Diffstat (limited to 'install')
-rw-r--r-- | install/share/default-aci.ldif | 5 | ||||
-rw-r--r-- | install/share/delegation.ldif | 621 | ||||
-rw-r--r-- | install/share/dns.ldif | 27 | ||||
-rw-r--r-- | install/updates/30-rolegroup.update | 6 | ||||
-rw-r--r-- | install/updates/30-taskgroup.update | 5 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 732 | ||||
-rw-r--r-- | install/updates/Makefile.am | 3 |
7 files changed, 546 insertions, 853 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 11c2f51df..423922754 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -39,6 +39,7 @@ dn: cn=services,cn=accounts,$SUFFIX changetype: modify add: aci aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) # Define which hosts can edit services # The managedby attribute stores the DN of hosts that are allowed to manage @@ -63,3 +64,7 @@ changetype: modify add: aci aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) +dn: cn=computers,cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 1539ae1d5..7881a029d 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif 
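Review bot: The two added ACIs give cn=admins write access to krbPrincipalKey on every entry under cn=services and cn=computers with no targetfilter, and nothing in the hunk says what that means: a member of admins can re-key, and therefore impersonate, any host or service principal in the realm (presumably including the IPA servers' own ldap/ and HTTP/ principals). Add a comment above each ACI, e.g. `# Members of admins may reset the long-term key (krbPrincipalKey) of any service principal; this is equivalent to taking over that identity, so treat admins membership accordingly.` The krbLastPwdChange write is presumably needed so the keytab-retrieval path can mark the principal as enrolled; if so, say that in the same comment. The first ACI is added to the `dn: cn=services,cn=accounts,$SUFFIX` record whose dn line lies outside the hunk (visible only in the @@ context), and its `(version 3.0;acl` spacing differs from the `(version 3.0; acl` style of the surrounding ACIs.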
@@ -1,348 +1,757 @@ -dn: cn=rolegroups,cn=accounts,$SUFFIX +############################################ +# Configure the DIT +############################################ +dn: cn=roles,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -cn: rolegroups +cn: roles -dn: cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer -cn: taskgroups +cn: privileges +dn: cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: permissions + +############################################ # Add the default roles -dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX +############################################ +dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: helpdesk description: Helpdesk -dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +############################################ +# Add the default privileges +############################################ +dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: useradmin description: User Administrators -dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: groupadmin description: Group Administrators -dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: hostadmin description: Host Administrators -dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: hostgroupadmin description: Host Group 
Administrators -dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: delegationadmin description: Role administration -dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: serviceadmin description: Service Administrators -dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: automountadmin description: Automount Administrators -dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames +objectClass: nestedgroup cn: netgroupadmin description: Netgroups Administrators -dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: certadmin +description: Certificate Administrators + +dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: replicaadmin +description: Replication Administrators +member: cn=admins,cn=groups,cn=accounts,$SUFFIX + +dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: dnsadmin -description: DNS Administrators +objectClass: nestedgroup +cn: enrollhost +description: Host Enrollment -dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: dnsserver -description: DNS Servers +objectClass: nestedgroup 
+cn: entitlementadmin +description: Entitlement Administrators + +############################################ +# Default permissions. +############################################ + +# User administration -dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addusers description: Add Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: change_password description: Change a user password -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: add_user_to_default_group description: Add user to default group -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeusers description: Remove Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyusers description: Modify Users -member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for group administration -dn: 
cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX +# Group administration + +dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addgroups description: Add Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removegroups description: Remove Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroups description: Modify Groups -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroupmembership description: Modify Group membership -member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Host administration -# Add the taskgroups referenced by the ACIs for host administration -dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhosts description: Add Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehosts description: Remove Hosts -member: 
cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhosts description: Modify Hosts -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for hostgroup administration -dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +# Hostgroup administration + +dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhostgroups -description: Add Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Add Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehostgroups -description: Remove Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Remove Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroups -description: Modify Host Groups -member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Modify Hostgroups +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroupmembership -description: Modify Host Group membership -member: 
cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +description: Modify Hostgroup membership +member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Service administration -# Add the taskgroups referenced by the ACIs for service administration -dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addservices description: Add Services -member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeservices description: Remove Services -member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for delegation administration -# This just lets one manage taskgroup membership and create and delete roles -dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhrole +cn: modifyservices +description: Modify Services +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX + +# Delegation administration + +dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addroles description: Add Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeroles description: Remove Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: 
cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyroles description: Modify Roles -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyrolegroupmembership +cn: modifyrolemembership description: Modify Role Group membership -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nestedgroup +cn: modifyprivilegemembership +description: Modify privilege membership +member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX + +# Automount administration -dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifytaskgroupmembership -description: Modify Task Group membership -member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: addautomountmaps +description: Add Automount maps +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for automount administration -dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomount -description: Add Automount maps/keys -member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: removeautomountmaps +description: Remove Automount maps +member: 
cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomount -description: Remove Automount maps/keys -member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +cn: addautomountkeys +description: Add Automount keys +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX -# Add the taskgroups referenced by the ACIs for netgroup administration -dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeautomountkeys +description: Remove Automount keys +member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX + +# Netgroup administration + +dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addnetgroups description: Add netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removenetgroups description: Remove netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroups description: Modify netgroups -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX -dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX changetype: add 
objectClass: top objectClass: groupofnames cn: modifynetgroupmembership description: Modify netgroup membership -member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX + +# Keytab access -# Taskgroup for retrieving host keytabs -dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: manage_host_keytab description: Manage host keytab -member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX -# Taskgroup for updating the DNS entries -dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX +dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_host_keytab -description: Updates DNS -member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX -member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +cn: manage_service_keytab +description: Manage service keytab +member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=admins,cn=privileges,cn=accounts,$SUFFIX + +# DNS administration + +# The permission and aci for this is in install/updates/dns.ldif + +dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: enroll_host +description: Enroll a host +member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX + +# Replica administration + +dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: managereplica +description: Manage Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top 
+objectClass: groupofnames +cn: deletereplica +description: Delete Replication Agreements +member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX + +# Entitlement management + +dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addentitlements +description: Add Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeentitlements +description: Remove Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyentitlements +description: Modify Entitlements +member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX + +############################################ +# Default permissions (ACIs) +############################################ + +# User administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "givenName || sn || cn || displayName || title 
|| initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";) + +# Group administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";) +# We need objectclass and gidnumber in modify so a non-posix group can be +# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. 
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";) + +# Host administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";) + +# Hostgroup administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Service administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";) + +# Delegation administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Automount administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = 
"ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) + +# Netgroup administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) + +# Host keytab admin + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Service keytab admin + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Allow enrolledBy to be removed when a host is not enrolled + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) + +# Add the ACI needed to do host enrollment. When this occurs we +# set the krbPrincipalName, add krbPrincipalAux to objectClass and +# set enrolledBy to whoever ran join. + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";) + +# Replica administration + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";) + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";) + +# Entitlement administration + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = 
"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";) + +# Create virtual operations entry. This is used to control access to +# operations that don't rely on LDAP directly. +dn: cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: virtual operations + +# Retrieve Certificate virtual op +dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: retrieve certificate + +dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: retrieve_certs +description: Retrieve Certificates from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";) + +# Request Certificate virtual op +dn: cn=request certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: request certificate + +dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: request_certs 
+description: Request Certificates from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";) + +# Request Certificate from different host virtual op +dn: cn=request certificate different host,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: request certificate different host + +dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: request_cert_different_host +description: Request Certificates from a different host +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";) + +# Certificate Status virtual op +dn: cn=certificate status,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: certificate status + +dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: certificate_status +description: Get Certificates status from the CA +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";) + +# Revoke 
Certificate virtual op +dn: cn=revoke certificate,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: revoke certificate + +dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: revoke_certificate +description: Revoke Certificate +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";) + +# Certificate Remove Hold virtual op +dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: certificate remove hold + +dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: certificate_remove_hold +description: Certificate Remove Hold +member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX + +dn: $SUFFIX +changetype: modify +add: aci +aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index cb783b889..da58955f5 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif 
@@ -3,4 +3,29 @@ changetype: add objectClass: nsContainer objectClass: top cn: dns -aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";) +aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=permissions,cn=accounts,$SUFFIX";) + +dn: cn=update_dns,cn=permissions,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: update_dns +description: DNS Servers Updates +member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX + +dn: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: dnsadmin +description: DNS Administrators + +dn: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: dnsserver +description: DNS Servers diff --git a/install/updates/30-rolegroup.update b/install/updates/30-rolegroup.update deleted file mode 100644 index 1417167de..000000000 --- a/install/updates/30-rolegroup.update +++ /dev/null @@ -1,6 +0,0 @@ -# Add the rolegroup container - -dn: cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: nsContainer -add:cn: rolegroups - diff --git a/install/updates/30-taskgroup.update b/install/updates/30-taskgroup.update deleted file mode 100644 index a98960657..000000000 --- a/install/updates/30-taskgroup.update +++ /dev/null @@ -1,5 +0,0 @@ -# Add the taskgroup container - -dn: cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: nsContainer -add:cn: taskgroups diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update deleted file mode 100644 index 7dc12d8c9..000000000 
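Review bot: The retained `(targetattr != "aci")` in the "DNS Servers Updates" ACI on the new side is a deny-list grant: members of update_dns get add/write/delete on every attribute of idnsRecord entries except aci, including any attribute a later schema change introduces, so repointing groupdn at cn=permissions does not narrow what the privilege can touch. Listing the DNS record attributes explicitly in `targetattr` would be the usual hardening; if the broad grant is intended, a comment such as `# NOTE: "!= aci" grants write to every other attribute of idnsRecord entries` above the ACI would make that explicit to the next reader. The new dnsadmin and dnsserver privileges are created with no member values, which presumably gets filled in elsewhere at install time; a one-line comment stating where their membership comes from would help, since the old update file this replaces carried such comments.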
--- a/install/updates/40-delegation.update
+++ /dev/null
@@ -1,732 +0,0 @@ -# Add the default roles - -dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: helpdesk -add:description: Helpdesk - -dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: useradmin -add:description: User Administrators - -dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: groupadmin -add:description: Group Administrators - -dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: hostadmin -add:description: Host Administrators - -dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: hostgroupadmin -add:description: Host Group Administrators - -dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: delegationadmin -add:description: Role administration - -dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: serviceadmin -add:description: Service Administrators - -dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: automountadmin -add:description: Automount Administrators - -dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: netgroupadmin -add:description: Netgroups Administrators - -dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: dnsadmin -add:description: DNS Administrators - -dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: dnsserver -add:description: DNS Servers - -dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: 
certadmin -add:description: Certificate Administrators - -dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: replicaadmin -add:description: Replication Administrators -add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX' - -dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: enrollhost -add:description: Host Enrollment - -dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: entitlementadmin -add:description: Entitlement Administrators - -# Add the taskgroups referenced by the ACIs for user administration - -dn: cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: nsContainer -add:objectClass: top -add:cn: taskgroups - -dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addusers -add:description: Add Users -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: change_password -add:description: Change a user password -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: add_user_to_default_group -add:description: Add user to default group -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeusers -add:description: Remove Users -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyusers -add:description: Modify Users -add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant 
these permissions for user administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb - aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri - te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX - ";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri - te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts - ,$SUFFIX";)' -add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t - askgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials - || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN - umber || telephoneNumber || street || roomNumber || l || st || postalCode || - manager || secretary || description || carLicense || labeledURI || inetUserHT - TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry - || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX") - (version 3.0;acl "Modify Users";allow (write) groupdn = - "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for group administration - -dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addgroups -add:description: Add Groups -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removegroups -add:description: Remove Groups 
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifygroups -add:description: Modify Groups -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifygroupmembership -add:description: Modify Group membership -add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for group administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri - te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t - askgroups,cn=accounts,$SUFFIX";)' -# we need objectclass and gidnumber in modify so a non-posix group can be -# promoted -add:aci: '(targetattr = "cn || description || gidnumber || objectclass || - mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX") - (version 3.0;acl "Modify Groups";allow (write) groupdn = - "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for host administration - -dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addhosts -add:description: Add Hosts -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: 
removehosts -add:description: Remove Hosts -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyhosts -add:description: Modify Hosts -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for host administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "description || l || nshostlocation || - nshardwareplatform || nsosversion") - (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; - acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for hostgroup administration - -dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addhostgroups -add:description: Add Host Groups -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removehostgroups -add:description: Remove Host Groups -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyhostgroups -add:description: Modify Host Groups -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup 
-add:cn: modifyhostgroupmembership -add:description: Modify Host Group membership -add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for hostgroup administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn= - removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn= - hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow - (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups, - cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri - te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for service administration - -dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addservices -add:description: Add Services -add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeservices -add:description: Remove Services -add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyservices -add:description: Modify Services -add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for service administration - -dn: $SUFFIX -add:aci: 
'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, - $SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn - =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts, - $SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap - :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal - name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services" - ;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco - unts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for delegation administration -# This just lets one manage taskgroup membership and create and delete roles - -dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addhrole -add:description: Add Roles -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeroles -add:description: Remove Roles -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyroles -add:description: Modify Roles -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyrolegroupmembership -add:description: Modify Role Group membership -add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifytaskgroupmembership -add:description: Modify Task Group membership 
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for delegation administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups - ,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version - 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro - ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou - pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri - te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' -add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun - ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri - te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts - ,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for automount administration - -dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addautomount -add:description: Add Automount maps/keys -add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeautomount -add:description: Remove Automount maps/keys -add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for service administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///automountmapname=*,cn=automount, - 
$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap - :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = - "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap - :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount, - $SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = - "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Add the taskgroups referenced by the ACIs for netgroup administration - -dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addnetgroups -add:description: Add netgroups -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removenetgroups -add:description: Remove netgroups -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifynetgroups -add:description: Modify netgroups -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifynetgroupmembership -add:description: Modify netgroup membership -add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACIs that grant these permissions for netgroup administration - -dn: $SUFFIX -add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version - 3.0;acl 
"Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn= - taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version - 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn= - removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng, - cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn - = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "memberhost || externalhost || memberuser || member") - (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo - dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou - pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Taskgroup for retrieving host keytabs -dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: manage_host_keytab -add:description: Manage host keytab -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' -add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACI needed to do host keytab admin -dn: $SUFFIX -add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange") - (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") - (version 3.0;acl "Manage host keytab"; - allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Taskgroup for enrolling hosts. Note that this also requires -# manage_host_keytab access -dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: enroll_host -add:description: Enroll a host -add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' -add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add the ACI needed to do host enrollment. 
When this occurs we -# set the krbPrincipalName, add krbPrincipalAux to objectClass and -# set enrolledBy to whoever ran join. -dn: $SUFFIX -add:aci: '(targetattr = "enrolledBy || objectClass") - (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") - (version 3.0;acl "Enroll a host"; - allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Taskgroup for updating the DNS entries -dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: update_sn -add:description: Updates DNS -add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX' -add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX' - -# Create virtual operations entry. This is used to control access to -# operations that don't rely on LDAP directly. -dn: cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: virtual operations - -# Retrieve Certificate virtual op -dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: retrieve certificate - -# Taskgroup for retrieving certs -dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: retrieve_certs -add:description: Retrieve SSL Certificates -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=retrieve certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the - CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Request Certificate virtual op -dn: cn=request certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: request certificate - -# Taskgroup for requesting certs -dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup 
-add:cn: request_certs -add:description: Request a SSL Certificate -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=request certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Request Certificates from the - CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups, - cn=accounts,$SUFFIX";)' - -# Request Certificate from different host virtual op -dn: cn=request certificate different host,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: request certificate different host - -# Taskgroup for requesting certs from a different host -dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: request_cert_different_host -add:description: Request a SSL Certificate from a different host -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=request certificate different host,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Request Certificates from a - different host" ; allow (write) groupdn = "ldap:///cn=request_cert - _different_host,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Certificate Status virtual op -dn: cn=certificate status,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: certificate status - -# Taskgroup for requesting certs -dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: certificate_status -add:description: Status of cert request -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=certificate status,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Get Certificates status from the - CA" ; allow (write) groupdn = 
"ldap:///cn=certificate_status, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Revoke Certificate virtual op -dn: cn=revoke certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: revoke certificate - -# Taskgroup for requesting certs -dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: revoke_certificate -add:description: Revoke Certificate -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=revoke certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Revoke Certificate" - ; allow (write) groupdn = "ldap:///cn=revoke_certificate, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Revoke Certificate virtual op -dn: cn=revoke certificate,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: revoke certificate - -# Taskgroup for requesting certs -dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: revoke_certificate -add:description: Revoke Certificate -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=revoke certificate,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Revoke Certificate" - ; allow (write) groupdn = "ldap:///cn=revoke_certificate, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Certificate Remove Hold virtual op -dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX -add:objectClass: top -add:objectClass: nsContainer -add:cn: certificate remove hold - -# Taskgroup for requesting certs -dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: certificate_remove_hold -add:description: Certificate Remove Hold -add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: 
$SUFFIX -add: aci: '(targetattr = "objectClass")(target = - "ldap:///cn=certificate remove hold,cn=virtual operations, - $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold" - ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold, - cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Taskgroup for managing replicas -dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: managereplica -add:description: Manage Replication Agreements -add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Taskgroup for deleting replicas -dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: deletereplica -add:description: Delete Replication Agreements -add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -# Add acis allowing admins to read/write/delete replicas -dn: cn="$SUFFIX",cn=mapping tree,cn=config -add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica) - (objectclass=nsds5replicationagreement)(objectclass= - nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage - replication agreements"; allow (read, write, search) groupdn = - "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' - -dn: cn="$SUFFIX",cn=mapping tree,cn=config -add: aci: '(targetattr=*)(targetfilter="(|(objectclass= - nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement - ))")(version 3.0;acl "Delete replication agreements";allow (delete) - groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' - -# Entitlement management -dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: addentitlements -add:description: Add Entitlements -add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: removeentitlements 
-add:description: Remove Entitlements -add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX -add:objectClass: top -add:objectClass: nestedgroup -add:cn: modifyentitlements -add:description: Modify Entitlements -add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' - -dn: $SUFFIX -add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' - -dn: $SUFFIX -add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' - -dn: $SUFFIX -add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)' diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 72acf7f4a..48f53d21d 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -13,9 +13,6 @@ app_DATA = \ 30-hbacsvc.update \ 30-groupofhosts.update \ 30-netgroups.update \ - 30-rolegroup.update \ - 30-taskgroup.update \ - 40-delegation.update \ $(NULL) EXTRA_DIST = \ |