From e31d5fb1cfc7b7b2ed47202e0ef1c462f01a046b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 10 Jul 2009 16:40:39 -0400
Subject: Implement support for non-LDAP-based actions that use the LDAP ACI
 subsystem.

There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
---
 ipalib/constants.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'ipalib/constants.py')

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 60d2510b6..e9216be07 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -96,6 +96,7 @@ DEFAULT_CONFIG = (
     ('container_netgroup', 'cn=ng,cn=alt'),
     ('container_hbac', 'cn=hbac'),
     ('container_dns', 'cn=dns'),
+    ('container_virtual', 'cn=virtual operations'),
 
     # Ports, hosts, and URIs:
     ('lite_xmlrpc_port', 8888),
-- 
cgit