Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/21-ca_renewal_container.update8
-rw-r--r--install/updates/40-delegation.update4
-rw-r--r--install/updates/Makefile.am1
3 files changed, 13 insertions, 0 deletions
diff --git a/install/updates/21-ca_renewal_container.update b/install/updates/21-ca_renewal_container.update
new file mode 100644
index 00000000..50b92d73
--- /dev/null
+++ b/install/updates/21-ca_renewal_container.update
@@ -0,0 +1,8 @@
+#
+# Add CA renewal container if not available
+#
+
+dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: ca_renewal
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index de112d99..1e512d0f 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -356,3 +356,7 @@ replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr
# Don't allow the default 'manage group membership' to be able to manage the
# admins group
replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=ipa,cn=etc,$SUFFIX
+add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
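Review bot: The `allow(add)` ACI named "Add CA Certificates for renewals" has no `targetfilter`, so as written the host principal can create an entry of any object class under `cn=ca_renewal`, not only certificate entries. The write ACI, by contrast, is limited to `userCertificate`. Consider narrowing the add rule with something like `(targetfilter = "(objectClass=<CERT_ENTRY_OBJECTCLASS>)")`, where the placeholder is whatever class the renewal code actually writes. Both rules also bind to `fqdn=$FQDN`, which presumably expands to the host running the updater, so each master would append its own ACI pair to `cn=ipa,cn=etc` and a removed master's pair would stay behind; confirm that is intended or that removal cleans it up. Unlike the ACI above it, the new block has no comment; a line such as `# Allow this host to store renewed CA certificates under cn=ca_renewal` before the `dn:` would record the intent.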
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index e45690f1..bc7945d7 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -22,6 +22,7 @@ app_DATA = \
20-user_private_groups.update \
20-winsync_index.update \
21-replicas_container.update \
+ 21-ca_renewal_container.update \
30-s4u2proxy.update \
40-delegation.update \
40-dns.update \