On 04/24/2014 02:24 PM, Simo Sorce wrote:
> On Thu, 2014-04-24 at 13:53 +0200, Martin Kosek wrote:
>> On 04/23/2014 02:48 PM, Simo Sorce wrote:
>>> On Wed, 2014-04-23 at 13:42 +0200, Petr Viktorin wrote:
>>>> This adds managed read permissions to cn=etc. Since these permissions 
>>>> are not bound to objects, the first patch adds support for those. 
>>>> They're defined in the update plugin.
>>>>
>>>> The second patch adds permissions for various subtrees/entries in 
>>>> cn=etc, according to the [discussion thread].
>>>>
>>>> I wonder if we should limit the attributes in cn=replication; are all 
>>>> nsds5replica attrs needed?
>>>
>>> Nope, IIRC we use this object exclusively to set the next available
>>> replica id.
>>>
>>>> For cn=ad,cn=etc I put the permission in cn=etc and used a target, since
>>>> cn=ad is not present by default.
>>>>
>>> ok.
>>
>> 534 - ACK.
>>
>> 535:
>>
>> System: Read IPA Masters - ACK
>>
>> System: Read DNA Configuration - ACK
>>
>> System: Read CA Renewal Information - ACK
>> - I tested with "getcert resubmit -i $ID_OF_AUDITCERT"
>>
>> System: Read CA Certificate - should be OK
>> - currently we need just cn,objectclass,cACertificate, but we may allow others
>> for future use
>>
>> System: Read Replication Information - changes needed?
>> - currently, we need/use just cn,objectclass,nsds5replicaid,nsds5replicaroot
>> - I am thinking we may be fine with allowing just those. Simo, what's your take
>> on this?
> 
> Should be fine, hopefully we will soon overhaul the replication stuff to
> expose the topology and all, so I am not overly concerned.
> 
>> System: Read AD Domains - ACK
> 
> Simo.

Ok, thanks. It is an ACK as the "System: Read Replication Information" was the
only one I was concerned about.

Pushed to master: d893b77fb69ef2e0aedf823e7cd82ca86a2971af

Martin
