author | Martin Basti <mbasti@redhat.com> | 2016-02-04 16:23:40 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-02-25 14:30:01 +0100 |
commit | bba2355631c4cbadfb5089663c2a3af65a817fb7 (patch) | |
tree | c02b133b955f049f3888fbb0b8c47db912d9c7e0 /install/share | |
parent | 5c33edcd11c466df59dbd13aac5e1b42ffa6fbb7 (diff) | |
fix permission: Read Replication Agreements
This permission cannot be a MANAGED permission because it is located in
a non-replicating part of the LDAP tree.
As a side effect, the particular ACI has not been created on all replicas.
This commit makes Read Replication Agreements a non-managed permission and
also fixes the missing ACI on replicas.
https://fedorahosted.org/freeipa/ticket/5631
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/share')
-rw-r--r-- | install/share/delegation.ldif | 9 | ||||
-rw-r--r-- | install/share/replica-acis.ldif | 5 |
2 files changed, 14 insertions, 0 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index bacd9e68a..067b4d26a 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -173,6 +173,15 @@ cn: Modify Replication Agreements
 ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
+dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: Read Replication Agreements
+ipapermissiontype: SYSTEM
+member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
 dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 673513087..fcfe7bd4a 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -3,6 +3,11 @@
 dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=mapping tree,cn=config
+changetype: modify
+add: aci
 aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=mapping tree,cn=config |
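Review bot: The targetattr list of the added ACI includes `nsds5replicacredentials`, so every member of the Read Replication Agreements permission gets compare, read and search access to the bind credential stored on agreement entries under cn=mapping tree,cn=config. As far as I know the directory server keeps that value in a reversible form, so for agreements that use simple bind (winsync agreements, which the targetfilter also matches) a read-only permission would expose a recoverable password. I would drop `nsds5replicacredentials || ` from the list unless a consumer of this permission is known to need it, and let the privileged modify path remain the only one that touches it. Since this ACI is no longer generated from a managed permission and has to be kept in step by hand, a comment above it such as `# Read Replication Agreements: not a managed permission because cn=config is not replicated; must be added on every replica` would help the next maintainer.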