[Freeipa-devel] [PATCH] 52 Disallow deletion of global password policy

Martin Kosek mkosek at redhat.com
Wed Oct 12 08:16:00 UTC 2011


On Wed, 2011-10-12 at 09:28 +0200, Jan Cholasta wrote:
> On 11.10.2011 15:19, Rob Crittenden wrote:
> > Jan Cholasta wrote:
> >> Don't allow "ipa pwpolicy-del global_policy".
> >>
> >> https://fedorahosted.org/freeipa/ticket/1936
> >
> > Can you add a unit test case for this? Then ack.
> >
> >>
> >> Questions:
> >>
> >> Is it possible to disallow deletion of specific objects on LDAP level
> >> instead?
> >
> > Well, that would be ideal in some cases. We'd need to write a plugin to
> > intercept changes and have it compare it to a list of "no deletes". You
> > can file an RFE if you want, this might be handy to have.
> >
> >>
> >> The default HBAC rule, allow_all, can also be deleted - should it be
> >> disallowed too?
> >
> > This is one we want to be removable. Before we had this the default HBAC
> > stance was "nobody can log in" and it was jarring to most folks.
> >
> > It is possible to install without this rule using the option
> > --no_hbac_allow
> >
> > rob
> 
> Unit test added.
> 
> Honza

Second ACK and pushed to master, ipa-2-1.

Martin



