[Freeipa-devel] [PATCH] 386 replica management
Rob Crittenden
rcritten at redhat.com
Fri Feb 19 18:35:59 UTC 2010

ipa-replica-manage used to require the DM password for every operation.
This adds a couple of ACIs so a privileged user can use the 'list' and
'del' commands. Doing add is possible but tricky since we use the same
replication password for all replicas (currently the DM password). We'd
probably want to create a separate user for each replica if this were
the case and prompt for a password to use.

This also has a problem where it can't distinguish between "there are no
replication agreements" and "you aren't allowed to see them" because
queries to cn=config don't return an error if you are not authorized.
Pavel is in the process of switching to using ldap2 for all LDAP access
and this module already has Get Effective Rights support. Once the
switch is done we can improve the logic here.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-386-replica.patch
Type: application/mbox
Size: 8116 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20100219/6fc05aaf/attachment.mbox>
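
The ambiguity described in the message (an empty result from cn=config can mean "no agreements" or "not allowed to see them") is illustrated by the following added example, which is not part of the original message or of the FreeIPA code. It parses entryLevelRights and attributeLevelRights values in the syntax 389 Directory Server returns for a Get Effective Rights search; the function names and sample values are constructed, and it assumes the replica entry that parents the agreements is covered by the same ACIs as the agreements themselves.

```python
# Added example: qualify an empty replication-agreement search using
# Get Effective Rights (GER) values. All sample values are constructed.
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_RIGHTS = {"r": "read", "s": "search", "w": "write", "o": "delete",
               "c": "compare", "W": "self-write", "O": "self-delete"}
ADMIN_GER = {"entryLevelRights": "vd",
             "attributeLevelRights": "cn:rsc, objectClass:rsc"}
DENIED_GER = {"entryLevelRights": "none", "attributeLevelRights": "*:none"}


def parse_entry_rights(value):
    """'vadn' -> {'view', 'add', 'delete', 'rename'}; 'none' -> set()."""
    return set() if value == "none" else {ENTRY_RIGHTS.get(c, c) for c in value}


def parse_attr_rights(value):
    """'cn:rsc, objectClass:none' -> {'cn': {...}, 'objectclass': set()}."""
    rights = {}
    for item in value.split(","):
        name, _, flags = item.strip().partition(":")
        if name:
            rights[name.lower()] = (
                set() if flags == "none" else {ATTR_RIGHTS.get(c, c) for c in flags})
    return rights


def classify(agreements, parent_ger):
    """Say what an agreement search result means for the bound user.

    agreements: DNs returned by the agreement search under cn=config.
    parent_ger: GER attributes of the replica entry that parents the
                agreements, or None if that entry was not returned at all.
    Assumption: the parent is covered by the same ACIs as the agreements.
    """
    if agreements:
        return "agreements-found"
    if parent_ger is None:
        return "not-authorized"
    entry = parse_entry_rights(parent_ger.get("entryLevelRights", "none"))
    attrs = parse_attr_rights(parent_ger.get("attributeLevelRights", ""))
    objectclass = attrs.get("objectclass", attrs.get("*", set()))
    if "view" in entry and {"read", "search"} <= objectclass:
        return "no-agreements"      # the user could have matched entries
    return "not-authorized"         # empty result proves nothing
```
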