diff options
author | Martin Babinsky <mbabinsk@redhat.com> | 2016-01-12 18:59:11 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-01-18 14:10:08 +0100 |
commit | e7a4faab81dad6b77373d6f57f597c411a7557f4 (patch) | |
tree | afb90780014f96debb2f0fd0afa60ce344f4d041 /install/updates | |
parent | 7baa675947f012f36376811e2e1f47ff4779cfe3 (diff) | |
download | freeipa-e7a4faab81dad6b77373d6f57f597c411a7557f4.tar.gz freeipa-e7a4faab81dad6b77373d6f57f597c411a7557f4.tar.xz freeipa-e7a4faab81dad6b77373d6f57f597c411a7557f4.zip |
IPA upgrade: move replication ACIs to the mapping tree entry
During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However they are never re-added breaking management and
installation of replicas.
This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.
https://fedorahosted.org/freeipa/ticket/5575
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/20-aci.update | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index cef842bbd..7da48cfd1 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -66,16 +66,24 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea dn: cn=mapping tree,cn=config add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + +# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes +dn: cn=mapping tree,cn=config +add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) + dn: cn="$SUFFIX",cn=mapping tree,cn=config remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) -remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = " +remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) dn: cn=o\3Dipaca,cn=mapping tree,cn=config remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) + # Removal of obsolete ACIs dn: cn=config # Replaced by 'System: Read Replication Agreements' |