From 4376ad0b1097faf22b13684bc07b0815a0c1e10f Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 24 Apr 2009 15:30:23 -0400
Subject: Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works)
---
 install/updates/40-delegation.update | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'install/updates/40-delegation.update')
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 304f5f79..da4cde8f 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -420,3 +420,18 @@ add:aci: (targetattr = "memberhost || externalhost || memberuser || member")
 (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
 dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
 pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)
+
+# Taskgroup for retrieving host keytabs
+dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: manage_host_keytab
+add:description: Manage host keytab
+add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACI needed to do host keytab admin
+add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
+ cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
+ allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
+ cn=accounts,$SUFFIX";)
+
-- cgit
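Review bot: The new `add:aci:` line has no `dn:` of its own, so the last `dn:` before it is the taskgroup entry `cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX` added a few lines earlier. If the updater applies directives to the most recent `dn:` and skips blank and comment lines, the ACI would be stored on the taskgroup entry, where a target under `cn=computers,cn=accounts,$SUFFIX` is outside its subtree and the rule would grant nothing. I would restate the entry that carries the preceding ACIs just before the new `add:aci:`; its `dn:` is outside this hunk, presumably `dn: $SUFFIX`. Because the rule gives write on `krbPrincipalKey` for every `cn=*` entry under `cn=computers`, the comment could also say so: `# Members of manage_host_keytab may replace the Kerberos key of any host entry`.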