summaryrefslogtreecommitdiffstats
path: root/install/updates/40-delegation.update
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-08-09 16:40:51 -0400
committerRob Crittenden <rcritten@redhat.com>2010-08-10 16:41:47 -0400
commit5b894d1fb76f176b71aed6b8f6c2ea1ce4158af8 (patch)
tree61c0cb31c211500320d420c0b456ecaa4b4d16b9 /install/updates/40-delegation.update
parent719592a209a1d3d41565284ebfc79fc76e9f5164 (diff)
downloadfreeipa-5b894d1fb76f176b71aed6b8f6c2ea1ce4158af8.tar.gz
freeipa-5b894d1fb76f176b71aed6b8f6c2ea1ce4158af8.tar.xz
freeipa-5b894d1fb76f176b71aed6b8f6c2ea1ce4158af8.zip
Allow decoupling of user-private groups.
To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r--install/updates/40-delegation.update16
1 files changed, 8 insertions, 8 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f63534c8d..451919b51 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -154,10 +154,10 @@ add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initia
|| loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
manager || secretary || description || carLicense || labeledURI || inetUserHT
- TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
- //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
- s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,
- $SUFFIX";)'
+ TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry
+ || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
+ (version 3.0;acl "Modify Users";allow (write) groupdn =
+ "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for group administration
@@ -204,10 +204,10 @@ add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
askgroups,cn=accounts,$SUFFIX";)'
# we need objectclass and gidnumber in modify so a non-posix group can be
# promoted
-add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target
- = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Group
- s";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,
- $SUFFIX";)'
+add:aci: '(targetattr = "cn || description || gidnumber || objectclass ||
+ mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")
+ (version 3.0;acl "Modify Groups";allow (write) groupdn =
+ "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for host administration