-rw-r--r-- | install/updates/10-RFC4876.update | 36 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 189 |
2 files changed, 113 insertions, 112 deletions
diff --git a/install/updates/10-RFC4876.update b/install/updates/10-RFC4876.update
index c743b4bc6..4ec6f8391 100644
--- a/install/updates/10-RFC4876.update
+++ b/install/updates/10-RFC4876.update
@@ -52,7 +52,7 @@ add:attributeTypes:
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'Identifies the types of authentication methods either used, required, or provided by a service or peer'
@@ -60,8 +60,8 @@ add:attributeTypes:
 SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a profile is considered stale'
@@ -69,29 +69,29 @@ add:attributeTypes:
 ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used, required, or supported by an agent or service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials either used, required, or supported by an agent or service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Object class mappings used, required, or supported by an agent or service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
+ X-ORIGIN 'RFC4876' )"
 add:attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default scope used when performing a search'
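Review bot: Only some attributeTypes values in this hunk receive the new double quotes: the `defaultSearchScope` definition on the last context line stays bare, as does the `DUAConfigProfile` objectClass at the end of the @@ -99 hunk, and the file does not say what decides it. Every value that was quoted has commas in its DESC text while the two bare ones have none, which suggests the update parser splits an unquoted value at commas; that is an inference, since the parser is not on this page. If it is the rule it belongs in a comment at the head of the file, e.g. `# Wrap a schema value in double quotes when it contains a comma, otherwise the update parser splits it into several values`, and if it is not, quote every value the same way so the next edit does not have to guess.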
@@ -99,37 +99,37 @@ add:attributeTypes:
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Specifies the type of credentials either used, required, or supported by a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'Specifies search descriptors required, used, or supported by a particular service or agent' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Specifies types authentication methods either used, required, or supported by a particular service' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
 ( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases' DESC 'Specifies if a service or agent either requires, supports, or uses dereferencing of aliases.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
+ X-ORIGIN 'RFC4876' )"
 add:objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile' SUP top STRUCTURAL
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index da4cde8fc..78de12f7b 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -66,61 +66,61 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addusers add:description: Add Users -add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: change_password add:description: Change a user password -add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: add_user_to_default_group add:description: Add user to default group -add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removeusers add:description: Remove Users -add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifyusers add:description: Modify Users -add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for user administration dn: $SUFFIX -add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version +add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups - ,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb + ,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb aNTPassword || passwordHistory")(version 3.0;acl 
"change_password";allow (wri te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX - ";) -add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun + ";)' +add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts - ,$SUFFIX";) -add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version + ,$SUFFIX";)' +add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t - askgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials + askgroups,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN umber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHT TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts, - $SUFFIX";) + $SUFFIX";)' # Add the taskgroups referenced by the ACIs for group administration 
@@ -129,48 +129,48 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addgroups add:description: Add Groups -add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removegroups add:description: Remove Groups -add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifygroups add:description: Modify Groups -add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifygroupmembership add:description: Modify Group membership -add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for group administration dn: $SUFFIX -add:aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version +add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups - ,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun + ,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";) -add:aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version + ,$SUFFIX";)' +add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = 
"ldap:///cn=removegroups,cn=t - askgroups,cn=accounts,$SUFFIX";) + askgroups,cn=accounts,$SUFFIX";)' # we need objectclass and gidnumber in modify so a non-posix group can be # promoted -add:aci: (targetattr = "cn || description || gidnumber || objectclass")(target +add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Group s";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts, - $SUFFIX";) + $SUFFIX";)' # Add the taskgroups referenced by the ACIs for host administration 
@@ -179,35 +179,35 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addhosts add:description: Add Hosts -add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removehosts add:description: Remove Hosts -add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifyhosts add:description: Modify Hosts -add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for host administration dn: $SUFFIX -add:aci: (target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version +add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups - ,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version + ,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= - taskgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "cn || description || locality || location || platform + taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "cn || description || locality || location || platform || os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, - cn=taskgroups,cn=accounts,$SUFFIX";) + cn=taskgroups,cn=accounts,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for hostgroup administration 
@@ -216,46 +216,46 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addhostgroups add:description: Add Host Groups -add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removehostgroups add:description: Remove Host Groups -add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifyhostgroups add:description: Modify Host Groups -add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifyhostgroupmembership add:description: Modify Host Group membership -add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for hostgroup administration dn: $SUFFIX -add:aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version +add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhostgroups,cn= - taskgroups,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version + taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn= - removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn= + removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: 
'(targetattr = "cn || description")(target = "ldap:///cn=*,cn= hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups, - cn=accounts,$SUFFIX";) -add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun + cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";) + ,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for service administration 
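Review bot: The three hostgroup ACIs in this hunk are named `acl "Add Hosts"`, `acl "Remove Hosts"` and `acl "Modify Hosts"`, the same names the host ACIs of the @@ -179 hunk carry on the same `dn: $SUFFIX` entry. The acl name is the only label an ACI carries, so it is what log lines and any later update that looks a rule up by name have to go by; duplicates make it impossible to tell which grant fired and easy to replace the wrong rule. Rename them after their target and taskgroup, `acl "Add Host Groups"`, `acl "Remove Host Groups"`, `acl "Modify Host Groups"`, in line with the already distinct "Modify host group membership" rule below them.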
@@ -264,24 +264,24 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addservices add:description: Add Services -add:member:"cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removeservices add:description: Remove Services -add:member:"cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for service administration dn: $SUFFIX -add:aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, +add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, $SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn - =addservices,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, + =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, $SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap - :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";) + :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for delegation administration # This just lets one manage taskgroup membership and create and delete roles 
@@ -291,56 +291,56 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addhrole add:description: Add Roles -add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removeroles add:description: Remove Roles -add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifyroles add:description: Modify Roles -add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifyrolegroupmembership add:description: Modify Role Group membership -add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifytaskgroupmembership add:description: Modify Task Group membership -add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for delegation administration dn: $SUFFIX -add:aci: (target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version +add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups - ,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version + ,cn=accounts,$SUFFIX";)' +add:aci: '(target = 
"ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn= - taskgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro + taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou - pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun + pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";) -add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun + ,$SUFFIX";)' +add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";) + ,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for automount administration 
@@ -349,30 +349,30 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addautomount add:description: Add Automount maps/keys -add:member:"cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removeautomount add:description: Remove Automount maps/keys -add:member:"cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for service administration dn: $SUFFIX -add:aci: (target = "ldap:///automountmapname=*,cn=automount, +add:aci: '(target = "ldap:///automountmapname=*,cn=automount, $SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap - :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///automountmapname=*,cn=automount, + :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///automountmapname=*,cn=automount, $SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = - "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount, + "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount, $SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap - :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount, + :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount, $SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = - "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";) + 
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for netgroup administration 
@@ -381,45 +381,45 @@ add:objectClass: top add:objectClass: groupofnames add:cn: addnetgroups add:description: Add netgroups -add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: removenetgroups add:description: Remove netgroups -add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifynetgroups add:description: Modify netgroups -add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames add:cn: modifynetgroupmembership add:description: Modify netgroup membership -add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACIs that grant these permissions for netgroup administration dn: $SUFFIX -add:aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version +add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn= - taskgroups,cn=accounts,$SUFFIX";) -add:aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version + taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn= - removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng, + removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = 
"description")(target = "ldap:///ipauniqueid=*,cn=ng, cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn - = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";) -add:aci: (targetattr = "memberhost || externalhost || memberuser || member") + = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' +add:aci: '(targetattr = "memberhost || externalhost || memberuser || member") (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou - pmembership,cn=taskgroups,cn=accounts,$SUFFIX";) + pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)' # Taskgroup for retrieving host keytabs dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX @@ -427,11 +427,12 @@ add:objectClass: top add:objectClass: groupofnames add:cn: manage_host_keytab add:description: Manage host keytab -add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX" +add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACI needed to do host keytab admin -add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*, +dn: $SUFFIX +add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*, cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, - cn=accounts,$SUFFIX";) + cn=accounts,$SUFFIX";)' |