Hello,

The ACI "Admin read-only attributes" grants, for the complete suffix, read access to 'admin' users for the following attributes:

"ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"

"userPassword" and "krbPrincipalKey" are not "read-only" attributes, so I guess that is the reason why they are not part of this list.

For the user life cycle, I would need admin users to be granted read access on "userPassword" and "krbPrincipalKey". The scope could be limited to the Stage container, but I was wondering if there is a security reason not to grant read access on the full suffix?

thanks
thierry
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
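To make the scoping question in the message concrete, the following is an added example, written for this page and not code from FreeIPA or 389-ds. It models, in a deliberately simplified way, how a 389-ds ACI with a `targetattr` list and an optional `target` subtree decides whether a bound user in a given group may read an attribute. Two constructed ACI strings are compared: one limited to the Stage container and one placed on the whole suffix. The suffix `dc=example,dc=com`, the container DN `cn=staged users,cn=accounts,cn=provisioning,...`, the group DN `cn=admins,cn=groups,cn=accounts,...` and the sample entry DNs are assumptions for the example. The model handles only `allow` rules with a `groupdn` bind rule and ignores `deny` rules, `targetfilter`, `userattr` and the real server's precedence logic.

```python
import re
from dataclasses import dataclass

# Assumed directory layout (example values, not taken from a real deployment).
SUFFIX = "dc=example,dc=com"
STAGE_CONTAINER = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
USERS_CONTAINER = f"cn=users,cn=accounts,{SUFFIX}"
ADMINS_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"

# Constructed ACI strings in 389-ds syntax: same attributes and rights,
# different scope. The first carries an explicit target, the second relies
# on being placed on the suffix entry and therefore applies to the whole tree.
STAGE_SCOPED_ACI = (
    '(targetattr = "userPassword || krbPrincipalKey")'
    f'(target = "ldap:///{STAGE_CONTAINER}")'
    '(version 3.0; acl "Admin read stage credentials"; '
    f'allow (read, search, compare) groupdn = "ldap:///{ADMINS_GROUP}";)'
)
SUFFIX_WIDE_ACI = (
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Admin read credentials"; '
    f'allow (read, search, compare) groupdn = "ldap:///{ADMINS_GROUP}";)'
)


@dataclass(frozen=True)
class Aci:
    name: str
    target: str            # normalized DN of the subtree the ACI covers
    targetattr: frozenset  # lower-cased attribute names
    rights: frozenset      # lower-cased rights, e.g. {"read", "search", "compare"}
    groupdn: str           # normalized DN of the group that gets the rights


_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.I)
_TARGET = re.compile(r'\(target\s*=\s*"ldap:///([^"]*)"\)', re.I)
_BODY = re.compile(
    r'acl\s+"([^"]*)";\s*allow\s*\(([^)]*)\)\s*groupdn\s*=\s*"ldap:///([^"]*)"', re.I
)


def normalize_dn(dn: str) -> str:
    """Lower-case and strip each RDN so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text: str, placed_on: str) -> Aci:
    """Parse the subset of ACI syntax used above.

    `placed_on` is the DN of the entry holding the aci attribute; an ACI
    without an explicit target applies to that entry's subtree.
    """
    body = _BODY.search(text)
    if body is None:
        raise ValueError("unsupported ACI syntax for this simplified parser")
    name, rights, groupdn = body.groups()
    attr_match = _TARGETATTR.search(text)
    attrs = [a.strip().lower() for a in attr_match.group(1).split("||")] if attr_match else []
    target_match = _TARGET.search(text)
    target = target_match.group(1) if target_match else placed_on
    return Aci(
        name=name,
        target=normalize_dn(target),
        targetattr=frozenset(attrs),
        rights=frozenset(r.strip().lower() for r in rights.split(",")),
        groupdn=normalize_dn(groupdn),
    )


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def can_read(acis, entry_dn: str, attr: str, bind_groups) -> bool:
    """Allow-only evaluation: any matching ACI granting 'read' wins."""
    groups = {normalize_dn(g) for g in bind_groups}
    return any(
        in_subtree(entry_dn, aci.target)
        and attr.lower() in aci.targetattr
        and "read" in aci.rights
        and aci.groupdn in groups
        for aci in acis
    )


def compare_scopes(attr: str = "krbPrincipalKey") -> dict:
    """Which sample entries an admin can read `attr` on under each ACI."""
    staged = f"uid=newhire,{STAGE_CONTAINER}"
    active = f"uid=alice,{USERS_CONTAINER}"
    result = {}
    for label, text in (("stage", STAGE_SCOPED_ACI), ("suffix", SUFFIX_WIDE_ACI)):
        aci = parse_aci(text, SUFFIX)
        result[label] = {
            "staged_user": can_read([aci], staged, attr, [ADMINS_GROUP]),
            "active_user": can_read([aci], active, attr, [ADMINS_GROUP]),
        }
    return result


if __name__ == "__main__":
    for scope, readable in compare_scopes().items():
        print(scope, readable)
```

The point the model makes visible is the one behind the question: with the `target` clause, an admin can read `krbPrincipalKey` only on entries under the Stage container, while the suffix-wide variant also exposes the long-term keys of every active user under `cn=users`, so the container-scoped form is the least-privilege choice for the life-cycle workflow.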