On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
> Rob Crittenden <rcrit...@redhat.com> wrote:
> > Add permission and privilege for updating the IPA configuration in
> > cn=ipaconfig.
> >
> > ticket 950
> >
> > rob
>
> I'm not quite sure how the patch works. In particular, I wonder about
> these two blocks:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:cn: Write IPA Configuration
> +
> +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
> Can't they be specified in one block like:
>
> +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:objectClass: ipapermission
> +default:cn: Write IPA Configuration
> +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
>
> Thanks in advance
>
> Otherwise the patch looks good, so if this is not an issue, I give it ACK.
>
> Jan
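
Review bot: The two added entries share the cn "Write IPA Configuration" and differ only in their container (cn=privileges versus cn=permissions) and in one objectClass (nestedgroup versus ipapermission), which makes the second dn easy to misread as a duplicate of the first. A short comment above each dn saying which entry is the privilege and which is the permission would remove the ambiguity. The quoted lines create only the two group entries; the ACI on cn=ipaconfig that the permission relies on is not visible here, so it is worth confirming that it grants write access to the entry under cn=permissions and not to the privilege entry, and that the privilege, which has no default member line, is only handed to roles that need to change the configuration.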

I think this is OK. We are adding 2 objects - one permission called
"Write IPA Configuration" (with an underlying ACI) and one privilege
also called "Write IPA Configuration". Therefore they cannot be merged
to one LDAP object.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel