author | Sumit Bose <sbose@redhat.com> | 2011-09-19 11:48:05 +0200 |
committer | Simo Sorce <ssorce@redhat.com> | 2011-09-20 17:27:40 -0400 |
commit | 0ebe23dc9643ba25a0dd32e24a9d97a53fbe00c0 (patch) | |
tree | 21ad06bc8fa92d2023d3479fdfa43b387040ef2d /ipaserver/install | |
parent | 21cd1857c86e540348cc07a2a86f3d35b51802d5 (diff) | |
Fix ACIs in ipa-adtrust-install
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index f2cc3327..1bd37d4e 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -102,9 +102,20 @@ class ADTRUSTInstance(service.Service):
 self.admin_conn.add_s(entry)
 
 # And finally grant it permission to read NT passwords, we do not want
- # to support LM passwords so there is no need to allow access to them
+ # to support LM passwords so there is no need to allow access to them.
+ # Also the premission to create trusted domain objects below the
+ # domain object is granted.
 mod = [(ldap.MOD_ADD, 'aci',
- str(['(targetattr = "sambaNTPassword")(version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///%s";)' % self.smb_dn]))]
+ str('(targetattr = "sambaNTPassword")' \
+ '(version 3.0; acl "Samba user can read NT passwords";' \
+ 'allow (read) userdn="ldap:///%s";)' % self.smb_dn)),
+ (ldap.MOD_ADD, 'aci',
+ str('(target = "ldap:///cn=ad,cn=trusts,%s")' \
+ '(targetattr = "sambaTrustType || sambaTrustAttributes || sambaTrustDirection || sambaTrustPartner || sambaFlatName || sambaTrustAuthOutgoing || sambaTrustAuthIncoming || sambaSecurityIdentifier || sambaTrustForestTrustInfo || sambaTrustPosixOffset || sambaSupportedEncryptionTypes")' \
+ '(version 3.0;acl "Allow samba user to create and delete trust accounts";' \
+ 'allow (write,add,delete) userdn = "ldap:///%s";)' % \
+ (self.suffix, self.smb_dn)))]
+
 try:
 self.admin_conn.modify_s(self.suffix, mod)
 except ldap.TYPE_OR_VALUE_EXISTS:
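Review bot: The new trust ACI grants `add,delete` together with a `targetattr` list that omits `objectClass` and `cn`; if the directory server evaluates the attribute list for add operations as it does for write, an entry carrying attributes outside the list would be refused and the grant would not do what the comment promises, so this is worth checking against the server's ACI semantics or splitting into an add/delete ACI without `targetattr` and a separate write ACI with it. The comment in the first added lines has a typo and should read `# Also the permission to create trusted domain objects below the`. The `str(...)` wrappers around literals that are already strings are redundant now that the list wrapper from the removed line is gone, and the backslash continuations are unnecessary inside the parentheses. The enclosing method begins outside the hunk.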