summaryrefslogtreecommitdiffstats
path: root/install/updates
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-03-29 13:15:22 -0400
committerRob Crittenden <rcritten@redhat.com>2011-03-30 10:03:44 -0400
commit87193366526e645475792cde2450cc7cc48802ad (patch)
tree6e8cff5481b867e95386061d774889c6a05cebc0 /install/updates
parent6fbe0e86e94d475ae13e99f1444b9ede6887a98d (diff)
downloadfreeipa-87193366526e645475792cde2450cc7cc48802ad.tar.gz
freeipa-87193366526e645475792cde2450cc7cc48802ad.tar.xz
freeipa-87193366526e645475792cde2450cc7cc48802ad.zip
Allow a client to enroll using principal when the host has a OTP
If the host has a one-time password but krbPrincipalName wasn't set yet then the enrollment would fail because writing the principal is not allowed. This creates an ACI that only lets it be written if it is not already set. ticket 1075
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/40-delegation.update18
1 files changed, 18 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index aa431e7b7..96cc59e74 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -240,3 +240,21 @@ add:aci: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Allow an admin to enroll a host that has a one-time password.
+# When a host is created with a password no krbPrincipalName is set.
+# This will let it be added if the client ends up enrolling with
+# an administrator instead.
+dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Add krbPrincipalName to a host
+default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
+add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'