summaryrefslogtreecommitdiffstats
path: root/install/updates/20-aci.update
Commit message (Collapse)AuthorAgeFilesLines
* aci-update: Add ACI for read-only admin attributesPetr Viktorin2014-04-251-0/+2
| | | | | | | | | | | Most admin access is granted with the "Admin can manage any entry" ACI, but before the global anonymous read ACI is removed, read-only admin access must be explicitly given. Add an ACI for read-only attributes. https://fedorahosted.org/freeipa/ticket/4319 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* aci-update: Trim the admin write blacklistPetr Viktorin2014-04-251-0/+13
| | | | | | | | | | | | | | | | | | | These attributes are removed from the blacklist, which means high-level admins can now modify them: - krbPrincipalAliases - krbPrincipalType - krbPwdPolicyReference - krbTicketPolicyReference - krbUPEnabled - serverHostName The intention is to only blacklist password attributes and attributes that are managed by DS plugins. Also, move the admin ACIs from ldif and trusts.update to aci.update. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Extend anonymous read ACI for containersPetr Viktorin2014-04-241-1/+4
| | | | | | | | | | | | - Allow cn=etc,$SUFFIX with these exceptions: - cn=masters,cn=ipa,cn=etc,$SUFFIX - virtual operations - cn=replicas,cn=ipa,cn=etc,$SUFFIX - Disallow anonymous read access to Kerberos password policy Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow anonymous read access to Kerberos containersPetr Viktorin2014-04-161-0/+4
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Allow anonymous read access to containersPetr Viktorin2014-04-081-0/+8
| | | | | | | | | | | | | All nsContainer objects, except ones in cn=etc, can now be read anonymously. The allowed attributes are cn and objectclass. These are the same in all IPA installations so they don't provide any sensitive information. Also, $SUFFIX itself can now be read anonymously. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add LDAP ACIs for SSH public key schema.Jan Cholasta2012-02-131-0/+10
| | | | https://fedorahosted.org/freeipa/ticket/754
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-241-0/+4
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* Add aci to make managed netgroups immutable.Rob Crittenden2011-02-181-0/+4
ticket 962
generated by cgit (git 2.34.1) at 2024-06-23 14:18:18 +0000