authorRob Crittenden <rcritten@redhat.com>2011-03-29 13:15:22 -0400
committerRob Crittenden <rcritten@redhat.com>2011-03-30 10:03:44 -0400
commit87193366526e645475792cde2450cc7cc48802ad (patch)
tree6e8cff5481b867e95386061d774889c6a05cebc0
parent6fbe0e86e94d475ae13e99f1444b9ede6887a98d (diff)
Allow a client to enroll using principal when the host has a OTP
If the host has a one-time password but krbPrincipalName has not been set yet, enrollment fails because writing the principal is not allowed. This adds an ACI that only permits the attribute to be written if it is not already set. Ticket 1075
-rw-r--r--install/updates/40-delegation.update18
1 files changed, 18 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index aa431e7b7..96cc59e74 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -240,3 +240,21 @@ add:aci: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Allow an admin to enroll a host that has a one-time password.
+# When a host is created with a password no krbPrincipalName is set.
+# This will let it be added if the client ends up enrolling with
+# an administrator instead.
+dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Add krbPrincipalName to a host
+default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
+add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
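Review bot: The new ACI under `dn: $SUFFIX` constrains only when krbprincipalname may be written (the `targetfilter` requires it to be unset) and not what value is written, so any holder of the Host Enrollment or Host Administrators privilege can set an arbitrary principal on any entry under cn=computers that has none yet, not only host/<fqdn>@$REALM. If the value is meant to be limited to the host's own principal, that has to be enforced elsewhere (a value-level ACI filter such as 389-ds `targattrfilters`, or the server-side enrollment code), and the header comment should say so; I would add `# The ACI only checks that krbPrincipalName is unset; the value written is not validated by this ACI.`. The header comment also says "Allow an admin to enroll a host", but the permission's members are the Host Administrators and Host Enrollment privileges, so it should name those privileges rather than "an admin". Finally, the last two lines add cn=admins to the Host Enrollment privilege, which widens that privilege beyond the krbPrincipalName case this ticket is about; the commit message should mention that side effect.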