IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Allow Replication Administrators manipulate Winsync Agreements

Browse Source 
Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.

To allow reading winsync replicas, the original deny ACI cn=replica
had to be removed as it prevented admins from reading the entries,
but just anonymous/authenticated users.

https://fedorahosted.org/freeipa/ticket/4836

Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
Martin Kosek 2015-01-14 16:36:16 +01:00
parent 282d1ec2f9
commit 794c9e6c31
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
install/updates/20-aci.update
View File

@ -26,7 +26,7 @@ dn: $SUFFIX
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)' add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)' remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
# Read access to masters and their services # Read access to masters and their services
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX dn: cn=masters,cn=ipa,cn=etc,$SUFFIX

23
install/updates/40-delegation.update
View File

@ -214,3 +214,26 @@ default:ipapermissiontype: SYSTEM
dn: cn=config dn: cn=config
add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)' add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
# Replication Administrators
dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Read LDBM Database Configuration
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Configuration Sub-Entries
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'