[Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený
jzeleny at redhat.com
Mon Feb 14 13:50:59 UTC 2011
Martin Kosek <mkosek at redhat.com> wrote:
> On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
> > Rob Crittenden <rcritten at redhat.com> wrote:
> > > Add permission and privilege for updating the IPA configuration in
> > > cn=ipaconfig.
> > >
> > > ticket 950
> > >
> > > rob
> >
> > I'm not quite sure how the patch works. In particular, I wonder about
> > these two blocks:
> >
> > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: nestedgroup
> > +default:cn: Write IPA Configuration
> > +
> > +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: ipapermission
> > +default:cn: Write IPA Configuration
> > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
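Review bot: the two entries carry the identical cn "Write IPA Configuration" and differ only in their container (cn=privileges vs cn=permissions) and one objectClass (nestedgroup vs ipapermission), so they are easy to misread as a single object. A comment line above each dn: saying which is the privilege and which is the permission would help. Separately, the permission's member value points at the privilege DN, but the quoted lines do not show the ACI that grants write access under cn=ipaconfig; confirm the patch includes it, that it is bound to the cn=permissions group DN, and that it is limited to the attributes an administrator is meant to change.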
> >
> > Can't they be specified in one block like:
> >
> > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: nestedgroup
> > +default:objectClass: ipapermission
> > +default:cn: Write IPA Configuration
> > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
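Review bot: in this merged form the member value on the last line is the same DN as the entry's own dn: line, so the object would list itself as its only member, and no entry would exist under cn=permissions for an ACI to reference. Keep the privilege and the permission as separate entries, with the permission's member attribute pointing at the privilege.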
> >
> > Thanks in advance
> >
> > Otherwise the patch looks good, so if this is not an issue, I give it
> > ACK.
> >
> > Jan
>
> I think this is OK. We are adding 2 objects - one permission called
> "Write IPA Configuration" (with an underlying ACI) and one privilege
> also called "Write IPA Configuration". Therefore they cannot be merged
> to one LDAP object.
Oh, sorry, I didn't see that one object is privilege and another one is
permission.
Jan