+aci: (targetattr != "userPassword || krbPrincipalKey ||
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
krbTicketPolicyReference || krbPrincipalExpiration ||
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
entry"; allow (all) groupdn =
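Review bot: krbMKey is listed twice in the targetattr exclusion list (once after passwordHistory, again after krbUPEnabled); drop the duplicate. Since the rule is written as `targetattr != "..."` with `allow (all)`, it is a denylist: any sensitive attribute added to the schema later is admin-writable unless it is also appended here, so the exclusion list should be reviewed whenever new krb* or password-related attributes are introduced.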

Ah also forgot to say that I am not sure we want admin to be able to
change krbPwdHistory and krbLastPwdChange.
Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
we might let admin write krbLoginFailedCount in order to unlock an
automatically locked account that failed preauth too many times.

We also probably do not want admin to be able to change ipaUniqueId.


I was going to tackle krbLoginFailedCount when we finally got a way to unlock users across replicas.

You're right on the other two, we want admins to reset passwords :-)

ipaUniqueId needs to be writable so a UPG group can be detached. The write is "autogenerate", the plugin handles the rest of the access control.