IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ACI plugin supports prefixes

Browse Source 
When more than one plugin produce ACIs, they share common namespace
of ACI name. This may lead to name collisions between the ACIs
from different plugins.

This patch introduces a mandatory "prefix" attribute for non-find
ACI operations which allow plugins to use their own prefixes
(i.e. namespaces) which is then used when a name of the ACI is
generated.

Permission, Delegation and Selfservice plugins has been updated
to use their own prefixes thus avoiding name collisions by using
their own namespaces. Default ACIs in LDIFs has been updated to
follow this new policy.

Permission plugin now uses its CN (=primary key) instead of
description in ACI names as Description may not be unique.

This change requires an IPA server reinstall since the default ACI
set has been changed.

https://fedorahosted.org/freeipa/ticket/764
This commit is contained in:
Martin Kosek 2011-01-21 09:20:01 +01:00 committed by Rob Crittenden
parent add7d701c6
commit 65a146cdca
7 changed files with 179 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
install/share/default-aci.ldif
View File

@ -6,7 +6,7 @@ add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)

88
install/share/delegation.ldif
View File

@ -507,51 +507,51 @@ member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addusers";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeusers";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyusers";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";)
# Group administration # Group administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addgroups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroupmembership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removegroups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be # We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";)
# Host administration # Host administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";)
# Hostgroup administration # Hostgroup administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyhostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhostgroupmembership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
# Service administration # Service administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addservices";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeservices";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyservices";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";)
# Delegation administration # Delegation administration
@ -563,45 +563,45 @@ aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(ve
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addroles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeroles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyroles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyrolemembership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:modifyprivilegemembership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";)
# Automount administration # Automount administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountmaps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountmaps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountkeys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountkeys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
# Netgroup administration # Netgroup administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:addnetgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:removenetgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:modifynetgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:modifynetgroupmembership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
# Host keytab admin # Host keytab admin
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_host_keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Service keytab admin # Service keytab admin
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_service_keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Add the ACI needed to do host enrollment. When this occurs we # Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and # set the krbPrincipalName, add krbPrincipalAux to objectClass and
@ -610,24 +610,24 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:enroll_host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";)
# Entitlement administration # Entitlement administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:addentitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:modifyentitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:removeentitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX";)
# Create virtual operations entry. This is used to control access to # Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly. # operations that don't rely on LDAP directly.
@ -655,7 +655,7 @@ member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:retrieve_certs" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate virtual op # Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
@ -675,7 +675,7 @@ member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_certs" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate from different host virtual op # Request Certificate from different host virtual op
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
@ -695,7 +695,7 @@ member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_cert_different_host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Status virtual op # Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
@ -715,7 +715,7 @@ member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_status" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";)
# Revoke Certificate virtual op # Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
@ -735,7 +735,7 @@ member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:revoke_certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Remove Hold virtual op # Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
@ -755,4 +755,4 @@ member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_remove_hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";)

6
install/share/replica-acis.ldif
View File

@ -3,17 +3,17 @@
dn: cn="$SUFFIX",cn=mapping tree,cn=config dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr=*)(version 3.0;acl "permission:addreplica";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:modifyreplica"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:removereplica";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=tasks,cn=config dn: cn=tasks,cn=config
changetype: modify changetype: modify

95
ipalib/plugins/aci.py
View File

@ -89,22 +89,22 @@ command-line now (see last example).
Add an ACI so that the group "secretaries" can update the address on any user: Add an ACI so that the group "secretaries" can update the address on any user:
ipa group-add --desc="Office secretaries" secretaries ipa group-add --desc="Office secretaries" secretaries
ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write "Secretaries write addresses" ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"
Show the new ACI: Show the new ACI:
ipa aci-show "Secretaries write addresses" ipa aci-show --prefix=none "Secretaries write addresses"
Add an ACI that allows members of the "addusers" permission to add new users: Add an ACI that allows members of the "addusers" permission to add new users:
ipa aci-add --type=user --permission=addusers --permissions=add "Add new users" ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"
Add an ACI that allows members of the editors manage members of the admins group: Add an ACI that allows members of the editors manage members of the admins group:
ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors "Editors manage admins" ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"
Add an ACI that allows members of the admin group to manage the street and zip code of those in the editors group: Add an ACI that allows members of the admin group to manage the street and zip code of those in the editors group:
ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode "admins edit the address of editors" ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode --prefix=none "admins edit the address of editors"
Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" "Edit the address of those who work for the boss" ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"
Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
@ -128,6 +128,8 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
from ldap import explode_dn from ldap import explode_dn
import logging import logging
ACI_NAME_PREFIX_SEP = ":"
_type_map = { _type_map = {
'user': 'ldap:///uid=*,%s,%s' % (api.env.container_user, api.env.basedn), 'user': 'ldap:///uid=*,%s,%s' % (api.env.container_user, api.env.basedn),
'group': 'ldap:///cn=*,%s,%s' % (api.env.container_group, api.env.basedn), 'group': 'ldap:///cn=*,%s,%s' % (api.env.container_group, api.env.basedn),
@ -142,6 +144,10 @@ _valid_permissions_values = [
u'read', u'write', u'add', u'delete', u'all' u'read', u'write', u'add', u'delete', u'all'
] ]
_valid_prefix_values = (
u'permission', u'delegation', u'selfservice', u'none'
)
class ListOfACI(output.Output): class ListOfACI(output.Output):
type = (list, tuple) type = (list, tuple)
doc = _('A list of ACI values') doc = _('A list of ACI values')
@ -162,6 +168,26 @@ aci_output = (
) )
def _make_aci_name(aciprefix, aciname):
"""
Given a name and a prefix construct an ACI name.
"""
if aciprefix == u"none":
return aciname
return aciprefix + ACI_NAME_PREFIX_SEP + aciname
def _parse_aci_name(aciname):
"""
Parse the raw ACI name and return a tuple containing the ACI prefix
and the actual ACI name.
"""
aciparts = aciname.partition(ACI_NAME_PREFIX_SEP)
if not aciparts[2]: # no prefix/name separator found
return (u"none",aciparts[0])
return (aciparts[0], aciparts[2])
def _make_aci(ldap, current, aciname, kw): def _make_aci(ldap, current, aciname, kw):
""" """
@ -177,6 +203,9 @@ def _make_aci(ldap, current, aciname, kw):
if t1 + t2 + t3 + t4 > 1: if t1 + t2 + t3 + t4 > 1:
raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive')) raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive'))
if 'aciprefix' not in kw:
raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required'))
if t1 + t2 + t3 + t4 + t5 + t6 == 0: if t1 + t2 + t3 + t4 + t5 + t6 == 0:
raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required')) raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'))
@ -209,7 +238,7 @@ def _make_aci(ldap, current, aciname, kw):
try: try:
a = ACI(current) a = ACI(current)
a.name = aciname a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions'] a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']: if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"') a.set_bindrule('userdn = "ldap:///self"')
@ -260,7 +289,7 @@ def _aci_to_kw(ldap, a, test=False):
_make_aci(). _make_aci().
""" """
kw = {} kw = {}
kw['aciname'] = a.name kw['aciprefix'], kw['aciname'] = _parse_aci_name(a.name)
kw['permissions'] = tuple(a.permissions) kw['permissions'] = tuple(a.permissions)
if 'targetattr' in a.target: if 'targetattr' in a.target:
kw['attrs'] = list(a.target['targetattr']['expression']) kw['attrs'] = list(a.target['targetattr']['expression'])
@ -328,9 +357,10 @@ def _convert_strings_to_acis(acistrs):
logging.warn("Failed to parse: %s" % a) logging.warn("Failed to parse: %s" % a)
return acis return acis
def _find_aci_by_name(acis, aciname): def _find_aci_by_name(acis, aciprefix, aciname):
name = _make_aci_name(aciprefix, aciname).lower()
for a in acis: for a in acis:
if a.name.lower() == aciname.lower(): if a.name.lower() == name:
return a return a
raise errors.NotFound(reason=_('ACI with name "%s" not found') % aciname) raise errors.NotFound(reason=_('ACI with name "%s" not found') % aciname)
@ -351,6 +381,13 @@ def _normalize_permissions(permissions):
valid_permissions.append(p) valid_permissions.append(p)
return ','.join(valid_permissions) return ','.join(valid_permissions)
_prefix_option = StrEnum('aciprefix',
cli_name='prefix',
label=_('ACI prefix'),
doc=_('Prefix used to distinguish ACI types ' \
'(permission, delegation, selfservice, none)'),
values=_valid_prefix_values,
)
class aci(Object): class aci(Object):
""" """
@ -423,7 +460,6 @@ class aci(Object):
api.register(aci) api.register(aci)
class aci_add(crud.Create): class aci_add(crud.Create):
""" """
Create new ACI. Create new ACI.
@ -432,6 +468,7 @@ class aci_add(crud.Create):
msg_summary = _('Created ACI "%(value)s"') msg_summary = _('Created ACI "%(value)s"')
takes_options = ( takes_options = (
_prefix_option,
Flag('test?', Flag('test?',
doc=_('Test the ACI syntax but don\'t write anything'), doc=_('Test the ACI syntax but don\'t write anything'),
default=False, default=False,
@ -486,6 +523,8 @@ class aci_del(crud.Delete):
has_output = output.standard_boolean has_output = output.standard_boolean
msg_summary = _('Deleted ACI "%(value)s"') msg_summary = _('Deleted ACI "%(value)s"')
takes_options = (_prefix_option,)
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
""" """
Execute the aci-delete operation. Execute the aci-delete operation.
@ -500,7 +539,7 @@ class aci_del(crud.Delete):
acistrs = entry_attrs.get('aci', []) acistrs = entry_attrs.get('aci', [])
acis = _convert_strings_to_acis(acistrs) acis = _convert_strings_to_acis(acistrs)
aci = _find_aci_by_name(acis, aciname) aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
for a in acistrs: for a in acistrs:
candidate = ACI(a) candidate = ACI(a)
if aci.isequal(candidate): if aci.isequal(candidate):
@ -530,6 +569,8 @@ class aci_mod(crud.Update):
), ),
) )
takes_options = (_prefix_option,)
msg_summary = _('Modified ACI "%(value)s"') msg_summary = _('Modified ACI "%(value)s"')
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
@ -538,7 +579,7 @@ class aci_mod(crud.Update):
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci']) (dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry_attrs.get('aci', [])) acis = _convert_strings_to_acis(entry_attrs.get('aci', []))
aci = _find_aci_by_name(acis, aciname) aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
# The strategy here is to convert the ACI we're updating back into # The strategy here is to convert the ACI we're updating back into
# a series of keywords. Then we replace any keywords that have been # a series of keywords. Then we replace any keywords that have been
@ -558,7 +599,7 @@ class aci_mod(crud.Update):
if aci.isequal(newaci): if aci.isequal(newaci):
raise errors.EmptyModlist() raise errors.EmptyModlist()
self.api.Command['aci_del'](aciname) self.api.Command['aci_del'](aciname, **kw)
result = self.api.Command['aci_add'](aciname, **newkw)['result'] result = self.api.Command['aci_add'](aciname, **newkw)['result']
@ -597,6 +638,8 @@ class aci_find(crud.Search):
NO_CLI = True NO_CLI = True
msg_summary = ngettext('%(count)d ACI matched', '%(count)d ACIs matched', 0) msg_summary = ngettext('%(count)d ACI matched', '%(count)d ACIs matched', 0)
takes_options = (_prefix_option.clone_rename("aciprefix?", required=False),)
def execute(self, term, **kw): def execute(self, term, **kw):
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
@ -616,7 +659,15 @@ class aci_find(crud.Search):
if 'aciname' in kw: if 'aciname' in kw:
for a in acis: for a in acis:
if a.name != kw['aciname']: prefix, name = _parse_aci_name(a.name)
if name != kw['aciname']:
results.remove(a)
acis = list(results)
if 'aciprefix' in kw:
for a in acis:
prefix, name = _parse_aci_name(a.name)
if prefix != kw['aciprefix']:
results.remove(a) results.remove(a)
acis = list(results) acis = list(results)
@ -760,6 +811,8 @@ class aci_show(crud.Retrieve):
), ),
) )
takes_options = (_prefix_option,)
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
""" """
Execute the aci-show operation. Execute the aci-show operation.
@ -775,7 +828,7 @@ class aci_show(crud.Retrieve):
acis = _convert_strings_to_acis(entry_attrs.get('aci', [])) acis = _convert_strings_to_acis(entry_attrs.get('aci', []))
aci = _find_aci_by_name(acis, aciname) aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
if kw.get('raw', False): if kw.get('raw', False):
result = dict(aci=unicode(aci)) result = dict(aci=unicode(aci))
else: else:
@ -800,12 +853,13 @@ class aci_rename(crud.Update):
) )
takes_options = ( takes_options = (
_prefix_option,
Str('newname', Str('newname',
doc=_('New ACI name'), doc=_('New ACI name'),
), ),
) )
msg_summary = _('Renameed ACI to "%(value)s"') msg_summary = _('Renamed ACI to "%(value)s"')
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
@ -813,10 +867,11 @@ class aci_rename(crud.Update):
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci']) (dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry_attrs.get('aci', [])) acis = _convert_strings_to_acis(entry_attrs.get('aci', []))
aci = _find_aci_by_name(acis, aciname) aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
for a in acis: for a in acis:
if kw['newname'] == a.name: prefix, name = _parse_aci_name(a.name)
if _make_aci_name(prefix, kw['newname']) == a.name:
raise errors.DuplicateEntry() raise errors.DuplicateEntry()
# The strategy here is to convert the ACI we're updating back into # The strategy here is to convert the ACI we're updating back into
@ -833,7 +888,7 @@ class aci_rename(crud.Update):
# Do this before we delete the existing ACI. # Do this before we delete the existing ACI.
newaci = _make_aci(ldap, None, kw['newname'], newkw) newaci = _make_aci(ldap, None, kw['newname'], newkw)
self.api.Command['aci_del'](aciname) self.api.Command['aci_del'](aciname, **kw)
result = self.api.Command['aci_add'](kw['newname'], **newkw)['result'] result = self.api.Command['aci_add'](kw['newname'], **newkw)['result']

9
ipalib/plugins/delegation.py
View File

@ -50,6 +50,8 @@ from ipalib import api, crud, errors
from ipalib import output from ipalib import output
from ipalib import Object, Command from ipalib import Object, Command
ACI_PREFIX=u"delegation"
def convert_delegation(ldap, aci): def convert_delegation(ldap, aci):
""" """
memberOf is in filter but we want to pull out the group for easier memberOf is in filter but we want to pull out the group for easier
@ -70,6 +72,7 @@ def convert_delegation(ldap, aci):
aci['membergroup'] = entry_attrs['cn'] aci['membergroup'] = entry_attrs['cn']
del aci['filter'] del aci['filter']
del aci['aciprefix'] # do not include prefix in result
return aci return aci
@ -81,7 +84,7 @@ def is_delegation(ldap, aciname):
Return the result if it is a delegation ACI, adding a new attribute Return the result if it is a delegation ACI, adding a new attribute
membergroup. membergroup.
""" """
result = api.Command['aci_show'](aciname)['result'] result = api.Command['aci_show'](aciname, aciprefix=ACI_PREFIX)['result']
if 'filter' in result: if 'filter' in result:
result = convert_delegation(ldap, result) result = convert_delegation(ldap, result)
else: else:
@ -157,6 +160,7 @@ class delegation_add(crud.Create):
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
if not 'permissions' in kw: if not 'permissions' in kw:
kw['permissions'] = (u'write',) kw['permissions'] = (u'write',)
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_add'](aciname, **kw)['result'] result = api.Command['aci_add'](aciname, **kw)['result']
if 'filter' in result: if 'filter' in result:
result = convert_delegation(ldap, result) result = convert_delegation(ldap, result)
@ -180,6 +184,7 @@ class delegation_del(crud.Delete):
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
is_delegation(ldap, aciname) is_delegation(ldap, aciname)
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_del'](aciname, **kw) result = api.Command['aci_del'](aciname, **kw)
return dict( return dict(
result=True, result=True,
@ -199,6 +204,7 @@ class delegation_mod(crud.Update):
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
is_delegation(ldap, aciname) is_delegation(ldap, aciname)
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_mod'](aciname, **kw)['result'] result = api.Command['aci_mod'](aciname, **kw)['result']
if 'filter' in result: if 'filter' in result:
result = convert_delegation(ldap, result) result = convert_delegation(ldap, result)
@ -221,6 +227,7 @@ class delegation_find(crud.Search):
def execute(self, term, **kw): def execute(self, term, **kw):
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
kw['aciprefix'] = ACI_PREFIX
acis = api.Command['aci_find'](term, **kw)['result'] acis = api.Command['aci_find'](term, **kw)['result']
results = [] results = []
for aci in acis: for aci in acis:

49
ipalib/plugins/permission.py
View File

@ -61,7 +61,7 @@ EXAMPLES:
ipa permission-add --desc="Add a User" --type=user --permissions=add adduser ipa permission-add --desc="Add a User" --type=user --permissions=add adduser
Add a permission that grants the ability to manage group membership: Add a permission that grants the ability to manage group membership:
ipa permission-add --desc='Manage group members' --attrs=member --permissions=-write --type=group manage_group_members ipa permission-add --desc='Manage group members' --attrs=member --permissions=write --type=group manage_group_members
""" """
import copy import copy
@ -70,6 +70,7 @@ from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum from ipalib import Flag, Str, StrEnum
from ipalib.request import context from ipalib.request import context
ACI_PREFIX=u"permission"
class permission(LDAPObject): class permission(LDAPObject):
""" """
@ -167,8 +168,9 @@ class permission_add(LDAPCreate):
del opts['description'] del opts['description']
opts['test'] = True opts['test'] = True
opts['permission'] = keys[-1] opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try: try:
self.api.Command.aci_add(options['description'], **opts) self.api.Command.aci_add(keys[-1], **opts)
except Exception, e: except Exception, e:
raise e raise e
@ -187,8 +189,9 @@ class permission_add(LDAPCreate):
del opts['description'] del opts['description']
opts['test'] = False opts['test'] = False
opts['permission'] = keys[-1] opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try: try:
result = self.api.Command.aci_add(options['description'], **opts)['result'] result = self.api.Command.aci_add(keys[-1], **opts)['result']
for attr in self.obj.aci_attributes: for attr in self.obj.aci_attributes:
if attr in result: if attr in result:
entry_attrs[attr] = result[attr] entry_attrs[attr] = result[attr]
@ -204,7 +207,7 @@ class permission_add(LDAPCreate):
except Exception, ignore: except Exception, ignore:
pass pass
try: try:
self.api.Command.aci_del(keys[-1]) self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
except Exception, ignore: except Exception, ignore:
pass pass
raise e raise e
@ -221,10 +224,9 @@ class permission_del(LDAPDelete):
msg_summary = _('Deleted permission "%(value)s"') msg_summary = _('Deleted permission "%(value)s"')
def pre_callback(self, ldap, dn, *keys, **options): def pre_callback(self, ldap, dn, *keys, **options):
(dn, entry_attrs) = ldap.get_entry(dn, ['*']) # remove permission even when the underlying ACI is missing
if 'description' in entry_attrs:
try: try:
self.api.Command.aci_del(entry_attrs['description'][0]) self.api.Command.aci_del(keys[-1], aciprefix=ACI_PREFIX)
except errors.NotFound: except errors.NotFound:
pass pass
return dn return dn
@ -247,9 +249,7 @@ class permission_mod(LDAPUpdate):
except errors.NotFound: except errors.NotFound:
self.obj.handle_not_found(*keys) self.obj.handle_not_found(*keys)
opts = copy.copy(options) opts = copy.copy(options)
if 'description' in opts: for o in ['all', 'raw', 'rights', 'description', 'rename']:
del opts['description']
for o in ['all', 'raw', 'rights', 'description']:
if o in opts: if o in opts:
del opts[o] del opts[o]
setattr(context, 'aciupdate', False) setattr(context, 'aciupdate', False)
@ -258,8 +258,9 @@ class permission_mod(LDAPUpdate):
if len(opts) > 0: if len(opts) > 0:
opts['test'] = False opts['test'] = False
opts['permission'] = keys[-1] opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try: try:
self.api.Command.aci_mod(attrs['description'][0], **opts) self.api.Command.aci_mod(keys[-1], **opts)
setattr(context, 'aciupdate', True) setattr(context, 'aciupdate', True)
except Exception, e: except Exception, e:
raise e raise e
@ -271,10 +272,6 @@ class permission_mod(LDAPUpdate):
except: except:
pass pass
if 'description' in options:
if attrs['description'][0] != options['description']:
self.api.Command.aci_rename(attrs['description'][0], newname=options['description'])
return dn return dn
def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs):
@ -294,6 +291,15 @@ class permission_mod(LDAPUpdate):
raise exc raise exc
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
# rename the underlying ACI after the change to permission
if 'rename' in options:
aciname = keys[-1] # ACI still refers to the old permission CN
self.api.Command.aci_mod(aciname,aciprefix=ACI_PREFIX,
permission=options['rename'])
self.api.Command.aci_rename(aciname, aciprefix=ACI_PREFIX,
newname=keys[-1], newprefix=ACI_PREFIX)
result = self.api.Command.permission_show(keys[-1])['result'] result = self.api.Command.permission_show(keys[-1])['result']
for r in result: for r in result:
if not r.startswith('member'): if not r.startswith('member'):
@ -317,24 +323,29 @@ class permission_find(LDAPSearch):
for entry in entries: for entry in entries:
(dn, attrs) = entry (dn, attrs) = entry
try: try:
aci = self.api.Command.aci_show(attrs['description'][0])['result'] aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX)['result']
# copy information from respective ACI to permission entry
for attr in self.obj.aci_attributes: for attr in self.obj.aci_attributes:
if attr in aci: if attr in aci:
attrs[attr] = aci[attr] attrs[attr] = aci[attr]
except errors.NotFound: except errors.NotFound:
self.debug('ACI not found for %s' % attrs['description'][0]) self.debug('ACI not found for %s' % attrs['cn'][0])
# Now find all the ACIs that match. Once we find them, add any that # Now find all the ACIs that match. Once we find them, add any that
# aren't already in the list along with their permission info. # aren't already in the list along with their permission info.
options['aciprefix'] = ACI_PREFIX
aciresults = self.api.Command.aci_find(*args, **options) aciresults = self.api.Command.aci_find(*args, **options)
truncated = truncated or aciresults['truncated'] truncated = truncated or aciresults['truncated']
results = aciresults['result'] results = aciresults['result']
for aci in results: for aci in results:
found = False found = False
if 'permission' in aci: if 'permission' in aci:
for entry in entries: for entry in entries:
(dn, attrs) = entry (dn, attrs) = entry
if aci['permission'] == attrs['cn']: if aci['permission'] == attrs['cn'][0]:
found = True found = True
break break
if not found: if not found:
@ -359,7 +370,7 @@ class permission_show(LDAPRetrieve):
""" """
def post_callback(self, ldap, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
try: try:
aci = self.api.Command.aci_show(entry_attrs['description'][0])['result'] aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX)['result']
for attr in self.obj.aci_attributes: for attr in self.obj.aci_attributes:
if attr in aci: if attr in aci:
entry_attrs[attr] = aci[attr] entry_attrs[attr] = aci[attr]

16
ipalib/plugins/selfservice.py
View File

@ -50,6 +50,8 @@ from ipalib import api, crud, errors
from ipalib import output from ipalib import output
from ipalib import Object, Command from ipalib import Object, Command
ACI_PREFIX=u"selfservice"
def is_selfservice(aciname): def is_selfservice(aciname):
""" """
Determine if the ACI is a Self-Service ACI and raise an exception if it Determine if the ACI is a Self-Service ACI and raise an exception if it
@ -57,7 +59,7 @@ def is_selfservice(aciname):
Return the result if it is a self-service ACI. Return the result if it is a self-service ACI.
""" """
result = api.Command['aci_show'](aciname)['result'] result = api.Command['aci_show'](aciname, aciprefix=ACI_PREFIX)['result']
if 'selfaci' not in result or result['selfaci'] == False: if 'selfaci' not in result or result['selfaci'] == False:
raise errors.NotFound(reason=_('Self-service permission \'%(permission)s\' not found') % dict(permission=aciname)) raise errors.NotFound(reason=_('Self-service permission \'%(permission)s\' not found') % dict(permission=aciname))
return result return result
@ -119,7 +121,9 @@ class selfservice_add(crud.Create):
if not 'permissions' in kw: if not 'permissions' in kw:
kw['permissions'] = (u'write',) kw['permissions'] = (u'write',)
kw['selfaci'] = True kw['selfaci'] = True
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_add'](aciname, **kw)['result'] result = api.Command['aci_add'](aciname, **kw)['result']
del result['aciprefix'] # do not include prefix in result
return dict( return dict(
result=result, result=result,
@ -139,7 +143,9 @@ class selfservice_del(crud.Delete):
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
is_selfservice(aciname) is_selfservice(aciname)
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_del'](aciname, **kw) result = api.Command['aci_del'](aciname, **kw)
return dict( return dict(
result=True, result=True,
value=aciname, value=aciname,
@ -159,7 +165,10 @@ class selfservice_mod(crud.Update):
is_selfservice(aciname) is_selfservice(aciname)
if 'attrs' in kw and kw['attrs'] is None: if 'attrs' in kw and kw['attrs'] is None:
raise errors.RequirementError(name='attrs') raise errors.RequirementError(name='attrs')
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_mod'](aciname, **kw)['result'] result = api.Command['aci_mod'](aciname, **kw)['result']
del result['aciprefix'] # do not include prefix in result
return dict( return dict(
result=result, result=result,
value=aciname, value=aciname,
@ -179,8 +188,12 @@ class selfservice_find(crud.Search):
def execute(self, term, **kw): def execute(self, term, **kw):
kw['selfaci'] = True kw['selfaci'] = True
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_find'](term, **kw)['result'] result = api.Command['aci_find'](term, **kw)['result']
for aci in result:
del aci['aciprefix'] # do not include prefix in result
return dict( return dict(
result=result, result=result,
count=len(result), count=len(result),
@ -202,6 +215,7 @@ class selfservice_show(crud.Retrieve):
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
result = is_selfservice(aciname) result = is_selfservice(aciname)
del result['aciprefix'] # do not include prefix in result
return dict( return dict(
result=result, result=result,
value=aciname, value=aciname,