author | Martin Babinsky <mbabinsk@redhat.com> | 2015-12-08 09:51:09 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2015-12-11 12:25:26 +0100 |
commit | e130d35687a05cb3d2dd8708b76e7745e337c0c0 (patch) | |
tree | 463d600771567455c0c8182efa7af64f93670d41 | |
parent | ccb2f523134af5246450edd04874af2d34d896cc (diff) | |
download | freeipa-e130d35687a05cb3d2dd8708b76e7745e337c0c0.tar.gz freeipa-e130d35687a05cb3d2dd8708b76e7745e337c0c0.tar.xz freeipa-e130d35687a05cb3d2dd8708b76e7745e337c0c0.zip |
add ACIs for custodia container to its parent during IPA upgrade
This fixes the situation where LDAPUpdater tries to add ACIs for storing
secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually
created, which leads to the container being created without any ACI and to
subsequent erroneous behavior.
https://fedorahosted.org/freeipa/ticket/5524
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | install/updates/20-aci.update | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index ca4c0df05..5b9741d7e 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -113,6 +113,6 @@ dn: cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
 
 # IPA server hosts can create and manage own Custodia secrets
-dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
+dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) |
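Review bot: The relocation of the two Custodia ACIs to the parent entry is not explained in the update file itself, so a later reader of 20-aci.update sees ACIs for cn=custodia hanging off cn=ipa,cn=etc,$SUFFIX with no hint why they are not set on the container; extending the existing comment line would keep the rationale with the data, e.g. `# IPA server hosts can create and manage own Custodia secrets (ACIs live on the parent so they exist before cn=custodia is created, ticket 5524)`. Deployments that already ran the earlier version of this stanza presumably still carry the same two ACIs on cn=custodia,cn=ipa,cn=etc,$SUFFIX; because both target clauses cover the identical subtree the effective permissions stay the same, but the stale copies are not removed by this hunk and may deserve a remove:aci entry or a follow-up. The changed dn line is the only functional change; the target, groupdn and userdn clauses are byte-identical to the removed placement, which is worth stating in the commit message so the move is not mistaken for a widening of scope. The surrounding cn=etc and cn=ipa stanzas extend beyond the hunk, so the complete set of ACIs on those entries is not visible here.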