[yi@works4me ipa-config]$ ipa config-show --all
  dn: cn=ipaconfig,cn=etc,dc=sjc,dc=redhat,dc=com
  Max username length: 8
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: sjc.redhat.com
  Search time limit: 2
  Search size limit: 0
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Migration mode: FALSE
  Certificate Subject base: O=IPA
  aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=sjc,dc=redhat,dc=com";)
  cn: ipaConfig
  ipagroupobjectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  ipapwdexpadvnotify: 4
  ipauserobjectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, radiusprofile, ipaobject
  objectclass: nsContainer, top, ipaGuiConfig
The output is confusing and needs to be cleaned up.
Rob suggested: We should add labels for cn, ipagroupobjectclasses, ipapwdexpadvnotify and ipauserobjectclasses.
We should probably relocate the aci to cn=etc so it doesn't show in the --all output. I don't want to suppress it because --all means everything, but it could be confusing for that enterprising user that is hunting around.
add labels freeipa-rcrit-624-config.patch
I'm dropping making subject base configurable. It just makes it seem like this is actually possible when it isn't (at least not this trivially).
Moved the aci one level higher.
I'm leaving cn as it is. There is nothing to show for it. --all is very close to an LDAP query, it is what it is.
master: 1a20d75
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.0 - 2010/12 (FC)