On Tue, Jun 28, 2016 at 01:47:23PM -0000, freeipa wrote: > #6002: Default CA can be used without an ACL > > Comment (by ftweedal): > > This is expected behaviour; if a CA ACL does not reference any CAs, > and does not have cacat=all, then it is assumed to refer to the > default CA. This is for backwards compatibility with existing > CA ACLs, which do not reference any CAs but did (and still do) > allow access to IPA CA. > > Leaving open for discussion about whether to break compatibility > for a more consistent behaviour. > Didn't get any feedback in the ticket yet so raising on list for visibility. If people agree with current behaviour I can add a clarification to caacl plugin help text and close out this ticket.
Thanks, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code