On Tue, Jun 28, 2016 at 01:47:23PM -0000, freeipa wrote:
> #6002: Default CA can be used without an ACL
> 
> Comment (by ftweedal):
> 
>  This is expected behaviour; if a CA ACL does not reference any CAs,
>  and does not have cacat=all, then it is assumed to refer to the
>  default CA.  This is for backwards compatibility with existing
>  CA ACLs, which do not reference any CAs but did (and still do)
>  allow access to IPA CA.
> 
>  Leaving open for discussion about whether to break compatibility
>  for a more consistent behaviour.
> 
Didn't get any feedback in the ticket yet so raising on list for
visibility.  If people agree with current behaviour I can add a
clarification to caacl plugin help text and close out this ticket.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to