Rename permissions and privileges to be more readable.

This also drops description from permissions since it seems redundant and
fixes up the help text a little.

ticket 792
Rob Crittenden
2011-01-31 11:01:56 -05:00
parent c281e786c8
commit bf4f77d985
7 changed files with 239 additions and 307 deletions


@@ -1586,9 +1586,8 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
output: Output('result', <type 'bool'>, 'True means the operation was successful')
output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
command: permission_add
args: 1,13,3
args: 1,12,3
arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, required=True)
option: Str('description', attribute=True, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, required=True)
option: List('permissions', attribute=True, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, required=True)
option: List('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', flags=('ask_create', 'ask_update'), label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=<lambda>, query=True, required=False)
option: StrEnum('type', alwaysask=True, attribute=True, autofill=False, cli_name='type', flags=('ask_create', 'ask_update'), label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns'))
@@ -1622,10 +1621,9 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
output: Output('result', <type 'dict'>, 'list of deletions that failed')
output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
command: permission_find
args: 1,14,4
args: 1,13,4
arg: Str('criteria?')
option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=False)
option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False)
option: List('permissions', attribute=True, autofill=False, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, query=True, required=False)
option: List('attrs', attribute=True, autofill=False, cli_name='attrs', flags=('ask_create', 'ask_update'), label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=<lambda>, query=True, required=False)
option: StrEnum('type', attribute=True, autofill=False, cli_name='type', flags=('ask_create', 'ask_update'), label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns'))
@@ -1643,9 +1641,8 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('count', <type 'int'>, 'Number of entries returned')
output: Output('truncated', <type 'bool'>, 'True if not all results were returned')
command: permission_mod
args: 1,15,3
args: 1,14,3
arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=True)
option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, required=False)
option: List('permissions', attribute=True, autofill=False, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, required=False)
option: List('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', flags=('ask_create', 'ask_update'), label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=<lambda>, query=True, required=False)
option: StrEnum('type', alwaysask=True, attribute=True, autofill=False, cli_name='type', flags=('ask_create', 'ask_update'), label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns'))


@@ -40,93 +40,93 @@ description: Helpdesk
############################################
# Add the default privileges
############################################
dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: useradmin
cn: User Administrators
description: User Administrators
dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: groupadmin
cn: Group Administrators
description: Group Administrators
dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: hostadmin
cn: Host Administrators
description: Host Administrators
dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: hostgroupadmin
cn: Host Group Administrators
description: Host Group Administrators
dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: delegationadmin
cn: Delegation Administrator
description: Role administration
dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: serviceadmin
cn: Service Administrators
description: Service Administrators
dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: automountadmin
cn: Automount Administrators
description: Automount Administrators
dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: netgroupadmin
cn: Netgroups Administrators
description: Netgroups Administrators
dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: certadmin
cn: Certificate Administrators
description: Certificate Administrators
dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: replicaadmin
cn: Replication Administrators
description: Replication Administrators
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: enrollhost
cn: Host Enrollment
description: Host Enrollment
dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
@@ -143,343 +143,304 @@ description: Entitlement Administrators
# User administration
dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: Add Users
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Users
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: change_password
description: Change a user password
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
cn: Change a user password
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: add_user_to_default_group
description: Add user to default group
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add user to default group
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectclass: top
objectclass: groupofnames
cn: unlock_user
description: Unlock user accounts
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
cn: Unlock user accounts
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeusers
description: Remove Users
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Users
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyusers
description: Modify Users
member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Users
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
# Group administration
dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addgroups
description: Add Groups
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removegroups
description: Remove Groups
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroups
description: Modify Groups
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroupmembership
description: Modify Group membership
member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Group membership
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
# Host administration
dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhosts
description: Add Hosts
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehosts
description: Remove Hosts
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhosts
description: Modify Hosts
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
# Hostgroup administration
dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhostgroups
description: Add Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehostgroups
description: Remove Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroups
description: Modify Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroupmembership
description: Modify Hostgroup membership
member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Hostgroup membership
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
# Service administration
dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addservices
description: Add Services
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeservices
description: Remove Services
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyservices
description: Modify Services
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
# Delegation administration
dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addroles
description: Add Roles
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeroles
description: Remove Roles
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyroles
description: Modify Roles
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyrolemembership
description: Modify Role Group membership
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Role membership
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyprivilegemembership
description: Modify privilege membership
member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify privilege membership
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
# Automount administration
dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addautomountmaps
description: Add Automount maps
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeautomountmaps
description: Remove Automount maps
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addautomountkeys
description: Add Automount keys
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeautomountkeys
description: Remove Automount keys
member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
# Netgroup administration
dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addnetgroups
description: Add netgroups
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removenetgroups
description: Remove netgroups
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroups
description: Modify netgroups
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroupmembership
description: Modify netgroup membership
member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify netgroup membership
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
# Keytab access
dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Manage host keytab
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
cn: Manage host keytab
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_service_keytab
description: Manage service keytab
member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=privileges,cn=pbac,$SUFFIX
cn: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
# DNS administration
# The permission and aci for this is in install/updates/dns.ldif
dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: enroll_host
description: Enroll a host
member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
cn: Enroll a host
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
# Replica administration
dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addreplica
description: Add Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Add Replication Agreements
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyreplica
description: Modify Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Modify Replication Agreements
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removereplica
description: Remove Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Remove Replication Agreements
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
# Entitlement management
@@ -516,52 +477,52 @@ member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addusers";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeusers";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyusers";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
# Group administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addgroups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroupmembership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removegroups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
# Host administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
# Hostgroup administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyhostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhostgroupmembership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
# Service administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addservices";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeservices";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyservices";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)
# Delegation administration
@@ -573,45 +534,45 @@ aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(ve
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addroles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeroles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyroles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyrolemembership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:modifyprivilegemembership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)
# Automount administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountmaps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountmaps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountkeys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountkeys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
# Netgroup administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:addnetgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:removenetgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:modifynetgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:modifynetgroupmembership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
# Host keytab admin
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_host_keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Service keytab admin
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_service_keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
@@ -620,7 +581,7 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:enroll_host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
# Entitlement administration
@@ -654,18 +615,17 @@ objectClass: top
objectClass: nsContainer
cn: retrieve certificate
dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: retrieve_certs
description: Retrieve Certificates from the CA
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Retrieve Certificates from the CA
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:retrieve_certs" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
@@ -674,18 +634,17 @@ objectClass: top
objectClass: nsContainer
cn: request certificate
dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: request_certs
description: Request Certificates from the CA
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Request Certificate
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_certs" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate from different host virtual op
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
@@ -694,18 +653,17 @@ objectClass: top
objectClass: nsContainer
cn: request certificate different host
dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: request_cert_different_host
description: Request Certificates from a different host
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Request Certificates from a different host
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_cert_different_host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
@@ -714,18 +672,17 @@ objectClass: top
objectClass: nsContainer
cn: certificate status
dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: certificate_status
description: Get Certificates status from the CA
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Get Certificates status from the CA
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_status" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
# Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
@@ -734,18 +691,17 @@ objectClass: top
objectClass: nsContainer
cn: revoke certificate
dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: revoke_certificate
description: Revoke Certificate
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Revoke Certificate
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:revoke_certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
@@ -754,15 +710,14 @@ objectClass: top
objectClass: nsContainer
cn: certificate remove hold
dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX
dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: certificate_remove_hold
description: Certificate Remove Hold
member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
cn: Certificate Remove Hold
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_remove_hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)


@@ -10,8 +10,8 @@ objectClass: groupofnames
objectClass: top
cn: add dns entries
description: Add DNS entries
member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
@@ -19,8 +19,8 @@ objectClass: groupofnames
objectClass: top
cn: remove dns entries
description: Remove DNS entries
member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
@@ -28,8 +28,8 @@ objectClass: groupofnames
objectClass: top
cn: update dns entries
description: Update DNS entries
member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
@@ -38,18 +38,18 @@ aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS ent
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: dnsadmin
cn: DNS Administrators
description: DNS Administrators
dn: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: dnsserver
cn: DNS Servers
description: DNS Servers


@@ -3,19 +3,19 @@
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "permission:addreplica";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:modifyreplica"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:removereplica";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)


@@ -33,9 +33,8 @@ A permission may not be members of other permissions.
A permission is made up of a number of different parts:
1. The name of the permission.
2. The description of the permission.
3. The target of the permission.
4. The permissions granted by the permission.
2. The target of the permission.
3. The permissions granted by the permission.
The permissions define what operations are allowed and are one or more of:
1. write - write one or more attributes
@@ -44,24 +43,29 @@ The permissions define what operations are allowed and are one or more of:
4. delete - delete an existing entry
5. all - all permissions are granted
Read permission is granted for most attributes by default so the read
permission is not expected to be used very often.
Note the distinction between attributes and entries. The permissions are
independent, so being able to add a user does not mean that the user will
be editabe.
There are a number of allowed targets:
1. type: a type of object (user, group, etc).
2. memberof: a memberof a group or hostgroup
2. memberof: a member of a group or hostgroup
3. filter: an LDAP filter
4. subtree: an LDAP filter specifying part of the LDAP DIT
5. targetgroup
4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a
super-set of the type option.
5. targetgroup: grant access to modify a specific group (such as granting
the rights to manage group membership)
EXAMPLES:
Add a permission that grants the creation of users:
ipa permission-add --desc="Add a User" --type=user --permissions=add adduser
ipa permission-add --type=user --permissions=add "Add Users"
Add a permission that grants the ability to manage group membership:
ipa permission-add --desc='Manage group members' --attrs=member --permissions=write --type=group manage_group_members
ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
"""
import copy
@@ -80,7 +84,7 @@ class permission(LDAPObject):
object_name = 'permission'
object_name_plural = 'permissions'
object_class = ['groupofnames']
default_attributes = ['cn', 'description', 'member', 'memberof',
default_attributes = ['cn', 'member', 'memberof',
'memberindirect',
]
aci_attributes = ['group', 'permissions', 'attrs', 'type',
@@ -88,7 +92,6 @@ class permission(LDAPObject):
]
attribute_members = {
'member': ['privilege'],
# 'memberindirect': ['user', 'group', 'role'],
}
rdnattr='cn'
@@ -101,11 +104,6 @@ class permission(LDAPObject):
primary_key=True,
normalizer=lambda value: value.lower(),
),
Str('description',
cli_name='desc',
label=_('Description'),
doc=_('Permission description'),
),
List('permissions',
cli_name='permissions',
label=_('Permissions'),
@@ -165,7 +163,6 @@ class permission_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# Test the ACI before going any further
opts = copy.copy(options)
del opts['description']
opts['test'] = True
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
@@ -177,7 +174,7 @@ class permission_add(LDAPCreate):
# Clear the aci attributes out of the permission entry
for o in options:
try:
if o not in ['description', 'objectclass']:
if o not in ['objectclass']:
del entry_attrs[o]
except:
pass
@@ -186,7 +183,6 @@ class permission_add(LDAPCreate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
# Now actually add the aci.
opts = copy.copy(options)
del opts['description']
opts['test'] = False
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
@@ -263,7 +259,7 @@ class permission_mod(LDAPUpdate):
pass # permission may be renamed, continue
opts = copy.copy(options)
for o in ['all', 'raw', 'rights', 'description', 'rename']:
for o in ['all', 'raw', 'rights', 'rename']:
if o in opts:
del opts[o]
setattr(context, 'aciupdate', False)
@@ -389,7 +385,7 @@ class permission_show(LDAPRetrieve):
if attr in aci:
entry_attrs[attr] = aci[attr]
except errors.NotFound:
self.debug('ACI not found for %s' % entry_attrs['description'][0])
self.debug('ACI not found for %s' % entry_attrs['cn'][0])
return dn
api.register(permission_show)
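Review bot: The new docstring examples (`"Add Users"`, `"Manage Group Members"`) and the LDIF-provisioned permissions now use mixed-case names, but the `cn` parameter still carries `normalizer=lambda value: value.lower()` (context in the hunk that drops the `description` option), so the name reaches the callbacks as `keys[-1]` already lowercased and is handed to the aci plugin as `opts['permission']`, i.e. an ACI label of `permission:add users`, while the installed ACIs are labelled `acl "permission:Add Users"`. If the aci plugin matches ACI names case-sensitively (not visible here), `permission-show 'Add Users'` will miss the built-in ACI and land in the `NotFound` branch of `permission_show.post_callback`, hiding the effective rights of every default permission and leaving `permission-mod` unable to update them; either drop the normalizer so the CLI name and the ACI label agree byte-for-byte, or lowercase consistently in the LDIF names and the aci lookup, and add a test that shows a LDIF-defined permission. In the same `permission_add.pre_callback` hunk the `for o in options:` loop's bare `except: pass` swallows everything, not just the `KeyError` it is there for; `except KeyError: pass` would be the narrower form. While the help text is being reworked, the context line `be editabe.` still has the typo. The `permission` class and `permission_show.post_callback` begin outside these hunks.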


@@ -68,7 +68,7 @@ class test_permission(Declarative):
dict(
desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(description=u'Foo')),
command=('permission_mod', [permission1], dict(permissions=u'all')),
expected=errors.NotFound(reason='no such entry'),
),
@@ -96,7 +96,6 @@ class test_permission(Declarative):
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
description=u'Test desc 1',
type=u'user',
permissions=u'write',
)
@@ -107,7 +106,6 @@ class test_permission(Declarative):
result=dict(
dn=permission1_dn,
cn=[permission1],
description=[u'Test desc 1'],
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'write'],
@@ -120,7 +118,6 @@ class test_permission(Declarative):
desc='Try to create duplicate %r' % permission1,
command=(
'permission_add', [permission1], dict(
description=u'Test desc 1',
type=u'user',
permissions=u'write',
),
@@ -178,7 +175,6 @@ class test_permission(Declarative):
result={
'dn': permission1_dn,
'cn': [permission1],
'description': [u'Test desc 1'],
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'write'],
@@ -198,7 +194,6 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
'description': [u'Test desc 1'],
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'write'],
@@ -219,7 +214,6 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
'description': [u'Test desc 1'],
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'write'],
@@ -233,7 +227,6 @@ class test_permission(Declarative):
desc='Create %r' % permission2,
command=(
'permission_add', [permission2], dict(
description=u'Test desc 2',
type=u'user',
permissions=u'write',
)
@@ -244,7 +237,6 @@ class test_permission(Declarative):
result=dict(
dn=permission2_dn,
cn=[permission2],
description=[u'Test desc 2'],
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'write'],
@@ -264,7 +256,6 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
'description': [u'Test desc 1'],
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'write'],
@@ -272,7 +263,6 @@ class test_permission(Declarative):
{
'dn': permission2_dn,
'cn': [permission2],
'description': [u'Test desc 2'],
'type': u'user',
'permissions': [u'write'],
},
@@ -303,7 +293,7 @@ class test_permission(Declarative):
dict(
desc='Update %r' % permission1,
command=(
'permission_mod', [permission1], dict(description=u'New desc 1')
'permission_mod', [permission1], dict(permissions=u'read')
),
expected=dict(
value=permission1,
@@ -311,10 +301,9 @@ class test_permission(Declarative):
result=dict(
dn=permission1_dn,
cn=[permission1],
description=[u'New desc 1'],
member_privilege=[privilege1],
type=u'user',
permissions=[u'write'],
permissions=[u'read'],
),
),
),
@@ -329,10 +318,9 @@ class test_permission(Declarative):
result={
'dn': permission1_dn,
'cn': [permission1],
'description': [u'New desc 1'],
'member_privilege': [privilege1],
'type': u'user',
'permissions': [u'write'],
'permissions': [u'read'],
},
),
),


@@ -89,7 +89,6 @@ class test_privilege(Declarative):
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
description=u'Test desc 1',
type=u'user',
permissions=u'add, delete',
)
@@ -100,7 +99,6 @@ class test_privilege(Declarative):
result=dict(
dn=permission1_dn,
cn=[permission1],
description=[u'Test desc 1'],
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'add', u'delete'],
@@ -207,7 +205,6 @@ class test_privilege(Declarative):
desc='Create %r' % permission2,
command=(
'permission_add', [permission2], dict(
description=u'Test desc 2',
type=u'user',
permissions=u'write',
)
@@ -218,7 +215,6 @@ class test_privilege(Declarative):
result=dict(
dn=permission2_dn,
cn=[permission2],
description=[u'Test desc 2'],
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'write'],