Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

Simo Sorce Wed, 24 Nov 2010 06:39:09 -0800

On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden <[email protected]> wrote:


>  aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory ||
> krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read,
> search, compare) userdn = "ldap:///anyone";;) -aci: (targetattr !=
> "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) +aci:
> (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
> krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(versi

Nack.

Some attributes are repeated multiple times in this chunk. (krbMKey for
example).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

Reply via email to