IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Allow a client to enroll using principal when the host has a OTP

Browse Source 
If the host has a one-time password but krbPrincipalName wasn't set yet
then the enrollment would fail because writing the principal is not
allowed. This creates an ACI that only lets it be written if it is not
already set.

ticket 1075
This commit is contained in:
Rob Crittenden 2011-03-29 13:15:22 -04:00
parent 6fbe0e86e9
commit 8719336652
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
install/updates/40-delegation.update
View File

@ -240,3 +240,21 @@ add:aci: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
# Allow an admin to enroll a host that has a one-time password.
# When a host is created with a password no krbPrincipalName is set.
# This will let it be added if the client ends up enrolling with
# an administrator instead.
dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Add krbPrincipalName to a host
default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
default:member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)'
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'