author | Rob Crittenden <rcritten@redhat.com> | 2009-10-02 09:27:08 -0400 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-10-05 13:27:34 -0600 |
commit | 48785a5af1a2dbabd6da4cfaee000d3100260f4d (patch) | |
tree | b93f8fb56e1543fa88c1977490249a63723902eb | |
parent | 8de6dc00dc3fc7e7a20ea6fcb6b8817224a974d7 (diff) | |
Loosen the ACI for the KDC to allow adds/deletes
Password policy entries must be a child of the entry protected by this
ACI.
Also change the format of this because in DS it was stored as:
\n(target)\n so was base64-encoded when it was retrieved.
-rw-r--r-- | ipaserver/install/krbinstance.py | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a6caa81eb..f45075cf2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -44,9 +44,7 @@ import pyasn1.codec.ber.encoder
 import pyasn1.codec.ber.decoder
 import struct
-KRBMKEY_DENY_ACI = """
-(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-"""
+KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)'
 def update_key_val_in_file(filename, key, val):
 if os.path.exists(filename): |
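Review bot: The new single-line `KRBMKEY_DENY_ACI` has no comment recording why the denied rights are enumerated instead of `all`, or why the value must not start with a newline. Both reasons exist only in the commit message, so a later cleanup could restore `deny (all)` or the triple-quoted form and bring back the blocked password-policy adds/deletes or the base64-encoded value. I would add above the assignment `# Deny only read/write/search/compare on krbMKey: add and delete must stay allowed so password policy entries can be created below this entry.` and `# Keep on one line; a leading newline makes DS return the stored ACI base64-encoded.` Separately, the enumerated list appears to drop `selfwrite` as well as `add` and `delete` relative to `all`. That is probably harmless for this attribute, but it is worth confirming against the directory server's access-control documentation that nobody other than the kdc account can modify `krbMKey` through it.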