Dmitri Pal wrote:
Martin Kosek wrote:
On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:

I took a quick look.

Rob, I thought that there are different APIs for self and delegation. Is
this is the case?
ipa permission-... functions should never deal with self service or
delegation acis
They are just for the permission ACIs connected to the target groups.
I do not think this is the right approach.
The prefix is need but it should be automatically added if you use this

Well, this patch ensures that permission-* functions will not deal with
selfservice od delegation ACIs. Each of these plugins has its own prefix
(e.g. "permission:" or "delegation:") which is added to the underlying
ACI name.

Because of this, the Permission, Selfservice and Delegation plugins work
only with ACIs with "their" prefix. Prefix is not visible for user, it
is passed to ACI functions automatically by Permission, Delegation and
Selfservice plugins.

   Add an entirely new kind of record to IPA that isn't covered by any of the 
--type options, creating a permission:
-   ipa permission-add  --permissions=add 
--subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange 
Entries" add_orange
+   ipa permission-add  --permissions=add 
--subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange 
Entries" --prefix=none add_orange

This change exposes the prefix on the command line which means you can
manage ACIs with different prefixes.
Do i misread it?

The help changes are unneeded. The prefix is not configurable by the user.


Freeipa-devel mailing list

Reply via email to