Jan Cholasta wrote:
Don't allow "ipa pwpolicy-del global_policy".

https://fedorahosted.org/freeipa/ticket/1936

Can you add a unit test case for this? Then ack.


Questions:

Is it possible to disallow deletion of specific objects on LDAP level
instead?

Well, that would be ideal in some cases. We'd need to write a plugin to intercept changes and have it compare it to a list of "no deletes". You can file an RFE if you want, this might be handy to have.


The default HBAC rule, allow_all, can also be deleted - should it be
disallowed too?

This is one we want to be removable. Before we had this the default HBAC stance was "nobody can log in" and it was jarring to most folks.

It is possible to install without this rule using the option --no_hbac_allow

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
