Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Petr Viktorin
On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote: Admin access to read-only attributes such as ipaUniqueId, memberOf, krbPrincipalName is provided by the anonymous read ACI, which will go away. This patch adds a blanket read ACI for these. I also

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Martin Kosek
On 04/24/2014 09:41 AM, Petr Viktorin wrote: On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote: Admin access to read-only attributes such as ipaUniqueId, memberOf, krbPrincipalName is provided by the anonymous read ACI, which will go away. This

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Simo Sorce
On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote: On 04/24/2014 09:41 AM, Petr Viktorin wrote: On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote: Admin access to read-only attributes such as ipaUniqueId, memberOf, krbPrincipalName is

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Martin Kosek
On 04/24/2014 02:28 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote: On 04/24/2014 09:41 AM, Petr Viktorin wrote: On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote: Admin access to read-only attributes such as

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Petr Viktorin
On 04/24/2014 03:18 PM, Martin Kosek wrote: On 04/24/2014 02:28 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote: On 04/24/2014 09:41 AM, Petr Viktorin wrote: On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote: Admin

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Simo Sorce
On Thu, 2014-04-24 at 15:18 +0200, Martin Kosek wrote: On 04/24/2014 02:28 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote: On 04/24/2014 09:41 AM, Petr Viktorin wrote: On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Martin Kosek
On 04/24/2014 03:42 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 15:18 +0200, Martin Kosek wrote: On 04/24/2014 02:28 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote: On 04/24/2014 09:41 AM, Petr Viktorin wrote: On 04/23/2014 08:56 PM, Simo Sorce wrote: On Wed,

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-24 Thread Simo Sorce
On Thu, 2014-04-24 at 16:47 +0200, Martin Kosek wrote: On 04/24/2014 03:42 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 15:18 +0200, Martin Kosek wrote: On 04/24/2014 02:28 PM, Simo Sorce wrote: On Thu, 2014-04-24 at 14:17 +0200, Martin Kosek wrote: On 04/24/2014 09:41 AM, Petr Viktorin

[Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-23 Thread Petr Viktorin
Admin access to read-only attributes such as ipaUniqueId, memberOf, krbPrincipalName is provided by the anonymous read ACI, which will go away. This patch adds a blanket read ACI for these. I also moved some related ACIs to 20-aci.update. Previously krbPwdHistory was also readable by admins. I

Re: [Freeipa-devel] [PATCHES] 0536-0537 Add ACI for read-only admin attributes

2014-04-23 Thread Simo Sorce
On Wed, 2014-04-23 at 20:37 +0200, Petr Viktorin wrote: Admin access to read-only attributes such as ipaUniqueId, memberOf, krbPrincipalName is provided by the anonymous read ACI, which will go away. This patch adds a blanket read ACI for these. I also moved some related ACIs to