author | Jan Cholasta <jcholast@redhat.com> | 2015-10-13 10:10:48 +0200 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-10-13 14:34:00 +0200 |
commit | 2f3450249ded2c14d2ca55f15bdcace7007a6ebb (patch) | |
tree | 3201067fc127d0fba7ce090c3854947baac49bf2 /install/updates | |
parent | 88fc27da529e2d098a10bac4abb280a0445dfa5f (diff) | |
vault: fix private service vault creation
https://fedorahosted.org/freeipa/ticket/5361
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/40-vault.update | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
index 3daea5b19..8d03f348c 100644
--- a/install/updates/40-vault.update
+++ b/install/updates/40-vault.update
@@ -7,8 +7,9 @@ remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
 remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
 addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
 addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";) |
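Review bot: The corrected "Allow services to create private container" ACI now silently depends on the container's cn being the full service principal including the realm, since `($$attr.cn)` is substituted verbatim into the bind DN and the `@$REALM` suffix is gone; nothing in this file records that contract, and a container named without the realm would expand to a nonexistent bind DN and be denied (fail-closed, but hard to diagnose). A one-line comment above the `addifexist:` would save the next reader from re-deriving it, e.g. `# service vault containers are named by the full principal (svc/host@REALM); $$attr.cn already carries the realm, so userdn must not append @$REALM`. Separately, the new `remove:` has to match the stored old value byte-for-byte for the stale ACI to be dropped on upgrade — if it survives it grants nothing usable, since it resolves to a double-realm DN, but the upgrade result is worth checking on a KRA-enabled replica rather than assumed. The reference to the users ACI two lines up, which never had a realm suffix, suggests this was a copy-paste asymmetry rather than an intentional difference; confirming that in the commit message would help.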