[Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Rob Crittenden
rcritten at redhat.com
Wed Nov 24 14:53:09 UTC 2010
Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden<rcritten at redhat.com> wrote:
>
>> +aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
>> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
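Review bot: `krbMKey` appears twice in the `targetattr` exclusion list (after `passwordHistory` and again after `krbUPEnabled`); one occurrence should be dropped. Because this is a negated `targetattr != "..."` rule paired with `allow (all)`, it grants the admins group write access to every attribute not named in the list, including any attribute added to the schema later, so the only way to keep an attribute out of admin reach is to list it explicitly, and the only way to keep one admin-writable is to leave it off. As written the list already excludes `krbPwdHistory`, `krbLastPwdChange`, `krbLastSuccessfulAuth`, `krbLastFailedAuth`, `krbLoginFailedCount` and `ipaUniqueId`; if `ipaUniqueId` must stay writable for the UPG detach case, it has to be removed from this exclusion rather than left in place.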
>
> Ah also forgot to say that I am not sure we want admin to be able to
> change krbPwdHistory and krbLastPwdChange.
> Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
> we might let admin write krbLoginFailedCount in order to unlock an
> automatically locked account that failed preauth too many times.
>
> We also probably do not want admin to be able to change ipaUniqueId.
>
> Simo.
>
I was going to tackle krbLoginFailedCount when we finally got a way to
unlock users across replicas.
You're right on the other two, we want admins to reset passwords :-)
ipaUniqueId needs to be writable so a UPG group can be detached. The
write is "autogenerate", the plugin handles the rest of the access control.
rob