Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/28/2014 11:14 AM, Alexander Bokovoy wrote: On Fri, 18 Apr 2014, Petr Viktorin wrote: From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52 +0200 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs These attributes contain secrets for the trusts and should not be returned by default. --- ipalib/plugins/trust.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -306,12 +306,11 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', -'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', +'ipanttrustpartner', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ] + 'ipanttrusteddomainsid', 'ipanttrusttype'] label = _('Trusts') label_singular = _('Trust') ACK. This all looks fine, I only have one question -- SID blacklists now became invisible by default to anyone. Even admins can't see them other than with --all. I'm not sure they are really that important to deny access to, but it makes sense to reduce their visibility to normal users. I think we should differentiate 2 aspects of trust plugin patches: 1) SID blacklist access: with current patches, only admin, trust admins and people with appropriate permission/privilege will have access to SID blacklists. Normal users will only see basic trust attributes (see patch 529.2). If this is not OK, and everyone should be able to see them, please yell. 2) SID blacklist visibility: with proposed patches, SID blacklist will be hidden unless --all option is passed. I think this is rather a UX question than functional question. Whether SID blacklist should be printed with each trust-find or trust-show. I would personally not show them to make the display simpler and would remove search_display_attributes entirely (or make blacklist shown in trust-show, but not with trust-find) but I do not insist. 
Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On Mon, 28 Apr 2014, Martin Kosek wrote: On 04/28/2014 11:14 AM, Alexander Bokovoy wrote: On Fri, 18 Apr 2014, Petr Viktorin wrote: From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52 +0200 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs These attributes contain secrets for the trusts and should not be returned by default. --- ipalib/plugins/trust.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -306,12 +306,11 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', -'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', +'ipanttrustpartner', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ] + 'ipanttrusteddomainsid', 'ipanttrusttype'] label = _('Trusts') label_singular = _('Trust') ACK. This all looks fine, I only have one question -- SID blacklists now became invisible by default to anyone. Even admins can't see them other than with --all. I'm not sure they are really that important to deny access to, but it makes sense to reduce their visibility to normal users. I think we should differentiate 2 aspects of trust plugin patches: 1) SID blacklist access: with current patches, only admin, trust admins and people with appropriate permission/privilege will have access to SID blacklists. Normal users will only see basic trust attributes (see patch 529.2). If this is not OK, and everyone should be able to see them, please yell. I'm OK with this state. 2) SID blacklist visibility: with proposed patches, SID blacklist will be hidden unless --all option is passed. I think this is rather a UX question than functional question. Whether SID blacklist should be printed with each trust-find or trust-show. I would personally not show them to make the display simpler and would remove search_display_attributes entirely (or make blacklist shown in trust-show, but not with trust-find) but I do not insist. 
The only potential issue in not showing them is that this breaks whatever QE tests expected in past. I.e. if they were expecting SID blacklist to be shown, that would be broken. To my knowledge there is no real dependency on such data in the QE scripts yet.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/28/2014 12:38 PM, Alexander Bokovoy wrote: On Mon, 28 Apr 2014, Martin Kosek wrote: On 04/28/2014 11:14 AM, Alexander Bokovoy wrote: On Fri, 18 Apr 2014, Petr Viktorin wrote: From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52 +0200 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs These attributes contain secrets for the trusts and should not be returned by default. --- ipalib/plugins/trust.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -306,12 +306,11 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', -'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', +'ipanttrustpartner', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ] + 'ipanttrusteddomainsid', 'ipanttrusttype'] label = _('Trusts') label_singular = _('Trust') ACK. This all looks fine, I only have one question -- SID blacklists now became invisible by default to anyone. Even admins can't see them other than with --all. I'm not sure they are really that important to deny access to, but it makes sense to reduce their visibility to normal users. I think we should differentiate 2 aspects of trust plugin patches: 1) SID blacklist access: with current patches, only admin, trust admins and people with appropriate permission/privilege will have access to SID blacklists. Normal users will only see basic trust attributes (see patch 529.2). If this is not OK, and everyone should be able to see them, please yell. I'm OK with this state. 2) SID blacklist visibility: with proposed patches, SID blacklist will be hidden unless --all option is passed. I think this is rather a UX question than functional question. Whether SID blacklist should be printed with each trust-find or trust-show. I would personally not show them to make the display simpler and would remove search_display_attributes entirely (or make blacklist shown in trust-show, but not with trust-find) but I do not insist. 
> The only potential issue in not showing them is that this breaks whatever QE tests expected in past. I.e. if they were expecting SID blacklist to be shown, that would be broken. To my knowledge there is no real dependency on such data in the QE scripts yet.

I would personally drive FreeIPA development by what we see as the right behavior, not by state of a potentially old QE scripts. Tests should reflect such changes in the code and adhere to them, not vice versa, IMO.

Martin
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/28/2014 11:14 AM, Alexander Bokovoy wrote: On Fri, 18 Apr 2014, Petr Viktorin wrote: From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52 +0200 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs These attributes contain secrets for the trusts and should not be returned by default. --- ipalib/plugins/trust.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -306,12 +306,11 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', -'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', +'ipanttrustpartner', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ] + 'ipanttrusteddomainsid', 'ipanttrusttype'] label = _('Trusts') label_singular = _('Trust') ACK. Thanks, pushed to master: e31688909cbc5f7ab6c8d03bb28786a2dd29efe4 This all looks fine, I only have one question -- SID blacklists now became invisible by default to anyone. Even admins can't see them other than with --all. I'm not sure they are really that important to deny access to, but it makes sense to reduce their visibility to normal users. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/18/2014 03:40 PM, Martin Kosek wrote:
> On 04/18/2014 01:55 PM, Petr Viktorin wrote:
>> On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
>>> On Thu, 17 Apr 2014, Simo Sorce wrote:
>>>> On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
>>>>> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>>
>>>>>> While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
>>>>>
>>>>> I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default attributes? I do not think so. It is supposed to hold a secret for the trust, I do not think you want it displayed on your terminal by default - even if you have a right to display it.
>>>>
>>>> Yep, should not be returned by default to any command line utility.
>>>
>>> Agreed. I wanted to remove it too the other day but forgot to file a ticket.
>>
>> I see. Here is a patch to remove them.
>
> Why did you remove SID blacklists from search_display_attributes? Is this what we want?

Oops, a mistake on my part.

> It changes trust-find behavior from:
>
>     # ipa trust-find
>     ---
>     1 trust matched
>     ---
>     Realm name: tbad.example.com
>     Domain NetBIOS name: TBAD
>     Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>     SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>     SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>     Trust type: Active Directory domain
>     Number of entries returned 1
>
> to
>
>     # ipa trust-find
>     ---
>     1 trust matched
>     ---
>     Realm name: tbad.example.com
>     Domain NetBIOS name: TBAD
>     Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
>     Trust type: Active Directory domain
>     Number of entries returned 1
>
> I am not saying it is necessarily a bad thing to do. It IMO actually makes find output consistent with trust-show and better to read. I would personally remove search_display_attributes all together since we are poking in this part and let trust return default attributes in the trust-find command.
>
> Martin

Alexander, would you be okay with that?

--
Petr³
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/17/2014 10:12 PM, Alexander Bokovoy wrote: On Thu, 17 Apr 2014, Simo Sorce wrote: On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote: On 04/17/2014 07:11 PM, Petr Viktorin wrote: Hello, While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix. I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default attributes? I do not think so. It is supposed to hold a secret for the trust, I do not think you want it displayed on your terminal by default - even if you have a right to display it. Yep, should not be returned by default to any command line utility. Agreed. I wanted to remove it too the other day but forgot to file a ticket. I see. Here is a patch to remove them. -- Petr³ From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52 +0200 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs These attributes contain secrets for the trusts and should not be returned by default. --- ipalib/plugins/trust.py | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -306,12 +306,11 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', -'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', +'ipanttrustpartner', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ] + 'ipanttrusteddomainsid', 'ipanttrusttype'] label = _('Trusts') label_singular = _('Trust') -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
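Review bot: The search_display_attributes change at the end of the hunk is not covered by the commit message: it drops 'ipantsidblacklistincoming' and 'ipantsidblacklistoutgoing', while the message only describes removing the trust auth attributes from default_attributes. Either restore those two entries or move the display change into its own commit whose message says the SID blacklists are no longer listed in search output. The subject line also writes the attributes as ipatrustauth{incoming,outgoing}, whereas the names in the code start with ipant; using the same spelling would make the commit findable by searching for the attribute name.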
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/18/2014 01:55 PM, Petr Viktorin wrote:
> On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
>> On Thu, 17 Apr 2014, Simo Sorce wrote:
>>> On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
>>>> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>>
>>>>> While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
>>>>
>>>> I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default attributes? I do not think so. It is supposed to hold a secret for the trust, I do not think you want it displayed on your terminal by default - even if you have a right to display it.
>>>
>>> Yep, should not be returned by default to any command line utility.
>>
>> Agreed. I wanted to remove it too the other day but forgot to file a ticket.
>
> I see. Here is a patch to remove them.

Why did you remove SID blacklists from search_display_attributes? Is this what we want?

It changes trust-find behavior from:

    # ipa trust-find
    ---
    1 trust matched
    ---
    Realm name: tbad.example.com
    Domain NetBIOS name: TBAD
    Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
    SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
    SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
    Trust type: Active Directory domain
    Number of entries returned 1

to

    # ipa trust-find
    ---
    1 trust matched
    ---
    Realm name: tbad.example.com
    Domain NetBIOS name: TBAD
    Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
    Trust type: Active Directory domain
    Number of entries returned 1

I am not saying it is necessarily a bad thing to do. It IMO actually makes find output consistent with trust-show and better to read. I would personally remove search_display_attributes all together since we are poking in this part and let trust return default attributes in the trust-find command.

Martin
[Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
Hello, While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix. -- Petr³ From ef98055a524dffbe98098def896f40592a3fdac4 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Thu, 17 Apr 2014 19:06:52 +0200 Subject: [PATCH] trust plugin: Fix typo in attribute name --- ipalib/plugins/trust.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f57cf7d891928903fdbee67697b96db4ad2679b7..428d6463de092f378458f837fe7ea9ad002a4480 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -307,7 +307,7 @@ class trust(LDAPObject): object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', -'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', +'ipanttrustauthoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
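Review bot: The commit message is only a subject line and does not say what correcting 'ipantauthtrustoutgoing' to 'ipanttrustauthoutgoing' in default_attributes changes for callers. The corrected entry sits next to 'ipanttrustauthincoming' in the list of attributes returned by default, so the message should state whether these two trust auth attributes are meant to be in that list at all; otherwise the fix reads as purely cosmetic when it changes the default attribute set.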
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On 04/17/2014 07:11 PM, Petr Viktorin wrote:
> Hello,
>
> While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.

I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default attributes? I do not think so. It is supposed to hold a secret for the trust, I do not think you want it displayed on your terminal by default - even if you have a right to display it.

Martin
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>> Hello,
>>
>> While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
>
> I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default attributes? I do not think so. It is supposed to hold a secret for the trust, I do not think you want it displayed on your terminal by default - even if you have a right to display it.

Yep, should not be returned by default to any command line utility.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name
On Thu, 17 Apr 2014, Simo Sorce wrote:
> On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
>> On 04/17/2014 07:11 PM, Petr Viktorin wrote:
>>> Hello,
>>>
>>> While working on the trust permissions I found a typo in the 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
>>
>> I think the right question to ask - do we want to have ipanttrustauth{incoming,outgoing} in default attributes? I do not think so. It is supposed to hold a secret for the trust, I do not think you want it displayed on your terminal by default - even if you have a right to display it.
>
> Yep, should not be returned by default to any command line utility.

Agreed. I wanted to remove it too the other day but forgot to file a ticket.

--
/ Alexander Bokovoy