I'm working on exposing the krbPrincipalExpiration attribute in the CLI
(https://fedorahosted.org/freeipa/ticket/3306). However, this attribute
is exempted from the default ACL "Admin can manage any entry"
(install/share/default-aci.ldif +8).

Now, we have several options:
1.) remove it from blacklisted options in "Admin can manage any entry" ACL
2.) create a new permission that allows writing to this attribute (i.e.
Modify Kerberos principal expiration)
3.) add this attribute to a existing permission (Modify users seems like
the best candidate, however, the attribute does not really fit even there)

I see that the the approach 1.) was taken with the krbTicketFlags
attribute in the past (install/updates/60-trusts.update +38).

What would be the best approach here?


Freeipa-devel mailing list

Reply via email to