author | Rob Crittenden <rcritten@redhat.com> | 2010-07-21 15:44:49 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2010-07-29 10:50:29 -0400 |
commit | d4adbc8052faf18fb31e7b1865037aa107067d4b (patch) | |
tree | 78bdceb1b3b637be34fbb11ff34d8d17fdf88446 /install/updates/40-delegation.update | |
parent | b7ca3d68c28b54500a2f908c4e2e6c89b2433461 (diff) | |
Add container and initial ACIs for entitlement support
The entitlement entries themselves will be rather simple, consisting
of the objectClasses ipaObject and pkiUser. We will just store
userCertificate in them. The DN will contain the UUID of the entitlement.
ticket #27
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index fa8d2af1a..f63534c8d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -85,6 +85,12 @@
 add:objectClass: nestedgroup
 add:cn: enrollhost
 add:description: Host Enrollment
+dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: entitlementadmin
+add:description: Entitlement Administrators
+
 # Add the taskgroups referenced by the ACIs for user administration
 dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -693,3 +699,34 @@
 add: aci: '(targetattr=*)(targetfilter="(|(objectclass= nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement ))")(version 3.0;acl "Delete replication agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Entitlement management
+dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: addentitlements
+add:description: Add Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: removeentitlements
+add:description: Remove Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: modifyentitlements
+add:description: Modify Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
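Review bot: The three ACIs added at the end of the hunk hard-code `dc=greyoak,dc=com` in both the `target` and the `groupdn`, while every other DN in the hunk, including the three taskgroup entries these rules are meant to bind to, is written with `$SUFFIX`; on any deployment whose suffix differs, neither the target subtree nor the group exists, so the rules grant nothing and the entitlementadmin role is silently inert. Each occurrence should read `...,cn=entitlements,cn=etc,$SUFFIX` and `...,cn=taskgroups,cn=accounts,$SUFFIX`, exactly as the "Delete replication agreements" context line at the top of the hunk does. Separately, the "Add entitlements" rule carries no `targetfilter`, so a member of addentitlements can create an entry of any objectClass, with any attributes, under cn=entitlements; since the commit message pins these entries to ipaObject and pkiUser, adding `(targetfilter="(objectClass=pkiUser)")` to that rule would keep the grant to what the description promises. The rolegroup entry in the first hunk already uses `$SUFFIX` correctly and needs no change.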