authorPetr Viktorin <pviktori@redhat.com>2014-06-20 16:21:35 +0200
committerMartin Kosek <mkosek@redhat.com>2014-06-20 22:18:43 +0200
commitf486d23ad67a7337c7633e4216c5a0b0374002fc (patch)
tree54ffc880f6b7a9002174e3c28aa357203a0dfdee
parentcf8f143e9823c06ed069c6a031c0c4aa80288840 (diff)
Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's no need to hide them. Also remove the ipaVirtualOperation objectclass, since it is no longer needed. Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--install/share/60basev3.ldif1
-rw-r--r--install/updates/20-aci.update2
-rw-r--r--install/updates/40-delegation.update6
3 files changed, 1 insertions, 8 deletions
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 552045b63..8b92af247 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -64,4 +64,3 @@ objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP i
objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.23 NAME 'ipaVirtualOperation' DESC 'IPA Virtual operation objectclass' SUP top AUXILIARY MUST ( cn ) X-ORIGIN 'IPA v3' )
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 42fca71f3..4eb5c737a 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -23,7 +23,7 @@ add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc ||
# Read access to containers
dn: $SUFFIX
-add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
+add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
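Review bot: The "Anonymous read access to containers" ACI is rewritten in place on the `add:aci:` line under `dn: $SUFFIX`, with no `remove:aci:` for the previous text. A server that already applied the old value would presumably keep both ACIs, the stale one still filtering on `ipaVirtualOperation`. I would put a `remove:aci:'<previous ACI text, verbatim>'` line directly before the `add:aci:`. The same upgrade gap applies in 40-delegation.update: the dropped `add:objectClass: ipaVirtualOperation` lines have no matching `remove:objectClass: ipaVirtualOperation`, so entries updated earlier may keep a value for a class that 60basev3.ldif no longer defines. If the objectclass never shipped in a release, neither cleanup is needed and the commit message should say so. Separately, the filter now grants anonymous read of `objectclass` and `cn` on every `nsContainer` entry except `krbPwdPolicy` and the masters subtree, so a comment such as `# New nsContainer entries are anonymously readable unless excluded here or denied below` above the ACI would help future reviewers.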
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 889f3a1f6..6eef59d42 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -306,37 +306,31 @@ add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config
# Virtual operations
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: retrieve certificate
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate different host
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate status
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: revoke certificate
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate remove hold