summaryrefslogtreecommitdiffstats
path: root/install/updates/20-aci.update
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2014-04-16 10:27:09 +0200
committerMartin Kosek <mkosek@redhat.com>2014-04-24 11:19:51 +0200
commit1389567ec58dca310edf679af7903013f0bdaf07 (patch)
tree57cd19e6bd75500e897d8d9117d0b97aedad4830 /install/updates/20-aci.update
parentbaa72b68b1336edb28ca833fcc1616fe466fe709 (diff)
downloadfreeipa-1389567ec58dca310edf679af7903013f0bdaf07.tar.gz
freeipa-1389567ec58dca310edf679af7903013f0bdaf07.tar.xz
freeipa-1389567ec58dca310edf679af7903013f0bdaf07.zip
Extend anonymous read ACI for containers
- Allow cn=etc,$SUFFIX with these exceptions: - cn=masters,cn=ipa,cn=etc,$SUFFIX - virtual operations - cn=replicas,cn=ipa,cn=etc,$SUFFIX - Disallow anonymous read access to Kerberos password policy Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/20-aci.update')
-rw-r--r--install/updates/20-aci.update5
1 files changed, 4 insertions, 1 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 9d8a6392f..d3a9db2ae 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -23,7 +23,10 @@ add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc ||
# Read access to containers
dn: $SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
+add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
+
+dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
dn: cn=kerberos,$SUFFIX