On Tue, 30 Nov 2010 10:28:41 -0500 Rob Crittenden <rcrit...@redhat.com> wrote:
> Simo Sorce wrote:
> > On Wed, 17 Nov 2010 15:07:03 -0500
> > Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> >> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> >> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> >> krbTicketPolicyReference || krbPrincipalExpiration ||
> >> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType
> >> || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> >> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> >> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> >> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage
> >> any entry"; allow (all) groupdn =
> >> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> >
> > Ah, also forgot to say that I am not sure we want admin to be able to
> > change krbPwdHistory and krbLastPwdChange.
> > Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
> > while we might let admin write krbLoginFailedCount in order to
> > unlock an automatically locked account that failed preauth too many
> > times.
> >
> > We also probably do not want admin to be able to change ipaUniqueId.
> >
> > Simo.
> >
>
> These are already attributes that the admin cannot write. Can I just
> remove the duplicate krbMKey?

I guess so.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
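Review bot: krbMKey is listed twice in the targetattr clause (once after passwordHistory, again after krbUPEnabled); drop one. More importantly, `targetattr !=` is an exclusion list combined with `allow (all)`, so this ACI grants the admins group every right on every attribute that is not named here, and any sensitive attribute added to the schema later is writable by admins until this list is updated. That is exactly the class of concern raised below about krbPwdHistory, krbLastPwdChange and ipaUniqueId, so it is worth documenting in the patch which attributes are deliberately excluded and why.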