mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
aci: merge domain and CA suffix replication agreement ACIs
Merge the two identical sets of replication agreement permission ACIs for the domain and CA suffixes into a single set suitable for replication agreements for both suffixes. This makes the replication agreement permissions behave correctly during CA replica install, so that any non-admin user with the proper permissions (such as members of the ipaservers host group) can set up replication for the CA suffix. https://fedorahosted.org/freeipa/ticket/5399 Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Jan Cholasta
Martin Basti
parent
38861428e7
commit
6ea868e172
@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf
|
||||
default: ipaReplTopoConfRoot: o=ipaca
|
||||
default: cn: ca
|
||||
|
||||
# Update CA replication settings
|
||||
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
|
||||
add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
|
||||
onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
|
||||
@ -1,16 +1,16 @@
|
||||
# Replica administration
|
||||
|
||||
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
||||
dn: cn=mapping tree,cn=config
|
||||
changetype: modify
|
||||
add: aci
|
||||
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
||||
dn: cn=mapping tree,cn=config
|
||||
changetype: modify
|
||||
add: aci
|
||||
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
||||
dn: cn=mapping tree,cn=config
|
||||
changetype: modify
|
||||
add: aci
|
||||
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
|
||||
dn: cn=mapping tree,cn=config
|
||||
add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
||||
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "
|
||||
|
||||
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
|
||||
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# Removal of obsolete ACIs
|
||||
dn: cn=config
|
||||
# Replaced by 'System: Read Replication Agreements'
|
||||
|
||||
Loading…
Reference in New Issue
Block a user