Martin Kosek wrote:
On Wed, 2011-01-26 at 10:56 -0500, Rob Crittenden wrote:
Dmitri Pal wrote:
Martin Kosek wrote:
On Wed, 2011-01-26 at 10:20 -0500, Dmitri Pal wrote:
I took a quick look.
Rob, I thought that there are different APIs for self and delegation. Is
this is the case?
ipa permission-... functions should never deal with self service or
delegation acis
They are just for the permission ACIs connected to the target groups.
I do not think this is the right approach.
The prefix is need but it should be automatically added if you use this
interface.
Well, this patch ensures that permission-* functions will not deal with
selfservice od delegation ACIs. Each of these plugins has its own prefix
(e.g. "permission:" or "delegation:") which is added to the underlying
ACI name.
Because of this, the Permission, Selfservice and Delegation plugins work
only with ACIs with "their" prefix. Prefix is not visible for user, it
is passed to ACI functions automatically by Permission, Delegation and
Selfservice plugins.
Add an entirely new kind of record to IPA that isn't covered by any of the
--type options, creating a permission:
- ipa permission-add --permissions=add
--subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange
Entries" add_orange
+ ipa permission-add --permissions=add
--subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange
Entries" --prefix=none add_orange
This change exposes the prefix on the command line which means you can
manage ACIs with different prefixes.
Do i misread it?
The help changes are unneeded. The prefix is not configurable by the user.
rob
Ah, now I see the source of confusion. My bad. I fixed help in ACI
plugin (even though this plugin is not visible for CLI). There were
examples for using aci-add command and I wanted to add a new mandatory
parameter here, so that user is not prompted for it.
Unfortunately, I didn't notice there was one permission-add example -
--prefix attribute is not valid for this command. A patch #2 with fixed
permission-add example + rebase to current master is attached.
Martin
ack, pushed to master
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
