author | Rob Crittenden <rcritten@redhat.com> | 2010-11-17 15:04:33 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-11-30 14:30:52 -0500 |
commit | d644d17adf117321747db1e4e22a771fbea3b09e (patch) | |
tree | 8a7a5fa1b1ae82fee66ae01f5fa281125141ef70 /install/updates/40-delegation.update | |
parent | 88133ab43cecc68248bb95014d1716aa5b74bc75 (diff) | |
download | freeipa-d644d17adf117321747db1e4e22a771fbea3b09e.tar.gz freeipa-d644d17adf117321747db1e4e22a771fbea3b09e.tar.xz freeipa-d644d17adf117321747db1e4e22a771fbea3b09e.zip |
Reduce the number of attributes a host is allowed to write.
The list of attributes that a host bound as itself could write was
overly broad.
A host can now only update its description, information about itself
(such as OS release), and its certificate, password and keytab.
ticket 416
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 085cd1f81..7dc12d8c9 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -241,7 +241,7 @@ add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
 add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description || l || nshostlocation ||
+add:aci: '(targetattr = "description || l || nshostlocation ||
 nshardwareplatform || nsosversion") (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
@@ -501,7 +501,7 @@ add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and # set enrolledBy to whoever ran join. dn: $SUFFIX
-add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass")
+add:aci: '(targetattr = "enrolledBy || objectClass")
 (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") (version 3.0;acl "Enroll a host"; allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, |
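Review bot: Editing the value of an `add:aci:` directive narrows the grant only for fresh installs; on a server that already ran the previous version of this file, nothing in these two hunks removes the ACI values that still list `cn` (Modify Hosts) and `krbPrincipalName` (Enroll a host), so an upgraded deployment would carry both the old and the new ACI and the broader write access would remain in effect. Unless another file in this commit handles it (the diffstat shown is limited to this file), each changed line should be preceded by a `remove:aci:` directive carrying the exact old value, i.e. `remove:aci: '(targetattr = "cn || description || l || nshostlocation ||` followed by the same continuation, target and acl text as the removed line, and likewise `remove:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass")` with the rest of the removed "Enroll a host" ACI. The comment above the second ACI, `# set the krbPrincipalName, add krbPrincipalAux to objectClass and`, is now stale since krbPrincipalName is no longer in the targetattr list; it should read `# add krbPrincipalAux to objectClass and set enrolledBy to whoever ran join.`, and a short note that `objectClass` must stay writable for the aux class would explain why that attribute is still granted. Both ACI definitions continue past the end of their hunks.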