Diffstat (limited to 'install/share')
-rw-r--r-- | install/share/bootstrap-template.ldif | 6 | ||||
-rw-r--r-- | install/share/default-aci.ldif | 10 |
2 files changed, 16 insertions, 0 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 23510c953..aac3f059a 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,12 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: ca_renewal
+
 dn: cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 870ac12e9..f3ed39599 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -86,3 +86,13 @@ changetype: modify
 add: aci
 aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
 
+# Let host add and update CA renewal certificates
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+
+dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
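Review bot: The first new ACI in default-aci.ldif (`acl "Add CA Certificates for renewals"`, `allow(add)`) carries a `target` but no `targetattr` or `targetfilter`, so the host principal can presumably create entries of any object class with any attributes under cn=ca_renewal, while the companion write ACI is narrowed to `userCertificate`; if only certificate-holder entries are meant to live there, a `targetfilter` on the intended objectClass (or a `targetattr` list) would make the add rule as narrow as the modify rule. Both ACIs grant rights to a single `$FQDN`, so if this file is applied on every server install, each server's host entry ends up with its own copy of these rights, and neither rule grants delete, so stale entries under the container can only be removed by an administrator — both points are worth recording in the comment. The comment could read `# Let the installing server's host principal ($FQDN) add entries and update userCertificate under cn=ca_renewal; no delete right is granted`. Both hunks are top-level LDIF records with no enclosing block.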