The aci "Admin read-only attributes" grants, for the complete
suffix, read access to 'admin' users for the following attributes.
"ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"
"userPassword" and "krbPrincipalKey" are not "read-only" attributes
so I guess it is the reason why they are not part of this list.
For User life cycle, I would need admin users to be granted read
access on "userPassword" and "krbPrincipalKey".
The scope could be limited to Stage container but I was wondering if
there is a security reason to not grant read access on the full suffix ?
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code