author | Martin Kosek <mkosek@redhat.com> | 2015-01-14 16:36:16 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2015-01-19 16:52:55 +0100 |
commit | 1537ac8138bf4371ae38147e8979904c756b3800 (patch) | |
tree | f17de52962910ded17b9f083fb9694f2174502f3 /install/updates | |
parent | 6652c4eb2ebece71b6d60001246bd0fee5909099 (diff) | |
Allow Replication Administrators manipulate Winsync Agreements
Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.
To allow reading winsync replicas, the original deny ACI on cn=replicas
had to be removed, as it prevented not just anonymous/authenticated users
but also admins from reading the entries.
https://fedorahosted.org/freeipa/ticket/4836
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/20-aci.update | 2 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 23 |
2 files changed, 24 insertions, 1 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 9bbb7e4bb..b920ef83d 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -26,7 +26,7 @@ dn: $SUFFIX
 add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
+remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
 # Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index a79f906ea..32af49819 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
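Review bot: Dropping the deny ACI on cn=replicas leaves that subtree covered by the `Anonymous read access to containers` ACI visible in the context line above, whose `target!=` excludes only cn=masters; after this update an anonymous bind can therefore search and read `cn` and `objectclass` of nsContainer entries under cn=replicas, which the deny previously masked. If that is not intended, narrow the anonymous ACI so it no longer covers cn=replicas (via its target or targetfilter clause) rather than relying on the removed deny. The hunk also does not add any ACI granting Replication Administrators read access to cn=replicas, so if that grant lives elsewhere a comment next to the `remove:aci` line would help future readers, e.g. `# Deny ACI removed: it also blocked Replication Administrators; replica read access is granted by the permission ACIs in 40-delegation.update` (adjust to wherever the grant actually is).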
@@ -214,3 +214,26 @@ default:ipapermissiontype: SYSTEM
 dn: cn=config
 add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Replication Administrators
+dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Read LDBM Database Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Add Configuration Sub-Entries
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
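Review bot: The `Add Configuration Sub-Entries` ACI on the last added line carries no `target` or `targetfilter`, so placed at `cn=config` it lets members of the permission add entries anywhere beneath cn=config, not only the changelog5 entry the commit message describes; the `Read LDBM Database Configuration` ACI in the same hunk shows the scoped form. If changelog5 is the only entry Replication Administrators need to create, restrict it, e.g. `add:aci: '(target = "ldap:///cn=changelog5,cn=config")(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'`. If the broader grant is deliberate, a comment above the permission entry should say so, e.g. `# Lets Replication Administrators create sub-entries of cn=config (e.g. cn=changelog5); intentionally unscoped`, so the width of this write right is documented where it is granted.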