On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden <rcrit...@redhat.com> wrote:

> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
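Review bot: krbMKey is listed twice in the targetattr exclusion list (once after passwordHistory, again after krbUPEnabled); one copy should be dropped. Because the rule is written as `targetattr != "..."`, it grants the admins group write access to every attribute that is not named, so any sensitive attribute added to the schema later becomes admin-writable unless this list is updated in the same change; that is worth a comment next to the ACI. The closing `";;)` also looks like a doubled semicolon, so please confirm the directory server accepts it before merging.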

Ah, also forgot to say that I am not sure we want admin to be able to
change krbPwdHistory and krbLastPwdChange.
Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
we might let admin write krbLoginFailedCount in order to unlock an
automatically locked account that failed preauth too many times.

We also probably do not want admin to be able to change ipaUniqueId.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
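To turn the points raised in this thread into a repeatable check, the following is an added Python example written for this page; it is not FreeIPA code and not part of the patch under review. It reassembles the mail-wrapped ACI onto one line (a constructed copy of the quoted text), parses its targetattr clause, reports attributes that appear more than once, and compares the exclusion list against a small policy: attributes Simo says admins should not write must stay excluded, and krbLoginFailedCount, which the thread suggests admins need for unlocking accounts, must not be excluded. The policy sets and the finding names are assumptions made for the example.

```python
import re

# Constructed sample input: the ACI quoted in the thread, re-joined onto one
# line because the mail client wrapped it.  Not taken from a FreeIPA release.
ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || '
    'krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || '
    'krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || '
    'krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || '
    'krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || '
    'serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; '
    'allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
)

# Policy derived from the discussion (assumed, for this example only):
# attributes admins must NOT be able to write ...
MUST_EXCLUDE = {"krbPwdHistory", "krbLastPwdChange", "krbLastSuccessfulAuth",
                "krbLastFailedAuth", "ipaUniqueId"}
# ... and attributes admins need to write (unlocking a locked account).
MUST_ALLOW = {"krbLoginFailedCount"}

# Matches the targetattr clause and captures the operator and the quoted list.
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!=|=)\s*"([^"]*)"\)')


def parse_targetattr(aci):
    """Return (operator, attribute list) from the ACI's targetattr clause.

    Duplicates are preserved so the caller can detect them.
    """
    m = TARGETATTR_RE.search(aci)
    if not m:
        raise ValueError("no targetattr clause found")
    op, raw = m.group(1), m.group(2)
    attrs = [a.strip() for a in raw.split("||") if a.strip()]
    return op, attrs


def audit_aci(aci, must_exclude=MUST_EXCLUDE, must_allow=MUST_ALLOW):
    """Check an ACI's targetattr list against the policy sets.

    LDAP attribute names are case-insensitive, so comparisons are lowercased.
    With "!=" the listed attributes are the ones NOT granted; with "=" they
    are the only ones granted, so the policy checks are inverted.
    """
    op, attrs = parse_targetattr(aci)
    seen, dups = set(), []
    for a in attrs:
        key = a.lower()
        if key in seen:
            dups.append(a)
        seen.add(key)

    if op == "!=":
        # Every attribute not in the list is writable: protected attrs must be
        # listed, and attrs admins need must not be.
        missing = [a for a in must_exclude if a.lower() not in seen]
        wrongly_excluded = [a for a in must_allow if a.lower() in seen]
    else:
        # Only listed attributes are writable.
        missing = [a for a in must_exclude if a.lower() in seen]
        wrongly_excluded = [a for a in must_allow if a.lower() not in seen]

    return {
        "operator": op,
        "attribute_count": len(attrs),
        "duplicates": dups,
        # "!=" rules silently grant access to attributes added later.
        "open_ended": op == "!=",
        "missing_exclusions": sorted(missing),
        "wrongly_excluded": sorted(wrongly_excluded),
    }


if __name__ == "__main__":
    for name, value in audit_aci(ACI).items():
        print(f"{name}: {value}")
```

Run against the thread's ACI, the audit reports the duplicated krbMKey, confirms every attribute Simo wants protected is already excluded, and flags krbLoginFailedCount as excluded even though the thread wants admins to write it; the open_ended flag is the reminder that a `!=` rule grants anything not on the list.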

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
