[Freeipa-devel] [PATCH] UUID Plugin: add "enforce" option

Simo Sorce ssorce at redhat.com
Thu Oct 28 12:00:31 UTC 2010


On Wed, 27 Oct 2010 22:26:53 -0400
Rob Crittenden <rcritten at redhat.com> wrote:

> Simo Sorce wrote:
> >
> > When the ipaUuidEnforce option is set to TRUE only the Directory
> > Manager is allowed to set arbitrary values. Any attempt to set
> > values != the ipaUuidGenerate value by non DirMgr users will throw
> > an error.
> >
> > This is useful to enforce UUIDs are always set by the server.
> >
> > At this moment normal users are still allowed to modify the value so
> > that the uuid is regenerated (and therefore changed, although not
> > with arbitrary values). If modifications are unwanted I guess we
> > can easily add an ACI that allows someone to add the attribute but
> > not modify it afterwards.
> >
> > Currently the install code does not yet set the plugin into
> > enforcing mode as that would break all ipa tools, tomorrow I plan
> > to go through the framework code and rip off the uuid stuff and
> > finally change the default to enforcing for the ipaUniqueID
> > attribute once all client code is converted to always set only "0"
> > on creation.
> >
> > Simo.
> >
> 
> Ack.

pushed to master

> I think we still have some acis controlling access to ipauniqueid. I 
> think we can remove them and save a few cycles in the DS aci
> subsystem.

Ok I will check what's left and propose a separate patch.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
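The access rule the patch description lays out (Directory Manager may set any value; everyone else may only ask for a server-generated UUID) as a small Python model, added here for illustration; it is not the plugin's code. Assumed: the Directory Manager bind DN is the 389 DS default `cn=directory manager`, the generate value is the "0" mentioned in the thread, and a missing attribute on add is treated like the generate value.

```python
import uuid

# Assumed defaults; the real plugin reads its configuration from the DS config entry.
DIRECTORY_MANAGER_DN = "cn=directory manager"
GENERATE_SENTINEL = "0"          # value clients set on creation to request generation


def is_uuid(value):
    """True if value is a canonical (hyphenated, lowercase-insensitive) UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def evaluate_uuid_write(bind_dn, requested, enforce=True, generate=uuid.uuid4):
    """Decide what the server stores for one ipaUniqueID write (add or modify).

    Returns ("stored", value) when the write is accepted, or ("rejected", reason)
    when the enforce policy refuses it. `generate` is injectable so tests can
    check the regeneration path deterministically.
    """
    # The generate sentinel (or an absent attribute, by assumption) always yields a
    # fresh server-chosen UUID, whoever is bound: ordinary users may cause the
    # value to change this way, but can never pick it.
    if requested is None or requested == GENERATE_SENTINEL:
        return ("stored", str(generate()))
    # Non-enforcing mode (the state the thread describes as current): any client
    # may write an arbitrary value. This is the gap enforce mode closes.
    if not enforce:
        return ("stored", requested)
    # Enforcing mode: only Directory Manager may set an arbitrary value.
    if bind_dn.strip().lower() == DIRECTORY_MANAGER_DN:
        return ("stored", requested)
    return ("rejected",
            "ipaUuidEnforce: only Directory Manager may set ipaUniqueID to a "
            "value other than %r" % GENERATE_SENTINEL)
```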