On 10/13/2014 08:19 AM, Martin Kosek wrote:
On 10/10/2014 06:44 PM, Simo Sorce wrote:
On Fri, 10 Oct 2014 18:38:36 +0200
Ludwig Krispenz <lkris...@redhat.com> wrote:

On 10/10/2014 06:30 PM, James wrote:
On 10 October 2014 12:21, Simo Sorce <s...@redhat.com> wrote:


First thing, I do not think we want a new command here.
If we need commands outside of the ipa framework they should be
integrated in the ipa-replica-manage tool.
But really one of the reasons to move data in the shared tree was
that we could grow native framework command to handle the topology
so we can manage the topology directly from the UI.
So I am not happy with ipa-tology-manage
I agree here... I think the current interface of ipa-replica-manage
is fine, however the need to copy the credentials around and the
need for a password are the problem. In fact, I particularly like
the current interface, and puppet-ipa has already wrapped this
successfully. In other words, the design checks out. Good job IPA
team.

All management should happen in the shared tree, moving to be able
to avoid directly touching cn=config and avoid the need for DM
password is one of the main reasons to do this work ...
I'll comment later on Simo's other comments, but I need access to
cn=config for two reasons:
- I need to know if the plugin is deployed and enabled
Let's expose something in rootDSE then, that's the "standard" way to
do this (though it is unnecessary, if the shared tree is present you
already know it is available).
+1,
OK for me. I was just straightforwardly reading cn=config to get cn=config info, but I like the idea to do it via rootDSE. We have to expose the suffix(es) controlled by the topology plugin and the entry point for the shared config info.
  for the plugin enabled/disabled status. However, in case you really need to
let an admin or other privileged person look into a specified part of cn=config,
this can be done with standard permissions. We already have, for example, a
permission for reading replication agreements:

dn: cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn ||
modifytimestamp || nsds50ruv || nsds5beginreplicarefresh ||
nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || ...
winsyncsubtreepair || winsyncwindowsfilter")(targetfilter =
"(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
3.0;acl "permission:System: Read Replication Agreements"; allow
(compare,read,search) groupdn = "ldap:///cn=System: Read Replication
Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)

Martin

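Added here as an illustration of the permission approach discussed above, not code from the thread or from FreeIPA: a small parser and audit for 389-ds version 3.0 ACI values of the shape quoted, run on a constructed copy of the "Read Replication Agreements" ACI (attribute list shortened) and on a constructed over-broad ACI that the audit flags.

```python
import re
from dataclasses import dataclass
# Constructed sample modelled on the "System: Read Replication Agreements" ACI
# quoted in the thread (attribute list shortened, as it is in the mail itself).
READ_AGREEMENTS_ACI = (
    '(targetattr = "cn || createtimestamp || description || nsds50ruv || '
    'nsds5replicaabortcleanruv || winsyncsubtreepair || winsyncwindowsfilter")'
    '(targetfilter = "(|(objectclass=nsds5Replica)'
    '(objectclass=nsds5replicationagreement)(objectClass=nsMappingTree))")'
    '(version 3.0;acl "permission:System: Read Replication Agreements"; '
    'allow (compare,read,search) groupdn = "ldap:///cn=System: Read '
    'Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)')
# Constructed counter-example of the over-broad shape an audit should flag.
OVERBROAD_ACI = ('(targetattr != "userPassword")(version 3.0;acl "too wide"; '
                 'allow (all) userdn = "ldap:///anyone";)')
_TARGETATTR = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
_TARGETFILTER = re.compile(r'\(targetfilter\s*=\s*"([^"]*)"\)')
_BODY = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
                   r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);\s*\)')

@dataclass
class Aci:
    name: str
    attr_negated: bool   # "targetattr !=": every attribute EXCEPT those listed
    attrs: tuple
    target_filter: str
    effect: str          # allow / deny
    rights: tuple
    bind_rule: str       # e.g. groupdn = "ldap:///cn=...,cn=permissions,..."

def parse_aci(text):
    """Parse one 389-ds version 3.0 ACI value into target, rights and bind rule."""
    body = _BODY.search(text)
    if body is None:
        raise ValueError("not a version 3.0 ACI")
    ta, tf = _TARGETATTR.search(text), _TARGETFILTER.search(text)
    attrs = tuple(a.strip() for a in ta.group(2).split("||")) if ta else ()
    return Aci(body.group(1), bool(ta and ta.group(1) == "!="), attrs,
               tf.group(1) if tf else "", body.group(2),
               tuple(r.strip() for r in body.group(3).split(",")),
               body.group(4).strip())

def audit(aci):
    """Findings for an allow ACI; an empty list means nothing to flag."""
    findings = []
    if aci.effect == "allow" and (aci.attr_negated or "*" in aci.attrs):
        findings.append("deny-list or wildcard targetattr grants all other attributes")
    if aci.effect == "allow" and set(aci.rights) & {"all", "write", "add", "delete", "proxy"}:
        findings.append("grants modifying or proxy rights")
    if aci.effect == "allow" and re.search(r'ldap:///(anyone|all)\b', aci.bind_rule):
        findings.append("bind rule matches anonymous or all authenticated users")
    return findings
```

The read-only replication-agreement ACI yields no findings, while the constructed over-broad one is flagged three times.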
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel