On 12/02/2013 02:29 PM, Simo Sorce wrote:
On Fri, 2013-11-29 at 16:51 +0100, Petr Viktorin wrote:

I've updated the design with
- updated schema (this time the OIDs are even reserved properly!)
- longer attribute descriptions with examples
- updated update algorithm based on discussion with Simo

Hi Petr,
thank you for the update.

Additionally, I've updated draft designs this one references [0, 1]. The
CLI/API parts of those aren't finished but the LDAP should be ready for
criticism.

It would be very nice if you can add the resulting LDAP objects in the
example, that will allow me to reason on the correctness of the
translation.

OK, I'll work on that.

For examples, I felt that anything I show as an example should also go
in the test suite, so I added the tests. (If you're into wiki design I'd
appreciate ideas about how to make that section better.)
If you need any more examples, or see some dangerous corner cases, tell
me and I'll add them.

There is still a race condition when the subtree changes, e.g. when
you'd move an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX, the
rights are revoked between the times the ACI is removed and re-added.
At this point I'd rather document it and file a bug (and possibly start
working on it right after this) than redo the internals in yet another
way in the same update.

I think that this will be fine, *after* we change the default mode to
deny everything, and rely on permissions to allow. This way the lack of
an ACI will deny (not permit!) access to arbitrary attributes.

Permissions can only allow access. All our deny ACIs are built in, not controlled by permissions.


[0] http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
[1] http://www.freeipa.org/page/V3/Managed_Read_permissions

--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
