul 10 10:52:20 UTC 2015


On Fri, 2015-07-10 at 11:28 +0200, Jan Cholasta wrote:
> On 10.7.2015 at 11:10 Simo Sorce wrote:
> > On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
> >> On 10.7.2015 at 10:59 Jan Cholasta wrote:
> >>> On 10.7.2015 at 10:43 Martin Basti wrote:
> >>>> On 10/07/15 07:29, Jan Cholasta wrote:
> >>>>> Hi,
> >>>>>
> >>>>> On 9.7.2015 at 17:21 Martin Basti wrote:
> >>>>>> https://fedorahosted.org/freeipa/ticket/5074
> >>>>>>
> >>>>>> Patch attached.
> >>>>>
> >>>>> NACK, you should remove the --rename option from certprofile-mod. You
> >>>>> can do it by removing "rdn_is_primary_key = True" from certprofile.
> >>>>>
> >>>>> Honza
> >>>>>
> >>>> Updated patch attached.
> >>>>
> >>>
> >>> What I meant was remove --rename *and* do the check from your previous
> >>> patch.
> >>>
> >>> Anyway, I didn't realize we already released IPA with certprofile and
> >>> removing --rename would be a backward incompatible change, so I think
> >>> it's better to just keep it.
> >>>
> >>> So ACK on the original patch.
> >>>
> >>
> >> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15
> >
> > I see no LDAP ACI that prevents a rename though, without that an admin
> > can simply issue a modrdn operation. If it is critical for us to not
> > allow renames we should rather have an ACI that prohibits them.
> 
> AFAIK there is no ACI to prevent renaming hosts (the check in this patch 
> is copied from the host plugin) or users either and so far nobody 
> complained. I'm not saying this is right, but the patch is consistent 
> with existing code.

Renaming users is explicitly allowed; renaming hosts is something we may
want to prevent too. Maybe we should add a ticket to take care of these
things?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
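The check the thread is talking about lives in the IPA command layer, not in the directory. The following is an added illustration, not FreeIPA's own code, of the pattern Jan says was copied from the host plugin: the `pre_callback` of the `-mod` command rejects the `--rename` option and any direct write of the entry's naming attribute. The class `NotAllowedOnRDN` is a stand-in for the ipalib error of the same (assumed) name, `certprofile_mod_pre_callback` and `try_mod` are hypothetical helpers written for this example, and the sample calls are constructed. It runs without ipalib so the behaviour can be checked offline; what it cannot show is Simo's point, that a client with write access to the RDN attribute bypasses all of this by sending modrdn to the LDAP server directly, which only an ACI on the server side would stop.

```python
"""Emulation of the API-layer "no rename" guard discussed in the thread.

Added illustration, not FreeIPA's own code: it models the pattern of the
host plugin's pre_callback (reject the --rename option and any attempt
to write the RDN attribute) in plain Python so it runs without ipalib.
"""


class NotAllowedOnRDN(Exception):
    """Stand-in for ipalib.errors.NotAllowedOnRDN (assumed name)."""

    def __init__(self, attr):
        super().__init__("modifying primary key '%s' is not allowed" % attr)
        self.attr = attr


def certprofile_mod_pre_callback(entry_attrs, options, rdn_attr="cn"):
    """Reject a modification that would change the entry's RDN.

    entry_attrs: attributes the caller wants written (dict)
    options:     command options as the framework passes them (dict)
    rdn_attr:    naming attribute of the entry; 'cn' for certprofile
                 (assumed here), 'fqdn' for host

    Returns the unchanged entry_attrs when the update is acceptable.
    """
    # Both paths would end in a modrdn on the server: the explicit
    # --rename option, and a plain write of the naming attribute
    # (e.g. via --setattr) with a different value.
    if "rename" in options or rdn_attr in entry_attrs:
        raise NotAllowedOnRDN(attr=rdn_attr)
    return entry_attrs


def try_mod(entry_attrs, options, rdn_attr="cn"):
    """Run the guard and report ('ok', attrs) or ('rejected', attr)."""
    try:
        return ("ok", certprofile_mod_pre_callback(entry_attrs, options,
                                                   rdn_attr))
    except NotAllowedOnRDN as e:
        return ("rejected", e.attr)


if __name__ == "__main__":
    # Constructed sample calls mirroring what certprofile-mod would pass.
    print(try_mod({"description": "updated"}, {}))      # accepted
    print(try_mod({}, {"rename": "newProfile"}))        # rejected: cn
    print(try_mod({"cn": "newProfile"}, {}))            # rejected: cn
    # Same guard with the host plugin's naming attribute.
    print(try_mod({}, {"rename": "h2.example.test"}, rdn_attr="fqdn"))
    # None of this is seen by the directory server itself; enforcing the
    # rule against direct LDAP clients needs an ACI, as Simo notes.
```

The guard is cheap and keeps the CLI and Web UI honest, but it is a client-side convention: anything the framework does not route through this callback (a direct `ldapmodify` with `changetype: modrdn`, another plugin writing the attribute) is unaffected.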
