diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-12-17 16:57:28 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-12-17 18:04:37 -0500 |
commit | 34534a026f39e5c5c139d23ab70db72009789e5b (patch) | |
tree | 7e64d9a94bd2a6c5ac54e54f46e600b539727212 /install/share/default-aci.ldif | |
parent | 7035ffe49ca8456a1efc155c9cb22ec01a881ba2 (diff) | |
download | freeipa-34534a026f39e5c5c139d23ab70db72009789e5b.tar.gz freeipa-34534a026f39e5c5c139d23ab70db72009789e5b.tar.xz freeipa-34534a026f39e5c5c139d23ab70db72009789e5b.zip |
Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.
There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.
ticket 597
Diffstat (limited to 'install/share/default-aci.ldif')
-rw-r--r-- | install/share/default-aci.ldif | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index d725cd5c1..d0dfa23d7 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -5,7 +5,7 @@ changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) -aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) +aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) @@ -16,7 +16,7 @@ aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife | dn: cn=users,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";) +aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeeType || businesscategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";) dn: cn=etc,$SUFFIX changetype: modify @@ -54,7 +54,7 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c dn: cn=computers,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr="userCertificate || krbLastPwdChange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) +aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) # Define which hosts can edit other hosts # The managedby attribute stores the DN of hosts that are allowed to manage |