[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Petr Viktorin pviktori at redhat.com
Thu Jun 19 15:11:56 UTC 2014


On 06/19/2014 04:50 PM, Martin Kosek wrote:
> On 06/19/2014 03:59 PM, Petr Viktorin wrote:
>> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>>> See commit message.
>>>>
>>>> This was found in the review of host write permissions (my patches 0578-0579).
>>>
>>> Wouldn't it be better to filter based on objectclass? I.e.:
>>>
>>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>>
>>> instead of DN based target filter? It seems to me that it is more resilient to
>>> changes in LDAP structure, in case we change RDN or make one more level like
>>> (just example):
>>>
>>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>>
>> Sure, fixed patch attached.
>
> /me sighs. I took the information for granted and I did not read the ACI
> carefully and did not notice you sent the wrong patch, which I pushed... Could we
> please fix the filter and remove the target part now?
>
> Thanks,
> Martin

Sorry for that :(
Here is a fix patch.


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0590.fix-Allow-read-access-to-masters-but-not-their-servi.patch
Type: text/x-patch
Size: 1493 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140619/bac0cd44/attachment.bin>
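As an added illustration of Martin's resilience argument above (this is not code from the patch or from the FreeIPA tree), a small model of a DN-based target versus the `(!(objectclass=ipaConfigObject))` targetfilter, run over a constructed cn=masters subtree that includes the hypothetical DNSSEC level and a hypothetical RDN change. The suffix, the tree, the one-RDN wildcard semantics and the `fqdn=` rename are assumptions.

```python
# Added example (not from the FreeIPA patch): compares two ways of scoping the
# "read masters, but not their services" ACI. DNs, objectclasses and the
# wildcard semantics are assumptions made for the illustration.
import re

SUFFIX = "dc=ipa,dc=test"                      # assumed suffix
MASTERS = "cn=masters,cn=ipa,cn=etc," + SUFFIX

# Constructed tree: one master, a service below it and, as in the thread's
# example, one more level (DNSSEC) below the DNS service.
TREE = {
    "cn=ipa.master.test," + MASTERS: {"top", "nsContainer"},
    "cn=DNS,cn=ipa.master.test," + MASTERS: {"top", "nsContainer", "ipaConfigObject"},
    "cn=DNSSEC,cn=DNS,cn=ipa.master.test," + MASTERS: {"top", "nsContainer", "ipaConfigObject"},
}

# Same tree after a hypothetical schema change: masters keyed by fqdn= not cn=.
RENAMED_TREE = {
    dn.replace("cn=ipa.master.test", "fqdn=ipa.master.test"): ocs
    for dn, ocs in TREE.items()
}


def by_dn_target(tree, pattern="cn=*," + MASTERS):
    """DN-based target; '*' is modelled as exactly one RDN value, so only
    direct children of cn=masters with a cn= RDN can match."""
    regex = "^" + re.escape(pattern).replace(r"\*", "[^,]+") + "$"
    return {dn for dn in tree if re.match(regex, dn, re.IGNORECASE)}


def by_objectclass_filter(tree, subtree=MASTERS):
    """targetfilter (!(objectclass=ipaConfigObject)) applied to the masters
    subtree: the entry's type decides, not its position or RDN attribute."""
    return {
        dn for dn, ocs in tree.items()
        if dn.lower().endswith("," + subtree.lower())
        and not any(oc.lower() == "ipaconfigobject" for oc in ocs)
    }


if __name__ == "__main__":
    for name, tree in (("current tree", TREE), ("renamed RDN", RENAMED_TREE)):
        print(name, "dn-target:", sorted(by_dn_target(tree)))
        print(name, "objectclass:", sorted(by_objectclass_filter(tree)))
```

On the current tree both variants expose only the master entry; after the RDN change the DN-based target silently matches nothing, while the objectclass filter still exposes the master and still hides DNS and DNSSEC.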

