Rob Crittenden <rcrit...@redhat.com> wrote:
> Jan Zelený wrote:
> > Rob Crittenden <rcrit...@redhat.com> wrote:
> >> Jan Zelený wrote:
> >>> Recent change of DNS module to version caused that dns object type
> >>> was replaced by dnszone and dnsrecord. This patch corrects dns types
> >>> in permissions class.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/646
> >>
> >> Nack. These values need to be added as valid types to the aci plugin and
> >> the _type_map needs to be updated.
> >>
> >> rob
> >
> > I'm sending an updated patch.
> >
> > Jan
>
> Since dnszone and dnsrecord point to the same kind of entry what is the
> point of having two separate names for them? When we read the entry we
> aren't going to be able to differentiate between the two.

I didn't take a look at how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types.

> Can the type be made more specific?

If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investigate further. But if not, I still think this is the way to go considering the underlying issue which we tried to solve by this change.

Jan