author | Petr Viktorin <pviktori@redhat.com> | 2014-04-28 14:23:19 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-05-21 09:57:16 +0200 |
commit | 86f943ca180a72c4cfa3a8a03226f2471a97981b (patch) | |
tree | 1e387b2e671e58900a0175fc20a05aaaef65fa04 /install | |
parent | 98102832789412f567a96693dfe27b0e00cc98e5 (diff) | |
Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/share/replica-acis.ldif | 5 | ||||
-rw-r--r-- | install/updates/20-aci.update | 5 |
2 files changed, 5 insertions, 5 deletions
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index f4e96139f..8c0bc8ec3 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,10 +1,5 @@
 # Replica administration
 
-dn: cn=config
-changetype: modify
-add: aci
-aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2e5..f31c20177 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,8 @@ add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sa
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
+# Removal of obsolete ACIs
+dn: cn=config
+# Replaced by 'System: Read Replication Agreements'
+remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)' |
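Review bot: The added `remove:aci: '(targetattr != aci)…'` line in 20-aci.update has a space between the colon and the opening quote, while the `add:aci:'…'` lines in the context just above have none. A remove only takes effect when its value matches the stored ACI string exactly, so if the updater does not strip that leading whitespace the removal would presumably be a silent no-op on upgraded servers, and the broad `(targetattr != aci)` read grant on `cn=config` would stay in place. I would follow the file's existing form, `remove:aci:'(targetattr != aci)(version 3.0; aci "replica admins read access"; …)'`, keeping the `aci "…"` keyword exactly as it was originally added. The definition of 'System: Read Replication Agreements' is not part of this diff (the diffstat is limited to `install`), so the comment above the remove line should name where that permission is defined and which entries and attributes it covers, letting a reader confirm the replacement is narrower than the ACI being dropped.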