authorMartin Kosek <mkosek@redhat.com>2011-02-22 15:25:43 +0100
committerRob Crittenden <rcritten@redhat.com>2011-02-22 10:04:19 -0500
commit744eb8ea740d9f63a1757cb4d83f63ee4096dea0 (patch)
treecf5e24db476d77bad5507f1b6e6bea9401fad072 /install/share
parentac68ea3c6c633206a01db5a0b74b994ab0c29093 (diff)
Entitlements ACIs not visible to Permission plugin
This patch fixes Entitlements privileges and ACIs. There were missing descriptions, or the ACIs could not be processed by the Permission plugin because of a missing prefix. https://fedorahosted.org/freeipa/ticket/997
Diffstat (limited to 'install/share')
-rw-r--r--install/share/delegation.ldif9
1 files changed, 6 insertions, 3 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 02dc850af..5d4949ae3 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -152,6 +152,7 @@ objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Register and Write Entitlements
+description: Register and Write Entitlements
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
@@ -160,6 +161,7 @@ objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Read Entitlements
+description: Read Entitlements
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
@@ -518,6 +520,7 @@ changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
+cn: Register Entitlements
member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
@@ -656,17 +659,17 @@ aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=comp
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.