From 65a146cdca7c62301b5be978027a44d880424529 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 21 Jan 2011 09:20:01 +0100 Subject: ACI plugin supports prefixes When more than one plugin produce ACIs, they share common namespace of ACI name. This may lead to name collisions between the ACIs from different plugins. This patch introduces a mandatory "prefix" attribute for non-find ACI operations which allow plugins to use their own prefixes (i.e. namespaces) which is then used when a name of the ACI is generated. Permission, Delegation and Selfservice plugins has been updated to use their own prefixes thus avoiding name collisions by using their own namespaces. Default ACIs in LDIFs has been updated to follow this new policy. Permission plugin now uses its CN (=primary key) instead of description in ACI names as Description may not be unique. This change requires an IPA server reinstall since the default ACI set has been changed. https://fedorahosted.org/freeipa/ticket/764 --- install/share/default-aci.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'install/share/default-aci.ldif') diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 945b0bb31..8b00f4609 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -6,7 +6,7 @@ add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) -aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) +aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -- cgit