On Wed, 2014-09-03 at 13:27 +0200, Petr Viktorin wrote:
> Hello,
> This adds managed read permissions to the compat tree.
> 
> For users it grants anonymous access; authenticated users can read 
> groups, hosts and netgroups.
> 
> I'm unsure if this is what we want to do for groups, but "Read Group 
> Membership" is only granted to authenticated users by default, and the 
> compat tree exposes memberuid.

The reason we restrict member is because it exposes also hbac, sudo and
other sensible groupings. memberuid does not have those groups in, so I
think it is safe (and necessary for legacy clients) to allow anonymous
to read it, just like for users.

Simo.

> https://fedorahosted.org/freeipa/ticket/4521
> 


-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
