Add Kerberos ticket flags management to service and host plugins.

https://fedorahosted.org/freeipa/ticket/3329
author: Jan Cholasta <jcholast@redhat.com> 2013-03-18 12:31:23 +0100
committer: Martin Kosek <mkosek@redhat.com> 2013-03-29 16:34:46 +0100
commit: 5f26d2c6dbe878518963b5d8f9159ed3fcc71d58 (patch)
tree: d26dd5bac744b8f6110d7cd35a8201d0d312d46e /install/share
parent: cc56723151c9ebf58d891e85617319d861af14a4 (diff)
download: freeipa-5f26d2c6dbe878518963b5d8f9159ed3fcc71d58.tar.gz
freeipa-5f26d2c6dbe878518963b5d8f9159ed3fcc71d58.tar.xz
freeipa-5f26d2c6dbe878518963b5d8f9159ed3fcc71d58.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 3e6c10077..f173f7971 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -5,7 +5,7 @@ changetype: modify
 add: aci
 aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
 aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
author	Jan Cholasta <jcholast@redhat.com>	2013-03-18 12:31:23 +0100
committer	Martin Kosek <mkosek@redhat.com>	2013-03-29 16:34:46 +0100
commit	5f26d2c6dbe878518963b5d8f9159ed3fcc71d58 (patch)
tree	d26dd5bac744b8f6110d7cd35a8201d0d312d46e /install/share
parent	cc56723151c9ebf58d891e85617319d861af14a4 (diff)
download	freeipa-5f26d2c6dbe878518963b5d8f9159ed3fcc71d58.tar.gz freeipa-5f26d2c6dbe878518963b5d8f9159ed3fcc71d58.tar.xz freeipa-5f26d2c6dbe878518963b5d8f9159ed3fcc71d58.zip