mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works)
parent
7ac2b8ae45
commit
4376ad0b10
@ -420,3 +420,18 @@ add:aci: (targetattr = "memberhost || externalhost || memberuser || member")
|
||||
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
|
||||
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
|
||||
pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Taskgroup for retrieving host keytabs
|
||||
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
|
||||
add:objectClass: top
|
||||
add:objectClass: groupofnames
|
||||
add:cn: manage_host_keytab
|
||||
add:description: Manage host keytab
|
||||
add:member:"cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX"
|
||||
|
||||
# Add the ACI needed to do host keytab admin
|
||||
add:aci: (targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
|
||||
cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
|
||||
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
|
||||
cn=accounts,$SUFFIX";)
|
||||
|
||||
|
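Review bot: The new `add:aci:` line has no `dn:` of its own in this hunk, so the nearest preceding entry is `cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX`. If the updater attaches `add:` lines to the most recent `dn:`, the ACI is stored on the taskgroup entry; the directory server evaluates an ACI only for the entry that holds it and that entry's subtree, so a target under `cn=computers` would never match and ipa-getkeytab would still be denied. A `dn:` line for the entry that carries the other delegation ACIs (presumably `dn: $SUFFIX`; the earlier part of the file is outside the hunk) placed just before the ACI would make the placement explicit. The comment above the rule could also state its reach, for example `# Members of manage_host_keytab can replace krbPrincipalKey on every cn=* entry under cn=computers`, since writing that attribute lets a member reset the Kerberos key of any host in that container.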