On 20.11.2015 16:49, Jan Cholasta wrote:
On 19.11.2015 17:43, Simo Sorce wrote:
510:
- We should probably tighten up the ACI to allow host X to only add
memberPrincipal = X and no other value; also the host should not be
allowed to change the memberPrincipal attribute, only the keys.
If we can't express this in ACIs we can live with the ones you propose
though.


I think this can be done.

Turns out this can be done only if member (or some other DN attribute) is used instead of memberPrincipal.

So, to reiterate:

2) Why is 'memberPrincipal' used in cn=custodia instead of 'member'?

If 'member' was used instead, we would gain referential integrity and
the ability to add ACIs based on the attribute (think
userattr="member#USERDN").

To avoid referential integrity and mixup with other group objects, it
was intentional.

Why is referential integrity a problem?

Mixup with other group objects can be solved by using a different attribute.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
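The following ACI pair is an added illustration (not part of the thread, and not FreeIPA's actual configuration) of the approach Jan sketches above: with a DN-valued `member` attribute instead of `memberPrincipal`, a 389-ds `userattr = "member#USERDN"` bind rule can tie the permitted operation to the bound host's own DN. It assumes a container `cn=custodia,dc=example,dc=com`, per-host child entries, host entries under `cn=computers,cn=accounts,dc=example,dc=com`, and a placeholder `KEY-ATTR` standing in for whatever attribute actually carries the key material.

```ldif
# Added example, not from the original thread. Assumed layout:
#   cn=<host>,cn=custodia,dc=example,dc=com   (one child entry per host)
#   member: fqdn=<host>,cn=computers,cn=accounts,dc=example,dc=com
#   KEY-ATTR: placeholder for the real key attribute name
dn: cn=custodia,dc=example,dc=com
changetype: modify
add: aci
# 1) A host may create its own child entry, but only when the 'member'
#    value of the entry being added equals the DN it is bound as.
#    (For add operations the userattr rule is evaluated against the new
#    entry, so member = <own DN> is the only value that satisfies it.)
aci: (target = "ldap:///cn=*,cn=custodia,dc=example,dc=com")
 (targetattr = "objectClass || cn || member || KEY-ATTR")
 (version 3.0; acl "host may register only itself in cn=custodia";
 allow (add) userattr = "member#USERDN";)
-
add: aci
# 2) Once the entry exists, the bound host may rewrite only KEY-ATTR
#    on entries whose 'member' is its own DN. 'member' is deliberately
#    absent from targetattr, so the host cannot change who owns the entry.
aci: (target = "ldap:///cn=*,cn=custodia,dc=example,dc=com")
 (targetattr = "KEY-ATTR")
 (version 3.0; acl "host may update only its own keys";
 allow (write) userattr = "member#USERDN";)
```

Because `userattr` compares the bound DN against a DN-valued attribute on the target entry, this is exactly the construction that is unavailable with a principal-name string such as `memberPrincipal`, which is the point of Jan's follow-up. Before relying on it, verify the add-time evaluation of `userattr` against the directory server's own ACI documentation for the version deployed, since that behaviour is what makes rule 1 restrict the value rather than merely the attribute.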
