The default delegation target objects under cn=s4u2proxy,cn=etc,$SUFFIX are created without a necessary structural objectclass. They should include the nsContainer objectclass in bootstrap-template.ldif and the related update file.
Should be done together with #3644.
I forgot to move this one in the previous update - moving to the same milestone as #3644.
Moving to same milestone as #3644.
Martin can look at that together with #3644.
What is the reason to add nsContainer objectclass to entries under cn=s4u2proxy,cn=etc,$SUFFIX?
A: objectClass: groupOfPrincipals is auxiliary; we need one structural objectclass in the entry.
Do we really need to add nsContainer? It will then be difficult to change visibility for s4u2proxy objects, as nsContainer visibility is globally allowed. Please consider another structural objectclass, even our own.
This is the ACI I am talking about:
install/updates/20-aci.update:add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
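The visibility concern in the comment above, as an added example that is not part of the original ticket or FreeIPA's code: it evaluates only the quoted ACI's targetfilter, target!= and targetattr against an entry, before and after nsContainer is added. The suffix, the entry name and the memberPrincipal value are constructed for illustration.

```python
# Added example: models only the one ACI quoted above, not the 389-ds ACI engine.
SUFFIX = "dc=example,dc=test"  # constructed suffix
TARGETFILTER = "(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))"
EXCLUDED = "cn=masters,cn=ipa,cn=etc," + SUFFIX  # the ACI's target!= subtree
TARGETATTR = {"objectclass", "cn"}

def parse(f, i=0):
    """Parse the filter subset used here (&, |, !, equality); return (node, next index)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry whose attribute names are lowercase."""
    if node[0] == "=":
        return node[2] in {v.lower() for v in entry.get(node[1], [])}
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def anonymous_readable(dn, entry):
    """Attributes of the entry that the quoted ACI exposes to ldap:///anyone."""
    dn = dn.lower()  # simplified DN comparison, enough for this illustration
    if dn == EXCLUDED.lower() or dn.endswith("," + EXCLUDED.lower()):
        return set()
    entry = {name.lower(): values for name, values in entry.items()}
    tree, _ = parse(TARGETFILTER)
    return TARGETATTR & set(entry) if matches(tree, entry) else set()

# Constructed delegation-target entry, first as created, then with nsContainer added.
DN = "cn=example-delegation-targets,cn=s4u2proxy,cn=etc," + SUFFIX
AS_CREATED = {"objectClass": ["groupOfPrincipals", "top"],
              "cn": ["example-delegation-targets"],
              "memberPrincipal": ["ldap/host.example.test@EXAMPLE.TEST"]}
WITH_NSCONTAINER = dict(AS_CREATED, objectClass=["nsContainer", "groupOfPrincipals", "top"])

print(anonymous_readable(DN, AS_CREATED))
print(anonymous_readable(DN, WITH_NSCONTAINER))
```

A structural objectclass that the targetfilter does not match would leave the first result unchanged, which is the alternative the comment asks for.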
Moving out together with #3644.
Free to take, see #3644.
With #3644 closed, this work was apparently either done or not needed.
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.2