authorThierry Bordaz <tbordaz@redhat.com>2015-05-08 16:12:58 +0200
committerMartin Kosek <mkosek@redhat.com>2015-05-18 09:37:21 +0200
commit0ebcc5b9222efcd4b9814a2948f266abbf71fdfc (patch)
tree2ac7cf53c69749711ad7a0f2922372bb060544f6 /install/updates
parentf2e986e01f973a95e95608e1853dca35dcffeb58 (diff)
User life cycle: new stageuser commands activate
Add plugin commands to the stageuser plugin: stageuser_activate activates entries created by the IPA CLIs. https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/30-provisioning.update28
1 files changed, 25 insertions, 3 deletions
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
index a32312b71..f1666ff3a 100644
--- a/install/updates/30-provisioning.update
+++ b/install/updates/30-provisioning.update
@@ -18,9 +18,31 @@ default: cn: staged users
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
-default: cn: staged users
+default: cn: deleted users
# This is used for the admin to know if credential are set for stage users
-# We can do a query on a DN to see if an attribute exists.
+# We can do a query on a DN to see if an attribute exists or retrieve the value
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+
+# This is used for the admin to reset the delete users credential
+dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
+
+dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
+default: objectClass: top
+default: objectClass: cosSuperDefinition
+default: objectClass: cosPointerDefinition
+default: objectClass: ldapSubEntry
+default: costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
+default: cosAttribute: nsaccountlock operational
+default: cn: provisioning accounts lock
+
+dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
+default: objectClass: top
+default: objectClass: extensibleObject
+default: objectClass: cosTemplate
+default: cosPriority: 1
+default: cn: Inactivation cos template
+default: nsAccountLock: true