On 2015-05-28 12:46, Martin Kosek wrote:
> I am fine with this too. So if there is not another major disagreement, let us
> start with enabling KDCPROXY by default during upgrade/install, the new ACI 
> and
> the per-replica standard configuration.
> 
> API CLI/UI can come later (4.2.x or 4.3).

LGTM, too.

How should the new ACI work? I see two possible ways:

1) Allow compare/search for ipaConfigString=enabledService for everybody:

(targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version
3.0; acl "Compare enabledService access to masters"; allow(search,
compare) userdn = "ldap:///all";;)

2) Create a new permission, assign it to all HTTP principals and allow
read, compare and search for all ipaConfigString attributes.

For the second way I need somebody to walk me through the permission and
role system of FreeIPA.

Christian

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to