diff options
Diffstat (limited to 'install')
-rw-r--r-- | install/share/default-aci.ldif | 8 | ||||
-rw-r--r-- | install/updates/20-aci.update | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 88269d282..586ec61fc 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX changetype: modify add: aci aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) + +# This is used for the host/service one-time passwordn and keytab indirectors. +# We can do a query on a DN to see if an attribute exists. +dn: cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) + diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 42f1e9fe6..41d35da35 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -2,3 +2,7 @@ dn: cn=ng,cn=alt,$SUFFIX add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)' +# This is used for the host/service one-time passwordn and keytab indirectors. +# We can do a query on a DN to see if an attribute exists. +dn: cn=accounts,$SUFFIX +add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) |