From a8fe485065ee7c2bc686bc7a4f673ce2f163ecc5 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 30 Aug 2007 12:23:39 -0400
Subject: Integrate corrections pointed out on the list

---
 ipa-server/ipa-install/share/bootstrap-template.ldif | 7 +++----
 ipa-server/ipa-install/share/default-aci.ldif | 6 +++---
 ipa-server/ipa-install/share/kerberos.ldif | 8 ++++----
 3 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index e8e6b9b4a..7416aaece 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -45,12 +45,10 @@ objectClass: top
 objectClass: account
 uid: webservice
 
-dn: uid=admin,cn=users,cn=accounts,$SUFFIX
+dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: KrbPrincipalAux
 uid: admin
@@ -68,7 +66,8 @@ changetype: add
 objectClass: top
 objectClass: groupofuniquenames
 objectClass: posixGroup
-cn: admins
+cn: Account Admins
+description: Account administrators group
 gidNumber: 1001
 uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
 
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index a942b683e..9ed65a43c 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
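Review bot: Dropping `objectClass: organizationalPerson` and `objectClass: inetOrgPerson` from the admin entry leaves only person, posixAccount and KrbPrincipalAux to carry its attributes, and the rest of the entry continues below `uid: admin`, outside this hunk. Any attribute that only those two classes permitted (givenName, mail, displayName and the like) would now turn the add into an objectClass violation at install time, so the remainder of the entry should be checked against the reduced class set. The new location `cn=sysaccounts,cn=etc,$SUFFIX` does agree with the uniqueMember already referenced in the admins group in the next hunk, so that side of the move is consistent.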
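Review bot: `cn: Account Admins` replaces `cn: admins` on the group entry, but the ACI rewritten in default-aci.ldif by this same commit still grants through `groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX"`. The group's `dn:` line sits above the hunk and is not visible here: if it was renamed to match the new cn, the ACI names a group that no longer exists and account administration fails closed; if it still reads cn=admins, the entry's RDN value no longer appears in its cn attribute, which the directory server may reject or quietly add back, leaving the naming split. Either keep `cn: admins` and carry the friendly name only in the new `description:` line, or update the ACI's groupdn to the renamed group in the same commit so the two files cannot drift apart.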
@@ -3,9 +3,9 @@ dn: $SUFFIX
 changetype: modify
 replace: aci
 aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
 aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
index 0ffc2bba0..d55f39ce4 100644
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@@ -15,20 +15,20 @@ cn: kerberos
 aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 
 #sasl mapping
-dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
+dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
 changetype: add
 objectclass: top
 objectclass: nsSaslMapping
-cn: fullprinc
+cn: Full Principal
 nsSaslMapRegexString: \(.*\)@\(.*\)
 nsSaslMapBaseDNTemplate: $SUFFIX
 nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
 
-dn: cn=justname,cn=mapping,cn=sasl,cn=config
+dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
 changetype: add
 objectclass: top
 objectclass: nsSaslMapping
-cn: justname
+cn: Name Only
 nsSaslMapRegexString: \(.*\)
 nsSaslMapBaseDNTemplate: $SUFFIX
 nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
-- cgit
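Review bot: The rewritten kpasswd ACI on the `+aci:` line still spells its name `Kpasswd access to passowrd hashes for passowrd changes`; ACL names are what the access log and error output show, so a commit of corrections should read `acl "Kpasswd access to password hashes for password changes"`. That same line treats krbPwdHistory as password-hash material, yet the anonymous-read ACI kept as context at the top of the hunk excludes only userPassword, krbPrincipalKey, sambaLMPassword and sambaNTPassword, so history hashes appear to stay readable by `ldap:///anyone`; adding `|| krbPwdHistory` to that targetattr exclusion would close the gap. Narrowing kadmin/changepw from (read, search, compare, write) to (read, write) looks deliberate, but it presumably relies on the anonymous ACI for the krbPrincipalName search that locates the principal entry, which is worth confirming against a real password change before this ships.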