summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Kosek <mkosek@redhat.com>2011-02-22 15:25:43 +0100
committerRob Crittenden <rcritten@redhat.com>2011-02-22 10:04:19 -0500
commit744eb8ea740d9f63a1757cb4d83f63ee4096dea0 (patch)
treecf5e24db476d77bad5507f1b6e6bea9401fad072
parentac68ea3c6c633206a01db5a0b74b994ab0c29093 (diff)
downloadfreeipa-744eb8ea740d9f63a1757cb4d83f63ee4096dea0.zip
freeipa-744eb8ea740d9f63a1757cb4d83f63ee4096dea0.tar.gz
freeipa-744eb8ea740d9f63a1757cb4d83f63ee4096dea0.tar.xz
Entitlements ACIs not visible to Permission plugin
This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997
-rw-r--r--install/share/delegation.ldif9
1 files changed, 6 insertions, 3 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 02dc850..5d4949a 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -152,6 +152,7 @@ objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Register and Write Entitlements
+description: Register and Write Entitlements
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
@@ -160,6 +161,7 @@ objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Read Entitlements
+description: Read Entitlements
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
@@ -518,6 +520,7 @@ changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
+cn: Register Entitlements
member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
@@ -656,17 +659,17 @@ aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=comp
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.