summaryrefslogtreecommitdiffstats
path: root/install/share/default-aci.ldif
diff options
context:
space:
mode:
Diffstat (limited to 'install/share/default-aci.ldif')
-rw-r--r--install/share/default-aci.ldif3
1 files changed, 2 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ecdf98dd..a18245fe 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -46,8 +46,9 @@ add: aci
aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; aci "Hosts can manage service Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
# Allow hosts to update their own certificate in host/
+# krbLastPwdChange lets a host unenroll itself
dn: cn=computers,cn=accounts,$SUFFIX
changetype: modify
add: aci
-aci: (targetattr="userCertificate")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)
generated by cgit (git 2.34.1) at 2024-05-01 09:14:46 +0000