On Thu, 2015-11-26 at 07:47 +0100, Jan Cholasta wrote:
> On 25.11.2015 18:46, Simo Sorce wrote:
> > On Wed, 2015-11-25 at 10:25 +0100, Jan Cholasta wrote:
> >> On 20.11.2015 16:49, Jan Cholasta wrote:
> >>> On 19.11.2015 17:43, Simo Sorce wrote:
> >>>> 510:
> >>>> - We should probably tightenup the ACI to allos host X to only add
> >>>> memberPrincipal = X and no other value, also the host should not be
> >>>> allowed to change the memberPrincipal attribute only the keys.
> >>>> If we can't express this in ACIs we can live with the ones you propose
> >>>> though.
> >>> I think this can be done.
> >> Turns out this can be done only if member (or some other DN attribute)
> >> is used instead of memberPrincipal.
> >> So, to reiterate:
> >>>>> 2) Why is 'memberPrincipal' used in cn=custodia instead of 'member'?
> >>>>> If 'member' was used instead, we would gain referential integrity and
> >>>>> the ability to add ACIs based on the attribute (think
> >>>>> userattr="member#USERDN").
> >>>> To avoid referential integrity and mixup with other group objects, it
> >>>> was intentional.
> >> Why is referential integrity a problem?
> > Because it will remove the member if the object it references goes away,
> > and I do not want an "orphaned" entry for custodia.
> But without referential integrity you get an orphaned entry too, except
> with an extra dangling reference. IMHO that's even worse than "plain"
> orhpaned entry, because you can't spot it just by looking at the
> attribute value.
> >> Mixup with other group objects can be solved by using a different
> >> attribute.
> > There is also the fact in future we may want to use this with "external"
> > principals (like in IPA-IPA trusts or similar) so I didn't want to have
> > to come up with bogus DNs in that case.
> IIRC Alexander was working on something like exposing external
> principals in LDAP using the compat plugin, in order to allow external
> users to run IPA commands.
We do not want to depend on the compat tree in such a core feature.
> Alternatively, it could do what groups do - use DN for internal
> references and string (be it principal or something else) for external
Same as above.
> Anyway, either memberPrincipal is replaced with a member-like attribute,
> or the ACI stays as it is. I would prefer a member-like attribute,
> because I feel that's the way LDAP entries should reference each other,
> but I will leave the decision to you.
Let's keep it as it is for now, I'll think more about it.
Simo Sorce * Red Hat, Inc * New York
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code