Jan Zelený wrote:
Rob Crittenden <[email protected]> wrote:
Add permission and privilege for updating the IPA configuration in
cn=ipaconfig.
ticket 950
rob
I'm not quite sure how the patch works. In particular, I wonder about
these two blocks:
+dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Write IPA Configuration
+
+dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Write IPA Configuration
+default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
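Review bot: the permission entry (second block, cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX) only sets objectClass, cn and member, and the quoted lines contain no aci on cn=ipaconfig that refers to this permission, so these two entries on their own grant no write access. Please confirm that the aci is added elsewhere in the patch and state in the commit message which attributes it makes writable. The privilege and the permission also share the same cn and differ only by container, which makes the member value easy to misread; a description attribute on each entry would make the intent clear.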
Can't they be specified in one block like:
+dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:objectClass: ipapermission
+default:cn: Write IPA Configuration
+default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
Thanks in advance
Otherwise the patch looks good, so if this is not an issue, I give it ACK.
Jan
Yeah, I know it's redundant looking but these need to be 2 separate records.
Privileges are for the most part a 1-1 relationship to permissions but
not always. We wanted to have this intermediate object to make things
easier for the end-user when assigning them to roles.
rob
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel