From d4adbc8052faf18fb31e7b1865037aa107067d4b Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 21 Jul 2010 15:44:49 -0400 Subject: [PATCH] Add container and initial ACIs for entitlement support The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27 --- install/share/bootstrap-template.ldif | 6 +++++ install/updates/40-delegation.update | 37 +++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 0d16d1dfd..f1f36a64d 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -64,6 +64,12 @@ objectClass: nsContainer objectClass: top cn: sysaccounts +dn: cn=entitlements,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: entitlements + dn: cn=ipa,cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index fa8d2af1a..f63534c8d 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -85,6 +85,12 @@ add:objectClass: nestedgroup add:cn: enrollhost add:description: Host Enrollment +dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: entitlementadmin +add:description: Entitlement Administrators + # Add the taskgroups referenced by the ACIs for user administration dn: cn=taskgroups,cn=accounts,$SUFFIX 
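Review bot: The new `cn=entitlements,cn=etc,$SUFFIX` container is added only to bootstrap-template.ldif, and the diffstat shows no matching entry in an install/updates file; if the bootstrap template is applied only at initial install, servers upgraded in place will receive the entitlement ACIs from 40-delegation.update but not the subtree they target, so the feature would silently not work there. Consider adding the same container entry to an update file (e.g. `dn: cn=entitlements,cn=etc,$SUFFIX` / `default:objectClass: nsContainer` / `default:objectClass: top` / `default:cn: entitlements`) so both install paths converge — verify the update-file syntax against the existing container entries in that directory.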
@@ -693,3 +699,34 @@ add: aci: '(targetattr=*)(targetfilter="(|(objectclass= nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement ))")(version 3.0;acl "Delete replication agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' + +# Entitlement management +dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: addentitlements +add:description: Add Entitlements +add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' + +dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: removeentitlements +add:description: Remove Entitlements +add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' + +dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: modifyentitlements +add:description: Modify Entitlements +add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX' + +dn: $SUFFIX +add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)' + +dn: $SUFFIX +add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)' + +dn: $SUFFIX +add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
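Review bot: The three ACIs added at the end of the hunk hard-code `dc=greyoak,dc=com` in both the `target` and `groupdn` clauses, while every other entry in this hunk — including the replication ACI in the context line — uses `$SUFFIX`; on any deployment whose suffix differs, the target subtree and the taskgroup DNs do not exist, so the ACIs are dead text and entitlement admins silently get no rights. Replace every occurrence with `$SUFFIX` in all three lines, e.g. `(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")` and `groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX"`. Separately, the "Add entitlements" ACI carries no `targetattr`, so members of addentitlements may create entries with arbitrary objectClasses and attributes under cn=entitlements, whereas the Modify ACI is scoped to `userCertificate` only; consider restricting the add as well, e.g. `(targetattr = "objectclass || ipauniqueid || userCertificate")`, with the list adjusted to what the ipaObject and pkiUser classes named in the commit message actually require.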