Dne 10.7.2015 v 12:52 Simo Sorce napsal(a):
On Fri, 2015-07-10 at 11:28 +0200, Jan Cholasta wrote:
Dne 10.7.2015 v 11:10 Simo Sorce napsal(a):
On Fri, 2015-07-10 at 11:01 +0200, Jan Cholasta wrote:
Dne 10.7.2015 v 10:59 Jan Cholasta napsal(a):
Dne 10.7.2015 v 10:43 Martin Basti napsal(a):
On 10/07/15 07:29, Jan Cholasta wrote:

Dne 9.7.2015 v 17:21 Martin Basti napsal(a):

Patch attached.

NACK, you should remove the --rename option from certprofile-mod. You
can do it by removing "rdn_is_primary_key = True" from certprofile.


Updated patch attached.

What I meant was remove --rename *and* do the check from your previous

Anyway, I didn't realize we already released IPA with certprofile and
removing --rename would be a backward incompatible change, so I think
it's better to just keep it.

So ACK on the original patch.

Pushed to master: 67b2b3408579814f7ff307cfd20bc4250edbea15

I see no LDAP ACI that prevents a rename though, without that an admin
can simply issue a modrdn operation. If it is critical for us to not
allow renames we should rather have an ACI that prohibits them.

AFAIK there is no ACI to prevent renaming hosts (the check in this patch
is copied from the host plugin) or users either and so far nobody
complained. I'm not saying this is right, but the patch is consistent
with existing code.

Renaming users is explicitly allowed, renaming hosts is something we may
want to prevent too. Maybe we should add a ticket to take care of these
things ?


Forgot to push this patch to ipa-4-2:

Pushed to ipa-4-2: 62e30d007275a3051370006a7546a5b3158f9686

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to