authorMartin Babinsky <mbabinsk@redhat.com>2015-12-08 09:51:09 +0100
committerMartin Basti <mbasti@redhat.com>2015-12-11 12:25:26 +0100
commite130d35687a05cb3d2dd8708b76e7745e337c0c0 (patch)
tree463d600771567455c0c8182efa7af64f93670d41 /install/updates
parentccb2f523134af5246450edd04874af2d34d896cc (diff)
add ACIs for custodia container to its parent during IPA upgrade
This fixes the situation in which LDAPUpdater tries to add ACIs for storing secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually created, leading to the container being created without any ACI and to subsequent erroneous behavior. https://fedorahosted.org/freeipa/ticket/5524 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/20-aci.update2
1 files changed, 1 insertions, 1 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index ca4c0df05..5b9741d7e 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -113,6 +113,6 @@ dn: cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# IPA server hosts can create and manage own Custodia secrets
-dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
+dn: cn=ipa,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
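Review bot: The relocated entry at `dn: cn=ipa,cn=etc,$SUFFIX` carries no comment saying why the Custodia ACIs are attached to the parent instead of to cn=custodia itself, so a later maintainer could move them back and reintroduce the ordering problem this commit fixes. Suggest extending the existing comment line to `# IPA server hosts can create and manage own Custodia secrets` followed by `# Attached to cn=ipa because cn=custodia may not exist yet when this update runs; the target keeps the scope to the custodia subtree`. Both ACIs still name `cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX` as target and tie the entry's cn to the binding host's fqdn via the `($$dn)` macro, so moving them up one level does not appear to widen what ipaservers can add or write, which is worth stating explicitly so the scope stays reviewable. The hunk header announces six lines per side but only five are visible here, so one context line (presumably blank) seems to have been lost in rendering.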