On 04/24/2014 02:24 PM, Simo Sorce wrote:
> On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
>> On 04/23/2014 02:48 PM, Simo Sorce wrote:
>>> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>>>> This adds managed read permissions to cn=etc. Since these permissions
>>>> are not bound to objects, the first patch adds support for those.
>>>> They're defined in the update plugin.
>>>>
>>>> The second patch adds permissions for various subtrees/entries in
>>>> cn=etc, according to the [discussion thread].
>>>>
>>>> I wonder if we should limit the attributes in cn=replication; are all
>>>> nsds5replica attrs needed?
>>>
>>> Nope, IIRC we use this object exclusively to set the next available
>>> replica id.
>>>
>>>> For cn=ad,cn=etc I put the permission in cn=etc and used a target,
>>>> since cn=ad is not present by default.
>>>>
>>> ok.
>>
>> 534 - ACK.
>>
>> 535:
>>
>> System: Read IPA Masters - ACK
>>
>> System: Read DNA Configuration - ACK
>>
>> System: Read CA Renewal Information - ACK
>> - I tested with "getcert resubmit -i $ID_OF_AUDITCERT"
>>
>> System: Read CA Certificate - should be OK
>> - currently we need just cn,objectclass,cACertificate, but we may allow
>> others for future use
>>
>> System: Read Replication Information - changes needed?
>> - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
>> - I am thinking we may be fine with allowing just those. Simo, what's your
>> take on this?
>
> Should be fine, hopefully we will soon overhaul the replication stuff to
> expose the topology and all, so I am not overly concerned.
>
>> System: Read AD Domains - ACK
>
> Simo.
OK, thanks. It is an ACK, as "System: Read Replication Information" was the only one I was concerned about.

Pushed to master: d893b77fb69ef2e0aedf823e7cd82ca86a2971af

Martin
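As an added illustration of the attribute allow-list Martin proposes for "System: Read Replication Information" (this is not code from the thread and not the ACI FreeIPA itself generates), the following LDIF shows what a 389-ds ACI restricted to cn, objectclass, nsds5replicaid and nsds5replicaroot looks like. The suffix dc=example,dc=com and the bind rule userdn = "ldap:///all" (any authenticated user) are assumptions; FreeIPA's managed permissions may bind through a groupdn on the permission entry instead.

```ldif
# Added example, not FreeIPA's generated ACI.
# Assumed suffix: dc=example,dc=com. Assumed bind rule: any authenticated user.
dn: cn=replication,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass || nsds5replicaid || nsds5replicaroot")(version 3.0; acl "permission:System: Read Replication Information"; allow (compare,read,search) userdn = "ldap:///all";)
```

The targetattr clause is the allow-list: any other nsds5replica* attribute on the entry stays unreadable through this permission, which is the point of trimming it to the four attributes the replica-id allocation code actually uses. After applying it, a search against cn=replication,cn=etc,<suffix> as an ordinary authenticated user should return only those four attributes; if more come back, another ACI is granting them.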