aci-update: Add ACI for read-only admin attributes

Most admin access is granted with the "Admin can manage any entry" ACI, but before the global anonymous read ACI is removed, read-only admin access must be explicitly given. Add an ACI for read-only attributes. https://fedorahosted.org/freeipa/ticket/4319 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-04-25 13:14:47 +02:00 · 2014-04-25 13:14:47 +02:00 · 99691d1171
commit 99691d1171
parent 223e6dc3f7
1 changed files with 2 additions and 0 deletions
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@ -44,3 +44,5 @@ add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || s
 remove:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+# Read-only
+add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'