authorMartin Babinsky <mbabinsk@redhat.com>2016-06-23 19:07:34 +0200
committerMartin Basti <mbasti@redhat.com>2016-07-01 09:37:25 +0200
commitd1517482b5e9508780087ec48be63a5bb531fed9 (patch)
tree13dcc76d33f8669315c8f8c0933ad5aa4c8f6e01
parentc2af032c0333f7e210c54369159d1d9f5e3fec74 (diff)
Add ACI for admins to modify principal attributes
This is required for admins to use the APIs that add and remove principal aliases on entries. https://fedorahosted.org/freeipa/ticket/3864 https://fedorahosted.org/freeipa/ticket/3961 https://fedorahosted.org/freeipa/ticket/5413 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--install/updates/20-aci.update2
1 files changed, 2 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 0d617d849..6cadef416 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -59,6 +59,8 @@ add:aci:(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLif
# Read-only
add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+add:aci:(targetattr="krbPrincipalName || krbCanonicalName")(version 3.0; acl "Admin can write principal names"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
dn: cn=tasks,cn=config
add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)