[Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

Simo Sorce ssorce at redhat.com
Wed Nov 24 14:37:49 UTC 2010


On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden <rcritten at redhat.com> wrote:

>  aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory ||
> krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read,
> search, compare) userdn = "ldap:///anyone";) -aci: (targetattr !=
> "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci:
> (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
> krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(versi

Nack.

Some attributes are repeated multiple times in this chunk (krbMKey, for
example).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
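As an added example, not part of this thread or of the FreeIPA patch under review, the following Python script parses the targetattr clause of a 389-ds style ACI, reports any attribute listed more than once (the defect pointed out above), and rewrites the clause without the repeats. The ACI string embedded in it is constructed for the example: it borrows attribute names visible in the quoted hunk, but the acl name and the suffix are hypothetical, and it is not the text of the actual patch.

```python
import re
from collections import Counter

# Constructed sample ACI (hypothetical acl name and suffix, not the patch's
# real text). The targetattr list deliberately names krbMKey twice, which is
# the defect raised in the review.
SAMPLE_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference")'
    '(version 3.0; acl "example admin aci"; allow (all) '
    'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)

# Matches the first (targetattr ... "a || b || c") clause of an ACI.
TARGETATTR_RE = re.compile(
    r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE
)


def parse_targetattr(aci):
    """Return (operator, [attribute names]) from the ACI's targetattr clause.

    Raises ValueError when the ACI has no targetattr clause. Names are
    returned as written; callers compare them case-insensitively because
    LDAP attribute types are case-insensitive.
    """
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("no targetattr clause found")
    op, body = m.group(1), m.group(2)
    attrs = [a.strip() for a in body.split("||")]
    if any(a == "" for a in attrs):
        raise ValueError("empty entry in targetattr list (stray '||')")
    return op, attrs


def duplicate_attrs(aci):
    """Return attributes that occur more than once, first spelling, in order."""
    _, attrs = parse_targetattr(aci)
    counts = Counter(a.lower() for a in attrs)
    dups, reported = [], set()
    for a in attrs:
        key = a.lower()
        if counts[key] > 1 and key not in reported:
            reported.add(key)
            dups.append(a)
    return dups


def dedupe_targetattr(aci):
    """Return the ACI with repeated targetattr entries removed (first kept)."""
    m = TARGETATTR_RE.search(aci)
    op, attrs = parse_targetattr(aci)
    kept, seen = [], set()
    for a in attrs:
        if a.lower() not in seen:
            seen.add(a.lower())
            kept.append(a)
    clause = '(targetattr %s "%s")' % (op, " || ".join(kept))
    return aci[:m.start()] + clause + aci[m.end():]


def check_aci(aci):
    """Return (ok, message) suitable for a pre-commit lint of ACI values."""
    dups = duplicate_attrs(aci)
    if dups:
        return False, "duplicate targetattr entries: " + ", ".join(dups)
    return True, "ok"


if __name__ == "__main__":
    ok, msg = check_aci(SAMPLE_ACI)
    print(("PASS " if ok else "FAIL ") + msg)
    if not ok:
        print("deduplicated: " + dedupe_targetattr(SAMPLE_ACI))
```

Run it against each `aci:` value of a patch before posting; a non-empty result from duplicate_attrs is the condition that drew the nack above, and the rewritten clause from dedupe_targetattr is the corrected value to put in the patch.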