summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2012-08-22 14:24:33 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2012-08-22 17:21:27 +0300
commit155d1efd488a25ff6c5847423c6a2f9d40410cbf (patch)
treefb8aedff1b7f7dd5a0f5f0d7617f4dfc76b046cb /install
parent6171d0a01b0b71ebee5bbc82f5a9da2b0abdc34c (diff)
downloadfreeipa-155d1efd488a25ff6c5847423c6a2f9d40410cbf.tar.gz
freeipa-155d1efd488a25ff6c5847423c6a2f9d40410cbf.tar.xz
freeipa-155d1efd488a25ff6c5847423c6a2f9d40410cbf.zip
Add ACI to allow regenerating ipaNTHash from ipasam
ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute, Part 2 of https://fedorahosted.org/freeipa/ticket/3016
Diffstat (limited to 'install')
-rw-r--r--install/updates/60-trusts.update3
1 files changed, 2 insertions, 1 deletions
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 0e40ca4d1..cc9a771df 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -60,7 +60,8 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
# Samba user should be able to read NT passwords to authenticate
# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
dn: $SUFFIX
-add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'
replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'