############################################
# Configure the DIT
############################################
dn: cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: roles
# Permissions-based Access Control
dn: cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: pbac
dn: cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: privileges
dn: cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: permissions
############################################
# Add the default roles
############################################
dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: helpdesk
description: Helpdesk
############################################
# Add the default privileges
############################################
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: User Administrators
description: User Administrators
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Group Administrators
description: Group Administrators
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Host Administrators
description: Host Administrators
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Host Group Administrators
description: Host Group Administrators
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Delegation Administrator
description: Role administration
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Service Administrators
description: Service Administrators
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Automount Administrators
description: Automount Administrators
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Netgroups Administrators
description: Netgroups Administrators
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Certificate Administrators
description: Certificate Administrators
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Replication Administrators
description: Replication Administrators
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Host Enrollment
description: Host Enrollment
############################################
# Default permissions.
############################################
# DNS administration
# The permission and ACI for this are in install/updates/dns.ldif
# Replica administration
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Replication Agreements
ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Replication Agreements
ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Replication Agreements
ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify DNA Range
ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
# Create the virtual operations container. Its child entries are used to control access to
# operations that do not rely on LDAP directly: each such operation is granted by an ACI
# (added below) that allows write access to the operation's virtual operations entry.
dn: cn=virtual operations,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: virtual operations
# Retrieve Certificate virtual op
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Retrieve Certificates from the CA
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate virtual op
dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Request Certificate
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate from different host virtual op
dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Request Certificates from a different host
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Status virtual op
dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Get Certificates status from the CA
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
# Revoke Certificate virtual op
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Revoke Certificate
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Remove Hold virtual op
dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Certificate Remove Hold
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)