Allow IPA master hosts to read and update IPA master information.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
author: Jan Cholasta <jcholast@redhat.com> 2014-06-12 08:37:40 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2014-07-30 16:04:21 +0200
commit: 1778f0ebc95bf53c2746ce5461f76458c40560cd (patch)
tree: e6e1048eee4e105405aeecbcb587de1274910eb7 /install/updates/40-delegation.update
parent: 61159b7ff2b92d40bad3a6084a249f5c51b07a48 (diff)
download: freeipa-1778f0ebc95bf53c2746ce5461f76458c40560cd.tar.gz
freeipa-1778f0ebc95bf53c2746ce5461f76458c40560cd.tar.xz
freeipa-1778f0ebc95bf53c2746ce5461f76458c40560cd.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 10579b759..39129b8e4 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -177,3 +177,7 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: IPA Masters Readers
 default:description: Read list of IPA masters
+
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
author	Jan Cholasta <jcholast@redhat.com>	2014-06-12 08:37:40 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2014-07-30 16:04:21 +0200
commit	1778f0ebc95bf53c2746ce5461f76458c40560cd (patch)
tree	e6e1048eee4e105405aeecbcb587de1274910eb7 /install/updates/40-delegation.update
parent	61159b7ff2b92d40bad3a6084a249f5c51b07a48 (diff)
download	freeipa-1778f0ebc95bf53c2746ce5461f76458c40560cd.tar.gz freeipa-1778f0ebc95bf53c2746ce5461f76458c40560cd.tar.xz freeipa-1778f0ebc95bf53c2746ce5461f76458c40560cd.zip