On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
> On 10.7.2015 at 10:59, Jan Cholasta wrote:
> > On 10.7.2015 at 10:43, Martin Basti wrote:
> >> On 10/07/15 07:29, Jan Cholasta wrote:
> >>> Hi,
> >>>
> >>> On 9.7.2015 at 17:21, Martin Basti wrote:
> >>>> https://fedorahosted.org/freeipa/ticket/5074
> >>>>
> >>>> Patch attached.
> >>>
> >>> NACK, you should remove the --rename option from certprofile-mod. You
> >>> can do it by removing "rdn_is_primary_key = True" from certprofile.
> >>>
> >>> Honza
> >>>
> >> Updated patch attached.
> >>
> >
> > What I meant was remove --rename *and* do the check from your previous
> > patch.
> >
> > Anyway, I didn't realize we already released IPA with certprofile and
> > removing --rename would be a backward incompatible change, so I think
> > it's better to just keep it.
> >
> > So ACK on the original patch.
> >
> 
> Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

I see no LDAP ACI that prevents a rename though; without that, an admin
can simply issue a modrdn operation. If it is critical for us to not
allow renames, we should rather have an ACI that prohibits them.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
