On 04/07/2014 01:34 PM, Petr Viktorin wrote:
> On 04/07/2014 01:28 PM, Martin Kosek wrote:
>> On 04/03/2014 12:09 PM, Petr Viktorin wrote:
>>> Hello,
>>> This adds read permissions to read HBAC rules, services, and service groups.
>>>
>>> Read access is given to all authenticated users.
>>
>> So far looked OK in my tests. What about the ACIs like the following one?
>>
>> (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny
>> (read,search,compare) userdn != "ldap:///all";)
>>
>> Do we want to remove them together with this patch to have the change grouped
>> together with allow ACIs or do you plan to remove all similar deny ACIs at
>> once? (together with the master read ACI)
>>
>> Martin
>>
>
> I want to remove them after removing the global read ACI, so that in the mean
> time we're not allowing more access than we should.

Ok, makes sense. I tested the patch again and it worked fine (after I removed the deny rule). ACK.

Martin