[Freeipa-devel] [PATCH] editors can update objectclass

Simo Sorce ssorce at redhat.com
Mon Mar 24 20:45:03 UTC 2008


On Mon, 2008-03-24 at 15:47 -0400, Rob Crittenden wrote:
> We have a set of default objectclasses for users and groups. When a
> user/group is updated their current set of OC's is compared against the
> one stored in ipaconfig and if different it is updated.
> 
> The problem is that delegated users may be requesting the change which
> will fail due to insufficient permissions on the objectclass attribute.
> This ACI will let them write.

This is exactly the problem I anticipated when we discussed this
"auto-update" feature.

I'd like to NACK this way of solving the problem because it will solve
it only for a subset of all possible situations. In fact, if the missing
objectclass has a MUST attribute the delegated user does not have access
to (say a special password or something like that), we are back to the
same problem.

Personally I think we should not "auto-update" user entries, as I see
legitimate cases when someone may want to have "exceptions", and
auto-updates are very bad in this case as they do not understand what an
exception is.

I see that it might be useful to have the option of being able to update
a user entry with new default objectclasses but I think this should be
intentional, and can be done by adding a checkbox or something like that
an editor can select.

If the editor has enough rights, he will be able to add the new stuff;
otherwise it's not in his rights anyway.

Maybe we can check if the specific user has access to the objectclass
using GRE and show/not show the checkbox depending on that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
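As an added example (not FreeIPA's own code and not part of the thread), the following Python sketches the check Simo describes: before auto-updating an entry's objectclasses, verify that the editor can write not only objectClass but also every MUST attribute the new classes bring in. The schema fragment, the entry and the set of writable attributes are constructed inputs standing in for what an effective-rights query against the server would return; ipasecretholder and its ipasecret attribute are hypothetical.

```python
"""Decide whether the objectclass auto-update discussed in the thread can
succeed for a delegated editor.

Added example, not FreeIPA code. Schema, entry and rights data below are
constructed stand-ins for what a directory server would return.
"""

# Constructed schema fragment: objectclass -> attributes it requires (MUST).
# 'ipasecretholder' is hypothetical: a class whose MUST attribute is sensitive.
SCHEMA_MUST = {
    "inetorgperson": {"cn", "sn"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "krbprincipalaux": set(),
    "ipasecretholder": {"ipasecret"},
}


def missing_objectclasses(entry_ocs, default_ocs):
    """Objectclasses in the configured default set that the entry lacks."""
    have = {oc.lower() for oc in entry_ocs}
    return sorted(oc for oc in default_ocs if oc.lower() not in have)


def required_new_attributes(entry, new_ocs):
    """MUST attributes introduced by new_ocs that the entry does not carry yet."""
    present = {a.lower() for a in entry}
    needed = set()
    for oc in new_ocs:
        needed |= SCHEMA_MUST.get(oc.lower(), set())
    return sorted(a for a in needed if a not in present)


def auto_update_plan(entry, default_ocs, writable_attrs):
    """Return (can_update, blocked_attrs).

    can_update is True only when the editor may write 'objectclass' AND every
    MUST attribute the new objectclasses bring in. An ACI granting write on
    objectclass alone is therefore not sufficient, which is the objection
    raised in the thread.
    """
    writable = {a.lower() for a in writable_attrs}
    new_ocs = missing_objectclasses(entry.get("objectclass", []), default_ocs)
    if not new_ocs:
        return True, []
    needed = ["objectclass"] + required_new_attributes(entry, new_ocs)
    blocked = [a for a in needed if a not in writable]
    return not blocked, blocked
```

In a real deployment the writable set would come from the server's effective-rights response for the bound editor, and the result would drive whether the update checkbox is offered at all.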
