author | Rob Crittenden <rcritten@redhat.com> | 2012-02-21 10:21:03 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-23 11:05:52 +0100 |
commit | 960baaebf4a1305a38f7cec099f51607e2427d24 (patch) | |
tree | 95b044a9e6e33641431cbade9632afafe9b75d5c /install/share/delegation.ldif | |
parent | ce7b66ebfbe52e5efb3a7cf28e61954baf78982e (diff) | |
Don't allow "Modify Group membership" permission to manage admins
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
Diffstat (limited to 'install/share/delegation.ldif')
-rw-r--r-- | install/share/delegation.ldif | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index f46589eb8..c61240841 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -578,7 +578,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. |
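Review bot: The `targetfilter = "(!(cn=admins))"` added on the `+aci:` line withholds the delegated `member` write only from the one entry whose cn is exactly `admins`; a holder of "Modify Group membership" can presumably still add members to any other group under cn=groups that is itself nested inside admins, so the privilege-escalation path is narrowed rather than closed, and that limit deserves a comment next to the ACI. Because this is the install-time delegation.ldif (the hunk is an `add: aci` against `dn: $SUFFIX`), already-deployed servers keep the unfiltered ACI unless a matching update is shipped alongside this change, which is not visible in this diff. Suggested comment above the modified line: `# cn=admins is excluded so group-membership delegation cannot be used to grant administrator rights.`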