[Freeipa-devel] [PATCH] 784 limit what attributes may be modified
Rob Crittenden
rcritten at redhat.com
Mon May 16 21:46:50 UTC 2011
Add option to limit the attributes allowed in an entry.

Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
purview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.

Add two new LDAPObject values to control this behavior:

limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed

By default both of these lists are empty so are skipped.

ticket 744

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-784-krbtpolicy.patch
Type: application/mbox
Size: 11339 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110516/fe11bd31/attachment.mbox>
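
The check described in the message above, sketched as an added example; this is not the code from the scrubbed attachment or from FreeIPA. The function names, the SCHEMA table and the pairing of each list with a ticket-policy or user object are assumptions made for illustration.

```python
# Added illustration, not FreeIPA code. SCHEMA is a constructed subset of
# real LDAP object classes; a server would read this from its live schema.
SCHEMA = {
    "krbticketpolicyaux": {"krbticketflags", "krbmaxticketlife",
                           "krbmaxrenewableage"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos"},
}


def attrs_of(object_classes):
    """Union of the attributes belonging to the named object classes."""
    attrs = set()
    for oc in object_classes:
        # An object class missing from the schema contributes nothing, so a
        # typo in a limit list rejects everything instead of allowing it.
        attrs |= SCHEMA.get(oc.lower(), set())
    return attrs


def attr_name(setattr_arg):
    """Extract the bare attribute type from an 'attr=value' argument."""
    name = setattr_arg.partition("=")[0]
    # Drop LDAP attribute options (e.g. ';binary'); names are case-insensitive.
    return name.split(";", 1)[0].strip().lower()


def rejected_attrs(setattr_args, limit_object_classes=(),
                   disallow_object_classes=()):
    """Return the sorted attribute names that the two lists refuse."""
    names = {attr_name(a) for a in setattr_args}
    rejected = set()
    if limit_object_classes:        # empty list: check skipped
        rejected |= names - attrs_of(limit_object_classes)
    if disallow_object_classes:     # empty list: check skipped
        rejected |= names & attrs_of(disallow_object_classes)
    return sorted(rejected)


if __name__ == "__main__":
    # Constructed requests: a ticket-policy object limited to its own class,
    # and a user object that refuses ticket-policy attributes.
    print(rejected_attrs(["krbMaxTicketLife=3600", "loginShell=/bin/sh"],
                         limit_object_classes=["krbTicketPolicyAux"]))
    print(rejected_attrs(["krbMaxRenewableAge=1", "gecos=x"],
                         disallow_object_classes=["krbTicketPolicyAux"]))
```

A caller would refuse the whole modify request whenever the returned list is non-empty, before any set/addattr value reaches the directory.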