[Freeipa-devel] Handling of krbPrincpalExpiration in default ACI
Tomas Babej
tbabej at redhat.com
Wed Jan 8 12:42:32 UTC 2014
Hi,
I'm working on exposing the krbPrincipalExpiration attribute in the CLI
(https://fedorahosted.org/freeipa/ticket/3306). However, this attribute
is exempted from the default ACL "Admin can manage any entry"
(install/share/default-aci.ldif +8).
Now, we have several options:
1.) remove it from blacklisted options in "Admin can manage any entry" ACL
2.) create a new permission that allows writing to this attribute (i.e.
Modify Kerberos principal expiration)
3.) add this attribute to an existing permission (Modify users seems like
the best candidate, however, the attribute does not really fit even there)
I see that the approach 1.) was taken with the krbTicketFlags
attribute in the past (install/updates/60-trusts.update +38).
What would be the best approach here?
Tomas