authorRob Crittenden <rcritten@redhat.com>2015-06-09 15:26:32 +0000
committerTomas Babej <tbabej@redhat.com>2015-06-29 13:41:52 +0200
commitce50630d5ece036e35d8e11db8383e4e7e9159ae (patch)
tree8258277aa87c737fa333c05c260df66908a43575 /install/updates
parent16f47ed4520d4f89db39d1dc58be7a8efb1d8612 (diff)
Add ACI to allow hosts to add their own services
Use wildcards and DN matching in an ACI to allow a host that binds using GSSAPI to add a service for itself. Set required version of 389-ds-base to 1.3.4.0 GA. https://fedorahosted.org/freeipa/ticket/4567 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/20-aci.update4
1 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 4a8b67c65..0bdeeb6ac 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -83,3 +83,7 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
# User certificates
dn: $SUFFIX
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
+
+# Hosts can add their own services
+dn: cn=services,cn=accounts,$SUFFIX
+add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
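Review bot: The new ACI on `cn=services,cn=accounts,$SUFFIX` constrains only the DN of the added entry and the presence of `objectClass=ipaKrbPrincipal`; it does not limit which other attributes or object classes the host may put in the entry it creates. Whether extra values (for example additional `krbPrincipalName` values) are rejected therefore depends on plugins or other ACIs that are not visible in this hunk, which is worth confirming before relying on this rule as the only control. The commit message describes hosts that bind using GSSAPI, but the bind rule is `userdn` alone; if that restriction is intended, the rule should end `userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX" and authmethod = "sasl GSSAPI";`. The one-line comment could also say what the line does not make obvious: `# $$dn is the escaped ($dn) macro: the host part of the new service principal must equal the fqdn of the binding host; per the commit message this needs 389-ds-base 1.3.4.0`.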