Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan
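Review bot: The two added entries carry the same cn, "Write IPA Configuration", and differ only in their container (cn=privileges versus cn=permissions) and one objectClass (nestedgroup versus ipapermission), so they read as a duplicate at first glance; a comment above each dn saying which one is the privilege and which is the permission would make that explicit. The quoted lines do not show the ACI on cn=ipaconfig, so it is worth confirming in the full patch that the ACI refers to the cn=permissions DN and not the identically named cn=privileges one.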
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan I think this is OK. We are adding 2 objects - one permission called Write IPA Configuration (with an underlying ACI) and one privilege also called Write IPA Configuration. Therefore they cannot be merged to one LDAP object. Oh, sorry, I didn't see that one object is privilege and another one is permission. Jan
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan Yeah, I know it's redundant looking but these need to be 2 separate records. Privileges are for the most part a 1-1 relationship to permissions but not always. We wanted to have this intermediate object to make things easier for the end-user when assigning them to roles. rob
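Added example, not part of the thread or of the FreeIPA code base: a small Python lint over the two forms discussed above, showing what the merged single entry loses compared with the two separate records. The parser handles only the `dn:` / `default:` lines seen in the quoted patch, and the rule that `ipapermission` entries sit under `cn=permissions` is an assumption taken from that patch.

```python
# Entries as quoted from the patch (update-file syntax, $SUFFIX left unexpanded).
PATCH_FORM = """\
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Write IPA Configuration

dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Write IPA Configuration
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
"""
# The single-entry alternative asked about in the review.
MERGED_FORM = """\
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: ipapermission
default:cn: Write IPA Configuration
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
"""

def parse_entries(text):
    """Map each dn to {attribute: [values]} from 'default:attr: value' lines."""
    entries, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("dn:"):
            cur = entries.setdefault(line[3:].strip(), {})
        elif line.startswith("default:") and cur is not None:
            attr, _, value = line[8:].partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def lint(text):
    """Findings list; assumes ipapermission entries belong under cn=permissions."""
    findings = []
    for dn, attrs in parse_entries(text).items():
        is_perm = ",cn=permissions," in dn
        if ("ipapermission" in attrs.get("objectclass", [])) != is_perm:
            findings.append("ipapermission class and container disagree: " + dn)
        for member in attrs.get("member", []):
            if member == dn:
                findings.append("entry is a member of itself: " + dn)
            elif is_perm and ",cn=privileges," not in member:
                findings.append("permission member is not a privilege: " + member)
    return findings
```

`lint(PATCH_FORM)` returns an empty list, while `lint(MERGED_FORM)` reports both the misplaced `ipapermission` class and the self-referencing `member` value.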
Re: [Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Jan Zelený wrote: Martin Kosek mko...@redhat.com wrote: On Mon, 2011-02-14 at 14:37 +0100, Jan Zelený wrote: Rob Crittenden rcrit...@redhat.com wrote: Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob I'm not quite sure how the patch works. In particular, I wonder about these two blocks: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:cn: Write IPA Configuration + +dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Can't they be specified in one block like: +dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: ipapermission +default:cn: Write IPA Configuration +default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX Thanks in advance Otherwise the patch looks good, so if this is not an issue, I give it ACK. Jan I think this is OK. We are adding 2 objects - one permission called Write IPA Configuration (with an underlying ACI) and one privilege also called Write IPA Configuration. Therefore they cannot be merged to one LDAP object. Oh, sorry, I didn't see that one object is privilege and another one is permission. Jan pushed to master
[Freeipa-devel] [PATCH] 719 permission for cn=ipaconfig
Add permission and privilege for updating the IPA configuration in cn=ipaconfig. ticket 950 rob freeipa-rcrit-719-permission.patch Description: application/mbox