On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
> Hello,
> 
> The first patch adds default read permissions to krbtpolicy. Since the 
> plugin manages entries in two trees, there are two permissions. Since 
> two permissions are needed to cover krbtpolicy, it can't be used as a 
> permission's --type.
> The permissions are added to a new privilege, 'Kerberos Ticket Policy 
> Readers'.
> 
> The second patch adds an ACI for reading the Kerberos realm name. Since 
> client enrollment won't work without this, I don't see a reason for 
> having it managed by a permission.
> 

LGTM

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
