From 496ab3f738d55e9356142048dcfef2caa46c121f Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 17 Feb 2011 17:19:24 -0500
Subject: Add aci to make managed netgroups immutable. ticket 962
---
 install/updates/20-aci.update | 4 ++++
 install/updates/Makefile.am | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/20-aci.update
(limited to 'install')
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
new file mode 100644
index 00000000..42f1e9fe
--- /dev/null
+++ b/install/updates/20-aci.update
@@ -0,0 +1,4 @@
+# Don't allow managed netgroups to be modified
+dn: cn=ng,cn=alt,$SUFFIX
+add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 26318e14..c3473ace 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -4,13 +4,14 @@ appdir = $(IPA_DATA_DIR)/updates
 app_DATA = \
 10-RFC2307bis.update \
 10-RFC4876.update \
+ 20-aci.update \
 20-dna.update \
 20-indices.update \
 20-nss_ldap.update \
 20-replication.update \
 20-winsync_index.update \
 40-delegation.update \
- 50-lockout-policy.update \
+ 50-lockout-policy.update \
 $(NULL)
 EXTRA_DIST = \
-- cgit
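Review bot: In install/updates/20-aci.update the new ACI denies only the `write` right, so it blocks attribute changes on entries matching `(objectClass=mepManagedEntry)` but does not by itself stop such an entry from being deleted, since `delete` is a separate right in this ACI syntax. If "immutable" is meant to cover removal as well, the rule would read `deny (write, delete) userdn = "ldap:///all";`; if direct deletion is deliberately left to the existing permissions, the comment should say so. I would also extend the comment to record the scope, for example `# Deny takes precedence over allow ACIs, so this binds every authenticated user, admins included; it does not cover delete`. The effect on whatever maintains these managed entries is not visible from this patch, so it is worth confirming that updates made on behalf of the origin entry are not subject to this ACI.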