Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/40-delegation.update | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 988de5e19..a79f906ea 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -184,3 +184,33 @@ default:description: Read list of IPA masters
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
 add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+
+# PassSync
+dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: PassSync Service
+default:description: PassSync Service
+
+dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Read PassSync Managers Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Modify PassSync Managers Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)' |