diff options
| author | Martin Kosek <mkosek@redhat.com> | 2013-10-25 15:22:58 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-10-25 15:26:51 +0200 |
| commit | cdd2e9caffb568c0915fb335e46c464404b21e26 (patch) | |
| tree | ddfcd5aa5c845b8d8ba01687fe89cc2d1944c216 /install/share | |
| parent | 9a368b6358e77607214a33bedd3f906641bea4e4 (diff) | |
| download | freeipa-cdd2e9caffb568c0915fb335e46c464404b21e26.tar.gz freeipa-cdd2e9caffb568c0915fb335e46c464404b21e26.tar.xz freeipa-cdd2e9caffb568c0915fb335e46c464404b21e26.zip | |
Do not add kadmin/changepw ACIs on new installs
These ACI were needed when FreeIPA had a custom ipa_kpasswd daemon,
now that a standard kadmin is used, ACIs are not needed anymore as
kadmin uses the same driver as the KDC.
The ACIs is not removed on upgrades to avoid breaking older
replicas which may still use FreeIPA version with the ipa_kpasswd
daemon.
https://fedorahosted.org/freeipa/ticket/3987
Diffstat (limited to 'install/share')
| -rw-r--r-- | install/share/default-aci.ldif | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 8a0fa60e3..510ea3284 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -8,7 +8,6 @@ aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) -aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) |