diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2012-02-20 19:36:21 +0100 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2012-02-20 19:38:49 +0100 |
| commit | ffd39503c1e4c1b7a309953e232d4727551a58c3 (patch) | |
| tree | 0b2f5ed17a6bf66041d7314a308fc0a045928792 | |
| parent | efb37739ab1b3a7c9d87af7a2d8ed57a1d0d5abe (diff) | |
| download | freeipa-ffd39503c1e4c1b7a309953e232d4727551a58c3.tar.gz freeipa-ffd39503c1e4c1b7a309953e232d4727551a58c3.tar.xz freeipa-ffd39503c1e4c1b7a309953e232d4727551a58c3.zip | |
Limit the change password permission so it can't change admin passwords
We don't want those in the helpdesk role to be able to reset
administrators passwords.
https://fedorahosted.org/freeipa/ticket/2271
| -rw-r--r-- | install/share/delegation.ldif | 2 | ||||
| -rw-r--r-- | install/updates/40-delegation.update | 5 |
2 files changed, 6 insertions, 1 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 0fe447466..f46589eb8 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -565,7 +565,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";) diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 6384f8eb7..74d882bd3 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -326,3 +326,8 @@ add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accou dn: $SUFFIX add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)' + +# Limit the change password permission so it can't change the passwords +# of administrators +dn: $SUFFIX +replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)' |