-rw-r--r--install/updates/10-RFC4876.update36
-rw-r--r--install/updates/40-delegation.update189
2 files changed, 113 insertions, 112 deletions
diff --git a/install/updates/10-RFC4876.update b/install/updates/10-RFC4876.update
index c743b4bc6..4ec6f8391 100644
--- a/install/updates/10-RFC4876.update
+++ b/install/updates/10-RFC4876.update
@@ -52,7 +52,7 @@ add:attributeTypes:
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod'
DESC 'Identifies the types of authentication methods either
used, required, or provided by a service or peer'
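Review bot: The quoting rule this change relies on is not written down anywhere in the visible part of the file. Every definition being wrapped in double quotes here and in the three following hunks has a comma in its DESC, while `defaultSearchScope` and the definition ending just above this hunk have none and stay bare, so the updater presumably splits unquoted values on commas. A later edit that adds a comma to a bare DESC would then load a truncated schema definition. A header comment such as `# Values containing a comma must be wrapped in double quotes` would make the rule explicit, or all definitions could be quoted uniformly.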
@@ -60,8 +60,8 @@ add:attributeTypes:
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL'
DESC 'Time to live, in seconds, before a profile is
considered stale'
@@ -69,29 +69,29 @@ add:attributeTypes:
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap'
DESC 'Attribute mappings used, required, or supported by an
agent or service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel'
DESC 'Identifies type of credentials either used, required,
or supported by an agent or service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap'
DESC 'Object class mappings used, required, or supported by
an agent or service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
+ X-ORIGIN 'RFC4876' )"
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope'
DESC 'Default scope used when performing a search'
@@ -99,37 +99,37 @@ add:attributeTypes:
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel'
DESC 'Specifies the type of credentials either used, required,
or supported by a specific service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor'
DESC 'Specifies search descriptors required, used, or
supported by a particular service or agent'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod'
DESC 'Specifies types authentication methods either
used, required, or supported by a particular service'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
+ X-ORIGIN 'RFC4876' )"
+add:attributeTypes:"
( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases'
DESC 'Specifies if a service or agent either requires,
supports, or uses dereferencing of aliases.'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
+ X-ORIGIN 'RFC4876' )"
add:objectClasses:
( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile'
SUP top STRUCTURAL
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index da4cde8fc..78de12f7b 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -66,61 +66,61 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addusers
add:description: Add Users
-add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: change_password
add:description: Change a user password
-add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: add_user_to_default_group
add:description: Add user to default group
-add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeusers
add:description: Remove Users
-add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyusers
add:description: Modify Users
-add:member:"cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for user administration
dn: $SUFFIX
-add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
- ,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ ,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
- ";)
-add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ";)'
+add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
- ,$SUFFIX";)
-add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ ,$SUFFIX";)'
+add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
- askgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials
+ askgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials
|| loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
manager || secretary || description || carLicense || labeledURI || inetUserHT
TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
//uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,
- $SUFFIX";)
+ $SUFFIX";)'
# Add the taskgroups referenced by the ACIs for group administration
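Review bot: The "change_password" ACI has a `targetattr` but no `target`, so as written it lets members of the change_password taskgroup write userPassword, krbPrincipalKey and the Samba hashes on every entry under $SUFFIX, not only on user accounts; this commit only adds quoting and leaves that scope unchanged. The "Add Users", "Remove Users" and "Modify Users" ACIs in the same hunk all carry `(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")`, and adding the same clause here would keep host and service keys out of reach of the user-admin role. Whether privileged accounts also live under cn=users is not visible in this hunk, so a narrower target may still be wanted.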
@@ -129,48 +129,48 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addgroups
add:description: Add Groups
-add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removegroups
add:description: Remove Groups
-add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifygroups
add:description: Modify Groups
-add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifygroupmembership
add:description: Modify Group membership
-add:member:"cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for group administration
dn: $SUFFIX
-add:aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
+add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups
- ,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
+ ,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri
te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)
-add:aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
+ ,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t
- askgroups,cn=accounts,$SUFFIX";)
+ askgroups,cn=accounts,$SUFFIX";)'
# we need objectclass and gidnumber in modify so a non-posix group can be
# promoted
-add:aci: (targetattr = "cn || description || gidnumber || objectclass")(target
+add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target
= "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Group
s";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,
- $SUFFIX";)
+ $SUFFIX";)'
# Add the taskgroups referenced by the ACIs for host administration
@@ -179,35 +179,35 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addhosts
add:description: Add Hosts
-add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removehosts
add:description: Remove Hosts
-add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyhosts
add:description: Modify Hosts
-add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for host administration
dn: $SUFFIX
-add:aci: (target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
+add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups
- ,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
+ ,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
- taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "cn || description || locality || location || platform
+ taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "cn || description || locality || location || platform
|| os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
- cn=taskgroups,cn=accounts,$SUFFIX";)
+ cn=taskgroups,cn=accounts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for hostgroup administration
@@ -216,46 +216,46 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addhostgroups
add:description: Add Host Groups
-add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removehostgroups
add:description: Remove Host Groups
-add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyhostgroups
add:description: Modify Host Groups
-add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyhostgroupmembership
add:description: Modify Host Group membership
-add:member:"cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for hostgroup administration
dn: $SUFFIX
-add:aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
+add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=
- taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
+ taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=
- removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=
+ removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=
hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow
(write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,
- cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
+ cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri
te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)
+ ,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for service administration
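Review bot: The first three hostgroup ACIs reuse the acl names "Add Hosts", "Remove Hosts" and "Modify Hosts" that the host-administration hunk above already places on the same $SUFFIX entry, so two different rules end up sharing each name. Anything that audits or looks up ACIs by name cannot tell the cn=computers rule from the cn=hostgroups rule. Renaming them to `acl "Add Host Groups"`, `acl "Remove Host Groups"` and `acl "Modify Host Groups"` would match the taskgroup descriptions in this hunk.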
@@ -264,24 +264,24 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addservices
add:description: Add Services
-add:member:"cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeservices
add:description: Remove Services
-add:member:"cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for service administration
dn: $SUFFIX
-add:aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
+add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn
- =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
+ =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
- :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)
+ :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for delegation administration
# This just lets one manage taskgroup membership and create and delete roles
@@ -291,56 +291,56 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addhrole
add:description: Add Roles
-add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeroles
add:description: Remove Roles
-add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyroles
add:description: Modify Roles
-add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyrolegroupmembership
add:description: Modify Role Group membership
-add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifytaskgroupmembership
add:description: Modify Task Group membership
-add:member:"cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for delegation administration
dn: $SUFFIX
-add:aci: (target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
+add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups
- ,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
+ ,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=
- taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
+ taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou
- pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
+ pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri
te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)
-add:aci: (targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
+ ,$SUFFIX";)'
+add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri
te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)
+ ,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for automount administration
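Review bot: The context line `add:cn: addhrole` does not match the group that the "Add Roles" ACI names, `cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX`. The entry's dn line lies above this hunk, so I cannot tell which spelling it uses: if the dn is misspelled too, the ACI points at a group that is never created and the add-role permission is granted to nobody; if the dn is correct, the cn value disagrees with the RDN. The line should probably read `add:cn: addroles`.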
@@ -349,30 +349,30 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addautomount
add:description: Add Automount maps/keys
-add:member:"cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeautomount
add:description: Remove Automount maps/keys
-add:member:"cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for service administration
dn: $SUFFIX
-add:aci: (target = "ldap:///automountmapname=*,cn=automount,
+add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap
- :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///automountmapname=*,cn=automount,
+ :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn =
- "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
+ "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap
- :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
+ :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn =
- "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)
+ "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for netgroup administration
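Review bot: The comment above the `dn: $SUFFIX` line in this hunk still says the ACIs are "for service administration", although all four of them target automount maps and keys. Someone reviewing permissions by section heading would be misled, so it should read `# Add the ACIs that grant these permissions for automount administration`.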
@@ -381,45 +381,45 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: addnetgroups
add:description: Add netgroups
-add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removenetgroups
add:description: Remove netgroups
-add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifynetgroups
add:description: Modify netgroups
-add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifynetgroupmembership
add:description: Modify netgroup membership
-add:member:"cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for netgroup administration
dn: $SUFFIX
-add:aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
+add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=
- taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
+ taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=
- removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
+ removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn
- = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)
-add:aci: (targetattr = "memberhost || externalhost || memberuser || member")
+ = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
- pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)
+ pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Taskgroup for retrieving host keytabs
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
@@ -427,11 +427,12 @@ add:objectClass: top
add:objectClass: groupofnames
add:cn: manage_host_keytab
add:description: Manage host keytab
-add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACI needed to do host keytab admin
-add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
+dn: $SUFFIX
+add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
- cn=accounts,$SUFFIX";)
+ cn=accounts,$SUFFIX";)'
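Review bot: The added `dn: $SUFFIX` line corrects where the "Manage host keytab" ACI lands, but nothing in this hunk deals with servers that already applied the old file. There the ACI would have been attached to whichever entry the preceding dn names, which appears to be the manage_host_keytab taskgroup (its dn line sits just above the hunk), and presumably has no effect on cn=computers from that position. A follow-up that removes the stray value from that entry would keep the ACI set auditable. A comment such as `# each ACI block needs its own "dn:" line, otherwise it is applied to the previous entry` would help prevent a repeat.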