From 99691d117168e9ed95413f96f839b38320ac17f9 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 25 Apr 2014 13:14:47 +0200
Subject: aci-update: Add ACI for read-only admin attributes

Most admin access is granted with the "Admin can manage any entry" ACI,
but before the global anonymous read ACI is removed, read-only admin
access must be explicitly given.
Add an ACI for read-only attributes.

https://fedorahosted.org/freeipa/ticket/4319

Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
 install/updates/20-aci.update | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'install/updates')

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 2db3bead2..d9dcad2e5 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -44,3 +44,5 @@ add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || s
 remove:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+# Read-only
+add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
-- 
cgit