author | Petr Viktorin <pviktori@redhat.com> | 2014-04-25 13:14:47 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-04-25 14:06:08 +0200 |
commit | 99691d117168e9ed95413f96f839b38320ac17f9 (patch) | |
tree | 6e5106bd579372094059fca509bf55f29837999b /install | |
parent | 223e6dc3f766879220a01f855da627e29f30e385 (diff) | |
aci-update: Add ACI for read-only admin attributes
Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.
https://fedorahosted.org/freeipa/ticket/4319
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/20-aci.update | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 2db3bead2..d9dcad2e5 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -44,3 +44,5 @@ add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || s
 remove:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+# Read-only
+add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
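Review bot: The added `# Read-only` comment does not say why this attribute list exists or how it was chosen, which matters because the commit message ties it to the removal of the global anonymous read ACI and any attribute missing from the list will stop being readable by admins at that point; a fuller comment such as `# Attributes admins must still be able to read once the global anonymous read ACI is removed (ticket 4319); extend this list rather than relying on the anonymous ACI` would record that intent next to the rule. Unlike the preceding "Admins can write password policies" ACI, the new one carries no targetfilter, so the read/search/compare grant applies to every entry under $SUFFIX that holds these attributes — presumably intended, given the "Admin can manage any entry" scope described in the message, but worth stating in the comment. As a point of style, the new line writes `targetattr="..."` while the neighbouring ACIs write `targetattr = "..."`; matching the existing spacing keeps the file greppable for one form.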