summaryrefslogtreecommitdiffstats
path: root/install/share
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2014-01-09 14:19:49 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-01-14 15:22:27 +0100
commit3e1386a57e915a71c87471ee65877f3ab01fc724 (patch)
tree52a09234becf1e42a02d88810898626ba4b0946a /install/share
parent367c1301857f475baa1ed58c06ca0379d42847d5 (diff)
downloadfreeipa-3e1386a57e915a71c87471ee65877f3ab01fc724.tar.gz
freeipa-3e1386a57e915a71c87471ee65877f3ab01fc724.tar.xz
freeipa-3e1386a57e915a71c87471ee65877f3ab01fc724.zip
acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
Since we're exposing the krbPrincipalExpiration attribute for direct editing in the CLI, remove it from the list of attributes that admin cannot edit by default. Part of: https://fedorahosted.org/freeipa/ticket/3306
Diffstat (limited to 'install/share')
-rw-r--r--install/share/default-aci.ldif2
1 files changed, 1 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 510ea3284..9af9ab28c 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -5,7 +5,7 @@ changetype: modify
add: aci
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)