authorAna Krivokapic <akrivoka@redhat.com>2013-04-22 21:43:12 +0200
committerRob Crittenden <rcritten@redhat.com>2013-04-24 14:35:22 -0400
commit4cff518517fb400a399fc3cb5cc8bf5285c7cbc5 (patch)
tree6b916219df784ec0080830e227530bc68a4e1f6e /install/updates
parent6d2176322c672ecc257cb4407023988268376794 (diff)
Add missing permissions to Host Administrators privilege
The 'Host Administrators' privilege was missing two permissions ('Retrieve Certificates from the CA' and 'Revoke Certificate'), which made it impossible to remove a host that has a certificate. https://fedorahosted.org/freeipa/ticket/3585
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/40-delegation.update8
1 files changed, 8 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 5c14a7036..64a6432ac 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -365,3 +365,11 @@ replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=account
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+
+# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
+# to privilege "Host Administrators"
+dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
+add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
+add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
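Review bot: The two added `add: member:` lines grant Host Administrators the 'Retrieve Certificates from the CA' and 'Revoke Certificate' permissions as a whole, and nothing in this hunk limits them to certificates that belong to hosts. If those permissions are CA-wide, as their names suggest, members of the privilege could presumably also revoke certificates issued to services or other principals, which is more than host removal needs; that scope should be confirmed before merging. The added comment should also say why the grant exists, for example `# Required so that removing a host can retrieve and revoke its certificate (ticket 3585)`. The diffstat is limited to install/updates, so whether fresh installs receive the same membership is not visible here.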