[Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

Martin Kosek mkosek at redhat.com
Thu Apr 24 12:17:11 UTC 2014

On 04/24/2014 09:41 AM, Petr Viktorin wrote:
> On 04/23/2014 08:56 PM, Simo Sorce wrote:
>> On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
>>> Admin access to read-only attributes such as ipaUniqueId, memberOf,
>>> krbPrincipalName is provided by the anonymous read ACI, which will go
>>> away. This patch adds a blanket read ACI for these.
>>> I also moved some related ACIs to 20-aci.update.
>>> Previously krbPwdHistory was also readable by admins. I don't think we
>>> want to include that.
>>> Simo, should admins be allowed to read krbExtraData?
>> Probably not necessary but there is nothing secret in it either.
>> Simo.
> OK. I'm not a fan of hiding things from the admin, so no changes to the patch
> are necessary here.

As we are touching these ACIs, may it is a time to see the blacklist of
attributes that admin cannot write and check if this is still wanted:

ipaUniqueId - OK, generated by DS plugin
memberOf - OK, generated by DS plugin
serverHostName - I did not even find a place where we manipulate it, except
host.py -> remove from blacklist?
enrolledBy - OK, generated by DS plugin
krbExtraData - OK, generated by DS plugin
krbPrincipalName - why can't admin change it? It is filled by framework, I
would not personally blacklist it
krbCanonicalName - same as krbPrincipalName
krbPrincipalAliases - same as krbPrincipalName - we need this removed if we
want to set aliases anyway
krbPasswordExpiration - OK, generated by DS plugin
krbLastPwdChange - OK, generated by DS plugin
krbUPEnabled - not used, can we remove it?
krbTicketPolicyReference - why cannot admin set it?
krbPwdPolicyReference - why cannot admin set it?
krbPrincipalType - why cannot admin set it?
krbLastSuccessfulAuth - OK, generated by DS plugin
krbLastFailedAuth - OK, generated by DS plugin
krbLoginFailedCount - OK, generated by DS plugin

It seems to me that some attributes can be indeed removed from the backlist
(and thus from the admin whitelist too).

Besides that, the patch looked OK to me.

537: ACK (tests pass)


More information about the Freeipa-devel mailing list