Hi. I took a look at this in preparation for the 1.14.2 update. Unfortunately, I can't really do what you ask and ship kadm5.acl as a conffile.
To be a conffile, in the usual case, the file needs to not be modified from what the package ships. However, by default we currently ship a version with all entries commented out. So, it's fairly likely that sysadmins have modified the file at least to uncomment the entry. I'd appreciate your input on what we want the behavior to be. Do you think it would be reasonable to ship a kadm5.acl that had */admin uncommented by default? If so, then I could convert either the default we ship in jessie or the version with that uncommented into a conffile. However, if it becomes a conffile, neither freeipa setup scripts nor package scripts can touch it. Will that be okay for you?

--Sam