author | Simo Sorce <simo@redhat.com> | 2016-07-25 06:46:24 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2016-07-25 08:37:17 -0400 |
commit | 26afe94cea65ba50041592cf31f97b9e0502aeb0 (patch) | |
tree | 43c80e4268681b29c97c408bf4dc28599cca0f86 /install | |
parent | ab4fcb0fe25e313c93caae3b90f68b4010a9f2eb (diff) | |
Restrict the old setkeytab operation
Allow it only to set computer keys by default. This is to allow older hosts
to join a newer IPA Server only. All other principals are denied access to
the setkeytab operation by default.
Ticket: https://fedorahosted.org/freeipa/ticket/232
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/20-aci.update | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index e9c10f54a..0251a7af9 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -114,6 +114,11 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entit
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
+# Set Keytab operation Access Control - legacy interface for host joins
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci: (targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Installers are allowed to set host keytabs"; allow(write) userattr="managedby#USERDN";)
+add:aci: (targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Admins are allowed to set host keytabs"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
 # User certificates
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
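Review bot: Neither of the two new set_keys ACIs carries a targetfilter on objectclass, whereas the write_keys ACI in the context lines above scopes itself with `(targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")`; relying on the cn=computers container alone means any entry placed there with a managedby attribute would satisfy the first rule. Prefixing both new ACIs with `(targetfilter="(objectclass=ipaHost)")` keeps them consistent with the neighbouring rule and makes the hosts-only intent explicit. The commit message states that all other principals are denied by default, which presumably depends on the server-side code honouring `ipaProtectedOperation;set_keys` before performing the legacy setkeytab operation; that enforcement is outside this diff (limited to install/), so it is worth confirming that the previously unrestricted path is actually closed there. The new comment line could also name the attribute it gates, e.g. `# Set Keytab operation Access Control (ipaProtectedOperation;set_keys) - legacy interface for host joins`.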