On Wed, 2015-11-25 at 10:25 +0100, Jan Cholasta wrote:
> On 20.11.2015 16:49, Jan Cholasta wrote:
> > On 19.11.2015 17:43, Simo Sorce wrote:
> >> 510:
> >> - We should probably tighten up the ACI to allow host X to only add
> >> memberPrincipal = X and no other value, also the host should not be
> >> allowed to change the memberPrincipal attribute, only the keys.
> >> If we can't express this in ACIs we can live with the ones you propose
> >> though.
> >
> > I think this can be done.
> 
> Turns out this can be done only if member (or some other DN attribute) 
> is used instead of memberPrincipal.
> 
> So, to reiterate:
> 
> >>> 2) Why is 'memberPrincipal' used in cn=custodia instead of 'member'?
> >>>
> >>> If 'member' was used instead, we would gain referential integrity and
> >>> the ability to add ACIs based on the attribute (think
> >>> userattr="member#USERDN").
> >>
> >> To avoid referential integrity and mixup with other group objects, it
> >> was intentional.
> 
> Why is referential integrity a problem?

Because it will remove the member if the object it references goes away,
and I do not want an "orphaned" entry for custodia.

> Mixup with other group objects can be solved by using a different attribute.

There is also the fact that in future we may want to use this with "external"
principals (like in IPA-IPA trusts or similar) so I didn't want to have
to come up with bogus DNs in that case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
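The kind of userattr bind rule that becomes possible once the owning host is recorded as a DN (the thread's `member#USERDN` point), as an added example that is not part of this thread or of FreeIPA's own LDIF; the container DN, the key attribute name ipaPublicKey and storing the host DN in `member` are assumptions:

```ldif
# Constructed example for 389-ds ACI syntax, not FreeIPA's shipped ACIs.
# Assumptions: custodia entries live under cn=custodia,cn=ipa,cn=etc,$SUFFIX,
# the key material is held in ipaPublicKey, and each entry names its owning
# host's DN in "member". A host that binds as that DN may then rewrite only
# the key attribute of its own entries; "member" is outside targetattr, so
# the host cannot re-point the entry at another owner. A principal-name
# string such as memberPrincipal cannot be matched against USERDN this way.
dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ipaPublicKey")
 (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,dc=example,dc=com")
 (version 3.0; acl "Custodia: a host may update only the keys of its own entries";
  allow (write) userattr = "member#USERDN";)
```

Each continuation line begins with a space as LDIF requires; the server joins them into one aci value before parsing.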

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
