authorSimo Sorce <ssorce@redhat.com>2008-05-22 17:55:27 -0400
committerSimo Sorce <ssorce@redhat.com>2008-05-23 15:08:02 -0400
commit3b7b9bfdc24bcbf6104c3fa5d309feb5e1ca860f (patch)
treefdbd9c6bd26e26975dfa7d4224e0aeaede4a9818
parentc9ce1ca70433e9b18aa798e71bbf3c1c27482a51 (diff)
Move admin into cn=users,cn=accounts
After some deep thinking I think the advantages of keeping all POSIX-enabled user accounts under cn=users,cn=accounts outweigh the perceived better protection of the admin account gained by keeping it in a separate tree.
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif4
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif4
-rw-r--r--ipa-server/ipaserver/dsinstance.py2
3 files changed, 5 insertions, 5 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 014f9d61..eb69ae4d 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -58,7 +58,7 @@ objectClass: nsContainer
objectClass: top
cn: masters
-dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: person
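Review bot: The admin DN is now spelled out literally in five places across three files (this hunk, the member line in the second hunk of this file, both ACIs in default-aci.ldif and the ldappasswd argument in ipaserver/dsinstance.py), so a future change to any one of them silently breaks the others — a mismatch in default-aci.ldif would leave the "Admin can manage any entry" ACI pointing at a DN that no longer exists. Since the templates are already substituted ($SUFFIX), a single template variable for the admin DN would be the cleaner fix; short of that, a comment above this entry should record the coupling, e.g. `# admin DN is mirrored in default-aci.ldif and ipaserver/dsinstance.py; keep them in sync`. The admin entry's remaining attributes continue past the end of this hunk.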
@@ -108,7 +108,7 @@ objectClass: posixGroup
cn: admins
description: Account administrators group
gidNumber: 1001
-member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: False
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index b268ad19..9cb5d831 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
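Review bot: The changed "Admin can manage any entry" ACI still binds admin's rights to one fixed userdn, but moving the entry under cn=users,cn=accounts also changes who can write to the admin entry itself: any subtree-scoped ACI that grants cn=admins write access to user entries (the pattern at the "Account Admins can manage Users and Groups" line in the next hunk, and presumably an equivalent one for cn=users outside this hunk) now covers uid=admin as well, so any member of cn=admins can modify the admin account's non-password attributes. That is exactly the protection the commit message calls "perceived"; if the trade-off is intended, the acl description or a comment above this entry should say so, e.g. `# admin lives under cn=users: group ACIs on that subtree apply to it too`. Nothing in this diff updates an already-installed directory, so on an existing deployment whose admin entry is still at cn=sysaccounts,cn=etc this ACI would stop matching and admin would lose these rights — worth a note in the commit message or an upgrade step, if that case exists.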
@@ -29,7 +29,7 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
dn: cn=radius,$SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=services,cn=accounts,$SUFFIX
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index f0ff2da7..540ff686 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -375,7 +375,7 @@ class DsInstance(service.Service):
args = [app,
"-D", "cn=Directory Manager", "-w", self.dm_password,
"-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
- "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
+ "uid=admin,cn=users,cn=accounts,"+self.suffix]
try:
ipautil.run(args)
logging.debug("ldappasswd done")
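Review bot: The new `"uid=admin,cn=users,cn=accounts,"+self.suffix` argument duplicates a DN that is also hard-coded in bootstrap-template.ldif and default-aci.ldif; a module-level constant (e.g. `ADMIN_RDN = "uid=admin,cn=users,cn=accounts"` with `ADMIN_RDN + "," + self.suffix` here) would at least give the Python side a single place to keep in step with the LDIF templates. Separately, and pre-existing rather than introduced here, the same args list passes the Directory Manager password (`-w`) and the new admin password (`-s`) on the command line, which exposes both to any local user reading the process table for the duration of the ldappasswd run; if the tool in use can read either value from a file or stdin, that is preferable. The enclosing method starts before this hunk and its exception handling continues past it.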