Diffstat (limited to 'install')
-rw-r--r--install/share/default-aci.ldif5
-rw-r--r--install/share/delegation.ldif621
-rw-r--r--install/share/dns.ldif27
-rw-r--r--install/updates/30-rolegroup.update6
-rw-r--r--install/updates/30-taskgroup.update5
-rw-r--r--install/updates/40-delegation.update732
-rw-r--r--install/updates/Makefile.am3
7 files changed, 546 insertions, 853 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 11c2f51df..423922754 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -39,6 +39,7 @@ dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Define which hosts can edit services
# The managedby attribute stores the DN of hosts that are allowed to manage
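Review bot: The new "Admins can manage service keytab" ACI grants `cn=admins,cn=groups,cn=accounts,$SUFFIX` write on krbPrincipalKey directly, bypassing the permission/privilege model this same commit introduces in delegation.ldif, where the equivalent "Manage service keytab" ACI is keyed on `cn=manage_service_keytab,cn=permissions` and that permission's member is `cn=admins,cn=privileges,cn=accounts,$SUFFIX` — a DN that does not match the admins group used here and, in the visible part of delegation.ldif, is never created. If the direct grant exists so that key management works even when the delegation tree is absent or that member DN is wrong, the ACI needs a comment saying so, since an undocumented second write path to krbPrincipalKey is exactly what an auditor will flag; something like `# Direct grant for admins; the delegated path is cn=manage_service_keytab,cn=permissions (delegation.ldif)`. The same applies to the "Admins can manage host keytab" ACI added in the next hunk of this file. Either way, the member DN under cn=privileges should be reconciled with the group DN used here.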
@@ -63,3 +64,7 @@ changetype: modify
add: aci
aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
+dn: cn=computers,cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
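Review bot: The host-keytab grant is attached to `cn=computers,cn=accounts,$SUFFIX`, while the permission-based "Manage host keytab" ACI for the same `fqdn=*,cn=computers` target is placed at `$SUFFIX` in delegation.ldif; both already scope themselves with an explicit `target`, so anchoring them at different entries only spreads the krbPrincipalKey write grants across the tree and makes them harder to review together. Consider adding this ACI at the same entry as its delegated counterpart, or documenting why the computers container was chosen, e.g. `# Placed on cn=computers rather than $SUFFIX so it is exported with the container; see delegation.ldif for the delegated grant`. Note also that the preceding record's `aci:` line is immediately followed by the new `dn:` in this view; the hunk counts suggest a blank separator line is present but dropped by the renderer, which is worth confirming since LDIF requires one between records.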
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 1539ae1d5..7881a029d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -1,348 +1,757 @@
-dn: cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+# Configure the DIT
+############################################
+dn: cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
-cn: rolegroups
+cn: roles
-dn: cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
-cn: taskgroups
+cn: privileges
+dn: cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: permissions
+
+############################################
# Add the default roles
-dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: helpdesk
description: Helpdesk
-dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+############################################
+# Add the default privileges
+############################################
+dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: useradmin
description: User Administrators
-dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: groupadmin
description: Group Administrators
-dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: hostadmin
description: Host Administrators
-dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: hostgroupadmin
description: Host Group Administrators
-dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: delegationadmin
description: Role administration
-dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: serviceadmin
description: Service Administrators
-dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: automountadmin
description: Automount Administrators
-dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
+objectClass: nestedgroup
cn: netgroupadmin
description: Netgroups Administrators
-dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: certadmin
+description: Certificate Administrators
+
+dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: replicaadmin
+description: Replication Administrators
+member: cn=admins,cn=groups,cn=accounts,$SUFFIX
+
+dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: dnsadmin
-description: DNS Administrators
+objectClass: nestedgroup
+cn: enrollhost
+description: Host Enrollment
-dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: dnsserver
-description: DNS Servers
+objectClass: nestedgroup
+cn: entitlementadmin
+description: Entitlement Administrators
+
+############################################
+# Default permissions.
+############################################
+
+# User administration
-dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: Add Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: change_password
description: Change a user password
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: add_user_to_default_group
description: Add user to default group
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeusers
description: Remove Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyusers
description: Modify Users
-member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for group administration
-dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
+# Group administration
+
+dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addgroups
description: Add Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removegroups
description: Remove Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroups
description: Modify Groups
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroupmembership
description: Modify Group membership
-member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Host administration
-# Add the taskgroups referenced by the ACIs for host administration
-dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhosts
description: Add Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehosts
description: Remove Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhosts
description: Modify Hosts
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for hostgroup administration
-dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+# Hostgroup administration
+
+dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhostgroups
-description: Add Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Add Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehostgroups
-description: Remove Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Remove Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroups
-description: Modify Host Groups
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Modify Hostgroups
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroupmembership
-description: Modify Host Group membership
-member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+description: Modify Hostgroup membership
+member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Service administration
-# Add the taskgroups referenced by the ACIs for service administration
-dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addservices
description: Add Services
-member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeservices
description: Remove Services
-member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for delegation administration
-# This just lets one manage taskgroup membership and create and delete roles
-dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addhrole
+cn: modifyservices
+description: Modify Services
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Delegation administration
+
+dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addroles
description: Add Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeroles
description: Remove Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyroles
description: Modify Roles
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyrolegroupmembership
+cn: modifyrolemembership
description: Modify Role Group membership
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nestedgroup
+cn: modifyprivilegemembership
+description: Modify privilege membership
+member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Automount administration
-dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifytaskgroupmembership
-description: Modify Task Group membership
-member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: addautomountmaps
+description: Add Automount maps
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for automount administration
-dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addautomount
-description: Add Automount maps/keys
-member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: removeautomountmaps
+description: Remove Automount maps
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeautomount
-description: Remove Automount maps/keys
-member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+cn: addautomountkeys
+description: Add Automount keys
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
-# Add the taskgroups referenced by the ACIs for netgroup administration
-dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeautomountkeys
+description: Remove Automount keys
+member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Netgroup administration
+
+dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addnetgroups
description: Add netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removenetgroups
description: Remove netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroups
description: Modify netgroups
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
-dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroupmembership
description: Modify netgroup membership
-member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Keytab access
-# Taskgroup for retrieving host keytabs
-dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Manage host keytab
-member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
-# Taskgroup for updating the DNS entries
-dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: manage_host_keytab
-description: Updates DNS
-member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
-member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+cn: manage_service_keytab
+description: Manage service keytab
+member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=admins,cn=privileges,cn=accounts,$SUFFIX
+
+# DNS administration
+
+# The permission and aci for this is in install/updates/dns.ldif
+
+dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: enroll_host
+description: Enroll a host
+member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX
+
+# Replica administration
+
+dn: cn=managereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: managereplica
+description: Manage Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: deletereplica
+description: Delete Replication Agreements
+member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX
+
+# Entitlement management
+
+dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addentitlements
+description: Add Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeentitlements
+description: Remove Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyentitlements
+description: Modify Entitlements
+member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
+
+############################################
+# Default permissions (ACIs)
+############################################
+
+# User administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Group administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
+# We need objectclass and gidnumber in modify so a non-posix group can be
+# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Host administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Hostgroup administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Service administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Delegation administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Automount administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Netgroup administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Host keytab admin
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Service keytab admin
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Allow enrolledBy to be removed when a host is not enrolled
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Add the ACI needed to do host enrollment. When this occurs we
+# set the krbPrincipalName, add krbPrincipalAux to objectClass and
+# set enrolledBy to whoever ran join.
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Replica administration
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Entitlement administration
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Create virtual operations entry. This is used to control access to
+# operations that don't rely on LDAP directly.
+dn: cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: virtual operations
+
+# Retrieve Certificate virtual op
+dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: retrieve certificate
+
+dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: retrieve_certs
+description: Retrieve Certificates from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Request Certificate virtual op
+dn: cn=request certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: request certificate
+
+dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: request_certs
+description: Request Certificates from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Request Certificate from different host virtual op
+dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: request certificate different host
+
+dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: request_cert_different_host
+description: Request Certificates from a different host
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Certificate Status virtual op
+dn: cn=certificate status,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: certificate status
+
+dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: certificate_status
+description: Get Certificates status from the CA
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Revoke Certificate virtual op
+dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: revoke certificate
+
+dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: revoke_certificate
+description: Revoke Certificate
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";)
+
+# Certificate Remove Hold virtual op
+dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: certificate remove hold
+
+dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: certificate_remove_hold
+description: Certificate Remove Hold
+member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
+
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";)
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index cb783b889..da58955f5 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -3,4 +3,29 @@ changetype: add
objectClass: nsContainer
objectClass: top
cn: dns
-aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";)
+aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=permissions,cn=accounts,$SUFFIX";)
+
+dn: cn=update_dns,cn=permissions,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: update_dns
+description: DNS Servers Updates
+member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX
+member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX
+
+dn: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: dnsadmin
+description: DNS Administrators
+
+dn: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: dnsserver
+description: DNS Servers
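Review bot: The new `update_dns` permission (L870–L877) gives `dnsadmin` and `dnsserver` identical rights through the ACI at L868, which allows add, write and delete on every attribute except `aci` for every `idnsRecord` entry, with no per-zone scoping; a host placed in the `dnsserver` privilege therefore gets the same zone-wide record-management rights as a DNS administrator, and nothing in the hunk documents that this is intended. Consider stating it next to the privilege, e.g. `# dnsserver members receive the same record add/write/delete rights as dnsadmin via update_dns`, so that anyone adding hosts to it understands the scope. Separately, `update_dns` lists `cn=dnsadmin` and `cn=dnsserver` as `member` values before those entries are added at L879 and L887; this is presumably fine because the directory does not validate member DNs on add, but if that assumption is wrong the order of the three entries should be reversed.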
diff --git a/install/updates/30-rolegroup.update b/install/updates/30-rolegroup.update
deleted file mode 100644
index 1417167de..000000000
--- a/install/updates/30-rolegroup.update
+++ /dev/null
@@ -1,6 +0,0 @@
-# Add the rolegroup container
-
-dn: cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:cn: rolegroups
-
diff --git a/install/updates/30-taskgroup.update b/install/updates/30-taskgroup.update
deleted file mode 100644
index a98960657..000000000
--- a/install/updates/30-taskgroup.update
+++ /dev/null
@@ -1,5 +0,0 @@
-# Add the taskgroup container
-
-dn: cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:cn: taskgroups
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
deleted file mode 100644
index 7dc12d8c9..000000000
--- a/install/updates/40-delegation.update
+++ /dev/null
@@ -1,732 +0,0 @@
-# Add the default roles
-
-dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: helpdesk
-add:description: Helpdesk
-
-dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: useradmin
-add:description: User Administrators
-
-dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: groupadmin
-add:description: Group Administrators
-
-dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: hostadmin
-add:description: Host Administrators
-
-dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: hostgroupadmin
-add:description: Host Group Administrators
-
-dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: delegationadmin
-add:description: Role administration
-
-dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: serviceadmin
-add:description: Service Administrators
-
-dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: automountadmin
-add:description: Automount Administrators
-
-dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: netgroupadmin
-add:description: Netgroups Administrators
-
-dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: dnsadmin
-add:description: DNS Administrators
-
-dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: dnsserver
-add:description: DNS Servers
-
-dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: certadmin
-add:description: Certificate Administrators
-
-dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: replicaadmin
-add:description: Replication Administrators
-add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX'
-
-dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: enrollhost
-add:description: Host Enrollment
-
-dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: entitlementadmin
-add:description: Entitlement Administrators
-
-# Add the taskgroups referenced by the ACIs for user administration
-
-dn: cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:objectClass: top
-add:cn: taskgroups
-
-dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addusers
-add:description: Add Users
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: change_password
-add:description: Change a user password
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: add_user_to_default_group
-add:description: Add user to default group
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeusers
-add:description: Remove Users
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyusers
-add:description: Modify Users
-add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for user administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
- aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
- te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
- ";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
- te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
- askgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials
- || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
- umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
- manager || secretary || description || carLicense || labeledURI || inetUserHT
- TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry
- || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
- (version 3.0;acl "Modify Users";allow (write) groupdn =
- "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for group administration
-
-dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addgroups
-add:description: Add Groups
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removegroups
-add:description: Remove Groups
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifygroups
-add:description: Modify Groups
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifygroupmembership
-add:description: Modify Group membership
-add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for group administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri
- te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t
- askgroups,cn=accounts,$SUFFIX";)'
-# we need objectclass and gidnumber in modify so a non-posix group can be
-# promoted
-add:aci: '(targetattr = "cn || description || gidnumber || objectclass ||
- mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")
- (version 3.0;acl "Modify Groups";allow (write) groupdn =
- "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for host administration
-
-dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addhosts
-add:description: Add Hosts
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removehosts
-add:description: Remove Hosts
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyhosts
-add:description: Modify Hosts
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for host administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "description || l || nshostlocation ||
- nshardwareplatform || nsosversion")
- (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
- acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for hostgroup administration
-
-dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addhostgroups
-add:description: Add Host Groups
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removehostgroups
-add:description: Remove Host Groups
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyhostgroups
-add:description: Modify Host Groups
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyhostgroupmembership
-add:description: Modify Host Group membership
-add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for hostgroup administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=
- removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=
- hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow
- (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri
- te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for service administration
-
-dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addservices
-add:description: Add Services
-add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeservices
-add:description: Remove Services
-add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyservices
-add:description: Modify Services
-add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for service administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
- $SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn
- =addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
- $SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
- :///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal
- name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services"
- ;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco
- unts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for delegation administration
-# This just lets one manage taskgroup membership and create and delete roles
-
-dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addhrole
-add:description: Add Roles
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeroles
-add:description: Remove Roles
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyroles
-add:description: Modify Roles
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyrolegroupmembership
-add:description: Modify Role Group membership
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifytaskgroupmembership
-add:description: Modify Task Group membership
-add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for delegation administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups
- ,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
- 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
- ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou
- pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri
- te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
- ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri
- te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts
- ,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for automount administration
-
-dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addautomount
-add:description: Add Automount maps/keys
-add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeautomount
-add:description: Remove Automount maps/keys
-add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for service administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap
- :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn =
- "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap
- :///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
- $SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn =
- "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Add the taskgroups referenced by the ACIs for netgroup administration
-
-dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addnetgroups
-add:description: Add netgroups
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removenetgroups
-add:description: Remove netgroups
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifynetgroups
-add:description: Modify netgroups
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifynetgroupmembership
-add:description: Modify netgroup membership
-add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACIs that grant these permissions for netgroup administration
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
- 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=
- taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
- 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=
- removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
- cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn
- = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")
- (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
- dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
- pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Taskgroup for retrieving host keytabs
-dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: manage_host_keytab
-add:description: Manage host keytab
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACI needed to do host keytab admin
-dn: $SUFFIX
-add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")
- (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
- (version 3.0;acl "Manage host keytab";
- allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Taskgroup for enrolling hosts. Note that this also requires
-# manage_host_keytab access
-dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: enroll_host
-add:description: Enroll a host
-add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add the ACI needed to do host enrollment. When this occurs we
-# set the krbPrincipalName, add krbPrincipalAux to objectClass and
-# set enrolledBy to whoever ran join.
-dn: $SUFFIX
-add:aci: '(targetattr = "enrolledBy || objectClass")
- (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
- (version 3.0;acl "Enroll a host";
- allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Taskgroup for updating the DNS entries
-dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: update_sn
-add:description: Updates DNS
-add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Create virtual operations entry. This is used to control access to
-# operations that don't rely on LDAP directly.
-dn: cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: virtual operations
-
-# Retrieve Certificate virtual op
-dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: retrieve certificate
-
-# Taskgroup for retrieving certs
-dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: retrieve_certs
-add:description: Retrieve SSL Certificates
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=retrieve certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the
- CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Request Certificate virtual op
-dn: cn=request certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: request certificate
-
-# Taskgroup for requesting certs
-dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: request_certs
-add:description: Request a SSL Certificate
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=request certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Request Certificates from the
- CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
- cn=accounts,$SUFFIX";)'
-
-# Request Certificate from different host virtual op
-dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: request certificate different host
-
-# Taskgroup for requesting certs from a different host
-dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: request_cert_different_host
-add:description: Request a SSL Certificate from a different host
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=request certificate different host,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Request Certificates from a
- different host" ; allow (write) groupdn = "ldap:///cn=request_cert
- _different_host,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Certificate Status virtual op
-dn: cn=certificate status,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: certificate status
-
-# Taskgroup for requesting certs
-dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: certificate_status
-add:description: Status of cert request
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=certificate status,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Get Certificates status from the
- CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Revoke Certificate virtual op
-dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: revoke certificate
-
-# Taskgroup for requesting certs
-dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: revoke_certificate
-add:description: Revoke Certificate
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=revoke certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
- ; allow (write) groupdn = "ldap:///cn=revoke_certificate,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Revoke Certificate virtual op
-dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: revoke certificate
-
-# Taskgroup for requesting certs
-dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: revoke_certificate
-add:description: Revoke Certificate
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=revoke certificate,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
- ; allow (write) groupdn = "ldap:///cn=revoke_certificate,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Certificate Remove Hold virtual op
-dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: certificate remove hold
-
-# Taskgroup for requesting certs
-dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: certificate_remove_hold
-add:description: Certificate Remove Hold
-add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "objectClass")(target =
- "ldap:///cn=certificate remove hold,cn=virtual operations,
- $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
- ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
- cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Taskgroup for managing replicas
-dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: managereplica
-add:description: Manage Replication Agreements
-add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Taskgroup for deleting replicas
-dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: deletereplica
-add:description: Delete Replication Agreements
-add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-# Add acis allowing admins to read/write/delete replicas
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
-add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
- (objectclass=nsds5replicationagreement)(objectclass=
- nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage
- replication agreements"; allow (read, write, search) groupdn =
- "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
-add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
- nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
- ))")(version 3.0;acl "Delete replication agreements";allow (delete)
- groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-# Entitlement management
-dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: addentitlements
-add:description: Add Entitlements
-add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: removeentitlements
-add:description: Remove Entitlements
-add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nestedgroup
-add:cn: modifyentitlements
-add:description: Modify Entitlements
-add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
-
-dn: $SUFFIX
-add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-dn: $SUFFIX
-add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
-
-dn: $SUFFIX
-add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 72acf7f4a..48f53d21d 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -13,9 +13,6 @@ app_DATA = \
30-hbacsvc.update \
30-groupofhosts.update \
30-netgroups.update \
- 30-rolegroup.update \
- 30-taskgroup.update \
- 40-delegation.update \
$(NULL)
EXTRA_DIST = \