summaryrefslogtreecommitdiffstats
path: root/install/updates
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2009-04-24 15:30:23 -0400
committerRob Crittenden <rcritten@redhat.com>2009-05-19 09:52:21 -0400
commit4376ad0b1097faf22b13684bc07b0815a0c1e10f (patch)
tree63fdc24576052127b829dd4e2b255bbf2f84e5a9 /install/updates
parent7ac2b8ae454ca7a9570000b5ffe9971761422724 (diff)
downloadfreeipa-4376ad0b1097faf22b13684bc07b0815a0c1e10f.tar.gz
freeipa-4376ad0b1097faf22b13684bc07b0815a0c1e10f.tar.xz
freeipa-4376ad0b1097faf22b13684bc07b0815a0c1e10f.zip
Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works)
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/40-delegation.update15
1 files changed, 15 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 304f5f79..da4cde8f 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -420,3 +420,18 @@ add:aci: (targetattr = "memberhost || externalhost || memberuser || member")
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)
+
+# Taskgroup for retrieving host keytabs
+dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: manage_host_keytab
+add:description: Manage host keytab
+add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACI needed to do host keytab admin
+add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
+ cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
+ allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
+ cn=accounts,$SUFFIX";)
+