diff options
author | Ana Krivokapic <akrivoka@redhat.com> | 2013-04-22 21:43:12 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-04-24 14:36:18 -0400 |
commit | 89f65ddccd8e08d30ddcedaf1f88fbb54066af0f (patch) | |
tree | bd1a88faf0a959679e81eb6ff30e5ead212de5e8 | |
parent | 29b22d5f8b4d62127e644b51ea2d67aeb8c30f10 (diff) | |
download | freeipa.git-89f65ddccd8e08d30ddcedaf1f88fbb54066af0f.tar.gz freeipa.git-89f65ddccd8e08d30ddcedaf1f88fbb54066af0f.tar.xz freeipa.git-89f65ddccd8e08d30ddcedaf1f88fbb54066af0f.zip |
Add missing permissions to Host Administrators privilege
The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.
https://fedorahosted.org/freeipa/ticket/3585
-rw-r--r-- | install/updates/40-delegation.update | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 5c14a703..64a6432a 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -365,3 +365,11 @@ replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=account dn: cn=ipa,cn=etc,$SUFFIX add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' + +# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate" +# to privilege "Host Administrators" +dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX +add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX' + +dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX +add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX' |