diff options
author | Jan Cholasta <jcholast@redhat.com> | 2015-12-09 10:31:18 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2015-12-14 14:40:17 +0100 |
commit | 6ea868e172738bdd6a8fae34e65126cdd134bbbe (patch) | |
tree | 80c6fbc563ba5176fb6c6e6798383384ed6c2a2c /install/updates | |
parent | 38861428e76c19107a03f07530e3724aee60a270 (diff) | |
download | freeipa-6ea868e172738bdd6a8fae34e65126cdd134bbbe.tar.gz freeipa-6ea868e172738bdd6a8fae34e65126cdd134bbbe.tar.xz freeipa-6ea868e172738bdd6a8fae34e65126cdd134bbbe.zip |
aci: merge domain and CA suffix replication agreement ACIs
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.
https://fedorahosted.org/freeipa/ticket/5399
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/20-aci.update | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 5b9741d7e..cef842bbd 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea dn: cn=mapping tree,cn=config add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) +dn: cn="$SUFFIX",cn=mapping tree,cn=config +remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = " + +dn: cn=o\3Dipaca,cn=mapping tree,cn=config +remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) + # Removal of obsolete ACIs dn: cn=config # Replaced by 'System: Read Replication Agreements' |