On 04/23/2014 02:48 PM, Simo Sorce wrote:
> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>> This adds managed read permissions to cn=etc. Since these permissions
>> are not bound to objects, the first patch adds support for those.
>> They're defined in the update plugin.
>>
>> The second patch adds permissions for various subtrees/entries in
>> cn=etc, according to the [discussion thread].
>>
>> I wonder if we should limit the attributes in cn=replication; are all
>> nsds5replica attrs needed?
>
> Nope, IIRC we use this object exclusively to set the next available
> replica id.
>
>> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since
>> cn=ad is not present by default.
>>
> ok.

534 - ACK.

535:
System: Read IPA Masters - ACK
System: Read DNA Configuration - ACK
System: Read CA Renewal Information - ACK
 - I tested with "getcert resubmit -i $ID_OF_AUDITCERT"
System: Read CA Certificate - should be OK
 - currently we need just cn,objectclass,cACertificate, but we may allow others for future use
System: Read Replication Information - changes needed?
 - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
 - I am thinking we may be fine with allowing just those. Simo, what's your take on this?
System: Read AD Domains - ACK

Martin