summaryrefslogtreecommitdiffstats
path: root/install/share/default-aci.ldif
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-09-17 21:37:32 -0400
committerRob Crittenden <rcritten@redhat.com>2010-09-20 16:07:42 -0400
commit6de0834fca74b89990e4acc82753544614a1a129 (patch)
tree244d3087cdef45898cba2a71e14c3f3a6561f5c4 /install/share/default-aci.ldif
parent74e5d8c2af66a90d5cf85d80f7bafd6a21a724d5 (diff)
downloadfreeipa-6de0834fca74b89990e4acc82753544614a1a129.tar.gz
freeipa-6de0834fca74b89990e4acc82753544614a1a129.tar.xz
freeipa-6de0834fca74b89990e4acc82753544614a1a129.zip
Unenroll the client from the IPA server on uninstall.
Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server. I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab. I fixed a couple of other unrelated problems in ipa-join at the same time. I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure. ticket 242
Diffstat (limited to 'install/share/default-aci.ldif')
-rw-r--r--install/share/default-aci.ldif3
1 files changed, 2 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ecdf98dd6..a18245fee 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -46,8 +46,9 @@ add: aci
aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; aci "Hosts can manage service Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
# Allow hosts to update their own certificate in host/
+# krbLastPwdChange lets a host unenroll itself
dn: cn=computers,cn=accounts,$SUFFIX
changetype: modify
add: aci
-aci: (targetattr="userCertificate")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; aci "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";)