Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients. https://fedorahosted.org/freeipa/ticket/4850 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
parent
af1f87a034
commit
0a7a8d6604
2
ACI.txt
2
ACI.txt
@ -300,6 +300,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetattr = "cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Read Certificate Store Entries";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: ou=profile,dc=ipa,dc=example
|
||||
aci: (targetattr = "attributemap || authenticationmethod || bindtimelimit || cn || createtimestamp || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || entryusn || followreferrals || modifytimestamp || objectclass || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor")(targetfilter = "(|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile))")(version 3.0;acl "permission:System: Read DUA Profile";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=config
|
||||
|
@ -320,6 +320,26 @@ NONOBJECT_PERMISSIONS = {
|
||||
'winsyncsubtreepair',
|
||||
},
|
||||
'default_privileges': {'Replication Administrators'},
|
||||
},
|
||||
'System: Read DUA Profile': {
|
||||
'ipapermlocation': DN('ou=profile', api.env.basedn),
|
||||
'ipapermtargetfilter': {
|
||||
'(|'
|
||||
'(objectclass=organizationalUnit)'
|
||||
'(objectclass=DUAConfigProfile)'
|
||||
')'
|
||||
},
|
||||
'ipapermbindruletype': 'anonymous',
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'objectclass', 'ou', 'cn', 'defaultServerList',
|
||||
'preferredServerList', 'defaultSearchBase', 'defaultSearchScope',
|
||||
'searchTimeLimit', 'bindTimeLimit', 'credentialLevel',
|
||||
'authenticationMethod', 'followReferrals', 'dereferenceAliases',
|
||||
'serviceSearchDescriptor', 'serviceCredentialLevel',
|
||||
'serviceAuthenticationMethod', 'objectclassMap', 'attributeMap',
|
||||
'profileTTL'
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
|
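Review bot: The new `'System: Read DUA Profile'` entry gives no rationale for `'ipapermbindruletype': 'anonymous'`, even though the neighbouring managed permissions shown in the ACI.txt hunk are bound to authenticated users (`ldap:///all`) or to a privilege group, nor for listing `organizationalUnit` in the target filter alongside `DUAConfigProfile`. Anyone later auditing what the directory exposes to unauthenticated binds will want that reasoning next to the definition rather than in the commit message, so I would add above the `'System: Read DUA Profile': {` line: `# Anonymous bind: Solaris clients read the DUA profile (ticket 4850) and presumably do so before they can authenticate; organizationalUnit is in the filter so the ou=profile container itself is searchable — confirm both.` Because `ipapermlocation` is the whole `ou=profile` subtree, the anonymous read also covers any other `organizationalUnit` entry placed beneath it, which is worth stating in the same comment so future additions under that container are made deliberately. The `NONOBJECT_PERMISSIONS` dict this entry belongs to starts outside the hunk.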