On Mon, 15 Apr 2013, Petr Spacek wrote:
On 15.4.2013 15:39, Rob Crittenden wrote:
There is no easy way to do this. We start with granting all authenticated
users read access to the tree with the exception of certain attributes (like
passwords).
You'd have to start by removing that, then one by one granting read access to
the various containers based on, well, something.
Would it be possible to create a new role to allow current 'read-all
access' and add this role to all users by default?
It could be much simpler to change the behaviour with this role, or not? :-)
It would affect service accounts (include host/fqdn@REALM) since roles
cannot be applied to them, if I remember correctly. We would need to
make an exclusive ACI that allows all services to gain read only access...
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
