authorMartin Kosek <mkosek@redhat.com>2015-01-13 18:09:17 +0100
committerMartin Kosek <mkosek@redhat.com>2015-01-19 16:49:27 +0100
commit6652c4eb2ebece71b6d60001246bd0fee5909099 (patch)
tree4bd5a7e2753ddf721b7bb785582c7ca8b946463b /ipalib/plugins/user.py
parent5672eb14def7b2010f1d08825eec58ff1444073f (diff)
Allow PassSync user to locate and update NT users
Add a new PassSync Service privilege that has sufficient access to let the AD PassSync service search for NT users and update the password. To make sure the existing PassSync user keeps working, it is added as a member of the new privilege. A new update plugin is added that links the potentially existing PassSync user to the new privilege, to avoid breaking the PassSync service. https://fedorahosted.org/freeipa/ticket/4837 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipalib/plugins/user.py')
-rw-r--r--ipalib/plugins/user.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e20628924..56585b9f8 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -373,10 +373,12 @@ class user(LDAPObject):
'replaces': [
'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX";)',
],
'default_privileges': {
'User Administrators',
'Modify Users and Reset passwords',
+ 'PassSync Service',
},
},
'System: Manage User SSH Public Keys': {
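Review bot: The legacy ACI added as the third `replaces` entry carries no `target` and no `targetfilter`, unlike the two entries above it, so whatever scope it covered for uid=passsync (read literally, every entry under the suffix, admins included) is now replaced by the managed permission's own target and filter, which are defined before this hunk and not visible here. If that permission excludes admins the way the second legacy ACI does, the PassSync service loses write access to admin password attributes after migration; if it does not, the sysaccount keeps write on krbprincipalkey for admins through the new privilege — either way the intended scope is worth stating next to the entry, e.g. `# legacy unscoped ACI for uid=passsync; now granted via the 'PassSync Service' privilege`. The updater can only retire the old ACI if this string matches what existing deployments actually contain, which cannot be confirmed from this page. The enclosing permission definition starts outside the hunk.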
@@ -446,6 +448,16 @@ class user(LDAPObject):
'homedirectory', 'loginshell',
},
},
+ 'System: Read User NT Attributes': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'ntuserdomainid', 'ntuniqueid', 'ntuseracctexpires',
+ 'ntusercodepage', 'ntuserdeleteaccount', 'ntuserlastlogoff',
+ 'ntuserlastlogon',
+ },
+ 'default_privileges': {'PassSync Service'},
+ },
}
label = _('Users')