author | Rob Crittenden <rcritten@redhat.com> | 2009-04-24 15:30:23 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-05-19 09:52:21 -0400 |
commit | 4376ad0b1097faf22b13684bc07b0815a0c1e10f (patch) | |
tree | 63fdc24576052127b829dd4e2b255bbf2f84e5a9 /install/updates | |
parent | 7ac2b8ae454ca7a9570000b5ffe9971761422724 (diff) | |
Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works)
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/40-delegation.update | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 304f5f79..da4cde8f 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -420,3 +420,18 @@ add:aci: (targetattr = "memberhost || externalhost || memberuser || member")
 (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
 dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
 pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)
+
+# Taskgroup for retrieving host keytabs
+dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: manage_host_keytab
+add:description: Manage host keytab
+add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACI needed to do host keytab admin
+add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
+ cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
+ allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
+ cn=accounts,$SUFFIX";)
+
|
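Review bot: The new `add:aci:` line has no `dn:` of its own: it follows a blank line and a comment, and the nearest preceding `dn:` in this hunk is the `cn=manage_host_keytab` taskgroup entry. If the updater attaches the ACI to that entry (the parser is not visible here), it would sit outside the `cn=computers` subtree it targets and would probably not take effect, so I would put an explicit `dn: $SUFFIX` line before it, assuming that is where the earlier ACIs in this file live. Separately, the rule lets every member of `manage_host_keytab` (seeded with the whole `hostadmin` rolegroup) overwrite `krbPrincipalKey` on any `cn=*` entry under `cn=computers`; a comment stating that this breadth is intended, e.g. `# hostadmin may reset keys for every host entry`, would help later access reviews. The quoted value in `add:member:"…"` also differs from the unquoted style of the neighbouring lines and is worth checking against how the updater handles quotes.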