thread "[Freeipa-devel] Read access to container entries" reminds me an idea I
have in mind for a while:
We could check effective ACIs  for interesting objects (Kerberos master
key, trust objects etc.) and make sure that there is nothing like 'read by
Method  has one important limitation: It checks ACI in given sub-tree
against one specified DN.
Realization of my idea would be better with a "reverse" approach: Specify DN
of a single object as "target" and get list of all users with non-null access
rights for the object in question. (This could be refined with filter for
specific rights so we can get "list of DNs allowed to write to this object" etc.)
Does it make sense?
Freeipa-devel mailing list