author | Rob Crittenden <rcritten@redhat.com> | 2012-02-21 10:21:03 -0500 |
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-23 11:05:52 +0100 |
commit | 960baaebf4a1305a38f7cec099f51607e2427d24 (patch) | |
tree | 95b044a9e6e33641431cbade9632afafe9b75d5c /install/updates/40-delegation.update | |
parent | ce7b66ebfbe52e5efb3a7cf28e61954baf78982e (diff) | |
Don't allow "Modify Group membership" permission to manage admins
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 74d882bd..09b80568 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -331,3 +331,7 @@ add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=
 # of administrators
 dn: $SUFFIX
 replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Don't allow the default 'manage group membership' to be able to manage the
+# admins group
+replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
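Review bot: The comment added above the new replace line names the permission as 'manage group membership', but the ACI it guards is "Modify Group membership", so the comment should match the real name to make auditing the ACI list easier: `# Don't allow the default 'Modify Group membership' permission to manage` / `# the admins group`. The `replace:aci:` directive appears to match the existing ACI value byte-for-byte (the whole old string before `::`), so on a server where that ACI has been edited the new `(targetfilter = "(!(cn=admins))")` restriction would presumably not be applied and nothing here would flag it; it is worth confirming that the updater reports a no-match, since a silent miss leaves the admins group delegable. Note also that the filter restricts only the group entry whose cn is `admins`, unlike the preceding user-password ACI which filters on `memberOf` of admins; that is the correct scope for group entries, but other privileged groups remain manageable through this permission, which matches the ticket's stated intent.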