Petr Viktorin wrote:
> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>> See commit message.
>>>
>>> This was found in the review of host write permissions (my patches
>>> 0578-0579).
>>
>> Wouldn't it be better to filter based on objectclass? I.e.:
>>
>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>
>> instead of DN based target filter? It seems to me that it is more
>> resilient to
>> changes in LDAP structure, in case we change RDN or make one more
>> level like
>> (just example):
>>
>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
> 
> Sure, fixed patch attached.

Are you sure you need read access and not just search/compare? The
purpose is to see "is that thing there" and not "what is in that thing"
right? Sure someone could fish for masters if they really wanted to.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to