author | Jan Cholasta <jcholast@redhat.com> | 2011-12-07 02:47:29 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-13 22:20:23 -0500 |
commit | 9b6baf9beeb733d77883f4ed32e553265ee15543 (patch) | |
tree | 6a7879c423daf647641bf76f3244e79f36d9a953 /install | |
parent | 63ea0a304ec734a64d28e7c9b0f2b172224155d6 (diff) | |
Add LDAP ACIs for SSH public key schema.
https://fedorahosted.org/freeipa/ticket/754
Diffstat (limited to 'install')
-rw-r--r-- | install/share/default-aci.ldif | 3 | ||||
-rw-r--r-- | install/share/delegation.ldif | 18 | ||||
-rw-r--r-- | install/updates/20-aci.update | 10 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 21 |
4 files changed, 52 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e02b1c2c9..add712d46 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -16,6 +16,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)
+aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
 
 dn: cn=etc,$SUFFIX
 changetype: modify
@@ -52,6 +53,7 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
 
 # Define which hosts can edit other hosts
 # The managedby attribute stores the DN of hosts that are allowed to manage
@@ -60,6 +62,7 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
+aci: (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
 
 dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
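Review bot: The new `selfservice:Users can manage their own SSH public keys` ACI is attached to `$SUFFIX` with no `target` clause, so despite its name it lets any entry that can bind as itself — hosts and services as well as users — write its own ipasshpubkey. The existing `selfservice:User Self service` ACI directly above is unscoped the same way, so this may be deliberate, but it appears to make the separate `Hosts can modify their own SSH public keys` ACI added under cn=computers in the next hunk redundant. If users-only is the intent, add `(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")` as the permission ACIs in delegation.ldif do; otherwise document the reach with a comment such as `# Unscoped: applies to any entry bound as itself (users, hosts, services)`.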
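Review bot: The `Hosts can manage other host SSH public keys` ACI lets any host named in a target host's `managedby` replace that host's published SSH key, so a compromised managing host can substitute keys for every host it manages; if clients build known_hosts from ipasshpubkey (presumably the purpose of the attribute, though no consumer is visible in this diff) that is an SSH man-in-the-middle path. The same trust is already extended for `userCertificate || krbPrincipalKey` on the line above, so the addition is consistent, but the `managedby` comment in the preceding hunk does not mention it. Suggest extending that comment with `# Note: managedby hosts can also replace the managed host's SSH public keys (ipasshpubkey); treat managedby as full host-identity delegation.`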
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index a3c6bd110..68b205e8e 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -221,6 +221,14 @@ objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
+dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: Manage User SSH Public Keys
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
+
 # Group administration
 
 dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
@@ -281,6 +289,14 @@ objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
+dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: Manage Host SSH Public Keys
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+
 # Hostgroup administration
 
 dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
@@ -554,6 +570,7 @@ aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:/
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Group administration
 
@@ -575,6 +592,7 @@ add: aci
 aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Hostgroup administration
 
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 41d35da35..3f27eb844 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -6,3 +6,13 @@ add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(ver
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
 add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
+
+# SSH public keys
+dn: $SUFFIX
+add:aci:'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)'
+
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)'
+
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index cd5b498a8..6384f8eb7 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
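Review bot: The three `add:aci:` values here have to stay byte-for-byte identical to the `aci:` values this commit adds to install/share/default-aci.ldif, because the updater presumably matches on the exact attribute value and any whitespace or quoting drift would leave upgraded servers carrying a second, slightly different copy of each ACI (note the existing lines already mix `add:aci: (` and `add:aci:'(` forms). They match today, but nothing in the file says so; suggest a comment above the block: `# Keep these values identical to install/share/default-aci.ldif; the updater compares exact strings.` The two consecutive `dn: cn=computers,cn=accounts,$SUFFIX` records could also be folded into one record with two `add:aci:` lines, which reads as a single change to one entry.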
@@ -305,3 +305,24 @@ add:aci:'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(versio
 
 dn: $SUFFIX
 add:aci:'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# SSH public keys
+dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Manage User SSH Public Keys
+default:member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Manage Host SSH Public Keys
+default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: $SUFFIX
+add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)' |