From d84ffd9e548d2cc1f4147e9b24906e4d7241f496 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 22 Dec 2010 11:11:29 -0500 Subject: Move permissions and privileges to their own container, cn=pbac,$SUFFIX ticket 638 --- install/share/delegation.ldif | 317 +++++++++++++------------- install/share/dns.ldif | 28 +-- install/share/replica-acis.ldif | 8 +- install/static/test/data/ipa_init.json | 10 +- install/static/test/data/permission_add.json | 4 +- install/static/test/data/permission_find.json | 98 ++++---- install/static/test/data/permission_show.json | 4 +- ipalib/constants.py | 4 +- ipaserver/install/bindinstance.py | 2 +- 9 files changed, 241 insertions(+), 234 deletions(-) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 7b09ae130..85b7e736e 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -7,13 +7,20 @@ objectClass: top objectClass: nsContainer cn: roles -dn: cn=privileges,cn=accounts,$SUFFIX +# Permissions-based Access Control +dn: cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: pbac + +dn: cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: nsContainer cn: privileges -dn: cn=permissions,cn=accounts,$SUFFIX +dn: cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: nsContainer @@ -33,7 +40,7 @@ description: Helpdesk ############################################ # Add the default privileges ############################################ -dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -41,7 +48,7 @@ objectClass: nestedgroup cn: useradmin description: User Administrators -dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames 
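Review bot: The new cn=pbac,$SUFFIX container and the relocated privilege/permission DNs in this hunk only reach a server that re-applies delegation.ldif, and the diffstat lists no install/updates/ file, so an already-installed server appears to keep its entries under cn=accounts while ipalib/constants.py (also in this commit) starts resolving them under cn=pbac. The same concern applies to every rewritten groupdn in the ACI hunks at -500 and -598: on such a server the new groupdn values name groups that do not exist, so those grants deny (nothing can be a member of a missing group) until the subtree is migrated, while any ACI still pointing at the old cn=permissions,cn=accounts groups keeps granting through them. Moving the container to sit directly under $SUFFIX also means any existing ACI scoped to the cn=accounts subtree no longer covers these entries, which is worth confirming against the rest of the ACI set. Consider shipping a matching update that creates cn=pbac, moves the two subtrees and rewrites the groupdn values in one step, and noting the dependency at the top of the hunk with `# Requires the cn=pbac,$SUFFIX container; existing servers need the matching update to migrate`.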
@@ -49,7 +56,7 @@ objectClass: nestedgroup cn: groupadmin description: Group Administrators -dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -57,7 +64,7 @@ objectClass: nestedgroup cn: hostadmin description: Host Administrators -dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -65,7 +72,7 @@ objectClass: nestedgroup cn: hostgroupadmin description: Host Group Administrators -dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -73,7 +80,7 @@ objectClass: nestedgroup cn: delegationadmin description: Role administration -dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -81,7 +88,7 @@ objectClass: nestedgroup cn: serviceadmin description: Service Administrators -dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -89,7 +96,7 @@ objectClass: nestedgroup cn: automountadmin description: Automount Administrators -dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -97,7 +104,7 @@ objectClass: nestedgroup cn: netgroupadmin description: Netgroups Administrators -dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames 
@@ -105,7 +112,7 @@ objectClass: nestedgroup cn: certadmin description: Certificate Administrators -dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -114,7 +121,7 @@ cn: replicaadmin description: Replication Administrators member: cn=admins,cn=groups,cn=accounts,$SUFFIX -dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX +dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames @@ -122,7 +129,7 @@ objectClass: nestedgroup cn: enrollhost description: Host Enrollment -dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames 
@@ -136,360 +143,360 @@ description: Entitlement Administrators # User administration -dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addusers description: Add Users -member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX +dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: change_password description: Change a user password -member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX +dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: add_user_to_default_group description: Add user to default group -member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeusers description: Remove Users -member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyusers description: Modify Users -member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX # Group administration -dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addgroups description: Add Groups -member: 
cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removegroups description: Remove Groups -member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroups description: Modify Groups -member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifygroupmembership description: Modify Group membership -member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX # Host administration -dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhosts description: Add Hosts -member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehosts description: Remove Hosts -member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhosts description: Modify Hosts -member: 
cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX # Hostgroup administration -dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addhostgroups description: Add Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removehostgroups description: Remove Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroups description: Modify Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyhostgroupmembership description: Modify Hostgroup membership -member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX # Service administration -dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addservices description: Add Services -member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX 
changetype: add objectClass: top objectClass: groupofnames cn: removeservices description: Remove Services -member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyservices description: Modify Services -member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX # Delegation administration -dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addroles description: Add Roles -member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeroles description: Remove Roles -member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyroles description: Modify Roles -member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyrolemembership description: Modify Role Group membership -member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX +dn: 
cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: nestedgroup cn: modifyprivilegemembership description: Modify privilege membership -member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX # Automount administration -dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addautomountmaps description: Add Automount maps -member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeautomountmaps description: Remove Automount maps -member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addautomountkeys description: Add Automount keys -member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeautomountkeys description: Remove Automount keys -member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX # Netgroup administration -dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addnetgroups description: Add netgroups -member: 
cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removenetgroups description: Remove netgroups -member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroups description: Modify netgroups -member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifynetgroupmembership description: Modify netgroup membership -member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX # Keytab access -dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX +dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: manage_host_keytab description: Manage host keytab -member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX -dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX +dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: manage_service_keytab description: Manage service keytab -member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX -member: cn=admins,cn=privileges,cn=accounts,$SUFFIX +member: 
cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +member: cn=admins,cn=privileges,cn=pbac,$SUFFIX # DNS administration # The permission and aci for this is in install/updates/dns.ldif -dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX +dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: enroll_host description: Enroll a host -member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX -member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX +member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX # Replica administration -dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addreplica description: Add Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyreplica description: Modify Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removereplica description: Remove Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX # Entitlement management -dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX +dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: addentitlements description: Add Entitlements -member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX +member: 
cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX +dn: cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: removeentitlements description: Remove Entitlements -member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX +dn: cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: modifyentitlements description: Modify Entitlements -member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX ############################################ # Default permissions (ACIs) 
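Review bot: `member: cn=admins,cn=privileges,cn=pbac,$SUFFIX` on cn=manage_service_keytab (Keytab access section of this hunk) names a privilege this file never creates; the only cn=admins defined here is the group cn=admins,cn=groups,cn=accounts,$SUFFIX, as the replicaadmin privilege shows, so the move carries over a dangling reference and this line grants nothing unless cn=admins is added under cn=privileges elsewhere. Either add that privilege, point the member at the existing group the way replicaadmin does, or drop the line so the effective grants match what the file reads as. Separately, cn=modifyprivilegemembership is the only permission entry here with `objectClass: nestedgroup` where every sibling uses `objectClass: groupofnames`; confirm the schema admits `member` on that class or make the entry consistent with the others.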
@@ -500,96 +507,96 @@ member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = 
"ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";) # Group administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) 
groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";) # We need objectclass and gidnumber in modify so a non-posix group can be # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. -aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";) # Host administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";) 
+aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";) # Hostgroup administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = 
"ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) # Service administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";) # Delegation administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = 
"ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";) # Automount administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target 
= "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) # Netgroup administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = 
"ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) # Host keytab admin dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";) # Service keytab admin dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = 
"ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";) # Add the ACI needed to do host enrollment. When this occurs we # set the krbPrincipalName, add krbPrincipalAux to objectClass and 
@@ -598,24 +605,24 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";) # Entitlement administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX";) dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX";) dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX";) # 
Create virtual operations entry. This is used to control access to # operations that don't rely on LDAP directly. @@ -632,18 +639,18 @@ objectClass: top objectClass: nsContainer cn: retrieve certificate -dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX +dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: retrieve_certs description: Retrieve Certificates from the CA -member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";) # Request Certificate virtual op dn: cn=request certificate,cn=virtual operations,$SUFFIX 
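Review bot: The `add: aci` modifications in this hunk (the enroll_host ACI and the three entitlement ACIs) only add ACIs whose `groupdn` names `cn=permissions,cn=pbac`; on a server that already carries the previous `cn=accounts` ACIs and group entries, nothing in this file removes or rewrites them, so the old grants stay in force next to the new ones until the entries are migrated. The same applies to every `groupdn` and `member` rewrite in the remaining delegation.ldif hunks and in the dns.ldif and replica-acis.ldif hunks further down, and to the `container_permission`/`container_privilege` defaults in constants.py, which will make the code look under `cn=pbac` while the ACIs of an upgraded server still name groups under `cn=accounts`. If this file is only applied at fresh install, a comment near the first `cn=pbac` ACI in this file saying so (and naming the upgrade path) would remove the ambiguity; otherwise an update LDIF that renames the containers and deletes the `cn=accounts` ACI variants is needed.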
@@ -652,18 +659,18 @@ objectClass: top objectClass: nsContainer cn: request certificate -dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX +dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: request_certs description: Request Certificates from the CA -member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";) # Request Certificate from different host virtual op dn: cn=request certificate different host,cn=virtual operations,$SUFFIX 
@@ -672,18 +679,18 @@ objectClass: top objectClass: nsContainer cn: request certificate different host -dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX +dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: request_cert_different_host description: Request Certificates from a different host -member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";) # Certificate Status virtual op dn: cn=certificate status,cn=virtual operations,$SUFFIX 
@@ -692,18 +699,18 @@ objectClass: top objectClass: nsContainer cn: certificate status -dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX +dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: certificate_status description: Get Certificates status from the CA -member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";) # Revoke Certificate virtual op dn: cn=revoke certificate,cn=virtual operations,$SUFFIX 
@@ -712,18 +719,18 @@ objectClass: top objectClass: nsContainer cn: revoke certificate -dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX +dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: revoke_certificate description: Revoke Certificate -member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";) # Certificate Remove Hold virtual op dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX 
@@ -732,15 +739,15 @@ objectClass: top objectClass: nsContainer cn: certificate remove hold -dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX +dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames cn: certificate_remove_hold description: Certificate Remove Hold -member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX +member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index f9ea4958d..2bebd8271 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif 
@@ -4,41 +4,41 @@ objectClass: nsContainer objectClass: top cn: dns -dn: cn=add dns entries,cn=permissions,cn=accounts,$SUFFIX +dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: groupofnames objectClass: top cn: add dns entries description: Add DNS entries -member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX +member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX +member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX -dn: cn=remove dns entries,cn=permissions,cn=accounts,$SUFFIX +dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: groupofnames objectClass: top cn: remove dns entries description: Remove DNS entries -member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX +member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX +member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX -dn: cn=update dns entries,cn=permissions,cn=accounts,$SUFFIX +dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: groupofnames objectClass: top cn: update dns entries description: Update DNS entries -member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX +member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX +member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=accounts,$SUFFIX";) -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=accounts,$SUFFIX";) -aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || 
mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=accounts,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) -dn: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX +dn: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames 
@@ -46,7 +46,7 @@ objectClass: nestedgroup cn: dnsadmin description: DNS Administrators -dn: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX +dn: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif index 9ff4ed1b9..11c785726 100644 --- a/install/share/replica-acis.ldif +++ b/install/share/replica-acis.ldif 
@@ -3,19 +3,19 @@ dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";) dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";) dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";) dn: cn=tasks,cn=config changetype: modify add: aci -aci: (targetattr=*)(version 3.0; acl 
"Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";) +aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";) diff --git a/install/static/test/data/ipa_init.json b/install/static/test/data/ipa_init.json index 3a5301e82..6228b2964 100644 --- a/install/static/test/data/ipa_init.json +++ b/install/static/test/data/ipa_init.json @@ -4490,7 +4490,7 @@ ] }, "bindable": false, - "container_dn": "cn=permissions,cn=accounts", + "container_dn": "cn=permissions,cn=pbac", "default_attributes": [ "cn", "description", @@ -4783,7 +4783,7 @@ ] }, "bindable": false, - "container_dn": "cn=privileges,cn=accounts", + "container_dn": "cn=privileges,cn=pbac", "default_attributes": [ "cn", "description", @@ -7248,11 +7248,11 @@ "container_host": "cn=computers,cn=accounts", "container_hostgroup": "cn=hostgroups,cn=accounts", "container_netgroup": "cn=ng,cn=alt", - "container_permission": "cn=permissions,cn=accounts", + "container_permission": "cn=permissions,cn=pbac", "container_policies": "cn=policies", "container_policygroups": "cn=policygroups,cn=configs,cn=policies", "container_policylinks": "cn=policylinks,cn=configs,cn=policies", - "container_privilege": "cn=privileges,cn=accounts", + "container_privilege": "cn=privileges,cn=pbac", "container_rolegroup": "cn=roles,cn=accounts", "container_roles": "cn=roles,cn=policies", "container_service": "cn=services,cn=accounts", @@ -7300,4 +7300,4 @@ } ] } -} \ No newline at end of file +} diff --git a/install/static/test/data/permission_add.json b/install/static/test/data/permission_add.json index 2235b74c4..9ea7b226b 100644 --- a/install/static/test/data/permission_add.json +++ b/install/static/test/data/permission_add.json 
@@ -9,7 +9,7 @@ "description": [ "description" ], - "dn": "cn=testperm,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=testperm,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "objectclass": [ "groupofnames", "top" @@ -23,4 +23,4 @@ "summary": "Added permission \"testperm\"", "value": "testperm" } -} \ No newline at end of file +} diff --git a/install/static/test/data/permission_find.json b/install/static/test/data/permission_find.json index 0cd4d9884..b0e1c101f 100644 --- a/install/static/test/data/permission_find.json +++ b/install/static/test/data/permission_find.json @@ -11,7 +11,7 @@ "description": [ "Add Users" ], - "dn": "cn=addusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "useradmin" ], @@ -34,7 +34,7 @@ "description": [ "Change a user password" ], - "dn": "cn=change_password,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=change_password,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "useradmin" ], @@ -52,7 +52,7 @@ "description": [ "Add user to default group" ], - "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=add_user_to_default_group,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "useradmin" ], @@ -68,7 +68,7 @@ "description": [ "Remove Users" ], - "dn": "cn=removeusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removeusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "useradmin" ], 
@@ -116,7 +116,7 @@ "description": [ "Modify Users" ], - "dn": "cn=modifyusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "useradmin" ], @@ -132,7 +132,7 @@ "description": [ "Add Groups" ], - "dn": "cn=addgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "groupadmin" ], @@ -148,7 +148,7 @@ "description": [ "Remove Groups" ], - "dn": "cn=removegroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removegroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "groupadmin" ], @@ -172,7 +172,7 @@ "description": [ "Modify Groups" ], - "dn": "cn=modifygroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifygroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "groupadmin" ], @@ -191,7 +191,7 @@ "description": [ "Modify Group membership" ], - "dn": "cn=modifygroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifygroupmembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "groupadmin" ], @@ -207,7 +207,7 @@ "description": [ "Add Hosts" ], - "dn": "cn=addhosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addhosts,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostadmin" ], 
@@ -223,7 +223,7 @@ "description": [ "Remove Hosts" ], - "dn": "cn=removehosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removehosts,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostadmin" ], @@ -246,7 +246,7 @@ "description": [ "Modify Hosts" ], - "dn": "cn=modifyhosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyhosts,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostadmin" ], @@ -262,7 +262,7 @@ "description": [ "Add Hostgroups" ], - "dn": "cn=addhostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addhostgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostgroupadmin" ], @@ -278,7 +278,7 @@ "description": [ "Remove Hostgroups" ], - "dn": "cn=removehostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removehostgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostgroupadmin" ], @@ -298,7 +298,7 @@ "description": [ "Modify Hostgroups" ], - "dn": "cn=modifyhostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyhostgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostgroupadmin" ], @@ -317,7 +317,7 @@ "description": [ "Modify Hostgroup membership" ], - "dn": "cn=modifyhostgroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyhostgroupmembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostgroupadmin" ], 
@@ -333,7 +333,7 @@ "description": [ "Add Services" ], - "dn": "cn=addservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addservices,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "serviceadmin" ], @@ -349,7 +349,7 @@ "description": [ "Remove Services" ], - "dn": "cn=removeservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removeservices,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "serviceadmin" ], @@ -368,7 +368,7 @@ "description": [ "Modify Services" ], - "dn": "cn=modifyservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyservices,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "serviceadmin" ], @@ -384,7 +384,7 @@ "description": [ "Add Roles" ], - "dn": "cn=addroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addroles,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "delegationadmin" ], @@ -400,7 +400,7 @@ "description": [ "Remove Roles" ], - "dn": "cn=removeroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removeroles,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "delegationadmin" ], @@ -420,7 +420,7 @@ "description": [ "Modify Roles" ], - "dn": "cn=modifyroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyroles,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "delegationadmin" ], 
@@ -439,7 +439,7 @@ "description": [ "Modify Role Group membership" ], - "dn": "cn=modifyrolemembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyrolemembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "delegationadmin" ], @@ -458,14 +458,14 @@ "description": [ "Modify privilege membership" ], - "dn": "cn=modifyprivilegemembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyprivilegemembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "delegationadmin" ], "permissions": [ "write" ], - "subtree": "ldap:///cn=*,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com" + "subtree": "ldap:///cn=*,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com" }, { "cn": [ @@ -474,7 +474,7 @@ "description": [ "Add Automount maps" ], - "dn": "cn=addautomountmaps,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addautomountmaps,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "automountadmin" ], @@ -490,7 +490,7 @@ "description": [ "Remove Automount maps" ], - "dn": "cn=removeautomountmaps,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removeautomountmaps,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "automountadmin" ], @@ -506,7 +506,7 @@ "description": [ "Add Automount keys" ], - "dn": "cn=addautomountkeys,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addautomountkeys,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "automountadmin" ], 
@@ -522,7 +522,7 @@ "description": [ "Remove Automount keys" ], - "dn": "cn=removeautomountkeys,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removeautomountkeys,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "automountadmin" ], @@ -538,7 +538,7 @@ "description": [ "Add netgroups" ], - "dn": "cn=addnetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addnetgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "netgroupadmin" ], @@ -554,7 +554,7 @@ "description": [ "Remove netgroups" ], - "dn": "cn=removenetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removenetgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "netgroupadmin" ], @@ -573,7 +573,7 @@ "description": [ "Modify netgroups" ], - "dn": "cn=modifynetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifynetgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "netgroupadmin" ], @@ -595,7 +595,7 @@ "description": [ "Modify netgroup membership" ], - "dn": "cn=modifynetgroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifynetgroupmembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "netgroupadmin" ], @@ -615,7 +615,7 @@ "description": [ "Manage host keytab" ], - "dn": "cn=manage_host_keytab,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=manage_host_keytab,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostadmin", "enrollhost" 
@@ -636,7 +636,7 @@ "description": [ "Manage service keytab" ], - "dn": "cn=manage_service_keytab,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=manage_service_keytab,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "serviceadmin", "admins" @@ -657,7 +657,7 @@ "description": [ "Enroll a host" ], - "dn": "cn=enroll_host,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=enroll_host,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "hostadmin", "enrollhost" @@ -674,7 +674,7 @@ "description": [ "Manage Replication Agreements" ], - "dn": "cn=managereplica,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=managereplica,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "replicaadmin" ], @@ -690,7 +690,7 @@ "description": [ "Delete Replication Agreements" ], - "dn": "cn=deletereplica,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=deletereplica,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "replicaadmin" ], @@ -706,7 +706,7 @@ "description": [ "Add Entitlements" ], - "dn": "cn=addentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addentitlements,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "entitlementadmin" ], @@ -722,7 +722,7 @@ "description": [ "Remove Entitlements" ], - "dn": "cn=removeentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=removeentitlements,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "entitlementadmin" ], 
@@ -741,7 +741,7 @@ "description": [ "Modify Entitlements" ], - "dn": "cn=modifyentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=modifyentitlements,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "entitlementadmin" ], @@ -760,7 +760,7 @@ "description": [ "Retrieve Certificates from the CA" ], - "dn": "cn=retrieve_certs,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=retrieve_certs,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "certadmin" ], @@ -779,7 +779,7 @@ "description": [ "Request Certificates from the CA" ], - "dn": "cn=request_certs,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=request_certs,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "certadmin" ], @@ -798,7 +798,7 @@ "description": [ "Request Certificates from a different host" ], - "dn": "cn=request_cert_different_host,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=request_cert_different_host,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "certadmin" ], @@ -817,7 +817,7 @@ "description": [ "Get Certificates status from the CA" ], - "dn": "cn=certificate_status,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=certificate_status,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "certadmin" ], @@ -836,7 +836,7 @@ "description": [ "Revoke Certificate" ], - "dn": "cn=revoke_certificate,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=revoke_certificate,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "certadmin" ], 
@@ -855,7 +855,7 @@ "description": [ "Certificate Remove Hold" ], - "dn": "cn=certificate_remove_hold,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=certificate_remove_hold,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "certadmin" ], @@ -871,7 +871,7 @@ "description": [ "DNS Servers Updates" ], - "dn": "cn=update_dns,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=update_dns,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member_privilege": [ "dnsadmin", "dnsserver" @@ -884,4 +884,4 @@ "summary": "47 permissions matched", "truncated": false } -} \ No newline at end of file +} diff --git a/install/static/test/data/permission_show.json b/install/static/test/data/permission_show.json index ac12ef0e2..d823061d5 100644 --- a/install/static/test/data/permission_show.json +++ b/install/static/test/data/permission_show.json @@ -22,7 +22,7 @@ "description": [ "Add Users" ], - "dn": "cn=addusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "dn": "cn=addusers,cn=permissions,cn=hbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "member": [ "cn=useradmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com" ], @@ -38,4 +38,4 @@ "summary": null, "value": "addusers" } -} \ No newline at end of file +} diff --git a/ipalib/constants.py b/ipalib/constants.py index 5a07048d7..d1bca677e 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
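Review bot: The new `dn` in the permission_show.json hunk reads `cn=addusers,cn=permissions,cn=hbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com`, while every other fixture and constants.py in this commit use `cn=pbac`; `hbac` looks like a typo, and since HBAC is a separate subsystem with its own container this fixture would describe a DN that no permission entry ever has. The line should read `"dn": "cn=addusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",`. The `member` value two lines below, `cn=useradmin,cn=privileges,cn=accounts,...`, is also left at the old container, so this fixture no longer matches the privilege DNs that permission_find.json and delegation.ldif now produce; if the UI tests compare these DNs literally, the mismatch will either fail or keep passing against stale data.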
@@ -85,8 +85,8 @@ DEFAULT_CONFIG = (
     ('container_host', 'cn=computers,cn=accounts'),
     ('container_hostgroup', 'cn=hostgroups,cn=accounts'),
     ('container_rolegroup', 'cn=roles,cn=accounts'),
-    ('container_permission', 'cn=permissions,cn=accounts'),
-    ('container_privilege', 'cn=privileges,cn=accounts'),
+    ('container_permission', 'cn=permissions,cn=pbac'),
+    ('container_privilege', 'cn=privileges,cn=pbac'),
     ('container_automount', 'cn=automount'),
     ('container_policies', 'cn=policies'),
     ('container_configs', 'cn=configs,cn=policies'),
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index c791d20ed..10b387a8d 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -368,7 +368,7 @@ class BindInstance(service.Service):
             logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
             raise e
-        dns_group = "cn=dnsserver,cn=privileges,cn=accounts,%s" % self.suffix
+        dns_group = "cn=dnsserver,cn=privileges,cn=pbac,%s" % self.suffix
         if isinstance(dns_principal, unicode):
             dns_principal = dns_principal.encode('utf-8')
         mod = [(ldap.MOD_ADD, 'member', dns_principal)]
-- 
cgit
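Review bot: `dns_group` in the bindinstance.py hunk is still assembled from a literal container path, `"cn=dnsserver,cn=privileges,cn=pbac,%s" % self.suffix`, even though this same commit makes `container_privilege` in constants.py the one place that records where privileges live; the two will drift apart the next time the container moves, and this line is exactly the one that had to be patched by hand here. If the ipalib `api.env` object is reachable from this module, building the DN as `dns_group = "cn=dnsserver,%s,%s" % (api.env.container_privilege, self.suffix)` keeps it in step with the configuration. The enclosing method starts before this hunk, so I cannot see whether `api` is already imported; if it is not, a short comment such as `# must match container_privilege in ipalib/constants.py` on the assignment would at least tie the two together.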