[Freeipa-devel] [PATCH] self service aci
Pete Rowley
prowley at redhat.com
Mon Oct 29 23:21:34 UTC 2007
Simo Sorce wrote:
> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>
>> Simo Sorce wrote:
>>
>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>
>>>
>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>> || loginShell || homePhone || mobile || pager ||
>>>> facsimileTelephoneNumber || telephoneNumber || street || roomNumber ||
>>>> l || st || postalCode || manager || description || carLicense ||
>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>
>>>>
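Review bot: the targetattr list puts manager, loginShell and userPassword in the same allow (write) userdn="ldap:///self" rule as the contact attributes, so anything that later trusts one of those values can be influenced by the very user it applies to. Suggest keeping this ACI to the descriptive attributes and moving manager, loginShell and userPassword into separate ACIs (or dropping them), so each can be reviewed and tightened on its own.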
>>> Allow users by default to change name (givenName, cn, sn), manager and
>>> loginShell by themselves?
>>>
>>>
>>>
>> loginShell might be a problem, what issue do you have with the others?
>>
>
> Well I am not sure it makes sense to change your own name, why should
> you?
>
Because it changed, or is spelled incorrectly, or you are commonly known
by another name?
> Same for the manager, we might think of ACIs where manager=<something>
> may matter
>
If we do we should remove it from the self service list if there is a
problem with escalation of privilege.
--
Pete
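
The manager concern discussed above, as an added example (not FreeIPA code and not part of the original message): a small audit that flags attributes a user may write on their own entry while another ACI uses the same attribute in a `userattr` bind rule. The sample ACIs and the function names are constructed for illustration, and only the `targetattr = "a || b"` form is handled.

```python
import re

# Constructed sample ACIs (not from the FreeIPA tree): the first mirrors the
# patch's self-service ACI with a shortened attribute list, the second is a
# hypothetical ACI that grants rights to whoever an entry names as manager.
SAMPLE_ACIS = [
    '(targetattr = "givenName || sn || manager || loginShell")'
    '(version 3.0;acl "Self service";allow (write) userdn="ldap:///self";)',
    '(targetattr = "telephoneNumber || roomNumber")'
    '(version 3.0;acl "Manager edits reports";allow (write) '
    'userattr = "manager#USERDN";)',
]

TARGETATTR = re.compile(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', re.I)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.I)
SELF_BIND = re.compile(r'userdn\s*=\s*"ldap:///self"', re.I)
USERATTR = re.compile(r'userattr\s*=\s*"([^"#]+)#', re.I)


def parse_aci(aci):
    """Extract the fields this audit needs from one ACI string."""
    target = TARGETATTR.search(aci)
    attrs = [a.strip().lower() for a in target.group(1).split("||")] if target else []
    rights = set()
    for m in ALLOW.finditer(aci):
        rights |= {r.strip().lower() for r in m.group(1).split(",")}
    name = ACL_NAME.search(aci)
    return {
        "name": name.group(1) if name else "",
        "attrs": {a for a in attrs if a},
        "self_write": bool(SELF_BIND.search(aci)) and bool(rights & {"write", "all"}),
        "keyed_on": {a.strip().lower() for a in USERATTR.findall(aci)},
    }


def self_writable_trust_attrs(acis):
    """Return {attr: [acl names keyed on it]} for attrs users can set on themselves."""
    parsed = [parse_aci(a) for a in acis]
    writable = set().union(*(p["attrs"] for p in parsed if p["self_write"]))
    findings = {}
    for p in parsed:
        for attr in p["keyed_on"] & writable:
            findings.setdefault(attr, []).append(p["name"])
    return findings


if __name__ == "__main__":
    print(self_writable_trust_attrs(SAMPLE_ACIS))
```

An empty result means no self-writable attribute is used as a `userattr` trust anchor in the ACIs supplied; it says nothing about ACIs that were not passed in.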