Diffstat (limited to 'install/share')
-rw-r--r-- | install/share/delegation.ldif | 449 | ||||
-rw-r--r-- | install/share/dns.ldif | 20 | ||||
-rw-r--r-- | install/share/replica-acis.ldif | 8 |
3 files changed, 216 insertions, 261 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index df8cb1072..e154f6b00 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -40,93 +40,93 @@ description: Helpdesk ############################################ # Add the default privileges ############################################ -dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: useradmin +cn: User Administrators description: User Administrators -dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: groupadmin +cn: Group Administrators description: Group Administrators -dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: hostadmin +cn: Host Administrators description: Host Administrators -dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: hostgroupadmin +cn: Host Group Administrators description: Host Group Administrators -dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: delegationadmin +cn: Delegation Administrator description: Role administration -dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: serviceadmin +cn: Service Administrators description: Service Administrators -dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: 
nestedgroup -cn: automountadmin +cn: Automount Administrators description: Automount Administrators -dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: netgroupadmin +cn: Netgroups Administrators description: Netgroups Administrators -dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: certadmin +cn: Certificate Administrators description: Certificate Administrators -dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: replicaadmin +cn: Replication Administrators description: Replication Administrators member: cn=admins,cn=groups,cn=accounts,$SUFFIX -dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX +dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: enrollhost +cn: Host Enrollment description: Host Enrollment dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX 
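Review bot: The renamed privilege cn values are not consistent with each other: `cn: Delegation Administrator` is singular while every other administrative privilege in this hunk is plural (`User Administrators`, `Host Administrators`, `Service Administrators`), and `Netgroups Administrators` pluralises the object where the others do not (`Host Group Administrators`). Since the cn is now both the display name and the value that the permission entries in the next hunk reference in their `member:` lines, the spelling chosen here is what every reference must reproduce exactly, so the convention should be settled before it ships. `cn: Delegation Administrators` and `cn: Netgroup Administrators` (with the matching `dn:` and `member:` lines) would line up with the rest.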
@@ -143,343 +143,304 @@ description: Entitlement Administrators # User administration -dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addusers -description: Add Users -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Users +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: change_password -description: Change a user password -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Change a user password +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: add_user_to_default_group -description: Add user to default group -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add user to default group +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectclass: top objectclass: groupofnames -cn: unlock_user -description: Unlock user accounts -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Unlock user accounts +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX member: cn=admins,cn=groups,cn=accounts,$SUFFIX -dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeusers -description: Remove Users -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Users +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX +dn: 
cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyusers -description: Modify Users -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Users +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX # Group administration -dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addgroups -description: Add Groups -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Groups +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removegroups -description: Remove Groups -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Groups +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifygroups -description: Modify Groups -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Groups +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifygroupmembership -description: Modify Group membership -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Group membership +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX # Host administration -dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhosts -description: Add Hosts -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add 
Hosts +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removehosts -description: Remove Hosts -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Hosts +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyhosts -description: Modify Hosts -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Hosts +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX # Hostgroup administration -dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhostgroups -description: Add Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Hostgroups +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removehostgroups -description: Remove Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Hostgroups +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyhostgroups -description: Modify Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Hostgroups +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Hostgroup 
membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyhostgroupmembership -description: Modify Hostgroup membership -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Hostgroup membership +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX # Service administration -dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addservices -description: Add Services -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Services +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeservices -description: Remove Services -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Services +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyservices -description: Modify Services -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Services +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX # Delegation administration -dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addroles -description: Add Roles -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Roles +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeroles -description: Remove Roles -member: 
cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Roles +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyroles -description: Modify Roles -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Roles +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyrolemembership -description: Modify Role Group membership -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Role membership +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyprivilegemembership -description: Modify privilege membership -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify privilege membership +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX # Automount administration -dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomountmaps -description: Add Automount maps -member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Automount maps +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomountmaps -description: Remove Automount maps -member: 
cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Automount maps +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomountkeys -description: Add Automount keys -member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Automount keys +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomountkeys -description: Remove Automount keys -member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Automount keys +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX # Netgroup administration -dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addnetgroups -description: Add netgroups -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add netgroups +member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removenetgroups -description: Remove netgroups -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove netgroups +member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifynetgroups -description: Modify netgroups -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify netgroups +member: cn=Netgroups 
Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifynetgroupmembership -description: Modify netgroup membership -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify netgroup membership +member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX # Keytab access -dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_host_keytab -description: Manage host keytab -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX +cn: Manage host keytab +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX -dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_service_keytab -description: Manage service keytab -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=admins,cn=privileges,cn=pbac,$SUFFIX +cn: Manage service keytab +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=admins,cn=groups,cn=accounts,$SUFFIX # DNS administration # The permission and aci for this is in install/updates/dns.ldif -dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: enroll_host -description: Enroll a host -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX +cn: Enroll a host +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX # Replica 
administration -dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addreplica -description: Add Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Replication Agreements +member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyreplica -description: Modify Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Replication Agreements +member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removereplica -description: Remove Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Replication Agreements +member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX # Entitlement management 
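Review bot: The `+member: cn=admins,cn=groups,cn=accounts,$SUFFIX` line under `Manage service keytab` changes who holds the permission, not just how it is named: the removed line pointed at `cn=admins,cn=privileges,cn=pbac,$SUFFIX`, which is not among the privilege entries defined in the first hunk, so the old reference appears to have granted nothing, whereas the new one grants the permission to the admins group directly. An effective-access change buried in a rename commit is easy to miss in an access review; it should be called out in the commit message and marked on the line, e.g. `# admins group is granted this permission directly, not via a privilege`. The same direct grant already exists on `Unlock user accounts` in this hunk, so the pattern is at least consistent. The `description:` attribute is also dropped from every permission entry because the cn now carries that text; anything that still reads description from these entries would need checking, which I cannot see from this diff.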
@@ -516,52 +477,52 @@ member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addusers";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeusers";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyusers";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";) # Group administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addgroups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl 
"permission:modifygroupmembership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removegroups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";) # We need objectclass and gidnumber in modify so a non-posix group can be # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. 
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";) # Host administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";) # Hostgroup administration dn: $SUFFIX changetype: modify add: aci 
-aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyhostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhostgroupmembership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";) # Service administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addservices";allow (add) groupdn = 
"ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeservices";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyservices";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";) # Delegation administration 
@@ -573,45 +534,45 @@ aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(ve dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addroles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeroles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyroles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyrolemembership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:modifyprivilegemembership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";) 
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";) # Automount administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountmaps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountmaps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountkeys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountkeys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount 
keys,cn=permissions,cn=pbac,$SUFFIX";) # Netgroup administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:addnetgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:removenetgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:modifynetgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:modifynetgroupmembership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";) # Host keytab admin dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target 
= "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_host_keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";) # Service keytab admin dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_service_keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";) # Add the ACI needed to do host enrollment. When this occurs we # set the krbPrincipalName, add krbPrincipalAux to objectClass and @@ -620,7 +581,7 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:enroll_host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";) # Entitlement administration 
@@ -654,18 +615,17 @@ objectClass: top
 objectClass: nsContainer
 cn: retrieve certificate
-dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
-cn: retrieve_certs
-description: Retrieve Certificates from the CA
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Retrieve Certificates from the CA
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:retrieve_certs" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
 # Request Certificate virtual op
 dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
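Review bot: The rebuilt `Retrieve Certificates from the CA` permission entry drops the `description:` attribute altogether, while the DNS permission entries later in this diff keep both a `cn` and a `description`; retaining `description: Retrieve Certificates from the CA` costs nothing and keeps the permission schema uniform for anything that lists permissions. The ACI and the privilege membership now point at the new DN `cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX`, so on a deployment that still carries `cn=retrieve_certs` the `groupdn` resolves to nothing and Certificate Administrators lose the virtual operation until the entry is migrated (it fails closed, but silently). If an upgrade step handles that elsewhere, a one-line comment at the top of this file naming it would save the next reader the search; I cannot see one from this hunk.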
@@ -674,18 +634,17 @@ objectClass: top objectClass: nsContainer cn: request certificate -dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: request_certs -description: Request Certificates from the CA -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Request Certificate +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_certs" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";) # Request Certificate from different host virtual op dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX 
@@ -694,18 +653,17 @@ objectClass: top objectClass: nsContainer cn: request certificate different host -dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: request_cert_different_host -description: Request Certificates from a different host -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Request Certificates from a different host +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_cert_different_host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";) # Certificate Status virtual op dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX 
@@ -714,18 +672,17 @@ objectClass: top objectClass: nsContainer cn: certificate status -dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: certificate_status -description: Get Certificates status from the CA -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Get Certificates status from the CA +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_status" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";) # Revoke Certificate virtual op dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX 
@@ -734,18 +691,17 @@ objectClass: top objectClass: nsContainer cn: revoke certificate -dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: revoke_certificate -description: Revoke Certificate -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Revoke Certificate +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:revoke_certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";) # Certificate Remove Hold virtual op dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX 
@@ -754,15 +710,14 @@ objectClass: top objectClass: nsContainer cn: certificate remove hold -dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: certificate_remove_hold -description: Certificate Remove Hold -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Certificate Remove Hold +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_remove_hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 2bebd8271..dc7922218 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -10,8 +10,8 @@ objectClass: groupofnames objectClass: top cn: add dns entries description: Add DNS entries -member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add 
@@ -19,8 +19,8 @@ objectClass: groupofnames objectClass: top cn: remove dns entries description: Remove DNS entries -member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add @@ -28,8 +28,8 @@ objectClass: groupofnames objectClass: top cn: update dns entries description: Update DNS entries -member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify 
@@ -38,18 +38,18 @@ aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS ent aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) -dn: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: dnsadmin +cn: DNS Administrators description: DNS Administrators -dn: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: dnsserver +cn: DNS Servers description: DNS Servers diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif index 49d6b75c9..a2f4cc22b 100644 --- a/install/share/replica-acis.ldif +++ b/install/share/replica-acis.ldif 
@@ -3,19 +3,19 @@
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(version 3.0;acl "permission:addreplica";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:modifyreplica"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:removereplica";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 dn: cn=tasks,cn=config
 changetype: modify
 add: aci
-aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
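Review bot: The `permission:Add Replication Agreements` ACI at the top of this hunk has `(targetattr=*)` and no `targetfilter`, whereas the matching `Remove Replication Agreements` ACI is restricted to `nsds5replicationagreement`/`nsDSWindowsReplicationAgreement`, so the add right lets the holder create any child entry under the mapping-tree node rather than only agreements; adding `(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")` to the add ACI would make add and delete symmetric. This asymmetry is inherited from the removed line, not introduced here. Separately, the `cn=tasks,cn=config` ACI now names `cn=Modify Replication Agreements,...`, so a server whose permission entry is still `cn=modifyreplica` can no longer run post-reinitialization tasks through this ACI until the entry is migrated — failing closed, but worth a comment such as `# groupdn must match the renamed permission entry in delegation.ldif; existing installs need the entry renamed` if no update step covers it.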