Move admin into cn=users,cn=accounts

After some deep thinking I think the advantages of keeping all
posix enabled user accounts under cn=users,cn=accounts outweigh the
perceived better protection of the admin account by keeping it in a
separate tree.
Simo Sorce 2008-05-22 17:55:27 -04:00
parent 0695649926
commit 3931d1d753
3 changed files with 5 additions and 5 deletions


@ -58,7 +58,7 @@ objectClass: nsContainer
objectClass: top objectClass: top
cn: masters cn: masters
dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: person objectClass: person
@ -108,7 +108,7 @@ objectClass: posixGroup
cn: admins cn: admins
description: Account administrators group description: Account administrators group
gidNumber: 1001 gidNumber: 1001
member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: False nsAccountLock: False
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
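Review bot: The relocated `dn:` line in the first hunk places uid=admin inside the cn=users,cn=accounts subtree, so any ACI scoped to that container — for instance an "Account Admins can manage Users and Groups" grant on cn=users like the one this commit keeps for radius profiles, if such a grant exists there — now also reaches the one entry that holds `allow (all)` elsewhere in this commit; the commit message accepts that trade-off, but nothing at the entry records it. A short comment above the entry would keep the next maintainer from either moving it back or widening an ACI without noticing the consequence, e.g. `# admin is deliberately an ordinary posix user under cn=users; ACIs on that subtree apply to it as well.` The `member:` line in the second hunk is the matching group reference and is consistent with the new DN.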


@ -4,7 +4,7 @@ dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
@ -29,7 +29,7 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
dn: cn=radius,$SUFFIX dn: cn=radius,$SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=services,cn=accounts,$SUFFIX dn: cn=services,cn=accounts,$SUFFIX
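Review bot: Both rewritten ACIs — "Admin can manage any entry" in the first hunk and the radius deny in the second — still identify the admin account by its full DN, so admin's rights now rest on this file, the bootstrap entry and the installer agreeing on one literal, and a later rename of what is now an ordinary user entry would silently drop `allow (all)` while the `userdn!=` deny on cn=radius keeps applying; fail-closed, but hard to diagnose. The unchanged "Admins can write passwords" grant is scoped at $SUFFIX with no target filter, so it already covered the old location and gains nothing new here. A comment next to the first rewritten ACI would make the coupling visible, e.g. `# admin DN must match the bootstrap user entry; the account now lives under cn=users, so subtree ACIs there cover it too.`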


@ -375,7 +375,7 @@ class DsInstance(service.Service):
args = [app, args = [app,
"-D", "cn=Directory Manager", "-w", self.dm_password, "-D", "cn=Directory Manager", "-w", self.dm_password,
"-P", dirname+"/cert8.db", "-ZZZ", "-s", password, "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
"uid=admin,cn=sysaccounts,cn=etc,"+self.suffix] "uid=admin,cn=users,cn=accounts,"+self.suffix]
try: try:
ipautil.run(args) ipautil.run(args)
logging.debug("ldappasswd done") logging.debug("ldappasswd done")
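Review bot: The new DN on the last `args` line is the third copy of the same literal in this commit (both LDIF templates carry it as well), assembled by string concatenation with `self.suffix`, so a typo in any one copy makes the installer set the password on a DN that does not exist and the only symptom is the ldappasswd exit status. A single module-level constant, e.g. `ADMIN_RDN = "uid=admin,cn=users,cn=accounts"` used here as `ADMIN_RDN + "," + self.suffix`, keeps the Python side from drifting from the LDIF, and the templates could be fed the same value at substitution time. Separately, both the Directory Manager password (`-w`) and the new admin password (`-s`) are passed on the command line and are readable by other local users in the process list for as long as ldappasswd runs; if `app` can take them from a file or stdin, that form is preferable. The enclosing method continues outside the hunk, so whether the `try:` checks the run's result is not visible here.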