-rw-r--r--install/share/bootstrap-template.ldif6
-rw-r--r--install/updates/40-delegation.update37
2 files changed, 43 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 0d16d1dfd..f1f36a64d 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,6 +64,12 @@ objectClass: nsContainer
objectClass: top
cn: sysaccounts
+dn: cn=entitlements,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: entitlements
+
dn: cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index fa8d2af1a..f63534c8d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -85,6 +85,12 @@ add:objectClass: nestedgroup
add:cn: enrollhost
add:description: Host Enrollment
+dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: entitlementadmin
+add:description: Entitlement Administrators
+
# Add the taskgroups referenced by the ACIs for user administration
dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -693,3 +699,34 @@ add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
))")(version 3.0;acl "Delete replication agreements";allow (delete)
groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Entitlement management
+dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: addentitlements
+add:description: Add Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: removeentitlements
+add:description: Remove Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: modifyentitlements
+add:description: Modify Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
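Review bot: The three new ACIs on $SUFFIX hard-code `dc=greyoak,dc=com` in both the `target` and the `groupdn` clauses, while every other DN in this hunk (the taskgroup entries and their `member` values) and in the rest of the file uses `$SUFFIX`. On any deployment whose base DN is not dc=greyoak,dc=com the targets point at a subtree that does not exist and the groupdn names a taskgroup that does not exist, so the entitlementadmin role would be granted nothing and the earlier "Add entitlements" rule set up by this commit would be inert. Each of the three lines should use the substitution variable, e.g. `add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'`, with the same replacement applied to the "Modify entitlements" and "Remove entitlement entries" rules. A short comment above the block such as `# ACIs are scoped to cn=entitlements,cn=etc and keyed on the taskgroups above; keep DNs on $SUFFIX` would make the invariant explicit for future edits.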