-rw-r--r--ACI.txt2
-rw-r--r--install/updates/60-trusts.update8
-rw-r--r--ipalib/plugins/trust.py11
3 files changed, 21 insertions, 0 deletions
diff --git a/ACI.txt b/ACI.txt
index 687b1ef30..f61c0f18c 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -214,6 +214,8 @@ dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add User to default group";allow (write) groupdn = "ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 371bf656f..d55bc94bb 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -15,6 +15,14 @@ default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents
+dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
+default: objectClass: top
+default: objectClass: groupofnames
+default: objectClass: nestedgroup
+default: cn: ADTrust Agents
+default: description: System accounts able to access trust information
+default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
+
dn: cn=trusts,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 25755d7a4..99acfb8f8 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -330,6 +330,17 @@ class trust(LDAPObject):
'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'
},
},
+
+ 'System: Read system trust accounts': {
+ 'non_object': True,
+ 'ipapermlocation': DN(container_dn, api.env.basedn),
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'uidnumber', 'gidnumber', 'krbprincipalname'
+ },
+ 'default_privileges': {'ADTrust Agents'},
+ },
}
label = _('Trusts')
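Review bot: The new 'System: Read system trust accounts' permission has no `ipapermtargetfilter`, so the ACI it generates covers every entry under the trusts container named by `ipapermlocation` that carries uidnumber, gidnumber or krbprincipalname, not only the trust account entries it is meant for; if the neighbouring 'System: Read Trust Information' permission (its head is above the hunk) scopes by objectclass, this one should scope the same way, e.g. `'ipapermtargetfilter': ['(objectclass=<TRUST_ACCOUNT_OBJECTCLASS>)']`. Since `replaces_global_anonymous_aci` is set, these three attributes presumably stop being anonymously readable and become visible only to holders of the 'ADTrust Agents' privilege, which is worth stating in a comment above the entry, e.g. `# Trust account POSIX ids and principal names: readable by the ADTrust Agents privilege only (replaces the anonymous read ACI)`. The enclosing `managed_permissions` dict and the `trust` class both start outside the hunk.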