On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
> On 04/23/2014 02:48 PM, Simo Sorce wrote:
> > On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
> >> This adds managed read permissions to cn=etc. Since these permissions
> >> are not bound to objects, the first patch adds support for those.
> >> They're defined in the update plugin.
> >>
> >> The second patch adds permissions for various subtrees/entries in
> >> cn=etc, according to the [discussion thread].
> >>
> >> I wonder if we should limit the attributes in cn=replication; are all
> >> nsds5replica attrs needed?
> >
> > Nope, IIRC we use this object exclusively to set the next available
> > replica id.
> >
> >> For cn=ad,cn=etc I put the permission in cn=etc and used a target,
> >> since cn=ad is not present by default.
> >>
> > ok.
>
> 534 - ACK.
>
> 535:
>
> System: Read IPA Masters - ACK
>
> System: Read DNA Configuration - ACK
>
> System: Read CA Renewal Information - ACK
> - I tested with "getcert resubmit -i $ID_OF_AUDITCERT"
>
> System: Read CA Certificate - should be OK
> - currently we need just cn,objectclass,cACertificate, but we may allow
>   others for future use
>
> System: Read Replication Information - changes needed?
> - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
> - I am thinking we may be fine with allowing just those. Simo, what's your
>   take on this?
Should be fine, hopefully we will soon overhaul the replication stuff to
expose the topology and all, so I am not overly concerned.

> System: Read AD Domains - ACK

Simo.
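An added example, not code from this thread or from FreeIPA: a small Python check that parses a 389-ds ACI and reports any targetattr beyond the minimal attribute set named in the thread (cn, objectclass, nsds5replicaid, nsds5replicaroot for the replication permission; cn, objectclass, cACertificate for the CA certificate one), treating a wildcard or negated targetattr as exposing everything. The sample ACI strings, the `permission:` acl-name convention, the suffix and the allow-list table are assumptions constructed for the example.

```python
import re

# Allow-lists taken from the attribute lists discussed in the thread (assumed to be
# the complete set the callers read); LDAP attribute names compare case-insensitively.
EXPECTED_ATTRS = {
    "System: Read Replication Information": {
        "cn", "objectclass", "nsds5replicaid", "nsds5replicaroot"},
    "System: Read CA Certificate": {"cn", "objectclass", "cacertificate"},
}

# 389-ds ACI syntax: (targetattr [!]= "a || b || c")(version 3.0; acl "name"; ...)
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ACLNAME = re.compile(r'acl\s+"permission:([^"]+)"', re.I)


def parse_aci(aci):
    """Return (permission name, targetattr operator, lower-cased attribute set)."""
    m_name = _ACLNAME.search(aci)
    m_attr = _TARGETATTR.search(aci)
    if not m_name or not m_attr:
        raise ValueError("not a managed permission ACI with a targetattr clause")
    attrs = {a.strip().lower() for a in m_attr.group(2).split("||") if a.strip()}
    return m_name.group(1), m_attr.group(1), attrs


def excess_attrs(aci):
    """Attributes the ACI grants read on beyond the allow-list for its permission.
    A wildcard or a '!=' targetattr is reported as {'*'}: it exposes every attribute."""
    name, op, attrs = parse_aci(aci)
    if name not in EXPECTED_ATTRS:
        raise KeyError("no allow-list known for permission %r" % name)
    if op == "!=" or "*" in attrs:
        return {"*"}
    return attrs - EXPECTED_ATTRS[name]


# Constructed sample ACIs (not FreeIPA's real ones); the second is deliberately too broad.
TIGHT_ACI = ('(targetattr = "cn || objectClass || nsDS5ReplicaId || nsDS5ReplicaRoot")'
             '(version 3.0; acl "permission:System: Read Replication Information"; '
             'allow (read, search, compare) groupdn = "ldap:///cn=System: Read '
             'Replication Information,cn=permissions,cn=pbac,dc=example,dc=test";)')
BROAD_ACI = TIGHT_ACI.replace(
    "nsDS5ReplicaRoot", "nsDS5ReplicaRoot || nsDS5ReplicaBindDN || nsDS5ReplicaType")

if __name__ == "__main__":
    for label, aci in (("tight", TIGHT_ACI), ("broad", BROAD_ACI)):
        print(label, "excess:", sorted(excess_attrs(aci)))
```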