############################################
# Configure the DIT
############################################
# Containers for the permission-based access control (PBAC) tree.
# Everything below hangs off $SUFFIX, which is substituted at install time:
#   cn=roles,cn=accounts     - roles (nested groups) that users/groups join
#   cn=privileges,cn=pbac    - privileges (nested groups); presumably roles
#                              are made members of these, though no role is
#                              wired to a privilege in this file
#   cn=permissions,cn=pbac   - permissions (groupOfNames); each one is backed
#                              by an ACI on $SUFFIX that grants the right to
#                              the permission entry via groupdn

dn: cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: roles

# Permissions-based Access Control
dn: cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: pbac

dn: cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: privileges

dn: cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: permissions

############################################
# Add the default roles
############################################
# The only role shipped by default. It carries no memberships here; it is
# populated (and attached to privileges) by the installer or the admin.
dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: helpdesk
description: Helpdesk

############################################
# Add the default privileges
############################################
# Privileges are nestedgroups so that role membership is resolved through
# them. Which rights a privilege carries is defined by the permission entries
# that list the privilege as a member (see the permissions section).

dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: useradmin
description: User Administrators

dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: groupadmin
description: Group Administrators

dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: hostadmin
description: Host Administrators

dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: hostgroupadmin
description: Host Group Administrators

dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: delegationadmin
description: Role administration

dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: serviceadmin
description: Service Administrators

dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: automountadmin
description: Automount Administrators

dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: netgroupadmin
description: Netgroups Administrators

dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: certadmin
description: Certificate Administrators

# replicaadmin is the one privilege that is pre-populated: the admins group
# (cn=admins,cn=groups,cn=accounts) is a direct member, so admins can manage
# replication agreements out of the box.
dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: replicaadmin
description: Replication Administrators
member: cn=admins,cn=groups,cn=accounts,$SUFFIX

# enrollhost is intended for identities that only enroll hosts (keytab +
# enrollment permissions), without the wider hostadmin rights.
dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: enrollhost
description: Host Enrollment

dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: entitlementadmin
description: Entitlement Administrators

############################################
# Default permissions.
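############################################
#
# Permission model: a permission entry is a groupOfNames whose members are
# privileges (cn=privileges,cn=pbac). The ACI for the permission, added to
# $SUFFIX in the "Default permissions (ACIs)" section below, grants the right
# to the permission entry via groupdn, so a principal receives the right by
# being a (nested) member of a privilege that is a member of the permission.
# Every ACI is named "permission:<cn of the permission>" so that the two
# halves can be matched up.

# User administration
dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: Add Users
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: change_password
description: Change a user password
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: add_user_to_default_group
description: Add user to default group
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX

# unlock_user is granted to the admins group directly as well as through the
# useradmin privilege.
dn: cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: unlock_user
description: Unlock user accounts
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX

dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeusers
description: Remove Users
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyusers
description: Modify Users
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX

# Group administration
dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addgroups
description: Add Groups
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removegroups
description: Remove Groups
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroups
description: Modify Groups
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroupmembership
description: Modify Group membership
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX

# Host administration
dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhosts
description: Add Hosts
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehosts
description: Remove Hosts
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhosts
description: Modify Hosts
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX

# Hostgroup administration
dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhostgroups
description: Add Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehostgroups
description: Remove Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroups
description: Modify Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroupmembership
description: Modify Hostgroup membership
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX

# Service administration
dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addservices
description: Add Services
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeservices
description: Remove Services
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyservices
description: Modify Services
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX

# Delegation administration
# These permissions manage the PBAC tree itself (roles and the membership of
# permissions), so holders of delegationadmin can widen what other privileges
# grant. Treat this privilege as equivalent to administrative access.
dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addroles
description: Add Roles
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeroles
description: Remove Roles
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyroles
description: Modify Roles
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyrolemembership
description: Modify Role Group membership
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyprivilegemembership
description: Modify privilege membership
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX

# Automount administration
dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addautomountmaps
description: Add Automount maps
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeautomountmaps
description: Remove Automount maps
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addautomountkeys
description: Add Automount keys
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeautomountkeys
description: Remove Automount keys
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX

# Netgroup administration
dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addnetgroups
description: Add netgroups
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removenetgroups
description: Remove netgroups
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroups
description: Modify netgroups
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroupmembership
description: Modify netgroup membership
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX

# Keytab access
# Both keytab permissions write krbprincipalkey (see the ACIs below), i.e.
# they let the holder (re)issue a principal's Kerberos keys. Keep their
# membership as narrow as the enrollment workflow allows.
dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Manage host keytab
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX

# The admins group lives under cn=groups,cn=accounts; there is no
# cn=admins privilege under cn=privileges,cn=pbac, so the DN below uses the
# same form as replicaadmin and unlock_user. With a DN that does not exist
# the admins group would silently not be granted this permission.
dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_service_keytab
description: Manage service keytab
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX

# DNS administration
# The permission and aci for this is in install/updates/dns.ldif

# Host enrollment
dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: enroll_host
description: Enroll a host
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX

# Replica administration
dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addreplica
description: Add Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyreplica
description: Modify Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removereplica
description: Remove Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX

# Entitlement management
dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addentitlements
description: Add Entitlements
member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeentitlements
description: Remove Entitlements
member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX

dn: cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyentitlements
description: Modify Entitlements
member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX

############################################
# Default permissions (ACIs)
############################################
# All ACIs are attached to $SUFFIX and scoped with target/targetattr. Each
# grants exactly one of add/delete/write to the groupdn of its permission
# entry; write ACIs list the attributes they cover explicitly.

# User administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addusers";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";)
# change_password writes the Kerberos key and SMB hash attributes directly,
# not just userpassword: holders control every credential of the target user.
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";)
# NOTE(review): this is the only acl whose name is not "permission:<cn>" of
# its permission entry (cn=unlock_user). If permission lookups pair an ACI
# with its entry by that naming convention, this one will not be found.
# Left as-is because renaming a deployed ACI belongs in an update; confirm
# against the permission plugin before changing it.
aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeusers";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";)
# objectclass is writable so that auxiliary classes (e.g. for managed entries,
# cf. mepmanagedentry) can be added; presumably the same reason as for groups.
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyusers";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";)

# Group administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addgroups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroupmembership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removegroups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mepManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";)

# Host administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";)

# Hostgroup administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyhostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhostgroupmembership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)

# Service administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addservices";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeservices";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";)
# modifyservices only covers the service certificate; keys are handled by
# manage_service_keytab below.
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyservices";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";)

# Delegation administration
# Role entries are hidden from unauthenticated binds: userdn != "ldap:///all"
# matches only anonymous, and deny rules take precedence over allow rules in
# the 389-ds ACI model, so no later allow can reopen anonymous read of roles.
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)

dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addroles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeroles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyroles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyrolemembership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";)
# "privilege membership" is edited on the permission entries: this grants
# write on member of every cn=*,cn=permissions,cn=pbac entry, i.e. the
# ability to attach any privilege to any permission.
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:modifyprivilegemembership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";)

# Automount administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountmaps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountmaps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountkeys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountkeys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)

# Netgroup administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:addnetgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:removenetgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:modifynetgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:modifynetgroupmembership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)

# Host keytab admin
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_host_keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";)

# Service keytab admin
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_service_keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";)

# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
# set enrolledBy to whoever ran join.
# NOTE(review): the targetattr below covers enrolledby and objectclass only;
# the write to krbPrincipalName mentioned above must be authorised by an ACI
# that is not in this file (or the attribute is set before enrollment) --
# confirm before relying on this comment.
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:enroll_host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";)

# Entitlement administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:addentitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX";)

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:modifyentitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX";)

dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:removeentitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX";)

# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.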
# Virtual operations are empty container entries that exist only to be ACI
# targets: each CA-related permission below is granted "write" on the
# objectclass of one such entry, and that grant stands in for the right to
# perform an operation that does not itself touch LDAP. Presumably the
# framework checks write access to the entry before calling the CA - confirm.
dn: cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: virtual operations

# Retrieve Certificate virtual op
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: retrieve certificate

dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: retrieve_certs
description: Retrieve Certificates from the CA
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:retrieve_certs" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";)

# Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: request certificate

dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: request_certs
description: Request Certificates from the CA
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_certs" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";)

# Request Certificate from different host virtual op
# Separate from request_certs: requesting a certificate for a host other than
# the one making the request is a distinct, more sensitive right.
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: request certificate different host

dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: request_cert_different_host
description: Request Certificates from a different host
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_cert_different_host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";)

# Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: certificate status

dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: certificate_status
description: Get Certificates status from the CA
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_status" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";)

# Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: revoke certificate

dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: revoke_certificate
description: Revoke Certificate
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:revoke_certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";)

# Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: certificate remove hold

dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: certificate_remove_hold
description: Certificate Remove Hold
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_remove_hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";)