Hello,

   The aci "Admin read-only attributes" grants, for the complete
   suffix, read access to 'admin' users for the following attributes.

       "ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
       krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
       krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"


   "userPassword" and "krbPrincipalKey" are not "read-only" attributes,
   so I guess that is the reason why they are not part of this list.

   For User life cycle, I would need admin users to be granted read
   access on "userPassword" and "krbPrincipalKey".
   The scope could be limited to the Stage container, but I was wondering if
   there is a security reason not to grant read access on the full suffix?

   thanks
   thierry

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
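As an added illustration of the scope question raised in the message above (this is example code, not part of the original message and not FreeIPA's or 389-ds's own code): the attribute list of the "Admin read-only attributes" ACI is taken from the message, but the surrounding ACI syntax, the suffix `dc=example,dc=test`, the admins group DN and the stage container DN `cn=staged users,cn=accounts,cn=provisioning,...` are assumptions. The script parses 389-ds ACI strings and reports any ACI that grants `read` on `userPassword` or `krbPrincipalKey` outside the stage container, so a suffix-wide grant of those two attributes is flagged while a stage-scoped one passes. It also treats a missing or negated `target` and a negated `targetattr` as suffix-wide exposure, which is the general case behind the specific ACI in the message.

```python
import re

# Assumed DNs (not from the original message).
SUFFIX = "dc=example,dc=test"
ADMINS_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
STAGE_CONTAINER = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"

# Attributes whose read access should stay confined to the stage container.
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey"}

# Existing ACI: attribute list from the message, rest of the syntax assumed.
ACI_READONLY = (
    '(targetattr = "ipaUniqueId || memberOf || enrolledBy || krbExtraData || '
    'krbPrincipalName || krbCanonicalName || krbPasswordExpiration || '
    'krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")'
    '(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) '
    f'groupdn = "ldap:///{ADMINS_GROUP}";)'
)

# Proposed stage-scoped grant (constructed for this example).
ACI_STAGE_SECRETS = (
    f'(target = "ldap:///uid=*,{STAGE_CONTAINER}")'
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Admins read staged user secrets"; allow (read, search, compare) '
    f'groupdn = "ldap:///{ADMINS_GROUP}";)'
)

# The suffix-wide variant the message asks about: no target clause at all.
ACI_SUFFIX_SECRETS = (
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Admins read all user secrets"; allow (read, search, compare) '
    f'groupdn = "ldap:///{ADMINS_GROUP}";)'
)

_TARGET_RE = re.compile(r'\(\s*target\s*(!?=)\s*"ldap:///([^"]*)"\s*\)', re.I)
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ACL_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
_RIGHTS_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)


def parse_aci(aci):
    """Split a 389-ds ACI string into the pieces needed for a scope check."""
    m_attr = _TARGETATTR_RE.search(aci)
    if m_attr is None:
        raise ValueError("ACI without a targetattr clause")
    m_target = _TARGET_RE.search(aci)
    m_acl = _ACL_RE.search(aci)
    m_rights = _RIGHTS_RE.search(aci)
    rights = set()
    if m_rights and m_rights.group(1).lower() == "allow":
        rights = {r.strip().lower() for r in m_rights.group(2).split(",")}
    return {
        "name": m_acl.group(1) if m_acl else "",
        "target": m_target.group(2) if m_target else None,   # None: whole suffix
        "target_negated": bool(m_target and m_target.group(1) == "!="),
        "attrs_negated": m_attr.group(1) == "!=",
        "attrs": {a.strip().lower() for a in m_attr.group(2).split("||")},
        "rights": rights,
    }


def _norm_dn(dn):
    # Minimal DN normalisation: lowercase, no whitespace around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_secret_scope(aci, allowed_container=STAGE_CONTAINER):
    """Return the sensitive attributes this ACI lets a reader see outside
    allowed_container; an empty list means the ACI is acceptable."""
    p = parse_aci(aci)
    if "read" not in p["rights"]:
        return []
    # "targetattr != X" grants every attribute except X, so the sensitive
    # ones are exposed unless they are in the excluded list.
    exposed = (SENSITIVE_ATTRS - p["attrs"]) if p["attrs_negated"] \
        else (SENSITIVE_ATTRS & p["attrs"])
    if not exposed:
        return []
    # No target, or a negated target, means the rule applies suffix-wide.
    if p["target"] is None or p["target_negated"]:
        return sorted(exposed)
    target, container = _norm_dn(p["target"]), _norm_dn(allowed_container)
    if target == container or target.endswith("," + container):
        return []
    return sorted(exposed)


if __name__ == "__main__":
    for aci in (ACI_READONLY, ACI_STAGE_SECRETS, ACI_SUFFIX_SECRETS):
        name = parse_aci(aci)["name"]
        print(f'{name}: {check_secret_scope(aci) or "ok"}')
```

Run as a script it prints "ok" for the existing read-only ACI and the stage-scoped grant, and lists `krbprincipalkey` and `userpassword` for the suffix-wide variant. To audit a live directory, feed the values of the `aci` attribute read from the suffix entry into `check_secret_scope` one by one.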
