authorSimo Sorce <ssorce@redhat.com>2007-08-30 12:23:39 -0400
committerSimo Sorce <ssorce@redhat.com>2007-08-30 12:23:39 -0400
commita8fe485065ee7c2bc686bc7a4f673ce2f163ecc5 (patch)
tree5aafff7335311cb556459be0519ab0ced926a778
parentbebc413366506f4d19d98c8bb33041094beff117 (diff)
Integrate corrections pointed out on the list
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif7
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif6
-rw-r--r--ipa-server/ipa-install/share/kerberos.ldif8
3 files changed, 10 insertions, 11 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index e8e6b9b4a..7416aaece 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -45,12 +45,10 @@ objectClass: top
objectClass: account
uid: webservice
-dn: uid=admin,cn=users,cn=accounts,$SUFFIX
+dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: KrbPrincipalAux
uid: admin
@@ -68,7 +66,8 @@ changetype: add
objectClass: top
objectClass: groupofuniquenames
objectClass: posixGroup
-cn: admins
+cn: Account Admins
+description: Account administrators group
gidNumber: 1001
uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
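Review bot: The group's `cn` at L41 becomes `Account Admins`, but the ACI in default-aci.ldif (L61, new side) still grants to `groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX"`, and the group's `dn:` line sits above this hunk, so it is not visible whether the DN was renamed to match. If the DN was changed, that ACI now names a group that does not exist and the admins silently lose their add/delete/write rights; if it was not, the entry will presumably carry both `cn` values (the RDN value normally has to be present in the entry) and the two names just diverge. The two files should agree on a single group name; a comment beside the entry such as `# DN is referenced by the "Account Admins can manage Users and Groups" ACI in default-aci.ldif` would keep the next rename from drifting apart. Dropping `organizationalPerson`/`inetOrgPerson` from the admin entry at L31-L32 looks consistent with the move to `cn=sysaccounts,cn=etc`, since the remaining `person`/`posixAccount`/`KrbPrincipalAux` classes are what the ACIs at L59 and L61 filter on.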
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index a942b683e..9ed65a43c 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -3,9 +3,9 @@ dn: $SUFFIX
changetype: modify
replace: aci
aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
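Review bot: The anonymous-read ACI at L52 still excludes only `userPassword`, `krbPrincipalKey`, `sambaLMPassword` and `sambaNTPassword`, while the rewritten kpasswd ACI at L58 groups `krbPwdHistory` (with `krbPasswordExpiration` and `krbLastPwdChange`) under "password hashes"; if krbPwdHistory carries old key material, as that grouping suggests, it remains readable by any anonymous bind. Extending the exclusion list on L52 to `(targetattr!="userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || krbPwdHistory")` closes that gap; confirm first that no client depends on anonymous access to it. The rewritten L58 also keeps the misspelled ACL name `"Kpasswd access to passowrd hashes for passowrd changes"`; since the name is what identifies the rule in access-control logging, `"Kpasswd access to password hashes for password changes"` is worth fixing while the line is touched. Narrowing that rule from `(read, search, compare, write)` to `(read, write)` is a sensible tightening, as it stops the changepw identity from probing hash values through a search filter or compare.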
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
index 0ffc2bba0..d55f39ce4 100644
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@@ -15,20 +15,20 @@ cn: kerberos
aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
#sasl mapping
-dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
+dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
changetype: add
objectclass: top
objectclass: nsSaslMapping
-cn: fullprinc
+cn: Full Principal
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: $SUFFIX
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
-dn: cn=justname,cn=mapping,cn=sasl,cn=config
+dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
changetype: add
objectclass: top
objectclass: nsSaslMapping
-cn: justname
+cn: Name Only
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: $SUFFIX
nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)