On 09/18/2014 04:06 PM, David Kupka wrote: > On 09/18/2014 03:44 PM, Rob Crittenden wrote: >> David Kupka wrote: >>> https://fedorahosted.org/freeipa/ticket/4421 >> >> You are removing an ACI in this patch. It is always possible it is no >> longer needed. Did you test all the client enrollment scenarios? >> >> rob >> > > As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is > possible to add krbPrincipalName to host even when there is already one (or > more). And adding one ACI to allow writing krbCanonicalName to host. > But I'm still not really familiar with ACI so please correct me if I'm wrong. >
What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: - 'ipapermtargetfilter': [ - '(objectclass=ipahost)', - '(!(krbprincipalname=*))', - ], ? Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel