[Freeipa-devel] [PROPOSAL] Kerberos flags

Simo Sorce simo at redhat.com
Tue Mar 12 17:01:00 UTC 2013


On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote:
> On 12.3.2013 17:24, Simo Sorce wrote:
> > On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote:
> >> Why can't we set the bitfield (krbTicketFlags) directly? (There is an
> >> ACI preventing that, I'm just wondering what is the reason for this.)
> >
> > If you tell me who 'we' is (as in what user would set it) I can tell you
> > why it is/isn't possible.
> 
> Why can no IPA user (including admins) set the attribute?

I guess admins should be allowed to.

Users can't, as ticket flags change the behavior of the principal in
ways only admins should be allowed to. (preauth required or not, AS
requests disabled or not, etc...)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
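
An added example, not part of the original message and not FreeIPA code: decoding the krbTicketFlags bitfield discussed in this thread and listing principals whose entry does not require pre-authentication. The bit values are the KRB5_KDB_* constants from MIT krb5's kdb.h; the LDIF sample, the EXAMPLE.TEST realm and the function names are constructed for illustration.

```python
import re
# KRB5_KDB_* attribute bits as defined in MIT krb5's kdb.h.
KDB_FLAGS = {
    0x000001: "DISALLOW_POSTDATED", 0x000002: "DISALLOW_FORWARDABLE",
    0x000004: "DISALLOW_TGT_BASED", 0x000008: "DISALLOW_RENEWABLE",
    0x000010: "DISALLOW_PROXIABLE", 0x000020: "DISALLOW_DUP_SKEY",
    0x000040: "DISALLOW_ALL_TIX", 0x000080: "REQUIRES_PRE_AUTH",
    0x000100: "REQUIRES_HW_AUTH", 0x000200: "REQUIRES_PWCHANGE",
    0x001000: "DISALLOW_SVR", 0x002000: "PWCHANGE_SERVICE",
    0x004000: "SUPPORT_DESMD5", 0x008000: "NEW_PRINC",
    0x100000: "OK_AS_DELEGATE", 0x200000: "OK_TO_AUTH_AS_DELEGATE",
    0x400000: "NO_AUTH_DATA_REQUIRED", 0x800000: "LOCKDOWN_KEYS",
}
REQUIRES_PRE_AUTH, KNOWN_MASK = 0x80, sum(KDB_FLAGS)

# Constructed sample export (not real data); LDIF folding and base64 values are not handled.
SAMPLE_LDIF = """\
dn: krbprincipalname=alice@EXAMPLE.TEST,cn=users,dc=example,dc=test
krbPrincipalName: alice@EXAMPLE.TEST
krbTicketFlags: 128

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,dc=example,dc=test
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbTicketFlags: 1048576

dn: krbprincipalname=carol@EXAMPLE.TEST,cn=users,dc=example,dc=test
krbPrincipalName: carol@EXAMPLE.TEST
"""

def decode_flags(value):
    """Return (flag names in bit order, bits that have no known name)."""
    return [n for b, n in sorted(KDB_FLAGS.items()) if value & b], value & ~KNOWN_MASK

def audit(ldif):
    """List (principal, reason) for entries that do not set REQUIRES_PRE_AUTH."""
    findings = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {k.lower(): v for k, v in re.findall(r"(?mi)^(krbPrincipalName|krbTicketFlags):\s*(\S+)", block)}
        name, raw = attrs.get("krbprincipalname"), attrs.get("krbticketflags")
        if name is None:
            continue
        if raw is None:
            findings.append((name, "krbTicketFlags absent on entry"))
        elif not int(raw) & REQUIRES_PRE_AUTH:
            findings.append((name, "REQUIRES_PRE_AUTH not set; flags: " + ", ".join(decode_flags(int(raw))[0])))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

An entry reported as "absent" carries no flags of its own, so its effective value has to be checked wherever the deployment defines defaults.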
