diff options
author | Nathaniel McCallum <npmccallum@redhat.com> | 2013-06-18 14:21:25 -0400 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-11 12:39:27 +0300 |
commit | 4bbbc11029aae9c29b9da2347ed1e905c885c0fd (patch) | |
tree | 6e7ba09cc271cacd7da2b032c6feaa02198d2933 /install/share/default-aci.ldif | |
parent | a209bb38aad66a079d62541e3b364d714cc3ed29 (diff) | |
download | freeipa-4bbbc11029aae9c29b9da2347ed1e905c885c0fd.tar.gz freeipa-4bbbc11029aae9c29b9da2347ed1e905c885c0fd.tar.xz freeipa-4bbbc11029aae9c29b9da2347ed1e905c885c0fd.zip |
Permit reads to ipatokenRadiusProxyUser objects
This fixes an outstanding permissions issue from the OTP work.
https://fedorahosted.org/freeipa/ticket/3693
Diffstat (limited to 'install/share/default-aci.ldif')
-rw-r--r-- | install/share/default-aci.ldif | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 18881ece4..8a0fa60e3 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -3,7 +3,7 @@ dn: $SUFFIX changetype: modify add: aci -aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) |