Petr Viktorin wrote:
> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>> See commit message.
>>> This was found in the review of host write permissions (my patches
>>> 0578-0579).
>> Wouldn't it be better to filter based on objectclass? I.e.:
>> (targetfilter="(!(objectclass=ipaConfigObject))"
>> instead of DN based target filter? It seems to me that it is more
>> resilient to
>> changes in LDAP structure, in case we change RDN or make one more
>> level like
>> (just example):
>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
> Sure, fixed patch attached.

Are you sure you need read access and not just search/compare? The
purpose is to see "is that thing there" and not "what is in that thing"
right? Sure someone could fish for masters if they really wanted to.


Freeipa-devel mailing list

Reply via email to