The aci "Admin read-only attributes" grants, for the complete
   suffix, read access to 'admin' users for the following attributes.

       "ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
       krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
       krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"

   "userPassword" and "krbPrincipalKey" are not "read-only" attributes
   so I guess it is the reason why they are not part of this list.

   For User life cycle, I would need admin users to be granted read
   access on "userPassword" and "krbPrincipalKey".
   The scope could be limited to Stage container but I was wondering if
   there is a security reason to not grant read access on the full suffix ?


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to