Martin Kosek <mko...@redhat.com> wrote:
> On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote:
> > Rob Crittenden <rcrit...@redhat.com> wrote:
> > > Add permission and privilege for updating the IPA configuration in
> > > cn=ipaconfig.
> > >
> > > ticket 950
> > >
> > > rob
> >
> > I'm not quite sure how the patch works. In particular, I wonder about
> > these two blocks:
> >
> > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: nestedgroup
> > +default:cn: Write IPA Configuration
> > +
> > +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: ipapermission
> > +default:cn: Write IPA Configuration
> > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> >
> > Can't they be specified in one block like:
> >
> > +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> > +default:objectClass: top
> > +default:objectClass: groupofnames
> > +default:objectClass: nestedgroup
> > +default:objectClass: ipapermission
> > +default:cn: Write IPA Configuration
> > +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
> >
> > Thanks in advance
> >
> > Otherwise the patch looks good, so if this is not an issue, I give it
> > ACK.
> >
> > Jan
>
> I think this is OK. We are adding 2 objects - one permission called
> "Write IPA Configuration" (with an underlying ACI) and one privilege
> also called "Write IPA Configuration". Therefore they cannot be merged
> to one LDAP object.

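Review bot: The two added `dn:` entries carry the same cn, "Write IPA Configuration", and differ only in their container (cn=privileges vs cn=permissions) and one objectClass (nestedgroup vs ipapermission), which makes them easy to misread as one entry written twice. Consider giving each entry a description value that says whether it is the privilege or the permission. The quoted lines also do not show the ACI that grants write access under cn=ipaconfig, so the set of attributes this permission covers cannot be checked from this excerpt; it is worth confirming that the ACI is scoped to the configuration attributes intended to be writable and nothing broader.
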
Oh, sorry, I didn't see that one object is privilege and another one is permission.

Jan