On 04/23/2014 01:42 PM, Jan Cholasta wrote:
On 23.4.2014 13:13, Martin Kosek wrote:
On 04/23/2014 01:03 PM, Petr Viktorin wrote:
On 04/14/2014 12:55 PM, Martin Kosek wrote:
[...]
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
- ADD aci allowing reading hosts (to have it separate from global cn=etc one so that we can once assign it only to ipamasters hostgroup for example)
We don't have an ipamasters hostgroup. Should we?
We do not have it currently, but AFAIK Honza planned (or even had patches?) to add it in his CA management utility effort. Honza, is that correct?
It would certainly make things prettier. I don't have any patches, but
there is a ticket for that: <https://fedorahosted.org/freeipa/ticket/3416>.
Sounds like the best way to do this. I've moved the ticket to Needs triage.
Until this hostgroup is ready (and managed), I think we can have an ACI to allow read access to all authenticated users.
OR, we may choose not to have an ACI at all given that utilities (ipactl, ipa-replica-manage, ipa-replica-install) operating with cn=masters bind as DM (either via password or with External bind) and i.e. should not need the ACI.
Renewal scripts need access to cn=masters and bind as host.
--
Petr³
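To make the two options discussed in the thread concrete, here is an added LDIF sketch (not from the FreeIPA tree or from any participant) of what the cn=masters read ACI could look like in 389 Directory Server ACI syntax: the interim variant readable by every authenticated bind, and the tighter variant limited to members of a hostgroup. SUFFIX stands for the deployment's base DN as in the thread, and the hostgroup DN cn=ipamasters,cn=hostgroups,cn=accounts,SUFFIX is a hypothetical name for the not-yet-existing hostgroup from ticket 3416.

```ldif
# Added example, not FreeIPA's own LDIF. SUFFIX is a placeholder for the base DN.
# The two "aci" values below are alternatives; deploy one, not both.

# Option A (interim, wider): any authenticated principal can read cn=masters.
# "ldap:///all" matches every authenticated bind; it deliberately excludes
# anonymous binds ("ldap:///anyone" would include them).
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Read IPA masters (authenticated users)"; allow (read, search, compare) userdn = "ldap:///all";)

# Option B (target state, least privilege): only hosts that are members of the
# hypothetical ipamasters hostgroup can read cn=masters. Hosts authenticate with
# their keytab (as the renewal scripts do), so their host entry DN is what the
# groupdn membership check is evaluated against.
dn: cn=masters,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Read IPA masters (ipamasters hostgroup)"; allow (read, search, compare) groupdn = "ldap:///cn=ipamasters,cn=hostgroups,cn=accounts,SUFFIX";)
```

After applying either variant, the effective access can be checked from an enrolled host with `kinit -k` (host keytab) followed by `ldapsearch -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,SUFFIX'`; with option B the search should return entries only on hosts that are members of the hostgroup.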
_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel