IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix DNS permissions and membership in privileges

Browse Source 
This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof via
a DS task.

https://fedorahosted.org/freeipa/ticket/1898
This commit is contained in:
Rob Crittenden
2011-10-05 17:16:05 -04:00
parent ae65c01932
commit 7bd3b3e121
6 changed files with 67 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
install/updates/40-delegation.update
View File

@@ -262,3 +262,9 @@ add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
# Don't allow admins to update enrolledBy
dn: $SUFFIX
replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)'
# The original DNS permissions lacked the tag.
dn: $SUFFIX
replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'

22
install/updates/40-dns.update Normal file
View File

@@ -0,0 +1,22 @@
# Add missing member values to attach permissions to their respective
# privileges and run a memberOf task.
dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
add: objectClass: top
add: objectClass: extensibleObject
add: cn: IPA PBAC memberOf $TIME
add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
add: filter: (objectclass=*)
add: ttl: 10

1
install/updates/Makefile.am
View File

@@ -19,6 +19,7 @@ app_DATA = \
20-winsync_index.update \
21-replicas_container.update \
40-delegation.update \
40-dns.update \
45-roles.update \
50-lockout-policy.update \
50-groupuuid.update \