diff options
Diffstat (limited to 'install')
-rw-r--r-- | install/share/60basev3.ldif | 4 | ||||
-rw-r--r-- | install/share/delegation.ldif | 8 | ||||
-rw-r--r-- | install/updates/30-provisioning.update | 1 | ||||
-rw-r--r-- | install/updates/45-roles.update | 3 |
4 files changed, 15 insertions, 1 deletions
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 4efb1fe8b..eb1c1298b 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -54,6 +54,8 @@ attributeTypes: (2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encrypted attributeTypes: (2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.1' ) attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') +attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) @@ -71,7 +73,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDran objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v4.0' ) +objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' ) objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0') objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 66a9f1b07..76e726fb9 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -129,6 +129,14 @@ objectClass: nestedgroup cn: Host Enrollment description: Host Enrollment +dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: Stage User Administrators +description: Stage User Administrators + ############################################ # Default permissions. ############################################ diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update index f1666ff3a..b8ec80e00 100644 --- a/install/updates/30-provisioning.update +++ b/install/updates/30-provisioning.update @@ -26,6 +26,7 @@ dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";) # This is used for the admin to reset the delete users credential +# No one is allowed to add entry in Delete container dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";) add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";) diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update index 3442c7bf8..eb50e2b9c 100644 --- a/install/updates/45-roles.update +++ b/install/updates/45-roles.update @@ -28,6 +28,9 @@ add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX +dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX +add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX + dn: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX default:objectClass: groupofnames default:objectClass: nestedgroup |