On 04/23/2014 08:56 PM, Simo Sorce wrote:
> On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote:
>> Admin access to read-only attributes such as ipaUniqueId, memberOf,
>> krbPrincipalName is provided by the anonymous read ACI, which will go
>> away. This patch adds a blanket read ACI for these.
>> I also moved some related ACIs to 20-aci.update.
>>
>> Previously krbPwdHistory was also readable by admins. I don't think we
>> want to include that.
>> Simo, should admins be allowed to read krbExtraData?
>
> Probably not necessary but there is nothing secret in it either.


OK. I'm not a fan of hiding things from the admin, so no changes to the patch are necessary here.


Freeipa-devel mailing list
