diff options
Diffstat (limited to 'pki/base/ca/shared')
| -rw-r--r-- | pki/base/ca/shared/conf/CS.cfg.in | 1 | ||||
| -rw-r--r-- | pki/base/ca/shared/conf/manager.ldif | 48 |
2 files changed, 49 insertions, 0 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in index 1ba0d2f40..980ed5854 100644 --- a/pki/base/ca/shared/conf/CS.cfg.in +++ b/pki/base/ca/shared/conf/CS.cfg.in @@ -818,6 +818,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/schema.ldif preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/ca/conf/database.ldif preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/db.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/acl.ldif preop.internaldb.index_ldif= +preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/index.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/ca/conf/vlvtasks.ldif preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config internaldb.multipleSuffix.enable=false diff --git a/pki/base/ca/shared/conf/manager.ldif b/pki/base/ca/shared/conf/manager.ldif new file mode 100644 index 000000000..52e486987 --- /dev/null +++ b/pki/base/ca/shared/conf/manager.ldif @@ -0,0 +1,48 @@ +# acis for cert manager + +dn: ou=csusers,cn=config +objectClass: top +objectClass: organizationalUnit +ou: csusers + +dn: {rootSuffix} +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";) + +dn: cn=ldbm database,cn=plugins,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";) + +dn: cn=config +changetype: modify +add: aci +aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";) + +dn: ou=csusers,cn=config +changetype: modify +add: aci +aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";) + +dn: cn="{rootSuffix}",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";) + +dn: cn="{rootSuffix}",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";) + +dn: cn="{rootSuffix}",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";) + +dn: cn=tasks,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";) + + |