On 12.3.2013 18:01, Simo Sorce wrote:
On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote:
On 12.3.2013 17:24, Simo Sorce wrote:
On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote:
Why can't we set the bitfield (krbTicketFlags) directly? (There is an
ACI preventing that, I'm just wondering what is the reason for this.)

If you tell me who 'we' is (as in what user would set it) I can tell you
why it is/isn't possible.

Why no IPA user (including admins) can set the attribute?

I guess admins should be allowed to.

Users can't, as ticket flags change the behavior of the principal in
ways only admins should allowed to. (preauth required or not, AS
requests disabled or not, etc...)

Thanks. For normal users it's obvious, but it seemed a little bit strange to disallow admins to set the flags.

So, can the krbTicketFlags attribute be used internally in IPA plugins to set/unset the flags, given that the ACI is changed to allow admins to modify the attribute?


Jan Cholasta

Freeipa-devel mailing list

Reply via email to