On 09/18/2014 04:40 PM, Simo Sorce wrote:
On Thu, 18 Sep 2014 16:28:19 +0200
Martin Kosek <mko...@redhat.com> wrote:

On 09/18/2014 04:06 PM, David Kupka wrote:
On 09/18/2014 03:44 PM, Rob Crittenden wrote:
David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4421

You are removing an ACI in this patch. It is always possible it is
no longer needed. Did you test all the client enrollment scenarios?

rob


As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
it is possible to add krbPrincipalName to host even when there is
already one (or more). And adding one ACI to allow writing
krbCanonicalName to host. But I'm still not really familiar with
ACI so please correct me if I'm wrong.


What Rob refers to is probably the update in ACI.txt - the ACI
alternative to API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-            'ipapermtargetfilter': [
-                '(objectclass=ipahost)',
-                '(!(krbprincipalname=*))',
-            ],
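Review bot: dropping the whole `ipapermtargetfilter` list removes more than the `(!(krbprincipalname=*))` clause that blocked hosts which already have a principal; it also removes `(objectclass=ipahost)`, so nothing visible in this hunk restricts the permission to host entries any more. If the intent is only to allow writing krbPrincipalName to hosts that already have one, keep `'ipapermtargetfilter': ['(objectclass=ipahost)']` and delete just the negated krbprincipalname clause, and say so in the commit message.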

?

I think also both the code and the tests are missing to ensure that
the krbPrincipalName *also* *always* lists the krbCanonicalName.

I think with the current code you can end up in a situation where you
can have a value in KrbCanonicalName and completely different values in
KrbPrincipalName.

I didn't realize that there is such a requirement although it's logical. I will fix it, thanks.


Simo.


--
David Kupka

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
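The two points raised in the thread, the target filter that kept the permission from applying to hosts that already have a principal, and the invariant that krbCanonicalName must always be one of the krbPrincipalName values, can be modelled outside the directory. The following is an added illustration and not FreeIPA's code. It assumes an entry is a plain dict of attribute name to list of values, that the filter list in a permission is ANDed, and that a host with no canonical name yet takes its first principal as canonical; the function names are hypothetical.

```python
"""Hypothetical model of the host principal invariant discussed in the
thread: krbCanonicalName must always be listed in krbPrincipalName.
Added illustration, not FreeIPA code."""

from typing import Dict, List

# LDAP-ish entry: attribute name -> list of values (assumption of this model)
Entry = Dict[str, List[str]]


def old_target_filter_matches(entry: Entry) -> bool:
    """True when the entry matches the removed permission target filter,
    i.e. '(objectclass=ipahost)' AND '(!(krbprincipalname=*))' (the list
    entries are assumed to be ANDed). A host that already has a principal
    never matched, which is why adding a second one was not permitted."""
    is_host = any(v.lower() == "ipahost" for v in entry.get("objectClass", []))
    return is_host and not entry.get("krbPrincipalName")


def add_principal_alias(entry: Entry, principal: str) -> Entry:
    """Add a principal to krbPrincipalName even when one or more already
    exist. Existing values are kept; duplicates are not added."""
    values = entry.setdefault("krbPrincipalName", [])
    if principal not in values:
        values.append(principal)
    # First-wins policy (assumption): a host without a canonical name gets
    # its first principal as krbCanonicalName so the invariant holds at once.
    if not entry.get("krbCanonicalName"):
        entry["krbCanonicalName"] = [principal]
    return entry


def set_canonical_name(entry: Entry, principal: str) -> Entry:
    """Make `principal` the canonical name. Because the canonical name must
    also be a principal, it is added to krbPrincipalName when missing."""
    add_principal_alias(entry, principal)
    entry["krbCanonicalName"] = [principal]
    return entry


def remove_principal_alias(entry: Entry, principal: str) -> Entry:
    """Remove a principal alias; refuse to remove the canonical name, since
    that would leave krbCanonicalName pointing at a value no longer listed."""
    if principal in entry.get("krbCanonicalName", []):
        raise ValueError(f"{principal} is the canonical name; set another first")
    values = entry.get("krbPrincipalName", [])
    if principal in values:
        values.remove(principal)
    return entry


def check_consistency(entry: Entry) -> List[str]:
    """Return the list of invariant violations for a host entry (empty when
    consistent). This is the check the thread says the code and tests lack."""
    problems: List[str] = []
    canonical = entry.get("krbCanonicalName", [])
    principals = entry.get("krbPrincipalName", [])
    if len(canonical) > 1:
        problems.append("krbCanonicalName must be single-valued")
    for c in canonical:
        if c not in principals:
            problems.append(f"krbCanonicalName {c} is not listed in krbPrincipalName")
    return problems


if __name__ == "__main__":
    # Constructed sample: the inconsistent state Simo describes, where the
    # canonical name and the principal list have nothing in common.
    host: Entry = {
        "objectClass": ["ipahost"],
        "krbPrincipalName": ["host/a.example.test@EXAMPLE.TEST"],
        "krbCanonicalName": ["host/b.example.test@EXAMPLE.TEST"],
    }
    print("old filter would match:", old_target_filter_matches(host))
    print("problems before:", check_consistency(host))
    set_canonical_name(host, "host/b.example.test@EXAMPLE.TEST")
    print("problems after:", check_consistency(host))
    print("principals now:", host["krbPrincipalName"])
```

The validator is deliberately separate from the mutators so it can be run over entries that were written by some other path (an older client, a direct LDAP modify) and not just over entries this code produced.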