diff options
| author | Simo Sorce <ssorce@redhat.com> | 2011-07-19 20:04:46 -0400 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2011-08-26 08:24:50 -0400 |
| commit | 8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a (patch) | |
| tree | 752225c103fa54f4bbc48190e875f54094a2bcbf /install/share | |
| parent | 195a65d5c2b2f2a318225a94e734ec41cdc34b1d (diff) | |
| download | freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.gz freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.xz freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.zip | |
install: Remove uid=kdc user
The ipadb DAL driver gets access to the ldap server as Directory Manager now so
this user is not needed anymore.
Diffstat (limited to 'install/share')
| -rw-r--r-- | install/share/default-aci.ldif | 4 | ||||
| -rw-r--r-- | install/share/kerberos.ldif | 11 |
2 files changed, 0 insertions, 15 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 586ec61fc..e02b1c2c9 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -9,9 +9,6 @@ aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || samba aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock")(version 3.0; acl "KDC System Account can update some fields"; allow (read,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) @@ -39,7 +36,6 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow dn: cn=services,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) # Define which hosts can edit services diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index a40b63aa0..4778a6b4d 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -1,20 +1,9 @@ -#kerberos user -dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX -changetype: add -objectclass: account -objectclass: simplesecurityobject -uid: kdc -userPassword: $PASSWORD -passwordExpirationTime: 20380119031407Z -nsIdleTimeout: 0 - #kerberos base object dn: cn=kerberos,$SUFFIX changetype: add objectClass: krbContainer objectClass: top cn: kerberos -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) #Realm base object dn: cn=$REALM,cn=kerberos,$SUFFIX |