diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-12-01 11:23:52 -0500 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2010-12-01 20:42:31 -0500 |
| commit | 4ad8055341b9f12c833abdf757755ed95f1b375e (patch) | |
| tree | 1733fffdfe47574f2c5eb723e52f88cd58a7e0a4 /install/share/default-aci.ldif | |
| parent | 85d5bfd1b19b0ed6282a8c6cc056e8e550dde79d (diff) | |
| download | freeipa.git-4ad8055341b9f12c833abdf757755ed95f1b375e.tar.gz freeipa.git-4ad8055341b9f12c833abdf757755ed95f1b375e.tar.xz freeipa.git-4ad8055341b9f12c833abdf757755ed95f1b375e.zip | |
Re-implement access control using an updated model.
The new model is based on permssions, privileges and roles.
Most importantly it corrects the reverse membership that caused problems
in the previous implementation. You add permission to privileges and
privileges to roles, not the other way around (even though it works that
way behind the scenes).
A permission object is a combination of a simple group and an aci.
The linkage between the aci and the permission is the description of
the permission. This shows as the name/description of the aci.
ldap:///self and groups granting groups (v1-style) are not supported by
this model (it will be provided separately).
This makes the aci plugin internal only.
ticket 445
Diffstat (limited to 'install/share/default-aci.ldif')
| -rw-r--r-- | install/share/default-aci.ldif | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 11c2f51d..42392275 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -39,6 +39,7 @@ dn: cn=services,cn=accounts,$SUFFIX changetype: modify add: aci aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) # Define which hosts can edit services # The managedby attribute stores the DN of hosts that are allowed to manage @@ -63,3 +64,7 @@ changetype: modify add: aci aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";) +dn: cn=computers,cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) |