Right now we allow by default "self" to change way too much stuff. For example we allow a host to bind as itself and change its cn or managedBy entries. We need to trim this list way down to the bare minimum necessary by default, and let admins relax access if they so desire. Principle of least surprise!
Closed ticket https://fedorahosted.org/freeipa/ticket/332 as duplicate
See also bug https://bugzilla.redhat.com/show_bug.cgi?id=640723
reduce list of writable attrs freeipa-rcrit-609-aci.patch
master: d644d17
Metadata Update from @simo:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0 - 2010/11
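An added example, not FreeIPA code and not the contents of the patch referenced above: a small audit that parses 389 Directory Server style ACI values and reports which attributes a rule lets "self" write beyond a minimal allowlist, the condition the ticket description complains about. The allowlist, ACL names and sample ACI strings are constructed for illustration.

```python
import re

# Hypothetical minimal allowlist for this example; not the list FreeIPA ships.
SELF_WRITE_ALLOWLIST = {"usercertificate", "krbprincipalkey"}

# Matches the common single-target form:
# (targetattr = "a || b")(version 3.0; acl "name"; allow (rights) bindrule;)
ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)'
    r'.*?acl\s+"(?P<name>[^"]*)"\s*;'
    r'\s*allow\s*\((?P<rights>[^)]*)\)(?P<bind>[^;]*);',
    re.IGNORECASE | re.DOTALL,
)

def audit_self_write(aci_values, allowlist=SELF_WRITE_ALLOWLIST):
    """Return {acl name: attrs} that a self bind may write outside allowlist."""
    allowed = {a.lower() for a in allowlist}
    findings = {}
    for aci in aci_values:
        m = ACI_RE.search(aci)
        if not m:
            continue  # unparsed form: review by hand
        rights = {r.strip().lower() for r in m["rights"].split(",")}
        if not rights & {"write", "all"}:
            continue  # read-only rule
        if "ldap:///self" not in m["bind"].lower():
            continue  # not granted to the entry itself
        if m["op"] == "!=":
            # Exclusion lists grant everything except the named attributes.
            findings[m["name"]] = ["* (all except listed)"]
            continue
        attrs = {a.strip().lower() for a in m["attrs"].split("||")}
        extra = sorted(attrs - allowed)
        if extra:
            findings[m["name"]] = extra
    return findings

# Constructed sample ACIs (not taken from a real FreeIPA install).
SAMPLE_ACIS = [
    '(targetattr = "cn || managedBy || userCertificate")(version 3.0; acl "sample host self write"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "userCertificate")(version 3.0; acl "sample host own cert"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "description")(version 3.0; acl "sample admin edit"; allow (write) groupdn = "ldap:///cn=admins,dc=example,dc=test";)',
    '(targetattr != "userPassword")(version 3.0; acl "sample self write all"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "cn")(version 3.0; acl "sample self read"; allow (read, search) userdn = "ldap:///self";)',
]

if __name__ == "__main__":
    for name, attrs in audit_self_write(SAMPLE_ACIS).items():
        print(f"{name}: {', '.join(attrs)}")
```

ACIs that use other target keywords first or several allow clauses are skipped by this regex and need manual review.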