Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 05:11 PM, Petr Viktorin wrote: > On 06/19/2014 04:50 PM, Martin Kosek wrote: >> On 06/19/2014 03:59 PM, Petr Viktorin wrote: >>> On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: > See commit message. > > This was found in the re

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Petr Viktorin
On 06/19/2014 04:50 PM, Martin Kosek wrote: On 06/19/2014 03:59 PM, Petr Viktorin wrote: On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 03:59 PM, Petr Viktorin wrote: > On 06/19/2014 02:19 PM, Martin Kosek wrote: >> On 06/19/2014 01:39 PM, Petr Viktorin wrote: >>> See commit message. >>> >>> This was found in the review of host write permissions (my patches >>> 0578-0579). >> >> Wouldn't it be better to filter based

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 04:03 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 06/19/2014 02:19 PM, Martin Kosek wrote: >>> On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). >>> >>> Wouldn'

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Rob Crittenden
Petr Viktorin wrote: > On 06/19/2014 02:19 PM, Martin Kosek wrote: >> On 06/19/2014 01:39 PM, Petr Viktorin wrote: >>> See commit message. >>> >>> This was found in the review of host write permissions (my patches >>> 0578-0579). >> >> Wouldn't it be better to filter based on objectclass? I.e.: >>

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Petr Viktorin
On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter based on objectclass? I.e.: (targetfilter="(!(objectclass=ipaConfigObjec

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 01:39 PM, Petr Viktorin wrote: > See commit message. > > This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter based on objectclass? I.e.: (targetfilter="(!(objectclass=ipaConfigObject))" instead of DN based target filter? I

[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Petr Viktorin
See commit message. This was found in the review of host write permissions (my patches 0578-0579). -- Petr³ From 3b30eb633431f83817cd3513b44c69d5de40be3c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 19 Jun 2014 13:01:06 +0200 Subject: [PATCH] Allow read access to masters, but not