On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
> The first patch adds default read permissions to krbtpolicy. Since the
> plugin manages entries in two trees, there are two permissions. Since
> two permissions are needed to cover krbtpolicy, it can't be used as a
> permission's --type.
> The permissions are added to a new privilege, 'Kerberos Ticket Policy
> The second patch adds an ACI for reading the Kerberos realm name. Since
> client enrollment won't work without this, I don't see a reason for
> having it managed by a permission.
Freeipa-devel mailing list