[Freeipa-devel] [PATCH] 386 replica management

Rob Crittenden rcritten at redhat.com
Fri Mar 19 21:18:15 UTC 2010


Rob Crittenden wrote:
> ipa-replica-manage used to require the DM password for every operation. 
> This adds a couple of ACIs so a privileged user can use the 'list' and 
> 'del' commands. Doing add is possible but tricky since we use the same 
> replication password for all replicas (currently the DM password). We'd 
> probably want to create a separate user for each replica if this were 
> the case and prompt for a password to use.
> 
> This also has a problem where it can't distinguish between "there are no 
> replication agreements" and "you aren't allowed to see them" because 
> queries to cn=config don't return an error if you are not authorized. 
> Pavel is in the process of switching to using ldap2 for all LDAP access 
> and this module already has Get Effective Rights support. Once the 
> switch is done we can improve the logic here.
> 
> rob

I got an ack from Rich Megginson from the 389-ds team who ok'd the ACI 
work I did. He mentioned that we're using LDAPv2-style DN escaping and 
should switch this but I'm going to take that up as a separate task.

pushed to master.

David, this provides a new way to do an old thing.

rob
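As an added illustration of the kind of ACIs the patch description refers to (constructed for this note, not the ACIs from Rob's patch; the group DN, suffix and ACI names are placeholders): two 389-ds ACIs on the mapping tree that let members of a group read and delete replication agreement entries under cn=config, which is what the 'list' and 'del' operations need without binding as Directory Manager.

```ldif
# Constructed example, not the patch's own ACIs. Apply as Directory Manager,
# e.g. ldapmodify -D "cn=Directory Manager" -W -f <this file>.
# The group DN and suffix below are placeholders.
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetfilter="(objectclass=nsds5replicationagreement)")(targetattr="*")(version 3.0; acl "Read replication agreements"; allow (read, search, compare) groupdn="ldap:///cn=replication administrators,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
aci: (targetfilter="(objectclass=nsds5replicationagreement)")(version 3.0; acl "Delete replication agreements"; allow (delete) groupdn="ldap:///cn=replication administrators,cn=groups,cn=accounts,dc=example,dc=com";)
```

The read ACI is deliberately separate from the delete ACI so that a group can be given 'list' without 'del'. As the thread notes, a bind that lacks the read right gets an empty result from cn=config rather than an error, so a tool cannot tell "no agreements" from "not authorized" without something like Get Effective Rights.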
