Diffstat (limited to 'install/share/delegation.ldif')
-rw-r--r--install/share/delegation.ldif621
1 files changed, 515 insertions, 106 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 1539ae1d5..7881a029d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -1,348 +1,757 @@
-dn: cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+# Configure the DIT
+############################################
+dn: cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
-cn: rolegroups
+cn: roles
-dn: cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
-cn: taskgroups
+cn: privileges
+dn: cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: permissions
+
+############################################
# Add the default roles
-dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: helpdesk
description: Helpdesk
-dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+# Add the default privileges
+############################################
+dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: useradmin
description: User Administrators
-dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: groupadmin
description: Group Administrators
-dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: hostadmin
description: Host Administrators
-dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: hostgroupadmin
description: Host Group Administrators
-dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: delegationadmin
description: Role administration
-dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: serviceadmin
description: Service Administrators
-dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: automountadmin
description: Automount Administrators
-dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: netgroupadmin
description: Netgroups Administrators
-dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: certadmin
+description: Certificate Administrators
+
+dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: replicaadmin
+description: Replication Administrators
+member: cn=admins,cn=groups,cn=accounts,$SUFFIX
+
+dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: dnsadmin
-description: DNS Administrators
+objectClass: nestedgroup
+cn: enrollhost
+description: Host Enrollment
-dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: dnsserver
-description: DNS Servers
+objectClass: nestedgroup
+cn: entitlementadmin
+description: Entitlement Administrators
+
+############################################
+# Default permissions.
+############################################
+
+# User administration
-dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: Add Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: change_password
description: Change a user password
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: add_user_to_default_group
description: Add user to default group
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeusers
description: Remove Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyusers
description: Modify Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for group administration
-dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
+# Group administration
+
+dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addgroups
description: Add Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removegroups
description: Remove Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroups
description: Modify Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroupmembership
description: Modify Group membership
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Host administration
-# Add the taskgroups referenced by the ACIs for host administration
-dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhosts
description: Add Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehosts
description: Remove Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhosts
description: Modify Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for hostgroup administration
-dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+# Hostgroup administration
+
+dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhostgroups
-description: Add Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Add Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehostgroups
-description: Remove Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Remove Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroups
-description: Modify Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Modify Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroupmembership
-description: Modify Host Group membership
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Modify Hostgroup membership
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Service administration
-# Add the taskgroups referenced by the ACIs for service administration
-dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addservices
description: Add Services
-member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeservices
description: Remove Services
-member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for delegation administration
-# This just lets one manage taskgroup membership and create and delete roles
-dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addhrole
+cn: modifyservices
+description: Modify Services
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Delegation administration
+
+dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addroles
description: Add Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeroles
description: Remove Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyroles
description: Modify Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyrolegroupmembership
+cn: modifyrolemembership
description: Modify Role Group membership
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nestedgroup
+cn: modifyprivilegemembership
+description: Modify privilege membership
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Automount administration
-dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifytaskgroupmembership
-description: Modify Task Group membership
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: addautomountmaps
+description: Add Automount maps
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for automount administration
-dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addautomount
-description: Add Automount maps/keys
-member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: removeautomountmaps
+description: Remove Automount maps
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeautomount
-description: Remove Automount maps/keys
-member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: addautomountkeys
+description: Add Automount keys
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for netgroup administration
-dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeautomountkeys
+description: Remove Automount keys
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Netgroup administration
+
+dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addnetgroups
description: Add netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removenetgroups
description: Remove netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroups
description: Modify netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroupmembership
description: Modify netgroup membership
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Keytab access
-# Taskgroup for retrieving host keytabs
-dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Manage host keytab
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
-# Taskgroup for updating the DNS entries
-dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: manage_host_keytab
-description: Updates DNS
-member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
-member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+cn: manage_service_keytab
+description: Manage service keytab
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=admins,cn=privileges,cn=accounts,$SUFFIX
+
+# DNS administration
+
+# The permission and aci for this is in install/updates/dns.ldif
+
+dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: enroll_host
+description: Enroll a host
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
+
+# Replica administration
+
+dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: managereplica
+description: Manage Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: deletereplica
+description: Delete Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Entitlement management
+
+dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addentitlements
+description: Add Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeentitlements
+description: Remove Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyentitlements
+description: Modify Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+############################################
+# Default permissions (ACIs)
+############################################
+
+# User administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Group administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
+# We need objectclass and gidnumber in modify so a non-posix group can be
+# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Host administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Hostgroup administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Service administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Delegation administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Automount administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Netgroup administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Host keytab admin
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Service keytab admin
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Allow enrolledBy to be removed when a host is not enrolled
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Add the ACI needed to do host enrollment. When this occurs we
+# set the krbPrincipalName, add krbPrincipalAux to objectClass and
+# set enrolledBy to whoever ran join.
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Replica administration
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Entitlement administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Create virtual operations entry. This is used to control access to
+# operations that don't rely on LDAP directly.
+dn: cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: virtual operations
+
+# Retrieve Certificate virtual op
+dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: retrieve certificate
+
+dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: retrieve_certs
+description: Retrieve Certificates from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Request Certificate virtual op
+dn: cn=request certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: request certificate
+
+dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: request_certs
+description: Request Certificates from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Request Certificate from different host virtual op
+dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: request certificate different host
+
+dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: request_cert_different_host
+description: Request Certificates from a different host
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Certificate Status virtual op
+dn: cn=certificate status,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: certificate status
+
+dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: certificate_status
+description: Get Certificates status from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Revoke Certificate virtual op
+dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: revoke certificate
+
+dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: revoke_certificate
+description: Revoke Certificate
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Certificate Remove Hold virtual op
+dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: certificate remove hold
+
+dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: certificate_remove_hold
+description: Certificate Remove Hold
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";)
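Review bot: The "Change a user password" ACI in the user-administration block carries a targetattr clause but no target, unlike the neighbouring "Add Users" and "Remove Users" ACIs, so it grants write on userPassword and krbPrincipalKey to every entry under $SUFFIX that carries those attributes — including host and service entries whose key attributes are otherwise gated by the separate manage_host_keytab and manage_service_keytab permissions added later in this hunk. Scoping it like its siblings, `aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)`, keeps the change_password permission on user entries only. Separately, manage_service_keytab lists `member: cn=admins,cn=privileges,cn=accounts,$SUFFIX`, but admins is a group under cn=groups (the replicaadmin privilege references cn=admins,cn=groups,cn=accounts,$SUFFIX) and no admins privilege is created in this file, so that membership presumably resolves to nothing and admins silently lose the intended grant. The modifyprivilegemembership permission is also the only permission entry declared with nestedgroup but without groupofnames; it should likely match the other permission entries.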