Rob Crittenden wrote:
Disallow writes on serverHostName, enrolledBy and memberOf

Regular users already can't write these, it just affects admins.

serverHostName because this is tied to the FQDN so should only be changed on a host rename (which we don't do).

enrolledBy because this should reflect reality.

memberOf because the plugin should do this. Directly managing this attribute would be pretty dangerous and confusing.

Also remove a redundant aci granting the admins group write access to users and groups. They have it through the "admins can modify any entry" aci.

tickets 300, 302, 304

rob
Updated patch. We need to allow writing enrolledBy so we can actually enroll a host! I'll have to prevent writes to this by other means or through a more specific aci.
rob
freeipa-566-write.patch
Description: application/mbox
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel