[Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

Simo Sorce ssorce at redhat.com
Wed Nov 24 14:45:28 UTC 2010


On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden <rcritten at redhat.com> wrote:

> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
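Review bot: krbMKey is listed twice in the targetattr exclusion (once after passwordHistory, again after krbUPEnabled); drop the second occurrence. Because this is a negated targetattr combined with allow (all), every attribute not named in the list is writable by cn=admins, so any sensitive attribute introduced later stays writable unless it is also added here; a comment above the aci stating that maintenance rule would make the intent explicit.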

Ah, I also forgot to say that I am not sure we want admin to be able to
change krbPwdHistory and krbLastPwdChange.
Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
we might let admin write krbLoginFailedCount in order to unlock an
automatically locked account that failed preauth too many times.

We also probably do not want admin to be able to change ipaUniqueId.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
