author | Thierry Bordaz <tbordaz@redhat.com> | 2015-04-23 18:43:48 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2015-05-18 09:37:21 +0200 |
commit | 273fd057a3be797a05d6c7f34fd619d3dfa09c37 (patch) | |
tree | e731f1e78d472348cdbfdac7c341503c0ba96ed2 | |
parent | 51937cc571ec8ea5e782b8dcd45f0ec5fe0f310b (diff) | |
User life cycle: Add 'Stage User Provisioning' permission/priviledge
Add the ability for the 'Stage user provisioning' privilege to add
stage users.
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | ACI.txt | 4 | ||||
-rw-r--r-- | install/share/delegation.ldif | 8 | ||||
-rw-r--r-- | ipalib/plugins/stageuser.py | 17 |
3 files changed, 25 insertions, 4 deletions
@@ -213,7 +213,9 @@ aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprin
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add delete modify Stage Users by administrators";allow (add,delete,write) groupdn = "ldap:///cn=System: Add delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 76e726fb9..bacd9e68a 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -137,6 +137,14 @@ objectClass: nestedgroup
 cn: Stage User Administrators
 description: Stage User Administrators
 
+dn: cn=Stage User Provisioning,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: Stage User Provisioning
+description: Stage User Provisioning
+
 ############################################
 # Default permissions.
 ############################################
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index c4d9bb687..c8c92f41b 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -115,6 +115,17 @@ class stageuser(baseuser):
         #
         # Stage container
         #
+        # Stage user provisioning and Stage user Administrators,
+        # allowed to create stage users
+        'System: Add Stage Users by Provisioning and Administrators': {
+            'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+            'ipapermbindruletype': 'permission',
+            'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+            'ipapermtargetfilter': {'(objectclass=*)'},
+            'ipapermright': {'add'},
+            'ipapermdefaultattr': {'*'},
+            'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
+        },
         # Stage user administrators allowed to read kerberos/password
         # when the user is activated (to copy them in the active entry)
         'System: Read Stage User kerberos principal key and password': {
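Review bot: The comment above the new 'System: Add Stage Users by Provisioning and Administrators' entry does not state the breadth of what it grants: with `'ipapermright': {'add'}` and `'ipapermdefaultattr': {'*'}` on `uid=*` under the stage container, a member of either privilege can create a stage entry carrying any attribute, including the credential attributes that the following 'System: Read Stage User kerberos principal key and password' permission deliberately restricts to administrators on read. That is presumably intended for provisioning systems, but the comment should say so, and it should use the privilege names as spelled in `'default_privileges'` rather than the mixed-case "Stage user provisioning" / "Stage user Administrators": `# Stage User Provisioning and Stage User Administrators may create stage user` / `# entries; targetattr '*' lets the creator set any attribute on the new entry`. The managed_permissions dict and the stageuser class both start outside this hunk.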
@@ -128,14 +139,14 @@ class stageuser(baseuser):
             },
             'default_privileges': {'Stage User Administrators'},
         },
-        # Stage user administrator allowed to create/delete stage users and
+        # Stage user administrator allowed to delete stage users and
         # to update them
-        'System: Add delete modify Stage Users by administrators': {
+        'System: Delete modify Stage Users by administrators': {
             'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
             'ipapermbindruletype': 'permission',
             'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
             'ipapermtargetfilter': {'(objectclass=*)'},
-            'ipapermright': {'add','delete','write'},
+            'ipapermright': {'delete','write'},
             'ipapermdefaultattr': {'*'},
             'default_privileges': {'Stage User Administrators'},
         },
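Review bot: Renaming the managed permission from 'System: Add delete modify Stage Users by administrators' to 'System: Delete modify Stage Users by administrators' changes the key the permission updater matches on, so a server upgraded from a build that already shipped the old name would, as far as this hunk shows, keep the old permission entry and its ACI (still granting add, delete and write) alongside the new one. Other managed permissions in this codebase mark a superseded name so the updater can migrate it; if that mechanism accepts a 'System: ' name, the new entry should carry `'replaces_system': ['System: Add delete modify Stage Users by administrators'],` — confirm against the updater, since the old permission was only ever granted to the same privilege, which bounds the impact to a stale entry rather than new access. As a minor point of style the rights set is written `{'delete','write'}` without a space after the comma, unlike the surrounding literals. The enclosing managed_permissions dict and the stageuser class start outside this hunk.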