Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/40-delegation.update | 6 | ||||
-rw-r--r-- | install/updates/40-dns.update | 22 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 |
3 files changed, 29 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 66c62ed54..a23521166 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -262,3 +262,9 @@ add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
 # Don't allow admins to update enrolledBy
 dn: $SUFFIX
 replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# The original DNS permissions lacked the tag.
+dn: $SUFFIX
+replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
new file mode 100644
index 000000000..7b1c45754
--- /dev/null
+++ b/install/updates/40-dns.update
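Review bot: The comment `# The original DNS permissions lacked the tag.` does not say what the tag is; the context line above shows the convention, an acl name of `"permission:<cn>"` matching the entry under cn=permissions (`acl "permission:Enroll a host"` for `cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX`), so the three renames would be clearer with `# The original DNS ACIs were named without the "permission:" prefix that ties an ACI to its entry under cn=permissions; rename them so the permission framework can find and manage them.` Each `replace:aci:old::new` line also relies on the old value matching the deployed ACI byte for byte; if I read the updater's replace semantics right, a deployment whose ACI differs in whitespace or attribute order is left silently untagged, so the upgrade log is worth checking for these three values. A smaller nit: the targetattr list of the update ACI names `idnsname` twice, and the new value carries the duplicate forward.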
@@ -0,0 +1,22 @@
+# Add missing member values to attach permissions to their respective
+# privileges and run a memberOf task.
+dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
+addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
+addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
+addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
+add: objectClass: top
+add: objectClass: extensibleObject
+add: cn: IPA PBAC memberOf $TIME
+add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
+add: filter: (objectclass=*)
+add: ttl: 10
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index bf4d9af96..99b7c56c7 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -19,6 +19,7 @@ app_DATA = \
 	20-winsync_index.update \
 	21-replicas_container.update \
 	40-delegation.update \
+	40-dns.update \
 	45-roles.update \
 	50-lockout-policy.update \
 	50-groupuuid.update \
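Review bot: The `addifexist:member:` lines presumably do nothing when the referenced privilege entry is absent, so on a server where `cn=DNS Administrators` or `cn=DNS Servers` under cn=privileges has not been created yet the three DNS permissions stay detached from any privilege and nothing records that; the header comment should state the dependency, e.g. `# Requires the DNS Administrators and DNS Servers privileges to exist already; addifexist skips the value otherwise.` The memberOf task at the end sets `basedn: 'cn=privileges,cn=pbac,$SUFFIX'` while the member values are written under cn=permissions, which is the right side only if memberOf is stamped on the member (privilege) entries; a one-line comment such as `# memberOf lands on the privilege entries, hence the basedn under cn=privileges` would spare the next reader the same check. The Makefile.am hunk is just the list entry and needs nothing.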