Jan Cholasta wrote:
Don't allow "ipa pwpolicy-del global_policy".
Can you add a unit test case for this? Then ack.
Is it possible to disallow deletion of specific objects on LDAP level
Well, that would be ideal in some cases. We'd need to write a plugin to
intercept changes and have it compare it to a list of "no deletes". You
can file an RFE if you want; this might be handy to have.
The default HBAC rule, allow_all, can also be deleted - should it be
This is one we want to be removable. Before we had this the default HBAC
stance was "nobody can log in" and it was jarring to most folks.
It is possible to install without this rule using the option --no_hbac_allow.
Freeipa-devel mailing list