The enrolledBy attribute should be removed when we unenroll a host.
remove enrolledBy freeipa-581-unenroll.patch
updated patch freeipa-581-2-unenroll.patch
Use a targattrfilters to allow deleting the enrolledBy attribute when it is not empty and krblastpwdchange is empty. We clear out the principal before enrolledby during unenrollment.
This means that as long as a host is enrolled the enrolledBy cannot be changed. When the host is not enrolled enrolledBy can only be removed.
I talked to the team about this in one of our dev meetings. In order to remove this we have to rely on the existence of krbprincipalkey which we can't read/compare/etc.
It doesn't seem like a show-stopper to leave this after a host is unenrolled. We can still see that the host has been unenrolled, it may have some historical value to show the last enroller.
In any case we'd like to defer this for now.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: Tickets Deferred
The team has evaluated this request and has determined that due to lack of time it will not be implemented.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.