summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-09-29 13:51:41 -0400
committerRob Crittenden <rcritten@redhat.com>2010-10-01 13:38:52 -0400
commitaac7badb773d575449eb7af589b1f505f7c66b52 (patch)
tree0c3134c23ca1f5213001c2cafbd33c71f4fd1778
parent3703062ab25a7817581eefa2f89214e8a6244bee (diff)
downloadfreeipa-aac7badb773d575449eb7af589b1f505f7c66b52.tar.gz
freeipa-aac7badb773d575449eb7af589b1f505f7c66b52.tar.xz
freeipa-aac7badb773d575449eb7af589b1f505f7c66b52.zip
Remove reliance on the name 'admin' as a special user.
And move it to the group 'admins' instead. This way the admin user can be removed/renamed. ticket 197
-rw-r--r--install/share/default-aci.ldif2
-rw-r--r--install/updates/40-delegation.update2
-rw-r--r--ipalib/plugins/user.py5
3 files changed, 2 insertions, 7 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index a18245fee..3b6d16aa8 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groupss,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 451919b51..bab2d0485 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -77,7 +77,7 @@ add:objectClass: top
add:objectClass: nestedgroup
add:cn: replicaadmin
add:description: Replication Administrators
-add:member:'uid=admin,cn=users,cn=accounts,$SUFFIX'
+add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX'
dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 607081300..53551898b 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -215,11 +215,6 @@ class user_del(LDAPDelete):
msg_summary = _('Deleted user "%(value)s"')
- def pre_callback(self, ldap, dn, *keys, **options):
- if keys[-1] == 'admin':
- raise errors.ExecutionError('Cannot delete user "admin".')
- return dn
-
def post_callback(self, ldap, dn, *keys, **options):
self.log.info('IPA: %s "%s"' % (self.name, keys[-1]))
return True