author | Rob Crittenden <rcritten@redhat.com> | 2009-03-23 15:20:43 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2009-03-25 11:03:07 -0400 |
commit | c00281a9f9c3f79fb88ff8537d941394fee09ca2 (patch) | |
tree | 019c8f72200e78b58699afe327f8f212898d659a /install/updates/40-delegation.update | |
parent | d6814f3aae1e3af371eaf9d10ae37bfee464015a (diff) | |
Name update files so they can be easily sorted.
We want to process some updates in a particular order (schema, structural).
We are using an init-inspired ordering mechanism.
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
new file mode 100644
index 000000000..307fb8cd9
--- /dev/null
+++ b/install/updates/40-delegation.update
@@ -0,0 +1,124 @@
+# Add the default roles
+
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: helpdesk
+add:description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: useradmin
+add:description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: groupadmin
+add:description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: hostadmin
+add:description: Host Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: delegationadmin
+add:description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: serviceadmin
+add:description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: automountadmin
+add:description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: netgroupadmin
+add:description: Netgroups Administrators
+
+dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:objectClass: nestedgroup
+add:cn: useradmins
+add:description: User Administrators
+
+# Add the taskgroups referenced by the ACIs for user administration
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:objectClass: top
+add:cn: taskgroups
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: addusers
+add:description: Add Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: change_password
+add:description: Change a user password
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: add_user_to_default_group
+add:description: Add user to default group
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: removeusers
+add:description: Remove Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: modifyusers
+add:description: Modify Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACIs that grant these permissions for user administration
+
+dn: $SUFFIX
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
+ ,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
+ te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+ ";)
+add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
+ te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
+ ,$SUFFIX";)
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
+ askgroups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials
+ || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
+ umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
+ manager || secretary || description || carLicense || labeledURI || inetUserHT
+ TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
+ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
+ s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX";)
+
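Review bot: The "Modify Users" ACI on the last continuation line of the hunk binds to `groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX"`, which omits the `cn=accounts` RDN that every other groupdn in this file carries and under which the taskgroup is actually created (`cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX`). The bind rule therefore matches no existing group, so members of the useradmins role get the add, delete, password and default-group rights but never the intended write on user attributes; it fails closed, but the delegation is silently broken and nothing in the update will report it. The continuation line should read ` s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)`. Separately, the hunk creates both a `cn=useradmin` and a `cn=useradmins` rolegroup with the same description while only `useradmins` is referenced by the taskgroups; if the singular entry is not consumed elsewhere it looks like a leftover, and keeping it invites administrators to be placed in a role that grants nothing.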