[Freeipa-devel] User life cycle: Question about ACI "Admin read-only attributes"
thierry bordaz
tbordaz at redhat.com
Mon Mar 30 09:50:36 UTC 2015
Hello,
The aci "Admin read-only attributes" grants, for the complete
suffix, read access to 'admin' users for the following attributes.
"ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"
"userPassword" and "krbPrincipalKey" are not "read-only" attributes
so I guess it is the reason why they are not part of this list.
For User life cycle, I would need admin users to be granted read
access on "userPassword" and "krbPrincipalKey".
The scope could be limited to Stage container but I was wondering if
there is a security reason to not grant read access on the full suffix ?
thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150330/cd351696/attachment.htm>
More information about the Freeipa-devel
mailing list