diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-06-19 13:01:06 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-19 16:46:29 +0200 |
commit | b243da415ecb2c28b5aa9bc563595efe35a40987 (patch) | |
tree | 1326d56f365ad45cd72be1eb73a3312abeb994b4 /install/updates/20-aci.update | |
parent | 8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc (diff) | |
download | freeipa-b243da415ecb2c28b5aa9bc563595efe35a40987.tar.gz freeipa-b243da415ecb2c28b5aa9bc563595efe35a40987.tar.xz freeipa-b243da415ecb2c28b5aa9bc563595efe35a40987.zip |
Allow read access to masters, but not their services, to auth'd users
The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/20-aci.update')
-rw-r--r-- | install/updates/20-aci.update | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 6af800111..a10eb4077 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -28,6 +28,10 @@ add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)) dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)' +# Read access to masters (but not their services) +dn: cn=masters,cn=ipa,cn=etc,$SUFFIX +add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)' + # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) dn: cn=kerberos,$SUFFIX add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)' |