authorSimo Sorce <simo@redhat.com>2016-12-02 06:48:35 -0500
committerSimo Sorce <simo@redhat.com>2017-02-14 17:36:58 -0500
commit399ab5b87a6d983bd5e3882d0660b81942c184e4 (patch)
treeff3f12613b239b28b0dfa32fa536a1bb86147ed3 /install/share
parent09886c1e89532a64c4f1e5b5a68135390113f5b3 (diff)
Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or via PKINIT with public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'install/share')
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/anon-princ-aci.ldif10
2 files changed, 11 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 72f474a47..bb09c9882 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -27,6 +27,7 @@ dist_app_DATA = \
70topology.ldif \
71idviews.ldif \
72domainlevels.ldif \
+ anon-princ-aci.ldif \
bootstrap-template.ldif \
ca-topology.uldif \
caJarSigningCert.cfg.template \
diff --git a/install/share/anon-princ-aci.ldif b/install/share/anon-princ-aci.ldif
new file mode 100644
index 000000000..384a500be
--- /dev/null
+++ b/install/share/anon-princ-aci.ldif
@@ -0,0 +1,10 @@
+dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
+changetype: modify
+add: objectclass
+objectclass: ipaAllowedOperations
+-
+add: aci
+aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
+-
+add: ipaAllowedToPerform;read_keys
+ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
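Review bot: The new anon-princ-aci.ldif has no header comment stating why members of cn=ipaservers are being granted read_keys on the WELLKNOWN/ANONYMOUS principal, which is a privilege grant a future maintainer will want justified in place rather than only in the commit message. LDIF accepts `#` comment lines, so a two-line header such as `# Let IPA servers (cn=ipaservers hostgroup) read the keys of WELLKNOWN/ANONYMOUS` followed by `# so the framework can obtain a FAST armor ccache without a usable keytab (ticket 5959)` would carry the rationale with the file. Every operation here is an `add:` under `changetype: modify`, so re-applying the file to an entry that already carries ipaAllowedOperations, the ACI or the ipaAllowedToPerform value will presumably be rejected as already present; if the installer or upgrade path can apply it more than once, confirm that path tolerates that result. The file also assumes the WELLKNOWN/ANONYMOUS entry already exists under cn=$REALM,cn=kerberos,$SUFFIX, since a modify of a missing entry fails, which is worth noting in the same header.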