[Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes
Simo Sorce
ssorce at redhat.com
Wed Apr 23 18:56:05 UTC 2014
On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
> Admin access to read-only attributes such as ipaUniqueId, memberOf,
> krbPrincipalName is provided by the anonymous read ACI, which will go
> away. This patch adds a blanket read ACI for these.
> I also moved some related ACIs to 20-aci.update.
>
> Previously krbPwdHistory was also readable by admins. I don't think we
> want to include that.
> Simo, should admins be allowed to read krbExtraData?
Probably not necessary but there is nothing secret in it either.
Simo.
More information about the Freeipa-devel
mailing list