On Wed, 2014-04-16 at 11:59 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 04/16/2014 02:14 PM, Petr Viktorin wrote:
> >> A single permission granting anonymous read access covers
> >> automountlocation, automountmap, and automountkey.
> >>
> >
> > This works fine, I am just wondering about the ACI:
> >
> > 1) Simo, are you OK with one ACI covering all automount objects? I
> > personally am, I cannot imagine a situation when somebody allows
> > automount maps but not the automount keys. But on the other hand, we
> > also have separate permissions for sudo commands, sudo command groups,
> > sudo rules...
>
> With sudo you may want a different set of users deciding WHAT can be
> executed from WHO can execute it. I don't think automount needs that
> level of specificity.
>
> >
> > 2) Should we limit the ACI by an objectclass filter? I.e.
> > (|(objectclass=automountmap)(objectclass=automount))?
>
> I think these are the only things living in that container so it may be
> overkill. I'm not against adding it if someone feels more strongly about it.

I think Rob summarized my own thought, and I think he has more authority than I have as he's been working on automount stuff more than I have.

Simo.