author | Endi S. Dewata <edewata@redhat.com> | 2014-10-17 12:05:34 -0400 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-07-08 06:30:23 +0000 |
commit | bf6df3df9b388753a52a0040d9c15b1eabce41ca (patch) | |
tree | 9fa7083c38dc5b0a80ffda26cbb36c7463a18163 /install | |
parent | 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 (diff) | |
Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage their
vaults and to allow vault members to read them. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/share/60basev3.ldif | 3 | ||||
-rw-r--r-- | install/share/vault.update | 15 |
2 files changed, 13 insertions, 5 deletions
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 5491f99f5..16d7c21d9 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -82,4 +82,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap
objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
-objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey ) X-ORIGIN 'IPA v4.2' )
+objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' )
+objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' )
diff --git a/install/share/vault.update b/install/share/vault.update
index dcd1e2a15..61a8940b5 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
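Review bot: In the two added `+objectClasses:` lines, `owner` is MAY rather than MUST on both `ipaVault` and `ipaVaultContainer`, so the schema permits ownerless vaults and containers; every owner-keyed grant in vault.update depends on that attribute being present, so such an entry is presumably manageable only through ACIs defined outside this commit. Making it MUST is likely not an option because the `cn=vaults`, `cn=services`, `cn=shared` and `cn=users` containers in vault.update carry no owner, but that constraint deserves to be stated in the class DESC, e.g. `DESC 'IPA vault; owner and member are DN-valued and drive the vault ACIs'`. Note also that `member` is added only to `ipaVault` and not to `ipaVaultContainer`, which matches the ACIs (members get access to a vault, never to a container); a short comment in the schema or commit message would make that difference read as deliberate rather than an omission.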
@@ -5,20 +5,27 @@ default: cn: kra
dn: cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: vaults
+default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
dn: cn=services,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: services
dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: shared
dn: cn=users,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: users |
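Review bot: The "Allow users to create private container" ACI added on `cn=vaults` carries neither a targetfilter nor a targetattr, so a user binding directly over LDAP may add an entry of any objectClass at `cn=<uid>,cn=users,cn=vaults,cn=kra,$SUFFIX` and may set `owner` to any DN or omit it; nothing in this file ties ownership of the private container to the account that created it, so that invariant rests entirely on the CLI rather than on the directory. Narrowing it with `(targetfilter="(objectClass=ipaVaultContainer)")` would at least pin the entry type. The rights are also asymmetric: vault owners get `read, search, compare, write` but not `delete`, while container owners get `add, delete` but not `write`, so a vault owner cannot remove a vault in a container they do not own (the `cn=shared` container defined here has no `owner` at all); if that is intended it deserves a comment next to these ACIs. Finally, the `parent[1].owner` ACIs target only `ipaVault` entries, so read or modify access to a private container entry itself is not granted by anything in this hunk and must come from ACIs elsewhere.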