author | Rob Crittenden <rcritten@redhat.com> | 2010-07-21 15:44:49 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-07-29 10:50:29 -0400 |
commit | d4adbc8052faf18fb31e7b1865037aa107067d4b (patch) | |
tree | 78bdceb1b3b637be34fbb11ff34d8d17fdf88446 | |
parent | b7ca3d68c28b54500a2f908c4e2e6c89b2433461 (diff) | |
Add container and initial ACIs for entitlement support
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in it. The DN will contain the UUID of the entitlement.
ticket #27
-rw-r--r-- | install/share/bootstrap-template.ldif | 6 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 37 |
2 files changed, 43 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 0d16d1dfd..f1f36a64d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,6 +64,12 @@ objectClass: nsContainer
 objectClass: top
 cn: sysaccounts
+dn: cn=entitlements,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: entitlements
+
 dn: cn=ipa,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index fa8d2af1a..f63534c8d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -85,6 +85,12 @@ add:objectClass: nestedgroup
 add:cn: enrollhost
 add:description: Host Enrollment
+dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: entitlementadmin
+add:description: Entitlement Administrators
+
 # Add the taskgroups referenced by the ACIs for user administration
 dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -693,3 +699,34 @@ add: aci: '(targetattr=*)(targetfilter="(|(objectclass= nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement ))")(version 3.0;acl "Delete replication agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Entitlement management
+dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: addentitlements
+add:description: Add Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: removeentitlements
+add:description: Remove Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: modifyentitlements
+add:description: Modify Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
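Review bot: The three ACIs added at the end of this hunk (the `dn: $SUFFIX` / `add: aci:` pairs) hard-code `dc=greyoak,dc=com` in both their `target` and `groupdn` clauses, while every other DN in the hunk, including the taskgroup members and the existing "Delete replication agreements" ACI, uses `$SUFFIX`. On any deployment whose suffix is not dc=greyoak,dc=com the target will never match the real `cn=entitlements,cn=etc` container and the groupdn will name a group that does not exist, so the add/write/delete grants for the new entitlementadmin rolegroup will presumably never take effect and the failure will be silent. The add ACI should read `add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'`, with the same `$SUFFIX` substitution in the modify and remove ACIs. A smaller point of style: the delete ACI is named "Remove entitlement entries" while its siblings are "Add entitlements" and "Modify entitlements"; since ACIs are later matched by name, a consistent "Remove entitlements" avoids a mismatch in future updates.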