diff options
Diffstat (limited to 'pki/base/kra')
-rw-r--r-- | pki/base/kra/shared/conf/CS.cfg.in | 1 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/manager.ldif | 48 |
2 files changed, 49 insertions, 0 deletions
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in index 19570155c..a6d49ceb5 100644 --- a/pki/base/kra/shared/conf/CS.cfg.in +++ b/pki/base/kra/shared/conf/CS.cfg.in @@ -225,6 +225,7 @@ preop.internaldb.schema.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/schema.ldif preop.internaldb.ldif=/usr/share/[PKI_FLAVOR]/kra/conf/database.ldif preop.internaldb.data_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/db.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/acl.ldif preop.internaldb.index_ldif= +preop.internaldb.manager_ldif=/usr/share/[PKI_FLAVOR]/ca/conf/manager.ldif preop.internaldb.post_ldif=/usr/share/[PKI_FLAVOR]/kra/conf/index.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlv.ldif,/usr/share/[PKI_FLAVOR]/kra/conf/vlvtasks.ldif preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config internaldb.multipleSuffix.enable=false diff --git a/pki/base/kra/shared/conf/manager.ldif b/pki/base/kra/shared/conf/manager.ldif new file mode 100644 index 000000000..52e486987 --- /dev/null +++ b/pki/base/kra/shared/conf/manager.ldif @@ -0,0 +1,48 @@ +# acis for cert manager + +dn: ou=csusers,cn=config +objectClass: top +objectClass: organizationalUnit +ou: csusers + +dn: {rootSuffix} +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";) + +dn: cn=ldbm database,cn=plugins,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";) + +dn: cn=config +changetype: modify +add: aci +aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";) + +dn: ou=csusers,cn=config +changetype: modify +add: aci +aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";) + +dn: cn="{rootSuffix}",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";) + +dn: cn="{rootSuffix}",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";) + +dn: cn="{rootSuffix}",cn=mapping tree,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";) + +dn: cn=tasks,cn=config +changetype: modify +add: aci +aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";) + + |