mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
Move admin into cn=users,cn=accounts
After some deep thinking I think the advantages of keeping all posix enabled user accounts under cn=users,cn=accounts overweight a perceived better protection of the admin account by keeping it in a separate tree.
This commit is contained in:
parent
0695649926
commit
3931d1d753
@ -58,7 +58,7 @@ objectClass: nsContainer
|
||||
objectClass: top
|
||||
cn: masters
|
||||
|
||||
dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
dn: uid=admin,cn=users,cn=accounts,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
objectClass: person
|
||||
@ -108,7 +108,7 @@ objectClass: posixGroup
|
||||
cn: admins
|
||||
description: Account administrators group
|
||||
gidNumber: 1001
|
||||
member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
member: uid=admin,cn=users,cn=accounts,$SUFFIX
|
||||
nsAccountLock: False
|
||||
|
||||
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
|
||||
|
@ -4,7 +4,7 @@ dn: $SUFFIX
|
||||
changetype: modify
|
||||
add: aci
|
||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
|
||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
|
||||
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
|
||||
@ -29,7 +29,7 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
|
||||
dn: cn=radius,$SUFFIX
|
||||
changetype: modify
|
||||
add: aci
|
||||
aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
|
||||
aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
|
||||
aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
dn: cn=services,cn=accounts,$SUFFIX
|
||||
|
@ -375,7 +375,7 @@ class DsInstance(service.Service):
|
||||
args = [app,
|
||||
"-D", "cn=Directory Manager", "-w", self.dm_password,
|
||||
"-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
|
||||
"uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
|
||||
"uid=admin,cn=users,cn=accounts,"+self.suffix]
|
||||
try:
|
||||
ipautil.run(args)
|
||||
logging.debug("ldappasswd done")
|
||||
|
Loading…
Reference in New Issue
Block a user