permission plugin: Auto-add operational atttributes to read permissions

The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.

https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Petr Viktorin 2014-09-12 09:59:52 +02:00
parent d61fb40542
commit 6ce44c4f05
4 changed files with 96 additions and 43 deletions

84
ACI.txt
View File

@ -1,7 +1,7 @@
dn: cn=automember,cn=etc,dc=ipa,dc=example
aci: (targetattr = "automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || objectclass")(targetfilter = "(objectclass=automemberdefinition)")(version 3.0;acl "permission:System: Read Automember Definitions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || createtimestamp || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=automemberdefinition)")(version 3.0;acl "permission:System: Read Automember Definitions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=automember,cn=etc,dc=ipa,dc=example
aci: (targetattr = "automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass")(targetfilter = "(objectclass=automemberregexrule)")(version 3.0;acl "permission:System: Read Automember Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || createtimestamp || description || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=automemberregexrule)")(version 3.0;acl "permission:System: Read Automember Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=tasks,cn=config
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=automount,dc=ipa,dc=example
@ -13,7 +13,7 @@ aci: (targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:Syst
dn: cn=automount,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Add Automount Locations";allow (add) groupdn = "ldap:///cn=System: Add Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=automount,dc=ipa,dc=example
aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || createtimestamp || description || entryusn || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=automount,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Remove Automount Locations";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=automount,dc=ipa,dc=example
@ -23,7 +23,7 @@ aci: (targetattr = "automountmapname || description")(targetfilter = "(objectcla
dn: cn=automount,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
@ -31,15 +31,15 @@ aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:Sy
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbpwdpolicyreference || modifytimestamp || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "createtimestamp || entryusn || idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
@ -51,11 +51,11 @@ aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipause
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "cn || gidnumber || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbac,dc=ipa,dc=example
@ -67,13 +67,13 @@ aci: (targetattr = "externalhost || memberhost || memberservice || memberuser")(
dn: cn=hbac,dc=ipa,dc=example
aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbac,dc=ipa,dc=example
aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Add HBAC Services";allow (add) groupdn = "ldap:///cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Delete HBAC Services";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipauniqueid || memberof || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Add HBAC Service Groups";allow (add) groupdn = "ldap:///cn=System: Add HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
@ -81,7 +81,7 @@ aci: (targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permi
dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Manage HBAC Service Group Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Service Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hbacservicegroups,cn=hbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || member || memberhost || memberuser || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add Hosts";allow (add) groupdn = "ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
@ -99,11 +99,11 @@ aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(versi
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "cn || macaddress || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || createtimestamp || entryusn || macaddress || modifytimestamp || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
@ -115,13 +115,13 @@ aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgrou
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=ranges,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=ng,cn=alt,dc=ipa,dc=example
@ -131,11 +131,11 @@ aci: (targetattr = "externalhost || member || memberhost || memberuser")(targetf
dn: cn=ng,cn=alt,dc=ipa,dc=example
aci: (targetattr = "description")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroups";allow (write) groupdn = "ldap:///cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (targetattr = "cn || membernisnetgroup || nisnetgrouptriple || objectclass")(target = "ldap:///cn=ng,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Netgroup Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || createtimestamp || entryusn || membernisnetgroup || modifytimestamp || nisnetgrouptriple || objectclass")(target = "ldap:///cn=ng,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Netgroup Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=ng,cn=alt,dc=ipa,dc=example
aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser || objectclass")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "createtimestamp || entryusn || externalhost || member || memberhost || memberof || memberuser || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ng,cn=alt,dc=ipa,dc=example
aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || objectclass || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipauniqueid || modifytimestamp || nisdomainname || objectclass || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ng,cn=alt,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Remove Netgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=permissions,cn=pbac,dc=ipa,dc=example
@ -143,13 +143,13 @@ aci: (targetattr = "member")(targetfilter = "(objectclass=ipapermission)")(versi
dn: dc=ipa,dc=example
aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=privileges,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Add Privileges";allow (add) groupdn = "ldap:///cn=System: Add Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=privileges,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || o || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Privileges";allow (write) groupdn = "ldap:///cn=System: Modify Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=privileges,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || member || memberhost || memberof || memberuser || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=privileges,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Remove Privileges";allow (delete) groupdn = "ldap:///cn=System: Remove Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
@ -159,11 +159,11 @@ aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:S
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "associateddomain || cn || createtimestamp || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=roles,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Add Roles";allow (add) groupdn = "ldap:///cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=roles,cn=accounts,dc=ipa,dc=example
@ -171,7 +171,7 @@ aci: (targetattr = "member")(targetfilter = "(objectclass=groupofnames)")(versio
dn: cn=roles,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Roles";allow (write) groupdn = "ldap:///cn=System: Modify Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=roles,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || member || memberhost || memberof || memberuser || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=roles,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Remove Roles";allow (delete) groupdn = "ldap:///cn=System: Remove Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=usermap,cn=selinux,dc=ipa,dc=example
@ -179,7 +179,7 @@ aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permiss
dn: cn=usermap,cn=selinux,dc=ipa,dc=example
aci: (targetattr = "cn || ipaenabledflag || ipaselinuxuser || memberhost || memberuser || seealso")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=System: Modify SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=usermap,cn=selinux,dc=ipa,dc=example
aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "accesstime || cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || modifytimestamp || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=usermap,cn=selinux,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=services,cn=accounts,dc=ipa,dc=example
@ -189,7 +189,7 @@ aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objec
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
@ -199,7 +199,7 @@ aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:Sys
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "description")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Modify Sudo Command";allow (write) groupdn = "ldap:///cn=System: Modify Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "createtimestamp || description || entryusn || ipauniqueid || memberof || modifytimestamp || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Add Sudo Command Group";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
@ -209,7 +209,7 @@ aci: (targetattr = "member")(targetfilter = "(objectclass=ipasudocmdgrp)")(versi
dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "description")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Modify Sudo Command Group";allow (write) groupdn = "ldap:///cn=System: Modify Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudocmdgroups,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || member || memberhost || memberuser || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Add Sudo rule";allow (add) groupdn = "ldap:///cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
@ -217,11 +217,11 @@ aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:Sy
dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entryusn || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || modifytimestamp || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
dn: dc=ipa,dc=example
aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=trusts,dc=ipa,dc=example
aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=trusts,dc=ipa,dc=example
aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=groups,cn=accounts,dc=ipa,dc=example
@ -239,7 +239,7 @@ aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Ma
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
dn: dc=ipa,dc=example
aci: (targetattr = "cn || gecos || gidnumber || homedirectory || loginshell || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
@ -249,7 +249,7 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
@ -265,23 +265,23 @@ aci: (targetattr = "usercertificate")(target = "ldap:///cn=caSigningCert cert-pk
dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cacertificate || ipacertissuerserial || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Modify Certificate Store Entry";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || modifytimestamp || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || crosscertificatepair || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || createtimestamp || crosscertificatepair || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cacertificate || cn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || objectclass")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Read Certificate Store Entries";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Read Certificate Store Entries";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: dc=ipa,dc=example
aci: (targetattr = "creatorsname || modifiersname")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Creator and Modifier Operational Attributes";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=config
aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=replication,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Timestamp and USN Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example

View File

@ -503,6 +503,14 @@ class permission(baseldap.LDAPObject):
def get_effective_attrs(self, entry):
attrs = set(entry.get('ipapermdefaultattr', ()))
attrs.update(entry.get('ipapermincludedattr', ()))
if ('read' in entry.get('ipapermright', ()) and
'objectclass' in (x.lower() for x in attrs)):
# Add special-cased operational attributes
# We want to allow reading these whenever reading the objectclass
# is allowed.
# (But they can still be excluded explicitly, at least in managed
# permissions).
attrs.update((u'entryusn', u'createtimestamp', u'modifytimestamp'))
attrs.difference_update(entry.get('ipapermexcludedattr', ()))
return sorted(attrs)

View File

@ -4018,3 +4018,47 @@ class test_permission_in_accounts(Declarative):
verify_permission_aci_missing(permission1, api.env.basedn),
]
class test_autoadd_operational_attrs(Declarative):
"""Test that read access to operational attributes is automatically added
"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
ipapermlocation=DN('cn=accounts', api.env.basedn),
ipapermright=u'read',
attrs=[u'ObjectClass'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
attrs=[u'ObjectClass', u'entryusn', u'createtimestamp',
u'modifytimestamp'],
ipapermright=[u'read'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[DN('cn=accounts', api.env.basedn)],
),
),
),
verify_permission_aci(
permission1, DN('cn=accounts', api.env.basedn),
'(targetattr = "ObjectClass || createtimestamp || entryusn || ' +
'modifytimestamp")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
),
]

View File

@ -66,7 +66,8 @@ class test_realmdomains(Declarative):
objectclass=objectclasses.realmdomains,
aci=[
u'(targetattr = "associateddomain || cn || '
u'objectclass")'
u'createtimestamp || entryusn || '
u'modifytimestamp || objectclass")'
u'(targetfilter = "(objectclass=domainrelatedobject)")'
u'(version 3.0;acl '
u'"permission:System: Read Realm Domains";'