I'm splitting up ACI work into several designs to make it more manageable.

This one is about:
- Moving ACIs out of $SUFFIX
- Storing all ACI data in the permission entry
- Permission flag system for ensuring backwards compatibility

Summary of the backcompat story:
- Attributes, rights, etc. of new permissions may not be modified or read on old servers (not possible since the ACIs aren't in $SUFFIX)
- Old permissions convert to new ones when they're modified on a new server
- Any server can assign (or remove) both old and new permissions to privileges

There is a bit of shuffling in API/CLI option names, since the API option name needs to match the LDAP attributeTypes.

The WIP design document is here:


Freeipa-devel mailing list