Add option to limit the attributes allowed in an entry.

Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy perview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation.

Add two new LDAPObject values to control this behavior:

limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed

By default both of these lists are empty so are skipped.

ticket 744


Attachment: freeipa-rcrit-784-krbtpolicy.patch
Description: application/mbox

Freeipa-devel mailing list

Reply via email to