On 28.5.2015 12:53, Christian Heimes wrote:
> On 2015-05-28 12:46, Martin Kosek wrote:
>> I am fine with this too. So if there is not another major disagreement,
>> let us start with enabling KDCPROXY by default during upgrade/install,
>> the new ACI and the per-replica standard configuration.
>>
>> API CLI/UI can come later (4.2.x or 4.3).
>
> LGTM, too.
>
> How should the new ACI work? I see two possible ways:
>
> 1) Allow compare/search for ipaConfigString=enabledService for
> everybody:
>
> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";)
>
> 2) Create a new permission, assign it to all HTTP principals and allow
> read, compare and search for all ipaConfigString attributes.

I like option 2 - a new permission like "Read configuration of IPA services".

> For the second way I need somebody to walk me through the permission and
> role system of FreeIPA.

Unfortunately I did not use the new system myself so I do not have particular steps to share. Please see design pages here:
http://www.freeipa.org/page/V3/Permissions_V2
http://www.freeipa.org/page/V3/Permissions_V2/tests

... and contact Petr Viktorin <pvikt...@redhat.com>. The new permission system is his child :-)

I hope this helps.

--
Petr^2 Spacek
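
Added example, not part of the original thread and not FreeIPA code: a small Python parser for 389 Directory Server ACI strings that reports bind subjects covering a broad population. It is run on the option 1 ACI quoted above and on a constructed ACI for option 2, whose group DN and suffix are hypothetical.

```python
import re

# Bind subjects that 389 Directory Server treats as broad populations.
BROAD_SUBJECTS = {
    "ldap:///anyone": "anonymous and authenticated clients",
    "ldap:///all": "every authenticated user",
}

# Option 1, as quoted in the thread.
OPTION_1 = ('(targetfilter="(ipaConfigString=enabledService)")'
            '(targetattr="ipaConfigString")(version 3.0; '
            'acl "Compare enabledService access to masters"; '
            'allow(search, compare) userdn = "ldap:///all";)')

# Option 2, constructed for illustration: the group DN and suffix are hypothetical.
OPTION_2 = ('(targetattr="ipaConfigString")(version 3.0; '
            'acl "permission:Read configuration of IPA services"; '
            'allow(read, search, compare) groupdn = "ldap:///cn=Read configuration '
            'of IPA services,cn=permissions,cn=pbac,dc=example,dc=test";)')


def parse_aci(aci):
    """Split a version 3.0 ACI into targets, name, rights and bind rules."""
    head, sep, body = aci.strip().partition("(version 3.0;")
    if not sep:
        raise ValueError("not a version 3.0 ACI")
    targets = dict(re.findall(r'\(\s*(\w+)\s*=\s*"([^"]*)"\s*\)', head))
    name = re.search(r'acl\s+"([^"]*)"', body)
    perm = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', body, re.S)
    if not name or not perm:
        raise ValueError("malformed ACI body")
    return {
        "targets": targets,
        "name": name.group(1),
        "type": perm.group(1),
        "rights": sorted(r.strip() for r in perm.group(2).split(",")),
        "binds": re.findall(r'(\w+)\s*(!?=)\s*"([^"]*)"', perm.group(3)),
    }


def broad_bind_subjects(aci):
    """List (keyword, subject, meaning) for bind rules that match a broad population."""
    hits = []
    for keyword, op, value in parse_aci(aci)["binds"]:
        for subject in (s.strip() for s in value.split("||")):
            if op == "=" and subject in BROAD_SUBJECTS:
                hits.append((keyword, subject, BROAD_SUBJECTS[subject]))
    return hits


if __name__ == "__main__":
    for label, aci in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(label, parse_aci(aci)["rights"], broad_bind_subjects(aci) or "scoped to a group")
```
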