author | Martin Kosek <mkosek@redhat.com> | 2014-07-04 09:32:08 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-04 12:17:04 +0200 |
commit | ef83a0c67884274be000f3b4fcc8150e8910bcb7 (patch) | |
tree | d95fea530d786010ec2a2acc325c6ab568ebb4ee /ACI.txt | |
parent | 52bcf5345c9a920db513ed3fc8c2dc029661ecf2 (diff) | |
Add Modify Realm Domains permission
The permission is required for DNS Administrators because the realm domains
object is updated when a master zone is added.
https://fedorahosted.org/freeipa/ticket/4423
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ACI.txt')
-rw-r--r-- | ACI.txt | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -154,6 +154,8 @@ dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=exa
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example |
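Review bot: The added ACI for "System: Modify Realm Domains" limits its write grant only with `(targetfilter = "(objectclass=domainrelatedobject)")`, so what it covers depends on the entry the ACI is attached to, which this listing does not show. If it is attached above the realm domains object, `associateddomain` on any other entry with that objectclass in the subtree would presumably become writable as well; attaching the ACI to the realm domains entry itself, or adding `(target = "ldap:///<DN of the realm domains entry>")`, removes that ambiguity. Because the commit message ties this permission to DNS Administrators, the permission's description should also state that holders can change the realm's domain list, not only DNS zones.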