authorJan Cholasta <jcholast@redhat.com>2015-11-13 08:15:55 +0100
committerJan Cholasta <jcholast@redhat.com>2015-12-07 08:14:13 +0100
commite137f305edf2a107b06a00b05b06464b8707ab82 (patch)
tree459cdfe5e2171f3bf87a27434c42f070ff713ca8
parent7b9a97383ce4090d30e624fc8b7263d6c5f1b823 (diff)
aci: allow members of ipaservers to set up replication
Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves. A number of checks which need read access to certain LDAP entries are done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r--install/updates/20-aci.update25
-rw-r--r--install/updates/45-roles.update1
2 files changed, 26 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index cba1897e1..ca4c0df05 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -32,6 +32,14 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
+# Allow hosts to read masters service configuration
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
+
+# Allow hosts to read replication managers
+dn: cn=sysaccounts,cn=etc,$SUFFIX
+add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "objectClass || cn")(version 3.0; acl "Allow hosts to read replication managers"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
+
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
dn: cn=kerberos,$SUFFIX
add:aci:(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)
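Review bot: The two ACIs "Allow hosts to read masters service configuration" and "Allow hosts to read replication managers" bind on `fqdn=*,cn=computers`, so every enrolled host, not only ipaservers members, gains the read, and the comments name the grant but not the promotion check that requires it, which leaves a later reviewer nothing to judge the scope against. Consider extending the comment to record the consumer, e.g. `# Allow hosts to read masters service configuration (any enrolled host; needed by the pre-promotion checks)`. As a point of style, the replication managers ACI writes `objectClass` while every other ACI in this hunk, including the one directly above it, writes `objectclass`; attribute names are case-insensitive in LDAP, but the file's own convention is lowercase.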
@@ -54,6 +62,10 @@ add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || kr
dn: cn=tasks,cn=config
add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+# Allow hosts to read their replication agreements
+dn: cn=mapping tree,cn=config
+add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+
# Removal of obsolete ACIs
dn: cn=config
# Replaced by 'System: Read Replication Agreements'
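Review bot: The "Allow hosts to read their replication agreements" ACI couples the grant to an agreement naming convention: the target matches only entries whose cn is literally `meTo` followed by the binding host's fqdn, so an agreement created under any other name would not be readable by that host, and nothing in the file records this dependency. Consider extending the comment to `# Allow hosts to read their replication agreements (only agreements named meTo<fqdn>, the naming this ACI assumes)`.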
@@ -91,3 +103,16 @@ add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=acco
# CIFS service on the master can manage ID ranges
dn: cn=ranges,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=*,cn=ranges,cn=etc,$SUFFIX")(targetfilter = "(objectClass=ipaIDrange)")(version 3.0;acl "CIFS service can manage ID ranges for trust"; allow(all) userdn="ldap:///krbprincipalname=cifs/*@$REALM,cn=services,cn=accounts,$SUFFIX" and groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
+
+# IPA server hosts can modify replication managers members
+dn: cn=sysaccounts,cn=etc,$SUFFIX
+add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "member")(version 3.0; acl "IPA server hosts can modify replication managers members"; allow(read, search, compare, write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
+
+# IPA server hosts can change replica ID
+dn: cn=etc,$SUFFIX
+add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
+
+# IPA server hosts can create and manage own Custodia secrets
+dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
+add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
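Review bot: The "IPA server hosts can modify replication managers members" ACI lets any ipaservers member write the `member` attribute without constraining the value, whereas the two Custodia ACIs at the end of the hunk scope their grant to the binding host's own entry by combining `groupdn` with `userdn = "ldap:///fqdn=($$dn),..."`. If the intent is that a server only adds its own principal, the broader grant is worth recording in the comment, e.g. `# IPA server hosts can modify replication managers members (any member DN, not only their own; compare the self-scoped Custodia ACIs below)`, or narrowing if a `targattrfilters` value constraint on `member` can express it here. The "IPA server hosts can change replica ID" ACI grants `write` only on `nsDS5ReplicaId`; presumably the read needed to pick the next ID comes from an existing ACI, and a word in the comment saying so would help.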
diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update
index dd4549f31..fb28464f2 100644
--- a/install/updates/45-roles.update
+++ b/install/updates/45-roles.update
@@ -82,6 +82,7 @@ dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+add:member: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
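Review bot: Adding `cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX` as a member of the Replication Administrators privilege grants every host in that group all permissions bound to the privilege, which is broader than the individual replication-setup ACIs this commit adds to 20-aci.update, and the file carries no comment explaining why the host group needs the whole privilege. A one-line comment above the added member would record the intent, e.g. `# ipaservers members need this privilege to set up replication on themselves (ticket 5401)`. The remaining privilege stanzas continue outside the hunk.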