diff options
author | Jan Cholasta <jcholast@redhat.com> | 2015-12-09 10:31:18 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2015-12-14 14:40:17 +0100 |
commit | 6ea868e172738bdd6a8fae34e65126cdd134bbbe (patch) | |
tree | 80c6fbc563ba5176fb6c6e6798383384ed6c2a2c /install/share | |
parent | 38861428e76c19107a03f07530e3724aee60a270 (diff) | |
download | freeipa-6ea868e172738bdd6a8fae34e65126cdd134bbbe.tar.gz freeipa-6ea868e172738bdd6a8fae34e65126cdd134bbbe.tar.xz freeipa-6ea868e172738bdd6a8fae34e65126cdd134bbbe.zip |
aci: merge domain and CA suffix replication agreement ACIs
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.
https://fedorahosted.org/freeipa/ticket/5399
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/share')
-rw-r--r-- | install/share/ca-topology.uldif | 6 | ||||
-rw-r--r-- | install/share/replica-acis.ldif | 6 |
2 files changed, 3 insertions, 9 deletions
diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif index 7ce3cb18b..fea591b07 100644 --- a/install/share/ca-topology.uldif +++ b/install/share/ca-topology.uldif @@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf default: ipaReplTopoConfRoot: o=ipaca default: cn: ca -# Update CA replication settings -dn: cn=o\3Dipaca,cn=mapping tree,cn=config -add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) -add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) -add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) - dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif index 8c0bc8ec3..673513087 100644 --- a/install/share/replica-acis.ldif +++ b/install/share/replica-acis.ldif @@ -1,16 +1,16 @@ # Replica administration -dn: cn="$SUFFIX",cn=mapping tree,cn=config +dn: cn=mapping tree,cn=config changetype: modify add: aci aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) -dn: cn="$SUFFIX",cn=mapping tree,cn=config +dn: cn=mapping tree,cn=config changetype: modify add: aci aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) -dn: cn="$SUFFIX",cn=mapping tree,cn=config +dn: cn=mapping tree,cn=config changetype: modify add: aci aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) |