On 09/18/2014 04:28 PM, Martin Kosek wrote:
On 09/18/2014 04:06 PM, David Kupka wrote:
On 09/18/2014 03:44 PM, Rob Crittenden wrote:
David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it is no
longer needed. Did you test all the client enrollment scenarios?

rob


As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is
possible to add krbPrincipalName to host even when there is already one (or
more). And adding one ACI to allow writing krbCanonicalName to host.
But I'm still not really familiar with ACI so please correct me if I'm wrong.


What refers to is probably the update in ACI.txt - the ACI alternative to
API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-            'ipapermtargetfilter': [
-                '(objectclass=ipahost)',
-                '(!(krbprincipalname=*))',
-            ],

?

To allow additional krbPrincipalNames. This behavior is requested by the ticket.


Martin


--
David Kupka

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to