[Freeipa-devel] [PATCH] 566 disallow writes on some attributes

Rob Crittenden rcritten at redhat.com
Fri Oct 8 19:07:53 UTC 2010


Rob Crittenden wrote:
> Disallow writes on serverHostName, enrolledBy and memberOf
>
> Regular users already can't write these, it just affects admins.
>
> serverHostName because this is tied to the FQDN so should only be
> changed on a host rename (which we don't do).
>
> enrolledBy because this should reflect reality.
>
> memberOf because the plugin should do this. Directly managing this
> attribute would be pretty dangerous and confusing.
>
> Also remove a redundant aci granting the admins group write access to
> users and groups. They have it through the "admins can modify any
> entry" aci.
>
> tickets 300, 302, 304
>
> rob

Updated patch. We need to allow writing enrolledBy so we can actually 
enroll a host! I'll have to prevent writes to this by other means or 
through a more specific aci.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-566-write.patch
Type: application/mbox
Size: 4685 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101008/53391d57/attachment.mbox>

