author | Fraser Tweedale <ftweedal@redhat.com> | 2015-08-04 01:13:09 -0400 |
committer | Martin Basti <mbasti@redhat.com> | 2015-08-14 14:02:05 +0200 |
commit | 6fa14fd21e664925268d80a2263c556b2bc35139 (patch) | |
tree | 7bf4d8ad5dfaa8b94f3086752b5ba475e0d4383c /install | |
parent | 6b978d74ae36f377c2d4f2cae860ca79b102e3c0 (diff) | |
Add permission for bypassing CA ACL enforcement
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to the "Certificate Administrators"
privilege.
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/40-delegation.update | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index bc0736c5b..8d4f6296c 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -144,6 +144,21 @@ default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: $SUFFIX
 add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
 
+dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: request certificate ignore caacl
+
+dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Request Certificate ignoring CA ACLs
+default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
+
 # Read privileges
 dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
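Review bot: The new virtual operation and permission entries carry no comment recording what this permission actually confers, although it is the only entry in this hunk whose effect is to disable a policy check rather than to grant a write; an operator auditing 40-delegation.update cannot tell from the entry itself that every member of the "Certificate Administrators" privilege now bypasses CA ACL evaluation in cert-request. A one-line comment above the `dn: cn=request certificate ignore caacl,...` entry such as `# Virtual operation: holders of the "Request Certificate ignoring CA ACLs" permission skip CA ACL enforcement in cert-request; grant sparingly.` would make the trust boundary visible where the ACI is defined. The entries otherwise mirror the "Request Certificate with SubjectAltName" pair directly above (nsContainer virtual op, groupofnames/ipapermission permission, write-on-objectclass ACI), so the shape is consistent with the file. Whether cert-request consults this virtual operation, and whether a managed-permission definition exists for it, lies outside this hunk since the diffstat is limited to 'install'.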