Fix: Allow read access to masters, but not their services, to auth'd users

Fixes commit b243da415e

A bad version of the patch was sent and pushed.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Petr Viktorin 2014-06-19 13:01:06 +02:00 committed by Martin Kosek
parent b243da415e
commit 18744d1833


@ -30,7 +30,7 @@ add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read
# Read access to masters (but not their services) # Read access to masters (but not their services)
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)' add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)'
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
dn: cn=kerberos,$SUFFIX dn: cn=kerberos,$SUFFIX
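Review bot: The corrected `add:aci:` line on `cn=masters,cn=ipa,cn=etc,$SUFFIX` only appends a value, so a server that already applied the update from b243da415e would keep the earlier "Read access to masters" ACI next to the new one. Because allow rules are cumulative, the broader of the two would still decide what `userdn = "ldap:///all"` can read. If any build carrying the bad value was deployed, a `remove:aci:'<previous ACI value, verbatim>'` line ahead of the `add:` would retire it. The rendered page does not mark which of the two values is the new one, so this assumes the earlier value is the one that exposed more than intended. A short comment above the rule stating how service entries are excluded (by DN depth or by the `ipaConfigObject` objectclass) would also let the next reviewer check that no nsContainer below a master falls through to all authenticated users.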