authorPetr Viktorin <pviktori@redhat.com>2014-04-25 13:14:47 +0200
committerMartin Kosek <mkosek@redhat.com>2014-04-25 14:06:08 +0200
commit99691d117168e9ed95413f96f839b38320ac17f9 (patch)
tree6e5106bd579372094059fca509bf55f29837999b /install
parent223e6dc3f766879220a01f855da627e29f30e385 (diff)
aci-update: Add ACI for read-only admin attributes
Most admin access is granted with the "Admin can manage any entry" ACI, but before the global anonymous read ACI is removed, read-only admin access must be explicitly given. Add an ACI for read-only attributes. https://fedorahosted.org/freeipa/ticket/4319 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/updates/20-aci.update2
1 files changed, 2 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 2db3bead2..d9dcad2e5 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -44,3 +44,5 @@ add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || s
remove:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+# Read-only
+add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
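Review bot: The new ACI on the last line carries only the comment `# Read-only`, which does not tell an operator reading the update file why a separate read-only grant for admins exists or what its scope is; the reasoning is only in the commit message. I would expand it to `# Read-only admin attributes: not covered by the admin write ACI above, so read/search/compare must be granted explicitly before the global anonymous read ACI is removed (ticket 4319)`, hedging the "not covered" part if that ACI's exclusion list (cut off in the hunk header) turns out to differ. The ACI also has no `targetfilter`, unlike the password-policy ACI two lines above, so it applies to every entry under whatever `dn:` the update block targets; that `dn:` line is outside the hunk, so the effective scope should be confirmed there. As a point of style, `(targetattr="...")` and `groupdn = "` do not match the spacing of the neighbouring entries (`(targetattr = "...")` and `groupdn="`), which makes the file harder to grep consistently.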