On Tue, Jun 28, 2016 at 01:47:23PM -0000, freeipa wrote:
> #6002: Default CA can be used without an ACL
> Comment (by ftweedal):
> This is expected behaviour; if a CA ACL does not reference any CAs,
> and does not have cacat=all, then it is assumed to refer to the
> default CA. This is for backwards compatibility with existing
> CA ACLs, which do not reference any CAs but did (and still do)
> allow access to IPA CA.
> Leaving open for discussion about whether to break compatibility
> for a more consistent behaviour.
Didn't get any feedback in the ticket yet so raising on list for
visibility. If people agree with current behaviour I can add a
clarification to caacl plugin help text and close out this ticket.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code