Disallow writes on serverHostName, enrolledBy and memberOf

Regular users already can't write these, it just affects admins.

serverHostName because this is tied to the FQDN so should only be changed on a host rename (which we don't do).

enrolledBy because this should reflect relality.

memberOf because the plugin should do this. Directly manging this attribute would be pretty dangerous and confusing.

Also remove a redundant aci granting the admins group write access to users and groups. They have it with through the "admins can modify any entry" aci.

tickets 300, 302, 304


Attachment: freeipa-566-write.patch
Description: application/mbox

Freeipa-devel mailing list

Reply via email to