From 86f943ca180a72c4cfa3a8a03226f2471a97981b Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Mon, 28 Apr 2014 14:23:19 +0200
Subject: Replace "replica admins read access" ACI with a permission

Add a 'Read Replication Agreements' permission to replace the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek
---
 install/share/replica-acis.ldif | 5 --
 install/updates/20-aci.update | 5 ++
 .../install/plugins/update_managed_permissions.py | 61 ++++++++++++++++++++++
 3 files changed, 66 insertions(+), 5 deletions(-)

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index f4e96139f..8c0bc8ec3 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,10 +1,5 @@
 # Replica administration
-dn: cn=config
-changetype: modify
-add: aci
-aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2e5..f31c20177 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,8 @@ add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sa
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
+# Removal of obsolete ACIs
+dn: cn=config
+# Replaced by 'System: Read Replication Agreements'
+remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index bffd9bbf4..92e5d963b 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
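Review bot: The `remove:aci:` directive only retires the broad `(targetattr != aci)` read grant on cn=config if its value matches the ACI stored on already-installed servers exactly, and it is the one directive here written with a space before the quoted value (`remove:aci: '...'`) while the surrounding `add:aci:'...'` lines have none; whether the updater tolerates that depends on its parser, which is not visible in this diff, so an upgrade test asserting the old "replica admins read access" ACI is absent from cn=config afterwards would make the cleanup verifiable. The comment above the directive could also say what is being retired, e.g. `# Replaced by 'System: Read Replication Agreements'; the old ACI let the Modify Replication Agreements permission read every non-aci attribute under cn=config`, so a reader sees why leaving it behind matters.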
@@ -155,6 +155,67 @@ NONOBJECT_PERMISSIONS = {
 'ipantdomainguid', 'ipantfallbackprimarygroup',
 },
 },
+ 'System: Read Replication Agreements': {
+ 'ipapermlocation': DN('cn=config'),
+ 'ipapermtargetfilter': {
+ '(|'
+ '(objectclass=nsds5Replica)'
+ '(objectclass=nsds5replicationagreement)'
+ '(objectclass=nsDSWindowsReplicationAgreement)'
+ '(objectClass=nsMappingTree)'
+ ')'
+ },
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn', 'objectclass',
+ # nsds5Replica
+ 'nsds5replicaroot', 'nsds5replicaid', 'nsds5replicacleanruv',
+ 'nsds5replicaabortcleanruv', 'nsds5replicatype',
+ 'nsds5replicabinddn', 'nsstate', 'nsds5replicaname',
+ 'nsds5flags', 'nsds5task', 'nsds5replicareferral',
+ 'nsds5replicaautoreferral', 'nsds5replicapurgedelay',
+ 'nsds5replicatombstonepurgeinterval', 'nsds5replicachangecount',
+ 'nsds5replicalegacyconsumer', 'nsds5replicaprotocoltimeout',
+ 'nsds5replicabackoffmin', 'nsds5replicabackoffmax',
+ # nsds5replicationagreement
+ 'nsds5replicacleanruvnotified', 'nsds5replicahost',
+ 'nsds5replicaport', 'nsds5replicatransportinfo',
+ 'nsds5replicabinddn', 'nsds5replicacredentials',
+ 'nsds5replicabindmethod', 'nsds5replicaroot',
+ 'nsds5replicatedattributelist',
+ 'nsds5replicatedattributelisttotal', 'nsds5replicaupdateschedule',
+ 'nsds5beginreplicarefresh', 'description', 'nsds50ruv',
+ 'nsruvreplicalastmodified', 'nsds5replicatimeout',
+ 'nsds5replicachangessentsincestartup', 'nsds5replicalastupdateend',
+ 'nsds5replicalastupdatestart', 'nsds5replicalastupdatestatus',
+ 'nsds5replicaupdateinprogress', 'nsds5replicalastinitend',
+ 'nsds5replicaenabled', 'nsds5replicalastinitstart',
+ 'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+ 'nsds5replicabusywaittime', 'nsds5replicastripattrs',
+ 'nsds5replicasessionpausetime', 'nsds5replicaprotocoltimeout',
+ # nsDSWindowsReplicationAgreement
+ 'nsds5replicahost', 'nsds5replicaport',
+ 'nsds5replicatransportinfo', 'nsds5replicabinddn',
+ 'nsds5replicacredentials', 'nsds5replicabindmethod',
+ 'nsds5replicaroot', 'nsds5replicatedattributelist',
+ 'nsds5replicaupdateschedule', 'nsds5beginreplicarefresh',
+ 'description', 'nsds50ruv', 'nsruvreplicalastmodified',
+ 'nsds5replicatimeout', 'nsds5replicachangessentsincestartup',
+ 'nsds5replicalastupdateend', 'nsds5replicalastupdatestart',
+ 'nsds5replicalastupdatestatus', 'nsds5replicaupdateinprogress',
+ 'nsds5replicalastinitend', 'nsds5replicalastinitstart',
+ 'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+ 'nsds5replicabusywaittime', 'nsds5replicasessionpausetime',
+ 'nsds7windowsreplicasubtree', 'nsds7directoryreplicasubtree',
+ 'nsds7newwinusersyncenabled', 'nsds7newwingroupsyncenabled',
+ 'nsds7windowsdomain', 'nsds7dirsynccookie', 'winsyncinterval',
+ 'onewaysync', 'winsyncmoveaction', 'nsds5replicaenabled',
+ 'winsyncdirectoryfilter', 'winsyncwindowsfilter',
+ 'winsyncsubtreepair',
+ },
+ 'default_privileges': {'Replication Administrators'},
+ }
 }
-- cgit
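Review bot: `'nsds5replicacredentials'` is listed in `ipapermdefaultattr` of a permission whose `ipapermright` is only read/search/compare, once under the nsds5replicationagreement comment and again under nsDSWindowsReplicationAgreement, so every holder of the 'Replication Administrators' privilege gets read access to the stored bind credential of each agreement. The retired `(targetattr != aci)` ACI exposed it as well, but a named managed permission is where that exposure should be a deliberate decision: unless a consumer that holds only this permission needs to read the credential, drop it from the two lines `'nsds5replicabinddn', 'nsds5replicacredentials',` and `'nsds5replicacredentials', 'nsds5replicabindmethod',`, or add a comment above them stating why it must be readable. Separately, several names (`nsds5replicabinddn`, `nsds5replicaroot`, `nsds5replicahost`, `nsds5replicaprotocoltimeout`, `nsds5replicaenabled`, among others) are repeated across the three commented groups; that is harmless in a set literal, but a one-line comment such as `# attributes shared between agreement types are listed under each group for readability` would save a reader from hunting for a difference. The `NONOBJECT_PERMISSIONS` dict this entry belongs to starts before the hunk.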