diff options
author | Martin Kosek <mkosek@redhat.com> | 2012-07-10 15:27:37 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-07-10 20:41:14 -0400 |
commit | 4760c15cb2c8692b0e258ef62234aa18ab5fc193 (patch) | |
tree | a93e0e92648ce60254cd057929967c1b51d50f04 /install/updates/40-delegation.update | |
parent | 14ac2193fec38b6f87dcf04b0c365d01805b0cae (diff) | |
download | freeipa-4760c15cb2c8692b0e258ef62234aa18ab5fc193.tar.gz freeipa-4760c15cb2c8692b0e258ef62234aa18ab5fc193.tar.xz freeipa-4760c15cb2c8692b0e258ef62234aa18ab5fc193.zip |
Add automount map/key update permissions
Add missing permissions that can be used to delegate write access
to existing automount maps or keys.
Since automount key RDN has been changed in the past from "automountkey"
to "description" and there can be LDAP entries with both RDNs,
structure of relevant ACI need to be changed to different scheme. Now,
it rather targets a DN of parent automount map object and uses
targetfilter to limit the target to automount key objects only.
https://fedorahosted.org/freeipa/ticket/2687
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 09b805687..de112d99d 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -306,6 +306,27 @@ add:aci:'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(versio dn: $SUFFIX add:aci:'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)' +# Automount maps and keys +dn: cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Modify Automount maps +default:member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Modify Automount keys +default:member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: $SUFFIX +add:aci:'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)' +add:aci:'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)' +replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)' +replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)' + # SSH public keys dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX default:objectClass: top |