summaryrefslogtreecommitdiffstats
path: root/install/updates/20-aci.update
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-08-22 16:24:07 -0400
committerMartin Kosek <mkosek@redhat.com>2011-08-24 14:12:01 +0200
commit109b79a7acf871b28e5b4cce2fd3b119f0fdd249 (patch)
treed16109dea1c28daa16d74442bc404767f64cd323 /install/updates/20-aci.update
parent0147ef5b73c5b5345dd9bdb5d273ffcf8cb20cab (diff)
downloadfreeipa-109b79a7acf871b28e5b4cce2fd3b119f0fdd249.tar.gz
freeipa-109b79a7acf871b28e5b4cce2fd3b119f0fdd249.tar.xz
freeipa-109b79a7acf871b28e5b4cce2fd3b119f0fdd249.zip
Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
Diffstat (limited to 'install/updates/20-aci.update')
-rw-r--r--install/updates/20-aci.update4
1 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 42f1e9fe6..41d35da35 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -2,3 +2,7 @@
dn: cn=ng,cn=alt,$SUFFIX
add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
+# This is used for the host/service one-time passwordn and keytab indirectors.
+# We can do a query on a DN to see if an attribute exists.
+dn: cn=accounts,$SUFFIX
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)