diff options
| author | Jan Zeleny <jzeleny@redhat.com> | 2011-01-21 03:07:53 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-28 10:23:02 -0500 |
| commit | 884f43f0db6da9243dd4315bdb9b481935be2456 (patch) | |
| tree | 957c693ccedd4b2bb4d4a448fff18fcd7c04e740 /install/share/default-aci.ldif | |
| parent | 7b04b2240b92cc586fc06a8686c3616b020137fe (diff) | |
| download | freeipa-884f43f0db6da9243dd4315bdb9b481935be2456.tar.gz freeipa-884f43f0db6da9243dd4315bdb9b481935be2456.tar.xz freeipa-884f43f0db6da9243dd4315bdb9b481935be2456.zip | |
Add support for account unlocking
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.
Ticket:
https://fedorahosted.org/freeipa/ticket/344
Diffstat (limited to 'install/share/default-aci.ldif')
| -rw-r--r-- | install/share/default-aci.ldif | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 5a9d6e2fc..e4f767054 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -10,7 +10,7 @@ aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || samban aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock")(version 3.0; acl "KDC System Account can update some fields"; allow (read,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) |