IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works)

Browse Source
This commit is contained in:
Rob Crittenden 2009-04-24 15:30:23 -04:00
parent 7ac2b8ae45
commit 4376ad0b10
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
install/updates/40-delegation.update
View File

@ -420,3 +420,18 @@ add:aci: (targetattr = "memberhost || externalhost || memberuser || member")
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)
# Taskgroup for retrieving host keytabs
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: manage_host_keytab
add:description: Manage host keytab
add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
# Add the ACI needed to do host keytab admin
add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
cn=accounts,$SUFFIX";)