Disallow writes on serverHostName, enrolledBy and memberOf
Regular users already can't write these; it just affects admins.

serverHostName because this is tied to the FQDN so should only be changed on a host rename (which we don't do).

enrolledBy because this should reflect reality.

memberOf because the plugin should do this. Directly managing this attribute would be pretty dangerous and confusing.

Also remove a redundant aci granting the admins group write access to users and groups. They have it through the "admins can modify any entry" aci.

tickets 300, 302, 304

rob
_______________________________________________
Freeipa-devel mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-devel