From 338831aea3cdf04a27f5ea9159f84f9ce933e0c1 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Mon, 19 Jan 2015 12:42:11 +0100 Subject: [PATCH] Replication Administrators cannot remove replication agreements Replication agreement deletion requires read access to DNA range setting. The read access was accidently removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission. https://fedorahosted.org/freeipa/ticket/4848 Reviewed-By: Martin Basti --- install/updates/40-replication.update | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update index 619d14663..f46ab19f0 100644 --- a/install/updates/40-replication.update +++ b/install/updates/40-replication.update @@ -14,3 +14,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)' + +dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Read DNA Range +default:ipapermissiontype: SYSTEM +default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config +add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'