On 23.11.2015 06:54, Fraser Tweedale wrote:
> Hi all,
>
> The attached patches fix #5459[1]: Default CA ACL rule is not
> created during ipa-replica-install.
>
> These patches apply on branch ipa-4-2. There is a (trivial)
> conflict in imports when applying to master.

When a patch does not apply cleanly on all the target branches, you
should attach a rebased patch as well.

> I strongly recommend review / testing of these patches with patches
> 0042-0043[2] due to the prevalence of the other issue.
>
> [1] https://fedorahosted.org/freeipa/ticket/5459
> [2] https://www.redhat.com/archives/freeipa-devel/2015-November/msg00298.html

Patch 0044: ACK
Patch 0045:
1) The check in caacl_del could be better, please take a look at how the
admins group is handled in ipalib/plugins/group.py for an example. You
should at least raise ProtectedEntryError rather than ValidationError.
2) _add_default_caacl() should be located in
ipaserver/install/cainstance.py.
3) Rather than calling the cainstance functions in
replicainstall.install(), they should be called from
CAInstance.configure_instance() to make them effective in ipa-ca-install
and replica promotion as well.
Honza
--
Jan Cholasta