On Wed, 2014-01-08 at 13:42 +0100, Tomas Babej wrote:
> Hi,
> I'm working on exposing the krbPrincipalExpiration attribute in the CLI
> (https://fedorahosted.org/freeipa/ticket/3306). However, this attribute
> is exempted from the default ACL "Admin can manage any entry"
> (install/share/default-aci.ldif +8).
> Now, we have several options:
> 1.) remove it from blacklisted options in "Admin can manage any entry" ACL

Nope, it was excluded on purpose, to prevent admins from playing with

> 2.) create a new permission that allows writing to this attribute (i.e.
> Modify Kerberos principal expiration)

Yep, this sounds right.

> 3.) add this attribute to an existing permission (Modify users seems like
> the best candidate, however, the attribute does not really fit even there)

Nope, needs to be explicit for auditing purposes that admins are able to
violate the password policies of users by changing their expiration

> I see that the approach 1.) was taken with the krbTicketFlags
> attribute in the past (install/updates/60-trusts.update +38).

Yes, however I think this too should be probably explicit and have its
own permission with the new permission framework.

> What would be the best approach here?

I say 2.


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list
