summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2008-05-22 17:55:27 -0400
committerSimo Sorce <ssorce@redhat.com>2008-05-23 15:07:37 -0400
commit3931d1d753289630d0a4199b6100302ddca2bd47 (patch)
tree7745305ed9b96d728d8c8c2f01740d1f5ecaf2be
parent0695649926781f0eb34ffd26557d09683d888cfa (diff)
downloadfreeipa-3931d1d753289630d0a4199b6100302ddca2bd47.tar.gz
freeipa-3931d1d753289630d0a4199b6100302ddca2bd47.tar.xz
freeipa-3931d1d753289630d0a4199b6100302ddca2bd47.zip
Move admin into cn=users,cn=accounts
After some deep thinking I think the advantages of keeping all posix enabled user accounts under cn=users,cn=accounts overweight a perceived better protection of the admin account by keeping it in a separate tree.
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif4
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif4
-rw-r--r--ipa-server/ipaserver/dsinstance.py2
3 files changed, 5 insertions, 5 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 014f9d61d..eb69ae4d0 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -58,7 +58,7 @@ objectClass: nsContainer
objectClass: top
cn: masters
-dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: person
@@ -108,7 +108,7 @@ objectClass: posixGroup
cn: admins
description: Account administrators group
gidNumber: 1001
-member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: False
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index b268ad199..9cb5d831b 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
@@ -29,7 +29,7 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
dn: cn=radius,$SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=services,cn=accounts,$SUFFIX
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index f0ff2da7b..540ff686f 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -375,7 +375,7 @@ class DsInstance(service.Service):
args = [app,
"-D", "cn=Directory Manager", "-w", self.dm_password,
"-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
- "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
+ "uid=admin,cn=users,cn=accounts,"+self.suffix]
try:
ipautil.run(args)
logging.debug("ldappasswd done")