authorRob Crittenden <rcritten@redhat.com>2010-12-01 11:23:52 -0500
committerSimo Sorce <ssorce@redhat.com>2010-12-01 20:42:31 -0500
commit4ad8055341b9f12c833abdf757755ed95f1b375e (patch)
tree1733fffdfe47574f2c5eb723e52f88cd58a7e0a4 /install
parent85d5bfd1b19b0ed6282a8c6cc056e8e550dde79d (diff)
Re-implement access control using an updated model.
The new model is based on permissions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permissions to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
Diffstat (limited to 'install')
-rw-r--r--install/share/default-aci.ldif5
-rw-r--r--install/share/delegation.ldif621
-rw-r--r--install/share/dns.ldif27
-rw-r--r--install/updates/30-rolegroup.update6
-rw-r--r--install/updates/30-taskgroup.update5
-rw-r--r--install/updates/40-delegation.update732
-rw-r--r--install/updates/Makefile.am3
7 files changed, 546 insertions, 853 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 11c2f51df..423922754 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -39,6 +39,7 @@ dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Define which hosts can edit services
# The managedby attribute stores the DN of hosts that are allowed to manage
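Review bot: The added "Admins can manage service keytab" ACI grants cn=admins write on krbPrincipalKey/krbLastPwdChange by a hard-coded groupdn, outside the permission model this commit introduces, while delegation.ldif in the same commit adds a permission-based "Manage service keytab" ACI whose permission lists `member: cn=admins,cn=privileges,cn=accounts,$SUFFIX`. As far as the visible hunks show, nothing creates a cn=admins entry under cn=privileges (the admins group is referenced elsewhere in this commit as cn=admins,cn=groups,cn=accounts,$SUFFIX), so that member line presumably resolves to nothing and this direct ACI is what actually gives admins the access. If the direct grant is intended as a bootstrap outside the permission model, say so above it, e.g. `# Direct grant for admins; the permission-based equivalent is "Manage service keytab" in delegation.ldif`; otherwise point the member line at `cn=admins,cn=groups,cn=accounts,$SUFFIX` and drop this ACI so keytab access is governed by one mechanism. The next hunk adds the same hard-coded pattern for hosts, whose "Manage host keytab" permission lists no admins member at all.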
@@ -63,3 +64,7 @@ changetype: modify
add: aci
aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
+dn: cn=computers,cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
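Review bot: The new cn=computers entry gives cn=admins write on krbLastPwdChange for every host, and elsewhere in this commit that attribute doubles as the enrollment-state marker: the "Allow enrolledBy to be removed when a host is not enrolled" ACI in delegation.ldif keys on `targetfilter="(!(krblastpwdchange=*))"`. Write access here is therefore also the ability to reset a host's enrolled state, which is wider than "manage keytab" suggests and worth recording next to the ACI, e.g. `# krbLastPwdChange is also the enrolled-state marker used by the enrolledBy ACI in delegation.ldif; write here resets it`. Separately, no blank line is visible between the preceding entry's `aci:` context line and the new `dn:`; if the separator is genuinely absent rather than dropped by the page rendering, the new entry would be read as a continuation of the previous record.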
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 1539ae1d5..7881a029d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -1,348 +1,757 @@
-dn: cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+# Configure the DIT
+############################################
+dn: cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
-cn: rolegroups
+cn: roles
-dn: cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
-cn: taskgroups
+cn: privileges
+dn: cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: permissions
+
+############################################
# Add the default roles
-dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: helpdesk
description: Helpdesk
-dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+# Add the default privileges
+############################################
+dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: useradmin
description: User Administrators
-dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: groupadmin
description: Group Administrators
-dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: hostadmin
description: Host Administrators
-dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: hostgroupadmin
description: Host Group Administrators
-dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: delegationadmin
description: Role administration
-dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: serviceadmin
description: Service Administrators
-dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: automountadmin
description: Automount Administrators
-dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: netgroupadmin
description: Netgroups Administrators
-dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: certadmin
+description: Certificate Administrators
+
+dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: replicaadmin
+description: Replication Administrators
+member: cn=admins,cn=groups,cn=accounts,$SUFFIX
+
+dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: dnsadmin
-description: DNS Administrators
+objectClass: nestedgroup
+cn: enrollhost
+description: Host Enrollment
-dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: dnsserver
-description: DNS Servers
+objectClass: nestedgroup
+cn: entitlementadmin
+description: Entitlement Administrators
+
+############################################
+# Default permissions.
+############################################
+
+# User administration
-dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: Add Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: change_password
description: Change a user password
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: add_user_to_default_group
description: Add user to default group
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeusers
description: Remove Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyusers
description: Modify Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for group administration
-dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
+# Group administration
+
+dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addgroups
description: Add Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removegroups
description: Remove Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroups
description: Modify Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroupmembership
description: Modify Group membership
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Host administration
-# Add the taskgroups referenced by the ACIs for host administration
-dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhosts
description: Add Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehosts
description: Remove Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhosts
description: Modify Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for hostgroup administration
-dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+# Hostgroup administration
+
+dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhostgroups
-description: Add Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Add Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehostgroups
-description: Remove Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Remove Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroups
-description: Modify Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Modify Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroupmembership
-description: Modify Host Group membership
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Modify Hostgroup membership
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Service administration
-# Add the taskgroups referenced by the ACIs for service administration
-dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addservices
description: Add Services
-member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeservices
description: Remove Services
-member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for delegation administration
-# This just lets one manage taskgroup membership and create and delete roles
-dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addhrole
+cn: modifyservices
+description: Modify Services
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Delegation administration
+
+dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addroles
description: Add Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeroles
description: Remove Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyroles
description: Modify Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyrolegroupmembership
+cn: modifyrolemembership
description: Modify Role Group membership
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nestedgroup
+cn: modifyprivilegemembership
+description: Modify privilege membership
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Automount administration
-dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifytaskgroupmembership
-description: Modify Task Group membership
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: addautomountmaps
+description: Add Automount maps
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for automount administration
-dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addautomount
-description: Add Automount maps/keys
-member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: removeautomountmaps
+description: Remove Automount maps
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeautomount
-description: Remove Automount maps/keys
-member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: addautomountkeys
+description: Add Automount keys
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for netgroup administration
-dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeautomountkeys
+description: Remove Automount keys
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Netgroup administration
+
+dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addnetgroups
description: Add netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removenetgroups
description: Remove netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroups
description: Modify netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroupmembership
description: Modify netgroup membership
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Keytab access
-# Taskgroup for retrieving host keytabs
-dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Manage host keytab
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
-# Taskgroup for updating the DNS entries
-dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: manage_host_keytab
-description: Updates DNS
-member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
-member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+cn: manage_service_keytab
+description: Manage service keytab
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=admins,cn=privileges,cn=accounts,$SUFFIX
+
+# DNS administration
+
+# The permission and aci for this is in install/updates/dns.ldif
+
+dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: enroll_host
+description: Enroll a host
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
+
+# Replica administration
+
+dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: managereplica
+description: Manage Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: deletereplica
+description: Delete Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Entitlement management
+
+dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addentitlements
+description: Add Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeentitlements
+description: Remove Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyentitlements
+description: Modify Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+############################################
+# Default permissions (ACIs)
+############################################
+
+# User administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Group administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
+# We need objectclass and gidnumber in modify so a non-posix group can be
+# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Host administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Hostgroup administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Service administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Delegation administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Automount administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Netgroup administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Host keytab admin
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Service keytab admin
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Allow enrolledBy to be removed when a host is not enrolled
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Add the ACI needed to do host enrollment. When this occurs we
+# set the krbPrincipalName, add krbPrincipalAux to objectClass and
+# set enrolledBy to whoever ran join.
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Replica administration
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Entitlement administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Create virtual operations entry. This is used to control access to
+# operations that don't rely on LDAP directly.
+dn: cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: virtual operations
+
+# Retrieve Certificate virtual op
+dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: retrieve certificate
+
+dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: retrieve_certs
+description: Retrieve Certificates from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Request Certificate virtual op
+dn: cn=request certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: request certificate
+
+dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: request_certs
+description: Request Certificates from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Request Certificate from different host virtual op
+dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: request certificate different host
+
+dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: request_cert_different_host
+description: Request Certificates from a different host
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Certificate Status virtual op
+dn: cn=certificate status,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: certificate status
+
+dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: certificate_status
+description: Get Certificates status from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Revoke Certificate virtual op
+dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: revoke certificate
+
+dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: revoke_certificate
+description: Revoke Certificate
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Certificate Remove Hold virtual op
+dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: certificate remove hold
+
+dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: certificate_remove_hold
+description: Certificate Remove Hold
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";)
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index cb783b889..da58955f5 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -3,4 +3,29 @@ changetype: add
objectClass: nsContainer
objectClass: top
cn: dns
-aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";)
+aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn=update_dns,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: update_dns
+description: DNS Servers Updates
+member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: dnsadmin
+description: DNS Administrators
+
+dn: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: dnsserver
+description: DNS Servers
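Review bot: The "DNS Servers Updates" ACI kept on the cn=dns container still grants `add,write,delete` over every attribute except `aci` (`targetattr != "aci"`) on any entry matching `(objectClass=idnsRecord)`, and the new `update_dns` permission hands that blanket grant to the `dnsserver` privilege on the same footing as `dnsadmin`. Because `objectClass` is not excluded, a holder can also add or strip object classes on those entries, and if zone entries carry `idnsRecord` as well (not visible in this hunk; confirm against the schema) the DNS daemon's own credential would be able to rewrite or delete whole zones rather than only resource records. Since this commit is reworking the model anyway, consider giving `dnsserver` its own narrower permission that enumerates the record attributes the server actually updates (a positive `targetattr = "..."` list) and reserving the broad grant for `dnsadmin`. At minimum a comment on the `aci:` line stating that the negated `targetattr` intentionally includes `objectClass` would make the scope explicit to the next maintainer.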
diff --git a/install/updates/30-rolegroup.update b/install/updates/30-rolegroup.update
deleted file mode 100644
index 1417167de..000000000
--- a/install/updates/30-rolegroup.update
+++ /dev/null
@@ -1,6 +0,0 @@
-# Add the rolegroup container
-
-dn: cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:cn: rolegroups
-
diff --git a/install/updates/30-taskgroup.update b/install/updates/30-taskgroup.update
deleted file mode 100644
index a98960657..000000000
--- a/install/updates/30-taskgroup.update
+++ /dev/null
@@ -1,5 +0,0 @@
-# Add the taskgroup container
-
-dn: cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:cn: taskgroups
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
deleted file mode 100644
index 7dc12d8c9..000000000
--- a/install/updates/40-delegation.update
+++ /dev/null
@@ -1,732 +0,0 @@
-# Add the default roles
-
-dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: helpdesk
-add:description: Helpdesk
-
-dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: useradmin
-add:description: User Administrators
-
-dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: groupadmin
-add:description: Group Administrators
-
-dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: hostadmin
-add:description: Host Administrators
-
-dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: hostgroupadmin
-add:description: Host Group Administrators
-
-dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: delegationadmin
-add:description: Role administration
-
-dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: serviceadmin
-add:description: Service Administrators
-
-dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: automountadmin
-add:description: Automount Administrators
-
-dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: netgroupadmin
-add:description: Netgroups Administrators
-
-dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: dnsadmin
-add:description: DNS Administrators
-
-dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: dnsserver
-add:description: DNS Servers
-
-dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: certadmin
-add:description: Certificate Administrators
-
-dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: replicaadmin
-add:description: Replication Administrators
-add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX'
-
-dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: enrollhost
-add:description: Host Enrollment
-
-dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: entitlementadmin
-add:description: Entitlement Administrators
-
-# Add the taskgroups referenced by the ACIs for user administration
-
-dn: cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:objectClass: top
-add:cn: taskgroups
-
-dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addusers
-add:description: Add Users
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: change_password
-add:description: Change a user password
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: add_user_to_default_group
-add:description: Add user to default group
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeusers
-add:description: Remove Users
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyusers
-add:description: Modify Users
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for user administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
- aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
- te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
- ";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
- te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
- askgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials
- || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
- umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
- manager || secretary || description || carLicense || labeledURI || inetUserHT
- TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry
- || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
- (version 3.0;acl "Modify Users";allow (write) groupdn =
- "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for group administration
-
-dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addgroups
-add:description: Add Groups
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removegroups
-add:description: Remove Groups
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifygroups
-add:description: Modify Groups
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifygroupmembership
-add:description: Modify Group membership
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for group administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri
- te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t
- askgroups,cn=accounts,$SUFFIX";)'
-# we need objectclass and gidnumber in modify so a non-posix group can be
-# promoted
-add:aci: '(targetattr = "cn || description || gidnumber || objectclass ||
- mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")
- (version 3.0;acl "Modify Groups";allow (write) groupdn =
- "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for host administration
-
-dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addhosts
-add:description: Add Hosts
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removehosts
-add:description: Remove Hosts
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyhosts
-add:description: Modify Hosts
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for host administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "description || l || nshostlocation ||
- nshardwareplatform || nsosversion")
- (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
- acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for hostgroup administration
-
-dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addhostgroups
-add:description: Add Host Groups
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removehostgroups
-add:description: Remove Host Groups
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyhostgroups
-add:description: Modify Host Groups
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyhostgroupmembership
-add:description: Modify Host Group membership
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for hostgroup administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=
- removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=
- hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow
- (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri
- te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for service administration
-
-dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addservices
-add:description: Add Services
-add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeservices
-add:description: Remove Services
-add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyservices
-add:description: Modify Services
-add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for service administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
- $SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn
- =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
- $SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
- :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal
- name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services"
- ;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco
- unts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for delegation administration
-# This just lets one manage taskgroup membership and create and delete roles
-
-dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addhrole
-add:description: Add Roles
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeroles
-add:description: Remove Roles
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyroles
-add:description: Modify Roles
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyrolegroupmembership
-add:description: Modify Role Group membership
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifytaskgroupmembership
-add:description: Modify Task Group membership
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for delegation administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
- ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou
- pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri
- te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri
- te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for automount administration
-
-dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addautomount
-add:description: Add Automount maps/keys
-add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeautomount
-add:description: Remove Automount maps/keys
-add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for service administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap
- :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn =
- "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap
- :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn =
- "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for netgroup administration
-
-dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addnetgroups
-add:description: Add netgroups
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removenetgroups
-add:description: Remove netgroups
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifynetgroups
-add:description: Modify netgroups
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifynetgroupmembership
-add:description: Modify netgroup membership
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for netgroup administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
- 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
- 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=
- removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
- cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn
- = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")
- (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
- dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
- pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Taskgroup for retrieving host keytabs
-dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: manage_host_keytab
-add:description: Manage host keytab
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACI needed to do host keytab admin
-dn: $SUFFIX
-add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")
- (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
- (version 3.0;acl "Manage host keytab";
- allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Taskgroup for enrolling hosts. Note that this also requires
-# manage_host_keytab access
-dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: enroll_host
-add:description: Enroll a host
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACI needed to do host enrollment. When this occurs we
-# set the krbPrincipalName, add krbPrincipalAux to objectClass and
-# set enrolledBy to whoever ran join.
-dn: $SUFFIX
-add:aci: '(targetattr = "enrolledBy || objectClass")
- (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
- (version 3.0;acl "Enroll a host";
- allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Taskgroup for updating the DNS entries
-dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: update_sn
-add:description: Updates DNS
-add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Create virtual operations entry. This is used to control access to
-# operations that don't rely on LDAP directly.
-dn: cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: virtual operations
-
-# Retrieve Certificate virtual op
-dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: retrieve certificate
-
-# Taskgroup for retrieving certs
-dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: retrieve_certs
-add:description: Retrieve SSL Certificates
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=retrieve certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the
- CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Request Certificate virtual op
-dn: cn=request certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: request certificate
-
-# Taskgroup for requesting certs
-dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: request_certs
-add:description: Request a SSL Certificate
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=request certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Request Certificates from the
- CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Request Certificate from different host virtual op
-dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: request certificate different host
-
-# Taskgroup for requesting certs from a different host
-dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: request_cert_different_host
-add:description: Request a SSL Certificate from a different host
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=request certificate different host,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Request Certificates from a
- different host" ; allow (write) groupdn = "ldap:///cn=request_cert
- _different_host,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Certificate Status virtual op
-dn: cn=certificate status,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: certificate status
-
-# Taskgroup for requesting certs
-dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: certificate_status
-add:description: Status of cert request
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=certificate status,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Get Certificates status from the
- CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Revoke Certificate virtual op
-dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: revoke certificate
-
-# Taskgroup for requesting certs
-dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: revoke_certificate
-add:description: Revoke Certificate
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=revoke certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
- ; allow (write) groupdn = "ldap:///cn=revoke_certificate,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Revoke Certificate virtual op
-dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: revoke certificate
-
-# Taskgroup for requesting certs
-dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: revoke_certificate
-add:description: Revoke Certificate
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=revoke certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
- ; allow (write) groupdn = "ldap:///cn=revoke_certificate,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Certificate Remove Hold virtual op
-dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: certificate remove hold
-
-# Taskgroup for requesting certs
-dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: certificate_remove_hold
-add:description: Certificate Remove Hold
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=certificate remove hold,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
- ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Taskgroup for managing replicas
-dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: managereplica
-add:description: Manage Replication Agreements
-add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Taskgroup for deleting replicas
-dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: deletereplica
-add:description: Delete Replication Agreements
-add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add acis allowing admins to read/write/delete replicas
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
-add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
- (objectclass=nsds5replicationagreement)(objectclass=
- nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage
- replication agreements"; allow (read, write, search) groupdn =
- "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
-add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
- nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
- ))")(version 3.0;acl "Delete replication agreements";allow (delete)
- groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Entitlement management
-dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addentitlements
-add:description: Add Entitlements
-add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeentitlements
-add:description: Remove Entitlements
-add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyentitlements
-add:description: Modify Entitlements
-add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-dn: $SUFFIX
-add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 72acf7f4a..48f53d21d 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -13,9 +13,6 @@ app_DATA = \
30-hbacsvc.update \
30-groupofhosts.update \
30-netgroups.update \
- 30-rolegroup.update \
- 30-taskgroup.update \
- 40-delegation.update \
$(NULL)
EXTRA_DIST = \