diff options
Diffstat (limited to 'install/share/delegation.ldif')
-rw-r--r-- | install/share/delegation.ldif | 621 |
1 files changed, 515 insertions, 106 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 1539ae1d5..7881a029d 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -1,348 +1,757 @@ -dn: cn=rolegroups,cn=accounts,$SUFFIX +############################################ +# Configure the DIT +############################################ +dn: cn=roles,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -cn: rolegroups +cn: roles -dn: cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -cn: taskgroups +cn: privileges +dn: cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: permissions + +############################################ # Add the default roles -dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX +############################################ +dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: helpdesk description: Helpdesk -dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +############################################ +# Add the default privileges +############################################ +dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: useradmin description: User Administrators -dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: groupadmin description: Group Administrators -dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: hostadmin description: Host Administrators -dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: hostgroupadmin description: Host Group Administrators -dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: delegationadmin description: Role administration -dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: serviceadmin description: Service Administrators -dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: automountadmin description: Automount Administrators -dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: netgroupadmin description: Netgroups Administrators -dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: certadmin +description: Certificate Administrators + +dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: replicaadmin +description: Replication Administrators +member: cn=admins,cn=groups,cn=accounts,$SUFFIX + +dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: dnsadmin -description: DNS Administrators +objectClass: nestedgroup +cn: enrollhost +description: Host Enrollment -dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: dnsserver -description: DNS Servers +objectClass: nestedgroup +cn: entitlementadmin +description: Entitlement Administrators + +############################################ +# Default permissions. +############################################ + +# User administration -dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addusers description: Add Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: change_password description: Change a user password -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: add_user_to_default_group description: Add user to default group -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeusers description: Remove Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyusers description: Modify Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for group administration -dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX +# Group administration + +dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addgroups description: Add Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removegroups description: Remove Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroups description: Modify Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroupmembership description: Modify Group membership -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Host administration -# Add the taskgroups referenced by the ACIs for host administration -dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhosts description: Add Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehosts description: Remove Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhosts description: Modify Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for hostgroup administration -dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +# Hostgroup administration + +dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhostgroups -description: Add Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Add Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehostgroups -description: Remove Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Remove Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroups -description: Modify Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Modify Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroupmembership -description: Modify Host Group membership -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Modify Hostgroup membership +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Service administration -# Add the taskgroups referenced by the ACIs for service administration -dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addservices description: Add Services -member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeservices description: Remove Services -member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for delegation administration -# This just lets one manage taskgroup membership and create and delete roles -dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhrole +cn: modifyservices +description: Modify Services +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX + +# Delegation administration + +dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addroles description: Add Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeroles description: Remove Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyroles description: Modify Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyrolegroupmembership +cn: modifyrolemembership description: Modify Role Group membership -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nestedgroup +cn: modifyprivilegemembership +description: Modify privilege membership +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX + +# Automount administration -dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifytaskgroupmembership -description: Modify Task Group membership -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: addautomountmaps +description: Add Automount maps +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for automount administration -dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomount -description: Add Automount maps/keys -member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: removeautomountmaps +description: Remove Automount maps +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomount -description: Remove Automount maps/keys -member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: addautomountkeys +description: Add Automount keys +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for netgroup administration -dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeautomountkeys +description: Remove Automount keys +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX + +# Netgroup administration + +dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addnetgroups description: Add netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removenetgroups description: Remove netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroups description: Modify netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroupmembership description: Modify netgroup membership -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Keytab access -# Taskgroup for retrieving host keytabs -dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: manage_host_keytab description: Manage host keytab -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX -# Taskgroup for updating the DNS entries -dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_host_keytab -description: Updates DNS -member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX -member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +cn: manage_service_keytab +description: Manage service keytab +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=admins,cn=privileges,cn=accounts,$SUFFIX + +# DNS administration + +# The permission and aci for this is in install/updates/dns.ldif + +dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: enroll_host +description: Enroll a host +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX + +# Replica administration + +dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: managereplica +description: Manage Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: deletereplica +description: Delete Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +# Entitlement management + +dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addentitlements +description: Add Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeentitlements +description: Remove Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyentitlements +description: Modify Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +############################################ +# Default permissions (ACIs) +############################################ + +# User administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";) + +# Group administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";) +# We need objectclass and gidnumber in modify so a non-posix group can be +# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. +aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";) + +# Host administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";) + +# Hostgroup administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Service administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";) + +# Delegation administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Automount administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) + +# Netgroup administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Host keytab admin + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Service keytab admin + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Allow enrolledBy to be removed when a host is not enrolled + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Add the ACI needed to do host enrollment. When this occurs we +# set the krbPrincipalName, add krbPrincipalAux to objectClass and +# set enrolledBy to whoever ran join. + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";) + +# Replica administration + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";) + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";) + +# Entitlement administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +# Create virtual operations entry. This is used to control access to +# operations that don't rely on LDAP directly. +dn: cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: virtual operations + +# Retrieve Certificate virtual op +dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: retrieve certificate + +dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: retrieve_certs +description: Retrieve Certificates from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";) + +# Request Certificate virtual op +dn: cn=request certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: request certificate + +dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: request_certs +description: Request Certificates from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";) + +# Request Certificate from different host virtual op +dn: cn=request certificate different host,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: request certificate different host + +dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: request_cert_different_host +description: Request Certificates from a different host +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";) + +# Certificate Status virtual op +dn: cn=certificate status,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: certificate status + +dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: certificate_status +description: Get Certificates status from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";) + +# Revoke Certificate virtual op +dn: cn=revoke certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: revoke certificate + +dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: revoke_certificate +description: Revoke Certificate +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";) + +# Certificate Remove Hold virtual op +dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: certificate remove hold + +dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: certificate_remove_hold +description: Certificate Remove Hold +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";) |