From 3931d1d753289630d0a4199b6100302ddca2bd47 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Thu, 22 May 2008 17:55:27 -0400
Subject: Move admin into cn=users,cn=accounts

After some deep thinking I think the advantages of keeping all
posix enabled user accounts under cn=users,cn=accounts overweight a
perceived better protection of the admin account by keeping it in a
separate tree.
---
 ipa-server/ipa-install/share/bootstrap-template.ldif | 4 ++--
 ipa-server/ipa-install/share/default-aci.ldif        | 4 ++--
 ipa-server/ipaserver/dsinstance.py                   | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

(limited to 'ipa-server')

diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 014f9d61d..eb69ae4d0 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -58,7 +58,7 @@ objectClass: nsContainer
 objectClass: top
 cn: masters
 
-dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: person
@@ -108,7 +108,7 @@ objectClass: posixGroup
 cn: admins
 description: Account administrators group
 gidNumber: 1001
-member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+member: uid=admin,cn=users,cn=accounts,$SUFFIX
 nsAccountLock: False
 
 dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index b268ad199..9cb5d831b 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
@@ -29,7 +29,7 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
 dn: cn=radius,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
 aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 
 dn: cn=services,cn=accounts,$SUFFIX
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index f0ff2da7b..540ff686f 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -375,7 +375,7 @@ class DsInstance(service.Service):
         args = [app,
                 "-D", "cn=Directory Manager", "-w", self.dm_password,
                 "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
-                "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
+                "uid=admin,cn=users,cn=accounts,"+self.suffix]
         try:
             ipautil.run(args)
             logging.debug("ldappasswd done")
-- 
cgit