[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Petr Viktorin
See commit message. This was found in the review of host write permissions (my patches 0578-0579). -- Petr³ From 3b30eb633431f83817cd3513b44c69d5de40be3c Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 19 Jun 2014 13:01:06 +0200 Subject: [PATCH] Allow read access

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter based on objectclass? I.e.: (targetfilter=(!(objectclass=ipaConfigObject)) instead of DN based target filter? It

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Petr Viktorin
On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter based on objectclass? I.e.:

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Rob Crittenden
Petr Viktorin wrote: On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter based on objectclass? I.e.:

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 04:03 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 03:59 PM, Petr Viktorin wrote: On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it be better to filter based on objectclass?

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Petr Viktorin
On 06/19/2014 04:50 PM, Martin Kosek wrote: On 06/19/2014 03:59 PM, Petr Viktorin wrote: On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write permissions (my patches 0578-0579). Wouldn't it

Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

2014-06-19 Thread Martin Kosek
On 06/19/2014 05:11 PM, Petr Viktorin wrote: On 06/19/2014 04:50 PM, Martin Kosek wrote: On 06/19/2014 03:59 PM, Petr Viktorin wrote: On 06/19/2014 02:19 PM, Martin Kosek wrote: On 06/19/2014 01:39 PM, Petr Viktorin wrote: See commit message. This was found in the review of host write