freeipa/install/updates/75-user-trust-attributes.update

# Add an explicit self-service ACI to allow writing to manage trust attributes
# for the owner of the object
dn: cn=users,cn=accounts,$SUFFIX
add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)
Add SMB attributes for users SMB attributes are used by Samba domain controller when reporting details about IPA users via LSA DCE RPC calls. Based on the initial work from the external plugin: https://github.com/abbra/freeipa-user-trust-attributes Related: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Tibor Dudlák <tdudlak@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> 2019-04-02 09:23:09 -05:00			`# Add an explicit self-service ACI to allow writing to manage trust attributes`
			`# for the owner of the object`
			`dn: cn=users,cn=accounts,$SUFFIX`
			`add:aci:(targetattr = "ipantlogonscript \|\| ipantprofilepath \|\| ipanthomedirectory \|\| ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)`
			`add:aci:(targetattr = "ipantlogonscript \|\| ipantprofilepath \|\| ipanthomedirectory \|\| ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)`