> Finn Fysj via FreeIPA-users wrote:
>
> It has to do with where ACIs live in the tree. If all ACIs live in the
> basedn then for every single operation, all ACIs will be evaluated. This
> is slow.
>
> We try to locate ACIs within the "container" for each object instead of
> globally (e.g. cn=users,cn=accounts). This applies the user-specific
> ACIs only when user objects are managed.
>
> I don't know about old and new with subtree and type. From what I
> remember this has always been available on the cli from my initial
> implementation. The type (user,group,host,etc) is shorthand for where
> the ACI will be placed so that users don't need to understand the tree
> layout. Subtree is a more manual approach to this to provide flexibility.
>
> As I said, I can't believe that a global aci granting access to
> member/memberof would affect HBAC evaluation. HBAC doesn't bind as
> anonymous so these shouldn't even apply.
>
> rob

Hmm... Alright. I appreciate your time and effort, Rob.

/Cheers
