summaryrefslogtreecommitdiffstats
path: root/install/updates/20-aci.update
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2014-04-29 21:46:26 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-05-26 12:14:55 +0200
commit193ced0bd7a9a26e7b25f08b023ee21302acaac7 (patch)
tree994ad23b37d49ab451f65c52a54e71901cc3aedc /install/updates/20-aci.update
parent63becae88c6c270b98f0432dc474b661b82f3119 (diff)
downloadfreeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.tar.gz
freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.tar.xz
freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.zip
Remove the global anonymous read ACI
Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/20-aci.update')
-rw-r--r--install/updates/20-aci.update11
1 files changed, 11 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index f31c20177..34cba4cc8 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -51,3 +51,14 @@ add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || k
dn: cn=config
# Replaced by 'System: Read Replication Agreements'
remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: $SUFFIX
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)'
+remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)'
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
+
+dn: cn=hbac,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)'
+
+dn: cn=sudo,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
generated by cgit (git 2.34.1) at 2024-05-03 00:55:46 +0000