From e137f305edf2a107b06a00b05b06464b8707ab82 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 13 Nov 2015 08:15:55 +0100 Subject: aci: allow members of ipaservers to set up replication Add ACIs which allow the members of the ipaservers host group to set up replication. This allows IPA hosts to perform replica promotion on themselves. A number of checks which need read access to certain LDAP entries is done during replica promotion. Add ACIs to allow these checks to be done using any valid IPA host credentials. https://fedorahosted.org/freeipa/ticket/5401 Reviewed-By: Martin Basti Reviewed-By: Simo Sorce --- install/updates/20-aci.update | 25 +++++++++++++++++++++++++ install/updates/45-roles.update | 1 + 2 files changed, 26 insertions(+) (limited to 'install/updates') diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index cba1897e1..ca4c0df05 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -32,6 +32,14 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea dn: cn=masters,cn=ipa,cn=etc,$SUFFIX add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";) +# Allow hosts to read masters service configuration +dn: cn=masters,cn=ipa,cn=etc,$SUFFIX +add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";) + +# Allow hosts to read replication managers +dn: cn=sysaccounts,cn=etc,$SUFFIX +add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "objectClass || cn")(version 3.0; acl "Allow hosts to read replication managers"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";) + # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) dn: cn=kerberos,$SUFFIX add:aci:(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";) @@ -54,6 +62,10 @@ add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || kr dn: cn=tasks,cn=config add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +# Allow hosts to read their replication agreements +dn: cn=mapping tree,cn=config +add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + # Removal of obsolete ACIs dn: cn=config # Replaced by 'System: Read Replication Agreements' @@ -91,3 +103,16 @@ add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=acco # CIFS service on the master can manage ID ranges dn: cn=ranges,cn=etc,$SUFFIX add:aci: (target = "ldap:///cn=*,cn=ranges,cn=etc,$SUFFIX")(targetfilter = "(objectClass=ipaIDrange)")(version 3.0;acl "CIFS service can manage ID ranges for trust"; allow(all) userdn="ldap:///krbprincipalname=cifs/*@$REALM,cn=services,cn=accounts,$SUFFIX" and groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";) + +# IPA server hosts can modify replication managers members +dn: cn=sysaccounts,cn=etc,$SUFFIX +add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "member")(version 3.0; acl "IPA server hosts can modify replication managers members"; allow(read, search, compare, write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";) + +# IPA server hosts can change replica ID +dn: cn=etc,$SUFFIX +add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";) + +# IPA server hosts can create and manage own Custodia secrets +dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX +add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) +add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update index dd4549f31..fb28464f2 100644 --- a/install/updates/45-roles.update +++ b/install/updates/45-roles.update @@ -82,6 +82,7 @@ dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX +add:member: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX -- cgit