From 5b894d1fb76f176b71aed6b8f6c2ea1ce4158af8 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 9 Aug 2010 16:40:51 -0400 Subject: Allow decoupling of user-private groups. To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75 --- install/updates/40-delegation.update | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'install') diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index f63534c8..451919b5 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -154,10 +154,10 @@ add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initia || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN umber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHT - TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/ - //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User - s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts, - $SUFFIX";)' + TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry + || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX") + (version 3.0;acl "Modify Users";allow (write) groupdn = + "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for group administration 
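Review bot: Adding `objectclass` to the "Modify Users" attribute list lets every member of the modifyusers taskgroup add or remove any object class on every `uid=*` entry under cn=users, which is far wider than the single link removal the commit message describes. Consider moving `objectclass` and `mepManagedEntry` into a separate ACI whose values are constrained, for example with a `targattrfilters` value filter that only permits deleting the managed-entry link. At minimum, add a comment above the ACI like the one the group ACI already carries: `# objectclass and mepManagedEntry are writable so a user-private group can be decoupled (ticket 75)`. The ACI's first line sits above the hunk, so the rest of the rule was not reviewed.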
@@ -204,10 +204,10 @@ add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version askgroups,cn=accounts,$SUFFIX";)' # we need objectclass and gidnumber in modify so a non-posix group can be # promoted -add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target - = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Group - s";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts, - $SUFFIX";)' +add:aci: '(targetattr = "cn || description || gidnumber || objectclass || + mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX") + (version 3.0;acl "Modify Groups";allow (write) groupdn = + "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)' # Add the taskgroups referenced by the ACIs for host administration -- cgit
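Review bot: `allow (write)` on `mepManagedBy` lets modifygroups members set or replace the back-link as well as clear it, so a delegate could point a group at a different user entry. Whether the Managed Entries plugin would then treat that group as managed is not visible here and should be confirmed, or the grant limited to deletion. The two halves of the link are also granted to different taskgroups (modifyusers for the user side, modifygroups here). The "verify in advance" check from the commit message therefore lives only in code outside this diff, and a direct LDAP client holding one role can still leave the half-decoupled state the message warns about. The comment above the ACI should be extended to cover the new attribute, e.g. `# mepManagedBy is writable so a user-private group can be detached from its user`.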