On 30.3.2015 11:50, thierry bordaz wrote:
> Hello,
>
> The ACI "Admin read-only attributes" grants, for the complete
> suffix, read access to 'admin' users for the following attributes.
>
> "ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
> krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
> krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"
>
> "userPassword" and "krbPrincipalKey" are not "read-only" attributes,
> so I guess that is the reason why they are not part of this list.
>
> For User life cycle, I would need admin users to be granted read
> access on "userPassword" and "krbPrincipalKey".
> The scope could be limited to the Stage container, but I was wondering if
> there is a security reason not to grant read access on the full suffix?
AFAIK admins were not given read access to keys and passwords on purpose, as a security measure. It prevents accidental key disclosure when an admin does an ldapsearch and posts the result somewhere (e.g. while debugging something).

I did not follow the whole user life-cycle discussion. Why do you need read access to it? Is it because you plan to do add/del instead of modrdn?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
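As an added example (not code from the thread or from FreeIPA), a small audit check that parses the `targetattr` clause of a 389-ds style ACI and reports whether `userPassword` or `krbPrincipalKey` would become readable; the complete ACI strings below are constructed around the attribute list quoted above, and the `groupdn` suffix is a placeholder.

```python
import re

# Attributes the thread says were deliberately left out of admin read ACIs
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey"}

ATTR_CLAUSE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)

def parse_aci(aci):
    """Return (acl name, targetattr operator, attribute list, granted rights)."""
    m = ATTR_CLAUSE.search(aci)
    if not m:
        raise ValueError("no targetattr clause found")
    op, attr_text = m.group(1), m.group(2)
    attrs = [a.strip().lower() for a in attr_text.split("||") if a.strip()]
    name = ACL_NAME.search(aci).group(1)
    rights = {r.strip().lower() for r in ALLOW.search(aci).group(1).split(",")}
    return name, op, attrs, rights

def exposed_secrets(aci):
    """Sensitive attributes this ACI makes readable (empty set means OK)."""
    _, op, attrs, rights = parse_aci(aci)
    if not rights & {"read", "search", "compare", "all"}:
        return set()
    if op == "=":
        # Positive list: exposed only if a secret (or the wildcard) is named
        if "*" in attrs:
            return set(SENSITIVE_ATTRS)
        return SENSITIVE_ATTRS & set(attrs)
    # "!=" grants every attribute EXCEPT those listed
    return SENSITIVE_ATTRS - set(attrs)

# Constructed ACI around the attribute list quoted in the thread
ADMIN_RO_ACI = (
    '(targetattr = "ipaUniqueId || memberOf || enrolledBy || krbExtraData || '
    'krbPrincipalName || krbCanonicalName || krbPasswordExpiration || '
    'krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")'
    '(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) '
    'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)
# Constructed variant that adds userPassword to the same list
BAD_ACI = ADMIN_RO_ACI.replace('krbLastFailedAuth"', 'krbLastFailedAuth || userPassword"')
# Constructed negated form: everything except userPassword is readable
NEGATED_ACI = ('(targetattr != "userPassword")(version 3.0; acl "constructed negated"; '
               'allow (read) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)')

if __name__ == "__main__":
    for aci in (ADMIN_RO_ACI, BAD_ACI, NEGATED_ACI):
        print(parse_aci(aci)[0], "->", exposed_secrets(aci) or "no secrets exposed")
```

Run it against the ACIs exported from a directory server to confirm that no admin-readable rule, positive or negated, reaches the password or key attributes.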