-rw-r--r-- | install/share/bootstrap-template.ldif | 6 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 37 |
2 files changed, 43 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 0d16d1dfd..f1f36a64d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,6 +64,12 @@ objectClass: nsContainer
 objectClass: top
 cn: sysaccounts
+dn: cn=entitlements,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: entitlements
+
 dn: cn=ipa,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index fa8d2af1a..f63534c8d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -85,6 +85,12 @@ add:objectClass: nestedgroup
 add:cn: enrollhost
 add:description: Host Enrollment
+dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: entitlementadmin
+add:description: Entitlement Administrators
+
 # Add the taskgroups referenced by the ACIs for user administration
 dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -693,3 +699,34 @@ add: aci: '(targetattr=*)(targetfilter="(|(objectclass= nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement ))")(version 3.0;acl "Delete replication agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Entitlement management
+dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: addentitlements
+add:description: Add Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: removeentitlements
+add:description: Remove Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: modifyentitlements
+add:description: Modify Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)' |
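Review bot: The three ACIs added at the end of the second hunk of 40-delegation.update ("Add entitlements", "Modify entitlements", "Remove entitlement entries") hard-code `dc=greyoak,dc=com` in both the `target` and the `groupdn`, while every other DN in this update, including the `add:member:` lines of the same task groups a few lines above, uses `$SUFFIX`. On any installation whose base DN is not that literal value the target pattern matches nothing under `cn=entitlements,cn=etc` and the groupdn names a group that does not exist, so the grants are inert and the entitlement administrators silently get none of the intended add/write/delete access; the rest of the file presumably relies on the updater expanding `$SUFFIX`, so these should read `add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'` with the same substitution in the other two. A one-line comment above them, `# ACI target and groupdn must use $SUFFIX, never a literal base DN`, would make the convention explicit for future additions.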