author | Petr Viktorin <pviktori@redhat.com> | 2014-03-26 17:11:23 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-04-14 12:05:40 +0200 |
commit | f10ec17c03dfe6bdf46903e89f68fa588664fdc0 (patch) | |
tree | 6c34ff0ca78bdbbd04ccce95690be5e49ea48780 | |
parent | c08f8d2f1e61e607a493980880a81120ad01a045 (diff) | |
Add managed read permissions to pwpolicy and cosentry
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | install/updates/40-delegation.update | 7 | ||||
-rw-r--r-- | ipalib/plugins/pwpolicy.py | 34 |
2 files changed, 41 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index e90819a51..27e605789 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -401,3 +401,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: RBAC Readers
 default:description: Read roles, privileges, permissions and ACIs
+
+dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Password Policy Readers
+default:description: Read password policies
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 46e839a70..1d546ea75 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -78,7 +78,22 @@ class cosentry(LDAPObject):
     container_dn = DN(('cn', 'costemplates'), api.env.container_accounts)
     object_class = ['top', 'costemplate', 'extensibleobject', 'krbcontainer']
+    permission_filter_objectclasses = ['costemplate']
     default_attributes = ['cn', 'cospriority', 'krbpwdpolicyreference']
+    managed_permissions = {
+        'System: Read Group Password Policy costemplate': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'cospriority', 'krbpwdpolicyreference', 'objectclass',
+            },
+            'default_privileges': {
+                'Password Policy Readers',
+                'Password Policy Administrator',
+            },
+        },
+    }
     takes_params = (
         Str('cn', primary_key=True),
@@ -180,12 +195,31 @@ class pwpolicy(LDAPObject):
     object_name = _('password policy')
     object_name_plural = _('password policies')
     object_class = ['top', 'nscontainer', 'krbpwdpolicy']
+    permission_filter_objectclasses = ['krbpwdpolicy']
     default_attributes = [
         'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
         'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength',
         'krbpwdmaxfailure', 'krbpwdfailurecountinterval',
         'krbpwdlockoutduration',
     ]
+    managed_permissions = {
+        'System: Read Group Password Policy': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
+                'krbpwdfailurecountinterval', 'krbpwdhistorylength',
+                'krbpwdlockoutduration', 'krbpwdmaxfailure',
+                'krbpwdmindiffchars', 'krbpwdminlength', 'objectclass',
+            },
+            'default_privileges': {
+                'Password Policy Readers',
+                'Password Policy Administrator',
+            },
+        },
+    }
+
     MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
     has_lockout = False
     lockout_params = ()
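Review bot: With `'ipapermbindruletype': 'permission'` combined with `'replaces_global_anonymous_aci': True`, the new 'System: Read Group Password Policy' permission leaves krbpwdpolicy entries readable only to holders of the two listed privileges, so an authenticated user who is not a Password Policy Reader or Administrator loses the read access the anonymous ACI previously gave them; whether that also breaks a user reading their own effective policy depends on how pwpolicy-show resolves it, which is outside this hunk. If ordinary users are expected to see the policy that applies to them, the bind rule should be `'ipapermbindruletype': 'all'` (authenticated users, while still dropping anonymous reads); if admin/reader-only access is intended, a one-line comment stating that would document the decision for the next person who hits a permission error. The cosentry permission added in the earlier hunk of this file has the same bind rule and needs the same decision. Separately, `ipapermdefaultattr` restates `default_attributes` by hand; a short comment noting that the list is deliberately explicit (so the stored permission stays stable across upgrades) would keep the two from drifting apart unnoticed when a new policy attribute is added.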