From 744eb8ea740d9f63a1757cb4d83f63ee4096dea0 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Tue, 22 Feb 2011 15:25:43 +0100 Subject: Entitlements ACIs not visible to Permission plugin This patch fixes Entitlements privileges and ACIs. There were missing descriptions or the ACIs could not be processed by Permissino plugin because of missing prefix. https://fedorahosted.org/freeipa/ticket/997 --- install/share/delegation.ldif | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 02dc850af..5d4949ae3 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -152,6 +152,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Register and Write Entitlements +description: Register and Write Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX @@ -160,6 +161,7 @@ objectClass: top objectClass: groupofnames objectClass: nestedgroup cn: Read Entitlements +description: Read Entitlements member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX @@ -518,6 +520,7 @@ changetype: add objectClass: top objectClass: groupofnames objectClass: ipapermission +cn: Register Entitlements member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX @@ -656,17 +659,17 @@ aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=comp dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";) # Create virtual operations entry. This is used to control access to # operations that don't rely on LDAP directly. -- cgit