On 23.4.2014 13:13, Martin Kosek wrote:
On 04/23/2014 01:03 PM, Petr Viktorin wrote:
On 04/14/2014 12:55 PM, Martin Kosek wrote:
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
- ADD ACI allowing read access for hosts (kept separate from the global cn=etc one so
that we can later assign it only to an ipamasters hostgroup, for example)

We don't have an ipamasters hostgroup. Should we?

We do not have it currently, but AFAIK Honza planned (or even had patches?) to
add it in his CA management utility effort. Honza, is that correct?

It would certainly make things prettier. I don't have any patches, but there is a ticket for that: <https://fedorahosted.org/freeipa/ticket/3416>.

Until this hostgroup is ready (and managed), I think we can have an ACI to
allow read access to all authenticated users.

OR, we may choose not to have an ACI at all, given that the utilities (ipactl,
ipa-replica-manage, ipa-replica-install) operating with cn=masters bind as DM
(either via password or with External bind) and thus should not need the ACI.

Renewal scripts need access to cn=masters and bind as host.


Jan Cholasta
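For reference, the two ACI shapes discussed in this thread written out in 389-ds ACI syntax. This is an added example, not a patch from the thread or code from the FreeIPA tree; SUFFIX stands for the real base DN, the attribute list and the "Read IPA masters" ACL names are assumptions, and the ipamasters hostgroup DN is hypothetical since, as noted above, that hostgroup does not exist yet (ticket 3416).

```ldif
# Added example (not from the thread). Apply ONE of the two records below.
#
# Variant 1: interim ACI, readable by every authenticated bind.
# "ldap:///all" matches any authenticated identity (including host principals
# such as the renewal scripts); it does NOT match anonymous binds, which would
# need "ldap:///anyone". Directory Manager binds bypass ACIs entirely, so
# ipactl / ipa-replica-manage / ipa-replica-install are unaffected either way.
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=masters,cn=ipa,cn=etc,SUFFIX")
 (targetattr = "cn || objectclass || ipaConfigString")
 (version 3.0; acl "Read IPA masters (authenticated)";
 allow (read, search, compare) userdn = "ldap:///all";)

# Variant 2: once an ipamasters hostgroup exists (hostgroup DN is an assumption),
# scope the same read rights to its members only. groupdn evaluates membership
# of the bound host entry in the named group.
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=masters,cn=ipa,cn=etc,SUFFIX")
 (targetattr = "cn || objectclass || ipaConfigString")
 (version 3.0; acl "Read IPA masters (ipamasters hostgroup)";
 allow (read, search, compare)
 groupdn = "ldap:///cn=ipamasters,cn=hostgroups,cn=accounts,SUFFIX";)
```

To check the effect from a master, obtain host credentials with `kinit -k -t /etc/krb5.keytab host/$(hostname -f)` and run `ldapsearch -Y GSSAPI -b "cn=masters,cn=ipa,cn=etc,SUFFIX" cn ipaConfigString`; the subentries should come back with variant 1, and with variant 2 only if the host is in the hostgroup. An anonymous search (`ldapsearch -x` against the same base) should return no entries under either variant. The folded `aci:` lines above are standard LDIF continuation (leading space), which ldapmodify joins back into a single value before the ACI is parsed.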

