diff options
author | Alexander Bokovoy <abokovoy@redhat.com> | 2012-08-22 14:24:33 +0300 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2012-08-22 17:21:27 +0300 |
commit | 155d1efd488a25ff6c5847423c6a2f9d40410cbf (patch) | |
tree | fb8aedff1b7f7dd5a0f5f0d7617f4dfc76b046cb /install | |
parent | 6171d0a01b0b71ebee5bbc82f5a9da2b0abdc34c (diff) | |
download | freeipa-155d1efd488a25ff6c5847423c6a2f9d40410cbf.tar.gz freeipa-155d1efd488a25ff6c5847423c6a2f9d40410cbf.tar.xz freeipa-155d1efd488a25ff6c5847423c6a2f9d40410cbf.zip |
Add ACI to allow regenerating ipaNTHash from ipasam
ACI was lacking to allow actually writing MagicRegen into ipaNTHash attribute,
Part 2 of https://fedorahosted.org/freeipa/ticket/3016
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/60-trusts.update | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index 0e40ca4d1..cc9a771df 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -60,7 +60,8 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || # Samba user should be able to read NT passwords to authenticate # Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule dn: $SUFFIX -add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' +add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' +remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)' replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' |