author | Rob Crittenden <rcritten@redhat.com> | 2010-08-09 16:40:51 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-08-10 16:41:47 -0400 |
commit | 5b894d1fb76f176b71aed6b8f6c2ea1ce4158af8 (patch) | |
tree | 61c0cb31c211500320d420c0b456ecaa4b4d16b9 /install/updates/40-delegation.update | |
parent | 719592a209a1d3d41565284ebfc79fc76e9f5164 (diff) | |
Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and
the group.
We also have to verify in advance that the user performing this is allowed
to do both. Otherwise the user could be decoupled but not the group,
leaving it in a quasi-broken state that only ldapmodify could fix.
ticket 75
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f63534c8d..451919b51 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -154,10 +154,10 @@ add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initia
  || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
  umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
  manager || secretary || description || carLicense || labeledURI || inetUserHT
- TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
- //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
- s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,
- $SUFFIX";)'
+ TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry
+ || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
+ (version 3.0;acl "Modify Users";allow (write) groupdn =
+ "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
 
 # Add the taskgroups referenced by the ACIs for group administration
@@ -204,10 +204,10 @@ add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
  askgroups,cn=accounts,$SUFFIX";)'
 
 # we need objectclass and gidnumber in modify so a non-posix group can be
 # promoted
-add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target
- = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Group
- s";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,
- $SUFFIX";)'
+add:aci: '(targetattr = "cn || description || gidnumber || objectclass ||
+ mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")
+ (version 3.0;acl "Modify Groups";allow (write) groupdn =
+ "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
 
 # Add the taskgroups referenced by the ACIs for host administration
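Review bot: The rewritten "Modify Users" ACI in the first hunk adds `objectclass` to the `targetattr` list, which grants cn=modifyusers members `(write)` on the object classes of every entry under cn=users, not only on the managed-entry link the commit is about; `targetattr` cannot limit which values may be added or removed, so this is a wider grant than `mepManagedEntry` alone. The second hunk justifies the equivalent grant on groups with a comment (`# we need objectclass and gidnumber in modify so a non-posix group can be promoted`), but the user ACI carries no such comment, so the reason for widening it is lost to the next reader. I would add a comment above the user ACI, e.g. `# objectclass is writable so the managed-entry link can be removed when decoupling a user-private group (ticket 75)`. If the deployed 389-ds supports `targattrfilters`, it may be worth confirming whether the objectclass change can be restricted to the managed-entry class rather than all values; the pre-check mentioned in the description lives in other files and is not visible here.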