mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Replication Administrators cannot remove replication agreements
Replication agreement deletion requires read access to DNA range setting. The read access was accidently removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission. https://fedorahosted.org/freeipa/ticket/4848 Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
parent
82ab0eabf8
commit
251c97cf96
@ -14,3 +14,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
|
||||
dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:cn: Read DNA Range
|
||||
default:ipapermissiontype: SYSTEM
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
|
Loading…
Reference in New Issue
Block a user