Hello,
At Devconf, we decided what most of the default read permissions should look like, but we did not get to user.
Here is a draft of 4 read permissions. Please comment.


Basic info (anonymous):
[top]
    objectclass
[person]
    cn, sn, description
[organizationalPerson]
    title
[inetOrgPerson]
    uid
    displayName, givenName, initials
    manager
[inetUser]
    memberOf
[ipaObject]
    ipaUniqueID
[ipaSshUser]
    ipaSshPubKey
[ipaUserAuthTypeClass]
    ipaUserAuthType
[posixAccount]
    gecos, gidNumber, homeDirectory, loginShell, uidNumber


Details (all authenticated):
[person]
    seeAlso, telephoneNumber
[organizationalPerson]
    fax, l, ou, st, postalCode, street
    destinationIndicator, internationalISDNNumber, physicalDeliveryOfficeName,
        postalAddress, postOfficeBox, preferredDeliveryMethod,
        registeredAddress, teletexTerminalIdentifier, telexNumber, x121Address
[inetOrgPerson]
    carLicense, departmentNumber, employeeNumber, employeeType,
        preferredLanguage, mail, mobile, pager
    audio, businessCategory, homePhone, homePostalAddress, jpegPhoto,
        labeledURI, o, photo, roomNumber, secretary, userCertificate,
        userPKCS12, userSMIMECertificate, x500UniqueIdentifier
[inetUser]
    inetUserHttpURL, inetUserStatus
[ipaUser]
    userClass


Kerberos/login-related (all authenticated):
[krbPrincipalAux]
    krbPrincipalName, krbCanonicalName, krbPrincipalAliases,
    krbPrincipalExpiration, krbPasswordExpiration, krbLastPwdChange
[+]
    nsAccountLock


Kerberos-related (user admins only):
[krbPrincipalAux]
    krbLastSuccessfulAuth, krbLastFailedAuth, krbLastPwdChange


No read permission:
[person]
    userPassword
[krbPrincipalAux]
    krbPrincipalKey, krbExtraData, krbPwdHistory
    krbLastAdminUnlock,
    krbLoginFailedCount, krbPrincipalType, krbPwdPolicyReference,
        krbTicketPolicyReference, krbUPEnabled
[krbTicketPolicyAux]
    krbMaxRenewableAge, krbMaxTicketLife, krbTicketFlags
[mepOriginEntry]
    mepManagedEntry


--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

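The four tiers in the draft above are, in effect, four 389-DS ACIs with increasingly narrow bind rules. The following added example (not code from the FreeIPA project or from the draft) takes the attribute lists exactly as posted, renders each tier as an ACI in the style FreeIPA uses for managed permissions, and then runs the two checks a reviewer would want before such a draft is committed: an attribute granted in more than one tier (the looser grant wins, so the tighter grant is dead), and an attribute listed under "no read permission" that some tier nonetheless grants. The user target DN, the posixaccount targetfilter, the bind-rule mapping (anonymous, all, and a permission-bound groupdn) and the suffix are assumptions made here; only the attribute names come from the draft.

```python
"""Compile the four draft read-permission tiers for user entries into
389-DS ACIs and check them for overlaps.

Added example; not code from the FreeIPA project or from the draft.
Attribute lists are copied from the draft. The ACI layout (user target,
posixaccount filter, bind rules) and SUFFIX are assumptions here.
"""
from collections import defaultdict
from typing import List, Tuple

SUFFIX = "dc=example,dc=com"  # assumed base DN

# Tiers in the draft, loosest first: (name, bindtype, attributes).
TIERS: List[Tuple[str, str, List[str]]] = [
    ("Basic info", "anonymous", [
        "objectclass", "cn", "sn", "description", "title", "uid",
        "displayName", "givenName", "initials", "manager", "memberOf",
        "ipaUniqueID", "ipaSshPubKey", "ipaUserAuthType", "gecos",
        "gidNumber", "homeDirectory", "loginShell", "uidNumber"]),
    ("Details", "all", [
        "seeAlso", "telephoneNumber", "fax", "l", "ou", "st", "postalCode",
        "street", "destinationIndicator", "internationalISDNNumber",
        "physicalDeliveryOfficeName", "postalAddress", "postOfficeBox",
        "preferredDeliveryMethod", "registeredAddress",
        "teletexTerminalIdentifier", "telexNumber", "x121Address",
        "carLicense", "departmentNumber", "employeeNumber", "employeeType",
        "preferredLanguage", "mail", "mobile", "pager", "audio",
        "businessCategory", "homePhone", "homePostalAddress", "jpegPhoto",
        "labeledURI", "o", "photo", "roomNumber", "secretary",
        "userCertificate", "userPKCS12", "userSMIMECertificate",
        "x500UniqueIdentifier", "inetUserHttpURL", "inetUserStatus",
        "userClass"]),
    ("Kerberos/login-related", "all", [
        "krbPrincipalName", "krbCanonicalName", "krbPrincipalAliases",
        "krbPrincipalExpiration", "krbPasswordExpiration",
        "krbLastPwdChange", "nsAccountLock"]),
    ("Kerberos-related (user admins only)", "permission", [
        "krbLastSuccessfulAuth", "krbLastFailedAuth", "krbLastPwdChange"]),
]

# Attributes the draft says get no read permission at all.
NO_READ = [
    "userPassword", "krbPrincipalKey", "krbExtraData", "krbPwdHistory",
    "krbLastAdminUnlock", "krbLoginFailedCount", "krbPrincipalType",
    "krbPwdPolicyReference", "krbTicketPolicyReference", "krbUPEnabled",
    "krbMaxRenewableAge", "krbMaxTicketLife", "krbTicketFlags",
    "mepManagedEntry"]


def bind_rule(name: str, bindtype: str, suffix: str = SUFFIX) -> str:
    """Map a draft bind type to a 389-DS bind rule (assumed layout)."""
    if bindtype == "anonymous":
        return 'userdn = "ldap:///anyone"'
    if bindtype == "all":
        return 'userdn = "ldap:///all"'
    if bindtype == "permission":
        # Bound to the permission entry itself; a privilege such as the
        # user administrators' then includes that permission (assumed).
        return f'groupdn = "ldap:///cn={name},cn=permissions,cn=pbac,{suffix}"'
    raise ValueError(f"unknown bindtype {bindtype!r}")


def build_aci(name: str, bindtype: str, attrs: List[str],
              suffix: str = SUFFIX) -> str:
    """Render one read ACI scoped to user entries (assumed target layout)."""
    joined = " || ".join(attrs)
    return (
        f'(target = "ldap:///uid=*,cn=users,cn=accounts,{suffix}")'
        '(targetfilter = "(objectclass=posixaccount)")'
        f'(targetattr = "{joined}")'
        f'(version 3.0;acl "{name}";allow (compare,read,search) '
        f'{bind_rule(name, bindtype, suffix)};)'
    )


def all_acis(tiers=TIERS, suffix: str = SUFFIX) -> List[str]:
    return [build_aci(n, bt, attrs, suffix) for n, bt, attrs in tiers]


def check_tiers(tiers=TIERS, no_read=NO_READ) -> List[str]:
    """Return findings: attributes granted by more than one tier (the
    earlier, looser grant makes the later one redundant) and no-read
    attributes that a tier grants anyway. LDAP attribute names are
    case-insensitive, so comparisons are done lower-cased."""
    where = defaultdict(list)   # lower-cased attr -> tiers granting it
    spelling = {}               # lower-cased attr -> spelling as first seen
    for name, _bt, attrs in tiers:
        for a in attrs:
            where[a.lower()].append(name)
            spelling.setdefault(a.lower(), a)
    findings = []
    for attr, names in where.items():
        if len(names) > 1:
            findings.append(f"{spelling[attr]} granted in {' and '.join(names)}; "
                            f"the {names[0]!r} grant makes the later one redundant")
    for a in no_read:
        if a.lower() in where:
            findings.append(f"{a} is listed as no-read but granted in "
                            f"{where[a.lower()][0]}")
    return findings


if __name__ == "__main__":
    for aci in all_acis():
        print(aci)
    for finding in check_tiers():
        print("finding:", finding)
```

Run as-is, the checker reports exactly one finding: krbLastPwdChange is granted to all authenticated users in the Kerberos/login tier, so its second listing in the user-admins tier grants nothing extra.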