diff options
-rw-r--r-- | ACI.txt | 6 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 24 | ||||
-rw-r--r-- | ipalib/plugins/pwpolicy.py | 22 |
3 files changed, 28 insertions, 24 deletions
@@ -8,6 +8,12 @@ dn: cn=System: Read Automount Configuration,cn=permissions,cn=pbac,dc=ipa,dc=exa aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";) +dn: cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 3c3212d58..690f02eeb 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -170,27 +170,6 @@ default:objectClass: top default:cn: Password Policy Administrator default:description: Password Policy Administrator -dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX -default:objectClass: groupofnames -default:objectClass: ipapermission -default:objectClass: top -default:cn: Add Group Password Policy costemplate -default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX - -dn: cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX -default:objectClass: groupofnames -default:objectClass: ipapermission -default:objectClass: top -default:cn: Delete Group Password Policy costemplate -default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX - -dn: cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX -default:objectClass: groupofnames -default:objectClass: ipapermission -default:objectClass: top -default:cn: Modify Group Password Policy costemplate -default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX - dn: cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX default:objectClass: groupofnames default:objectClass: ipapermission @@ -213,9 +192,6 @@ default:cn: Modify Group Password Policy default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)' -add:aci: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)' add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)' add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)' add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)' diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index a0850ccf4..5057093ba 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -96,6 +96,28 @@ class cosentry(LDAPObject): 'Password Policy Administrator', }, }, + 'System: Add Group Password Policy costemplate': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'Password Policy Administrator'}, + }, + 'System: Delete Group Password Policy costemplate': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'Password Policy Administrator'}, + }, + 'System: Modify Group Password Policy costemplate': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': {'cospriority'}, + 'replaces': [ + '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'Password Policy Administrator'}, + }, } takes_params = ( |