[Freeipa-devel] [PATCH] 386 replica management
Rob Crittenden
rcritten at redhat.com
Fri Mar 19 21:18:15 UTC 2010
Rob Crittenden wrote:
> ipa-replica-manage used to require the DM password for every operation.
> This adds a couple of ACIs so a privileged user can use the 'list' and
> 'del' commands. Doing add is possible but tricky since we use the same
> replication password for all replicas (currently the DM password). We'd
> probably want to create a separate user for each replica if this were
> the case and prompt for a password to use.
>
> This also has a problem where it can't distinguish between "there are no
> replication agreements" and "you aren't allowed to see them" because
> queries to cn=config don't return an error if you are not authorized.
> Pavel is in the process of switching to using ldap2 for all LDAP access
> and this module already has Get Effective Rights support. Once the
> switch is done we can improve the logic here.
>
> rob
I got an ack from Rich Megginson from the 389-ds team, who OK'd the ACI
work I did. He mentioned that we're using LDAPv2-style DN escaping and
should switch this, but I'm going to take that up as a separate task.
Pushed to master.
David, this provides a new way to do an old thing.
rob
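For readers unfamiliar with how a 389-ds ACI can open replication-agreement entries under cn=config to a non-DM account, the following is an illustrative LDIF modification written for this page; it is not the patch Rob pushed and the group DN, suffix and ACL names are assumptions. Agreements in 389-ds are entries of objectclass nsds5replicationagreement beneath the mapping tree, so the ACI targets those and grants read/search for 'list' and delete for 'del', which matches the two commands the message says are now possible without the DM password:

```ldif
# Added example (not FreeIPA's own ACI). Assumed: the privileged users are
# members of cn=replication administrators,cn=groups,cn=accounts,dc=example,dc=com
# and the suffix being replicated is dc=example,dc=com.
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetfilter="(objectclass=nsds5replicationagreement)")
  (targetattr="*")
  (version 3.0; acl "List replication agreements";
   allow (read, search, compare)
   groupdn="ldap:///cn=replication administrators,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
aci: (targetfilter="(objectclass=nsds5replicationagreement)")
  (version 3.0; acl "Delete replication agreements";
   allow (delete)
   groupdn="ldap:///cn=replication administrators,cn=groups,cn=accounts,dc=example,dc=com";)
```

Note the caveat from the message still applies: a bind DN outside that group gets an empty result from a search under cn=config rather than an insufficient-access error, so a tool must consult Get Effective Rights (or otherwise check the bind's permissions) before reporting "no agreements" to the user.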