On Fri, 10 Oct 2014 17:38:46 +0200 Ludwig Krispenz <lkris...@redhat.com> wrote:
> > > https://fedorahosted.org/389/ticket/47924
> > >
> >> is it possible to reproduce without IPA ?
> > Perhaps. You'd need the OTP schema and ACIs from FreeIPA, unless
> > you can find another way to reproduce it.
> well, did think about it again, we probably also would need all the
> plugins, so could be difficult

Just a wild guess, for some reason the post-read evaluation is using
some cached evaluation of the add. I think the key part here is that we
*change* the DN which is key part in determining the access control.

I wonder if you can reproduce in 389ds using the DNA plugin ?
Use the magic value to generate a number and use the value in the add
and read ACIs so that the ADD works only with the magic value.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York