authorPetr Viktorin <pviktori@redhat.com>2014-04-28 14:23:19 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-05-21 09:57:16 +0200
commit86f943ca180a72c4cfa3a8a03226f2471a97981b (patch)
tree1e387b2e671e58900a0175fc20a05aaaef65fa04
parent98102832789412f567a96693dfe27b0e00cc98e5 (diff)
Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config. https://fedorahosted.org/freeipa/ticket/3829 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--install/share/replica-acis.ldif5
-rw-r--r--install/updates/20-aci.update5
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py61
3 files changed, 66 insertions, 5 deletions
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index f4e9613..8c0bc8e 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,10 +1,5 @@
# Replica administration
-dn: cn=config
-changetype: modify
-add: aci
-aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2..f31c201 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,8 @@ add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sa
add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
# Read-only
add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
+# Removal of obsolete ACIs
+dn: cn=config
+# Replaced by 'System: Read Replication Agreements'
+remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
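Review bot: The `remove:aci:` on the last line of the hunk drops the only read grant Replication Administrators had on cn=config, and nothing in this update file ensures the replacement 'System: Read Replication Agreements' permission already exists; if 20-aci.update is applied before the managed-permissions plugin creates that permission, replication admins are locked out of cn=config until the plugin runs. I cannot see the update ordering from this diff, so this may already be guaranteed elsewhere, but it is worth a comment next to the removal stating the dependency, e.g. `# Requires the managed permission to be created first (update_managed_permissions plugin)`. The removal also only takes effect if the stored value matches byte-for-byte, including the `aci "replica admins read access"` spelling (with `aci` rather than `acl`) that the original replica-acis.ldif used; a short comment such as `# Value must match replica-acis.ldif exactly, otherwise the old ACI silently remains` would save the next maintainer a trip.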
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index bffd9bb..92e5d96 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -155,6 +155,67 @@ NONOBJECT_PERMISSIONS = {
'ipantdomainguid', 'ipantfallbackprimarygroup',
},
},
+ 'System: Read Replication Agreements': {
+ 'ipapermlocation': DN('cn=config'),
+ 'ipapermtargetfilter': {
+ '(|'
+ '(objectclass=nsds5Replica)'
+ '(objectclass=nsds5replicationagreement)'
+ '(objectclass=nsDSWindowsReplicationAgreement)'
+ '(objectClass=nsMappingTree)'
+ ')'
+ },
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass',
+ # nsds5Replica
+ 'nsds5replicaroot', 'nsds5replicaid', 'nsds5replicacleanruv',
+ 'nsds5replicaabortcleanruv', 'nsds5replicatype',
+ 'nsds5replicabinddn', 'nsstate', 'nsds5replicaname',
+ 'nsds5flags', 'nsds5task', 'nsds5replicareferral',
+ 'nsds5replicaautoreferral', 'nsds5replicapurgedelay',
+ 'nsds5replicatombstonepurgeinterval', 'nsds5replicachangecount',
+ 'nsds5replicalegacyconsumer', 'nsds5replicaprotocoltimeout',
+ 'nsds5replicabackoffmin', 'nsds5replicabackoffmax',
+ # nsds5replicationagreement
+ 'nsds5replicacleanruvnotified', 'nsds5replicahost',
+ 'nsds5replicaport', 'nsds5replicatransportinfo',
+ 'nsds5replicabinddn', 'nsds5replicacredentials',
+ 'nsds5replicabindmethod', 'nsds5replicaroot',
+ 'nsds5replicatedattributelist',
+ 'nsds5replicatedattributelisttotal', 'nsds5replicaupdateschedule',
+ 'nsds5beginreplicarefresh', 'description', 'nsds50ruv',
+ 'nsruvreplicalastmodified', 'nsds5replicatimeout',
+ 'nsds5replicachangessentsincestartup', 'nsds5replicalastupdateend',
+ 'nsds5replicalastupdatestart', 'nsds5replicalastupdatestatus',
+ 'nsds5replicaupdateinprogress', 'nsds5replicalastinitend',
+ 'nsds5replicaenabled', 'nsds5replicalastinitstart',
+ 'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+ 'nsds5replicabusywaittime', 'nsds5replicastripattrs',
+ 'nsds5replicasessionpausetime', 'nsds5replicaprotocoltimeout',
+ # nsDSWindowsReplicationAgreement
+ 'nsds5replicahost', 'nsds5replicaport',
+ 'nsds5replicatransportinfo', 'nsds5replicabinddn',
+ 'nsds5replicacredentials', 'nsds5replicabindmethod',
+ 'nsds5replicaroot', 'nsds5replicatedattributelist',
+ 'nsds5replicaupdateschedule', 'nsds5beginreplicarefresh',
+ 'description', 'nsds50ruv', 'nsruvreplicalastmodified',
+ 'nsds5replicatimeout', 'nsds5replicachangessentsincestartup',
+ 'nsds5replicalastupdateend', 'nsds5replicalastupdatestart',
+ 'nsds5replicalastupdatestatus', 'nsds5replicaupdateinprogress',
+ 'nsds5replicalastinitend', 'nsds5replicalastinitstart',
+ 'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+ 'nsds5replicabusywaittime', 'nsds5replicasessionpausetime',
+ 'nsds7windowsreplicasubtree', 'nsds7directoryreplicasubtree',
+ 'nsds7newwinusersyncenabled', 'nsds7newwingroupsyncenabled',
+ 'nsds7windowsdomain', 'nsds7dirsynccookie', 'winsyncinterval',
+ 'onewaysync', 'winsyncmoveaction', 'nsds5replicaenabled',
+ 'winsyncdirectoryfilter', 'winsyncwindowsfilter',
+ 'winsyncsubtreepair',
+ },
+ 'default_privileges': {'Replication Administrators'},
+ }
}
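Review bot: The `ipapermdefaultattr` set grants read on `nsds5replicacredentials` (the agreement bind credential) to the 'Replication Administrators' privilege; the replaced cn=config ACI (`targetattr != aci`) already exposed it, so this is parity rather than new exposure, but a read permission that deliberately includes a credential attribute deserves an explicit comment such as `# nsds5replicacredentials: agreement bind secret; readable for parity with the replaced cn=config ACI`. As a point of style, several attributes are listed two or three times across the per-objectclass groups (`nsds5replicabinddn`, `nsds5replicaroot`, `nsds5replicaprotocoltimeout`, `nsds5replicahost`, `nsds5replicaport`, `description`, `nsds50ruv`, and most of the agreement status attributes); the set literal deduplicates them, but listing shared attributes once under a `# common to all agreement types` comment would make the intended coverage easier to audit against the target filter. The enclosing `NONOBJECT_PERMISSIONS` dict begins before the hunk.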