diff options
author | Martin Kosek <mkosek@redhat.com> | 2013-10-25 15:22:58 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-10-25 15:26:51 +0200 |
commit | cdd2e9caffb568c0915fb335e46c464404b21e26 (patch) | |
tree | ddfcd5aa5c845b8d8ba01687fe89cc2d1944c216 /install/updates | |
parent | 9a368b6358e77607214a33bedd3f906641bea4e4 (diff) | |
download | freeipa-cdd2e9caffb568c0915fb335e46c464404b21e26.tar.gz freeipa-cdd2e9caffb568c0915fb335e46c464404b21e26.tar.xz freeipa-cdd2e9caffb568c0915fb335e46c464404b21e26.zip |
Do not add kadmin/changepw ACIs on new installs
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.
The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.
https://fedorahosted.org/freeipa/ticket/3987
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/60-trusts.update | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index 46de01a5c..21356b3c5 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -68,7 +68,6 @@ remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword | remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' -replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)' # Add the default PAC type to configuration dn: cn=ipaConfig,cn=etc,$SUFFIX |