Jan Cholasta wrote:
Don't allow "ipa pwpolicy-del global_policy".


Can you add a unit test case for this? Then ack.


Is it possible to disallow deletion of specific objects on LDAP level

Well, that would be ideal in some cases. We'd need to write a plugin to intercept changes and have it compare it to a list of "no deletes". You can file an RFE if you want, this might be handy to have.

The default HBAC rule, allow_all, can also be deleted - should it be
disallowed too?

This is one we want to be removable. Before we had this the default HBAC stance was "nobody can log in" and it was jarring to most folks.

It is possible to install without this rule using the option --no_hbac_allow


Freeipa-devel mailing list