[Freeipa-devel] Handling of krbPrincipalExpiration in default ACI

Simo Sorce simo at redhat.com
Wed Jan 8 14:19:40 UTC 2014


On Wed, 2014-01-08 at 13:42 +0100, Tomas Babej wrote:
> Hi,
> 
> I'm working on exposing the krbPrincipalExpiration attribute in the CLI
> (https://fedorahosted.org/freeipa/ticket/3306). However, this attribute
> is exempted from the default ACL "Admin can manage any entry"
> (install/share/default-aci.ldif +8).
> 
> Now, we have several options:
> 1.) remove it from blacklisted options in "Admin can manage any entry" ACL

Nope, it was excluded on purpose, to prevent admins from playing with
it.

> 2.) create a new permission that allows writing to this attribute (i.e.
> Modify Kerberos principal expiration)

Yep, this sounds right.

> 3.) add this attribute to an existing permission (Modify users seems like
> the best candidate, however, the attribute does not really fit even there)

Nope, needs to be explicit for auditing purposes that admins are able to
violate the password policies of users by changing their expiration
date.

> I see that the approach 1.) was taken with the krbTicketFlags
> attribute in the past (install/updates/60-trusts.update +38).

Yes, however I think this too should probably be explicit and have its
own permission with the new permission framework.

> What would be the best approach here?

I say 2.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
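The auditing argument in the reply above can be checked mechanically: an attribute that becomes writable only because it was dropped from a blanket `(targetattr != ...)` allow-all ACI leaves no explicit grant to review, whereas a dedicated permission does. The script below is an added example, not FreeIPA code; the three ACI strings are constructed, simplified stand-ins for the "Admin can manage any entry" ACI, its option-1 variant, and an option-2 permission ACI, with example.com as the suffix.

```python
import re
from dataclasses import dataclass

# Simplified 389-DS ACI shape: (targetattr op "a || b")(version 3.0; acl "name"; allow (rights) groupdn = "...";)
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\)'
    r'.*?acl\s*"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)'
    r'\s*groupdn\s*=\s*"(?P<group>[^"]*)"')

@dataclass
class Grant:
    acl: str       # name of the ACI that grants write access
    group: str     # groupdn receiving the right
    explicit: bool # True only if the attribute is named in a positive targetattr list

def write_grants(acis, attr):
    """Return every ACI in `acis` that lets a group write `attr`, flagging
    whether the grant is explicit (attribute listed) or implicit (blanket
    '*' or a '!=' exclusion list that merely omits the attribute)."""
    attr = attr.lower()
    grants = []
    for aci in acis:
        m = ACI_RE.search(aci)
        if m is None:
            continue
        rights = {r.strip().lower() for r in m['rights'].split(',')}
        if not rights & {'write', 'all'}:
            continue
        attrs = {a.strip().lower() for a in m['attrs'].split('||')}
        if m['op'] == '=' and attr in attrs:
            grants.append(Grant(m['name'], m['group'], explicit=True))
        elif m['op'] == '=' and '*' in attrs:
            grants.append(Grant(m['name'], m['group'], explicit=False))
        elif m['op'] == '!=' and attr not in attrs:
            grants.append(Grant(m['name'], m['group'], explicit=False))
    return grants

# Constructed samples (not the real default-aci.ldif contents).
ADMINS = 'ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com'
ADMIN_ACI = ('(targetattr != "userPassword || krbPrincipalKey || krbPrincipalExpiration")'
             '(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "%s";)' % ADMINS)
OPTION1_ACI = ('(targetattr != "userPassword || krbPrincipalKey")'
               '(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "%s";)' % ADMINS)
PERM = 'Modify Kerberos principal expiration'
OPTION2_ACI = ('(targetattr = "krbPrincipalExpiration")(version 3.0; acl "permission:%s"; '
               'allow (write) groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,dc=example,dc=com";)' % (PERM, PERM))
```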
