On 2015-05-28 13:30, Jan Cholasta wrote:
> On 28.5.2015 at 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major
>>> disagreement, let us start with enabling KDCPROXY by default during
>>> upgrade/install, the new ACI and the per-replica standard
>>> configuration.
>>>
>>> API CLI/UI can come later (4.2.x or 4.3).
>>
>> LGTM, too.
>>
>> How should the new ACI work? I see two possible ways:
>>
>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>>
>> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";)
>>
>> 2) Create a new permission, assign it to all HTTP principals and allow
>> read, compare and search for all ipaConfigString attributes.
>>
>> For the second way I need somebody to walk me through the permission and
>> role system of FreeIPA.
>>
>> Christian
>
> So, will it be a separate component with its own freeipa-server-kdcproxy
> subpackage and installer or will it be a sub-component of KDC (as Martin
> suggested) and part of the core freeipa-server package?

For now I'm in favor of a sub-component as part of the freeipa-server package.

Christian
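
Added example, not part of the original thread or of FreeIPA's code: a small review helper that splits the option 1 ACI quoted above into its targets, rights and bind rule, and reports who the rule applies to. The helper names (`parse_aci`, `review`) are hypothetical, and the subject meanings in `SUBJECT_SCOPE` assume 389 Directory Server bind-rule keywords.

```python
import re

# ACI text as quoted in option 1 of the thread, with the mail line-wrapping undone.
ACI = ('(targetfilter="(ipaConfigString=enabledService)")'
       '(targetattr="ipaConfigString")'
       '(version 3.0; acl "Compare enabledService access to masters"; '
       'allow(search, compare) userdn = "ldap:///all";)')

# Assumption: 389 Directory Server meanings of the userdn keywords.
SUBJECT_SCOPE = {
    "ldap:///anyone": "anonymous and authenticated binds",
    "ldap:///all": "authenticated binds only",
    "ldap:///self": "the entry itself",
}

TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
BODY_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"([^"]+)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.+?)\s*;\s*\)\s*$', re.S)
USERDN_RE = re.compile(r'userdn\s*(!?=)\s*"([^"]*)"')


def parse_aci(text):
    """Split an ACI into targets, name, rights and bind rule (hypothetical helper)."""
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError("not a version 3.0 ACI")
    # Target clauses are the parenthesised key="value" pairs before "(version".
    targets = {k: (op, v) for k, op, v in TARGET_RE.findall(text[:body.start()])}
    name, verb, rights, bind_rule = body.groups()
    rights = sorted(r.strip() for r in rights.split(",") if r.strip())
    return {"targets": targets, "name": name, "verb": verb,
            "rights": rights, "bind_rule": bind_rule}


def review(aci):
    """Return the points a reviewer would check before the ACI is added."""
    findings = []
    for op, subject in USERDN_RE.findall(aci["bind_rule"]):
        for url in (u.strip() for u in subject.split("||")):
            scope = SUBJECT_SCOPE.get(url, "specific DN or pattern")
            findings.append(f"userdn {op} {url}: {scope}")
    if "read" not in aci["rights"]:
        findings.append("no read right: values can be matched, not returned")
    if "targetattr" not in aci["targets"]:
        findings.append("no targetattr: rule is not limited to named attributes")
    return findings
```

Calling `review(parse_aci(ACI))` lists the bind-rule scope and the absence of the read right, the two properties that distinguish option 1 from the permission-based option 2.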

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code