[Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

Petr Viktorin pviktori at redhat.com
Thu Apr 24 07:41:08 UTC 2014


On 04/23/2014 08:56 PM, Simo Sorce wrote:
> On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
>> Admin access to read-only attributes such as ipaUniqueId, memberOf,
>> krbPrincipalName is provided by the anonymous read ACI, which will go
>> away. This patch adds a blanket read ACI for these.
>> I also moved some related ACIs to 20-aci.update.
>>
>> Previously krbPwdHistory was also readable by admins. I don't think we
>> want to include that.
>> Simo, should admins be allowed to read krbExtraData?
>
> Probably not necessary but there is nothing secret in it either.
>
> Simo.

OK. I'm not a fan of hiding things from the admin, so no changes to the 
patch are necessary here.

-- 
Petr³



