author | Martin Babinsky <mbabinsk@redhat.com> | 2016-06-23 19:07:34 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-07-01 09:37:25 +0200 |
commit | d1517482b5e9508780087ec48be63a5bb531fed9 (patch) | |
tree | 13dcc76d33f8669315c8f8c0933ad5aa4c8f6e01 /install | |
parent | c2af032c0333f7e210c54369159d1d9f5e3fec74 (diff) | |
Add ACI for admins to modify principal attributes
This is required for admins to utilize the APIs that enable them to add/remove
principal aliases to entities.
https://fedorahosted.org/freeipa/ticket/3864
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/20-aci.update | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 0d617d849..6cadef416 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -59,6 +59,8 @@ add:aci:(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLif
 # Read-only
 add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+add:aci:(targetattr="krbPrincipalName || krbCanonicalName")(version 3.0; acl "Admin can write principal names"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
 dn: cn=tasks,cn=config
 add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) |
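Review bot: The new write ACI is added directly under the `# Read-only` comment, and `krbPrincipalName` and `krbCanonicalName` are still listed in the "Admin read-only attributes" ACI just above it, so the file now describes these two attributes as read-only while granting write on them. A separate comment before the added line, for example `# Principal names are writable by admins so that principal aliases can be managed`, would make the intent explicit for the next person auditing this file. The added ACI also has no `target` or `targetfilter`, so it covers every entry under whichever `dn:` stanza it belongs to; that stanza header is outside the hunk, so the effective scope cannot be confirmed from here. If aliases are only meant for specific entry types, a `targetfilter` limited to those object classes would keep the grant narrower. Nothing in this ACI stops an admin from writing a principal name that duplicates another entry's, so it is worth confirming that uniqueness is enforced elsewhere (API layer or a uniqueness plugin).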