IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Extend anonymous read ACI for containers

Browse Source 
- Allow cn=etc,$SUFFIX with these exceptions:
  - cn=masters,cn=ipa,cn=etc,$SUFFIX
  - virtual operations
  - cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Petr Viktorin
2014-04-16 10:27:09 +02:00
committed by Martin Kosek
parent baa72b68b1
commit 1389567ec5
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
install/updates/20-aci.update
View File

@@ -23,7 +23,10 @@ add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc ||
# Read access to containers
dn: $SUFFIX
add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
dn: cn=kerberos,$SUFFIX