IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Move permissions and privileges to their own container, cn=pbac,$SUFFIX

Browse Source 
ticket 638
This commit is contained in:
Rob Crittenden 2010-12-22 11:11:29 -05:00
parent 07e55f44b2
commit d84ffd9e54
9 changed files with 241 additions and 234 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

317
install/share/delegation.ldif
View File

@ -7,13 +7,20 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: roles cn: roles
dn: cn=privileges,cn=accounts,$SUFFIX # Permissions-based Access Control
dn: cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: pbac
dn: cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: privileges cn: privileges
dn: cn=permissions,cn=accounts,$SUFFIX dn: cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: nsContainer objectClass: nsContainer
@ -33,7 +40,7 @@ description: Helpdesk
############################################ ############################################
# Add the default privileges # Add the default privileges
############################################ ############################################
dn: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -41,7 +48,7 @@ objectClass: nestedgroup
cn: useradmin cn: useradmin
description: User Administrators description: User Administrators
dn: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -49,7 +56,7 @@ objectClass: nestedgroup
cn: groupadmin cn: groupadmin
description: Group Administrators description: Group Administrators
dn: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -57,7 +64,7 @@ objectClass: nestedgroup
cn: hostadmin cn: hostadmin
description: Host Administrators description: Host Administrators
dn: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -65,7 +72,7 @@ objectClass: nestedgroup
cn: hostgroupadmin cn: hostgroupadmin
description: Host Group Administrators description: Host Group Administrators
dn: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -73,7 +80,7 @@ objectClass: nestedgroup
cn: delegationadmin cn: delegationadmin
description: Role administration description: Role administration
dn: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -81,7 +88,7 @@ objectClass: nestedgroup
cn: serviceadmin cn: serviceadmin
description: Service Administrators description: Service Administrators
dn: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -89,7 +96,7 @@ objectClass: nestedgroup
cn: automountadmin cn: automountadmin
description: Automount Administrators description: Automount Administrators
dn: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -97,7 +104,7 @@ objectClass: nestedgroup
cn: netgroupadmin cn: netgroupadmin
description: Netgroups Administrators description: Netgroups Administrators
dn: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -105,7 +112,7 @@ objectClass: nestedgroup
cn: certadmin cn: certadmin
description: Certificate Administrators description: Certificate Administrators
dn: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -114,7 +121,7 @@ cn: replicaadmin
description: Replication Administrators description: Replication Administrators
member: cn=admins,cn=groups,cn=accounts,$SUFFIX member: cn=admins,cn=groups,cn=accounts,$SUFFIX
dn: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -122,7 +129,7 @@ objectClass: nestedgroup
cn: enrollhost cn: enrollhost
description: Host Enrollment description: Host Enrollment
dn: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -136,360 +143,360 @@ description: Entitlement Administrators
# User administration # User administration
dn: cn=addusers,cn=permissions,cn=accounts,$SUFFIX dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addusers cn: addusers
description: Add Users description: Add Users
member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=change_password,cn=permissions,cn=accounts,$SUFFIX dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: change_password cn: change_password
description: Change a user password description: Change a user password
member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: add_user_to_default_group cn: add_user_to_default_group
description: Add user to default group description: Add user to default group
member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeusers,cn=permissions,cn=accounts,$SUFFIX dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removeusers cn: removeusers
description: Remove Users description: Remove Users
member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyusers cn: modifyusers
description: Modify Users description: Modify Users
member: cn=useradmin,cn=privileges,cn=accounts,$SUFFIX member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
# Group administration # Group administration
dn: cn=addgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addgroups cn: addgroups
description: Add Groups description: Add Groups
member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removegroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removegroups cn: removegroups
description: Remove Groups description: Remove Groups
member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifygroups cn: modifygroups
description: Modify Groups description: Modify Groups
member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifygroupmembership cn: modifygroupmembership
description: Modify Group membership description: Modify Group membership
member: cn=groupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
# Host administration # Host administration
dn: cn=addhosts,cn=permissions,cn=accounts,$SUFFIX dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addhosts cn: addhosts
description: Add Hosts description: Add Hosts
member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removehosts,cn=permissions,cn=accounts,$SUFFIX dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removehosts cn: removehosts
description: Remove Hosts description: Remove Hosts
member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyhosts cn: modifyhosts
description: Modify Hosts description: Modify Hosts
member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
# Hostgroup administration # Hostgroup administration
dn: cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addhostgroups cn: addhostgroups
description: Add Hostgroups description: Add Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removehostgroups cn: removehostgroups
description: Remove Hostgroups description: Remove Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyhostgroups cn: modifyhostgroups
description: Modify Hostgroups description: Modify Hostgroups
member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyhostgroupmembership cn: modifyhostgroupmembership
description: Modify Hostgroup membership description: Modify Hostgroup membership
member: cn=hostgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
# Service administration # Service administration
dn: cn=addservices,cn=permissions,cn=accounts,$SUFFIX dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addservices cn: addservices
description: Add Services description: Add Services
member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeservices,cn=permissions,cn=accounts,$SUFFIX dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removeservices cn: removeservices
description: Remove Services description: Remove Services
member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyservices cn: modifyservices
description: Modify Services description: Modify Services
member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
# Delegation administration # Delegation administration
dn: cn=addroles,cn=permissions,cn=accounts,$SUFFIX dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addroles cn: addroles
description: Add Roles description: Add Roles
member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeroles,cn=permissions,cn=accounts,$SUFFIX dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removeroles cn: removeroles
description: Remove Roles description: Remove Roles
member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyroles cn: modifyroles
description: Modify Roles description: Modify Roles
member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyrolemembership cn: modifyrolemembership
description: Modify Role Group membership description: Modify Role Group membership
member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: nestedgroup objectClass: nestedgroup
cn: modifyprivilegemembership cn: modifyprivilegemembership
description: Modify privilege membership description: Modify privilege membership
member: cn=delegationadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
# Automount administration # Automount administration
dn: cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addautomountmaps cn: addautomountmaps
description: Add Automount maps description: Add Automount maps
member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removeautomountmaps cn: removeautomountmaps
description: Remove Automount maps description: Remove Automount maps
member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addautomountkeys cn: addautomountkeys
description: Add Automount keys description: Add Automount keys
member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removeautomountkeys cn: removeautomountkeys
description: Remove Automount keys description: Remove Automount keys
member: cn=automountadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
# Netgroup administration # Netgroup administration
dn: cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addnetgroups cn: addnetgroups
description: Add netgroups description: Add netgroups
member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removenetgroups cn: removenetgroups
description: Remove netgroups description: Remove netgroups
member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifynetgroups cn: modifynetgroups
description: Modify netgroups description: Modify netgroups
member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifynetgroupmembership cn: modifynetgroupmembership
description: Modify netgroup membership description: Modify netgroup membership
member: cn=netgroupadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
# Keytab access # Keytab access
dn: cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: manage_host_keytab cn: manage_host_keytab
description: Manage host keytab description: Manage host keytab
member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
dn: cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: manage_service_keytab cn: manage_service_keytab
description: Manage service keytab description: Manage service keytab
member: cn=serviceadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=privileges,cn=accounts,$SUFFIX member: cn=admins,cn=privileges,cn=pbac,$SUFFIX
# DNS administration # DNS administration
# The permission and aci for this is in install/updates/dns.ldif # The permission and aci for this is in install/updates/dns.ldif
dn: cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: enroll_host cn: enroll_host
description: Enroll a host description: Enroll a host
member: cn=hostadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=enrollhost,cn=privileges,cn=accounts,$SUFFIX member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
# Replica administration # Replica administration
dn: cn=addreplica,cn=permissions,cn=accounts,$SUFFIX dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addreplica cn: addreplica
description: Add Replication Agreements description: Add Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyreplica cn: modifyreplica
description: Modify Replication Agreements description: Modify Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removereplica,cn=permissions,cn=accounts,$SUFFIX dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removereplica cn: removereplica
description: Remove Replication Agreements description: Remove Replication Agreements
member: cn=replicaadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
# Entitlement management # Entitlement management
dn: cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: addentitlements cn: addentitlements
description: Add Entitlements description: Add Entitlements
member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX dn: cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: removeentitlements cn: removeentitlements
description: Remove Entitlements description: Remove Entitlements
member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
dn: cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX dn: cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: modifyentitlements cn: modifyentitlements
description: Modify Entitlements description: Modify Entitlements
member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
############################################ ############################################
# Default permissions (ACIs) # Default permissions (ACIs)
@ -500,96 +507,96 @@ member: cn=entitlementadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";)
# Group administration # Group administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be # We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";)
# Host administration # Host administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";)
# Hostgroup administration # Hostgroup administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
# Service administration # Service administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";)
# Delegation administration # Delegation administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=accounts,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "Modify privilege membership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";)
# Automount administration # Automount administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add Automount maps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
# Netgroup administration # Netgroup administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
# Host keytab admin # Host keytab admin
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Service keytab admin # Service keytab admin
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Add the ACI needed to do host enrollment. When this occurs we # Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and # set the krbPrincipalName, add krbPrincipalAux to objectClass and
@ -598,24 +605,24 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";)
# Entitlement administration # Entitlement administration
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add Entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove Entitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX";)
# Create virtual operations entry. This is used to control access to # Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly. # operations that don't rely on LDAP directly.
@ -632,18 +639,18 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: retrieve certificate cn: retrieve certificate
dn: cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: retrieve_certs cn: retrieve_certs
description: Retrieve Certificates from the CA description: Retrieve Certificates from the CA
member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate virtual op # Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,$SUFFIX dn: cn=request certificate,cn=virtual operations,$SUFFIX
@ -652,18 +659,18 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: request certificate cn: request certificate
dn: cn=request_certs,cn=permissions,cn=accounts,$SUFFIX dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: request_certs cn: request_certs
description: Request Certificates from the CA description: Request Certificates from the CA
member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate from different host virtual op # Request Certificate from different host virtual op
dn: cn=request certificate different host,cn=virtual operations,$SUFFIX dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
@ -672,18 +679,18 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: request certificate different host cn: request certificate different host
dn: cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: request_cert_different_host cn: request_cert_different_host
description: Request Certificates from a different host description: Request Certificates from a different host
member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Status virtual op # Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,$SUFFIX dn: cn=certificate status,cn=virtual operations,$SUFFIX
@ -692,18 +699,18 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: certificate status cn: certificate status
dn: cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: certificate_status cn: certificate_status
description: Get Certificates status from the CA description: Get Certificates status from the CA
member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";)
# Revoke Certificate virtual op # Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
@ -712,18 +719,18 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: revoke certificate cn: revoke certificate
dn: cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: revoke_certificate cn: revoke_certificate
description: Revoke Certificate description: Revoke Certificate
member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Remove Hold virtual op # Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
@ -732,15 +739,15 @@ objectClass: top
objectClass: nsContainer objectClass: nsContainer
cn: certificate remove hold cn: certificate remove hold
dn: cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
cn: certificate_remove_hold cn: certificate_remove_hold
description: Certificate Remove Hold description: Certificate Remove Hold
member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";)

28
install/share/dns.ldif
View File

@ -4,41 +4,41 @@ objectClass: nsContainer
objectClass: top objectClass: top
cn: dns cn: dns
dn: cn=add dns entries,cn=permissions,cn=accounts,$SUFFIX dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: groupofnames objectClass: groupofnames
objectClass: top objectClass: top
cn: add dns entries cn: add dns entries
description: Add DNS entries description: Add DNS entries
member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
dn: cn=remove dns entries,cn=permissions,cn=accounts,$SUFFIX dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: groupofnames objectClass: groupofnames
objectClass: top objectClass: top
cn: remove dns entries cn: remove dns entries
description: Remove DNS entries description: Remove DNS entries
member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
dn: cn=update dns entries,cn=permissions,cn=accounts,$SUFFIX dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: groupofnames objectClass: groupofnames
objectClass: top objectClass: top
cn: update dns entries cn: update dns entries
description: Update DNS entries description: Update DNS entries
member: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
member: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
add: aci add: aci
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=accounts,$SUFFIX";) aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=dnsadmin,cn=privileges,cn=accounts,$SUFFIX dn: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames
@ -46,7 +46,7 @@ objectClass: nestedgroup
cn: dnsadmin cn: dnsadmin
description: DNS Administrators description: DNS Administrators
dn: cn=dnsserver,cn=privileges,cn=accounts,$SUFFIX dn: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top
objectClass: groupofnames objectClass: groupofnames

8
install/share/replica-acis.ldif
View File

@ -3,19 +3,19 @@
dn: cn="$SUFFIX",cn=mapping tree,cn=config dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Add Replication Agreements";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=tasks,cn=config dn: cn=tasks,cn=config
changetype: modify changetype: modify
add: aci add: aci
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=accounts,$SUFFIX";) aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)

10
install/static/test/data/ipa_init.json
View File

@ -4490,7 +4490,7 @@
] ]
}, },
"bindable": false, "bindable": false,
"container_dn": "cn=permissions,cn=accounts", "container_dn": "cn=permissions,cn=pbac",
"default_attributes": [ "default_attributes": [
"cn", "cn",
"description", "description",
@ -4783,7 +4783,7 @@
] ]
}, },
"bindable": false, "bindable": false,
"container_dn": "cn=privileges,cn=accounts", "container_dn": "cn=privileges,cn=pbac",
"default_attributes": [ "default_attributes": [
"cn", "cn",
"description", "description",
@ -7248,11 +7248,11 @@
"container_host": "cn=computers,cn=accounts", "container_host": "cn=computers,cn=accounts",
"container_hostgroup": "cn=hostgroups,cn=accounts", "container_hostgroup": "cn=hostgroups,cn=accounts",
"container_netgroup": "cn=ng,cn=alt", "container_netgroup": "cn=ng,cn=alt",
"container_permission": "cn=permissions,cn=accounts", "container_permission": "cn=permissions,cn=pbac",
"container_policies": "cn=policies", "container_policies": "cn=policies",
"container_policygroups": "cn=policygroups,cn=configs,cn=policies", "container_policygroups": "cn=policygroups,cn=configs,cn=policies",
"container_policylinks": "cn=policylinks,cn=configs,cn=policies", "container_policylinks": "cn=policylinks,cn=configs,cn=policies",
"container_privilege": "cn=privileges,cn=accounts", "container_privilege": "cn=privileges,cn=pbac",
"container_rolegroup": "cn=roles,cn=accounts", "container_rolegroup": "cn=roles,cn=accounts",
"container_roles": "cn=roles,cn=policies", "container_roles": "cn=roles,cn=policies",
"container_service": "cn=services,cn=accounts", "container_service": "cn=services,cn=accounts",
@ -7300,4 +7300,4 @@
} }
] ]
} }
} }

4
install/static/test/data/permission_add.json
View File

@ -9,7 +9,7 @@
"description": [ "description": [
"description" "description"
], ],
"dn": "cn=testperm,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=testperm,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"objectclass": [ "objectclass": [
"groupofnames", "groupofnames",
"top" "top"
@ -23,4 +23,4 @@
"summary": "Added permission \"testperm\"", "summary": "Added permission \"testperm\"",
"value": "testperm" "value": "testperm"
} }
} }

98
install/static/test/data/permission_find.json
View File

@ -11,7 +11,7 @@
"description": [ "description": [
"Add Users" "Add Users"
], ],
"dn": "cn=addusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"useradmin" "useradmin"
], ],
@ -34,7 +34,7 @@
"description": [ "description": [
"Change a user password" "Change a user password"
], ],
"dn": "cn=change_password,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=change_password,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"useradmin" "useradmin"
], ],
@ -52,7 +52,7 @@
"description": [ "description": [
"Add user to default group" "Add user to default group"
], ],
"dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=add_user_to_default_group,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"useradmin" "useradmin"
], ],
@ -68,7 +68,7 @@
"description": [ "description": [
"Remove Users" "Remove Users"
], ],
"dn": "cn=removeusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removeusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"useradmin" "useradmin"
], ],
@ -116,7 +116,7 @@
"description": [ "description": [
"Modify Users" "Modify Users"
], ],
"dn": "cn=modifyusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyusers,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"useradmin" "useradmin"
], ],
@ -132,7 +132,7 @@
"description": [ "description": [
"Add Groups" "Add Groups"
], ],
"dn": "cn=addgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"groupadmin" "groupadmin"
], ],
@ -148,7 +148,7 @@
"description": [ "description": [
"Remove Groups" "Remove Groups"
], ],
"dn": "cn=removegroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removegroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"groupadmin" "groupadmin"
], ],
@ -172,7 +172,7 @@
"description": [ "description": [
"Modify Groups" "Modify Groups"
], ],
"dn": "cn=modifygroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifygroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"groupadmin" "groupadmin"
], ],
@ -191,7 +191,7 @@
"description": [ "description": [
"Modify Group membership" "Modify Group membership"
], ],
"dn": "cn=modifygroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifygroupmembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"groupadmin" "groupadmin"
], ],
@ -207,7 +207,7 @@
"description": [ "description": [
"Add Hosts" "Add Hosts"
], ],
"dn": "cn=addhosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addhosts,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostadmin" "hostadmin"
], ],
@ -223,7 +223,7 @@
"description": [ "description": [
"Remove Hosts" "Remove Hosts"
], ],
"dn": "cn=removehosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removehosts,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostadmin" "hostadmin"
], ],
@ -246,7 +246,7 @@
"description": [ "description": [
"Modify Hosts" "Modify Hosts"
], ],
"dn": "cn=modifyhosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyhosts,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostadmin" "hostadmin"
], ],
@ -262,7 +262,7 @@
"description": [ "description": [
"Add Hostgroups" "Add Hostgroups"
], ],
"dn": "cn=addhostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addhostgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostgroupadmin" "hostgroupadmin"
], ],
@ -278,7 +278,7 @@
"description": [ "description": [
"Remove Hostgroups" "Remove Hostgroups"
], ],
"dn": "cn=removehostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removehostgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostgroupadmin" "hostgroupadmin"
], ],
@ -298,7 +298,7 @@
"description": [ "description": [
"Modify Hostgroups" "Modify Hostgroups"
], ],
"dn": "cn=modifyhostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyhostgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostgroupadmin" "hostgroupadmin"
], ],
@ -317,7 +317,7 @@
"description": [ "description": [
"Modify Hostgroup membership" "Modify Hostgroup membership"
], ],
"dn": "cn=modifyhostgroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyhostgroupmembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostgroupadmin" "hostgroupadmin"
], ],
@ -333,7 +333,7 @@
"description": [ "description": [
"Add Services" "Add Services"
], ],
"dn": "cn=addservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addservices,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"serviceadmin" "serviceadmin"
], ],
@ -349,7 +349,7 @@
"description": [ "description": [
"Remove Services" "Remove Services"
], ],
"dn": "cn=removeservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removeservices,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"serviceadmin" "serviceadmin"
], ],
@ -368,7 +368,7 @@
"description": [ "description": [
"Modify Services" "Modify Services"
], ],
"dn": "cn=modifyservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyservices,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"serviceadmin" "serviceadmin"
], ],
@ -384,7 +384,7 @@
"description": [ "description": [
"Add Roles" "Add Roles"
], ],
"dn": "cn=addroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addroles,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"delegationadmin" "delegationadmin"
], ],
@ -400,7 +400,7 @@
"description": [ "description": [
"Remove Roles" "Remove Roles"
], ],
"dn": "cn=removeroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removeroles,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"delegationadmin" "delegationadmin"
], ],
@ -420,7 +420,7 @@
"description": [ "description": [
"Modify Roles" "Modify Roles"
], ],
"dn": "cn=modifyroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyroles,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"delegationadmin" "delegationadmin"
], ],
@ -439,7 +439,7 @@
"description": [ "description": [
"Modify Role Group membership" "Modify Role Group membership"
], ],
"dn": "cn=modifyrolemembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyrolemembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"delegationadmin" "delegationadmin"
], ],
@ -458,14 +458,14 @@
"description": [ "description": [
"Modify privilege membership" "Modify privilege membership"
], ],
"dn": "cn=modifyprivilegemembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyprivilegemembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"delegationadmin" "delegationadmin"
], ],
"permissions": [ "permissions": [
"write" "write"
], ],
"subtree": "ldap:///cn=*,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com" "subtree": "ldap:///cn=*,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
}, },
{ {
"cn": [ "cn": [
@ -474,7 +474,7 @@
"description": [ "description": [
"Add Automount maps" "Add Automount maps"
], ],
"dn": "cn=addautomountmaps,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addautomountmaps,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"automountadmin" "automountadmin"
], ],
@ -490,7 +490,7 @@
"description": [ "description": [
"Remove Automount maps" "Remove Automount maps"
], ],
"dn": "cn=removeautomountmaps,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removeautomountmaps,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"automountadmin" "automountadmin"
], ],
@ -506,7 +506,7 @@
"description": [ "description": [
"Add Automount keys" "Add Automount keys"
], ],
"dn": "cn=addautomountkeys,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addautomountkeys,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"automountadmin" "automountadmin"
], ],
@ -522,7 +522,7 @@
"description": [ "description": [
"Remove Automount keys" "Remove Automount keys"
], ],
"dn": "cn=removeautomountkeys,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removeautomountkeys,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"automountadmin" "automountadmin"
], ],
@ -538,7 +538,7 @@
"description": [ "description": [
"Add netgroups" "Add netgroups"
], ],
"dn": "cn=addnetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addnetgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"netgroupadmin" "netgroupadmin"
], ],
@ -554,7 +554,7 @@
"description": [ "description": [
"Remove netgroups" "Remove netgroups"
], ],
"dn": "cn=removenetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removenetgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"netgroupadmin" "netgroupadmin"
], ],
@ -573,7 +573,7 @@
"description": [ "description": [
"Modify netgroups" "Modify netgroups"
], ],
"dn": "cn=modifynetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifynetgroups,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"netgroupadmin" "netgroupadmin"
], ],
@ -595,7 +595,7 @@
"description": [ "description": [
"Modify netgroup membership" "Modify netgroup membership"
], ],
"dn": "cn=modifynetgroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifynetgroupmembership,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"netgroupadmin" "netgroupadmin"
], ],
@ -615,7 +615,7 @@
"description": [ "description": [
"Manage host keytab" "Manage host keytab"
], ],
"dn": "cn=manage_host_keytab,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=manage_host_keytab,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostadmin", "hostadmin",
"enrollhost" "enrollhost"
@ -636,7 +636,7 @@
"description": [ "description": [
"Manage service keytab" "Manage service keytab"
], ],
"dn": "cn=manage_service_keytab,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=manage_service_keytab,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"serviceadmin", "serviceadmin",
"admins" "admins"
@ -657,7 +657,7 @@
"description": [ "description": [
"Enroll a host" "Enroll a host"
], ],
"dn": "cn=enroll_host,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=enroll_host,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"hostadmin", "hostadmin",
"enrollhost" "enrollhost"
@ -674,7 +674,7 @@
"description": [ "description": [
"Manage Replication Agreements" "Manage Replication Agreements"
], ],
"dn": "cn=managereplica,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=managereplica,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"replicaadmin" "replicaadmin"
], ],
@ -690,7 +690,7 @@
"description": [ "description": [
"Delete Replication Agreements" "Delete Replication Agreements"
], ],
"dn": "cn=deletereplica,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=deletereplica,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"replicaadmin" "replicaadmin"
], ],
@ -706,7 +706,7 @@
"description": [ "description": [
"Add Entitlements" "Add Entitlements"
], ],
"dn": "cn=addentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addentitlements,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"entitlementadmin" "entitlementadmin"
], ],
@ -722,7 +722,7 @@
"description": [ "description": [
"Remove Entitlements" "Remove Entitlements"
], ],
"dn": "cn=removeentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=removeentitlements,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"entitlementadmin" "entitlementadmin"
], ],
@ -741,7 +741,7 @@
"description": [ "description": [
"Modify Entitlements" "Modify Entitlements"
], ],
"dn": "cn=modifyentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=modifyentitlements,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"entitlementadmin" "entitlementadmin"
], ],
@ -760,7 +760,7 @@
"description": [ "description": [
"Retrieve Certificates from the CA" "Retrieve Certificates from the CA"
], ],
"dn": "cn=retrieve_certs,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=retrieve_certs,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"certadmin" "certadmin"
], ],
@ -779,7 +779,7 @@
"description": [ "description": [
"Request Certificates from the CA" "Request Certificates from the CA"
], ],
"dn": "cn=request_certs,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=request_certs,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"certadmin" "certadmin"
], ],
@ -798,7 +798,7 @@
"description": [ "description": [
"Request Certificates from a different host" "Request Certificates from a different host"
], ],
"dn": "cn=request_cert_different_host,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=request_cert_different_host,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"certadmin" "certadmin"
], ],
@ -817,7 +817,7 @@
"description": [ "description": [
"Get Certificates status from the CA" "Get Certificates status from the CA"
], ],
"dn": "cn=certificate_status,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=certificate_status,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"certadmin" "certadmin"
], ],
@ -836,7 +836,7 @@
"description": [ "description": [
"Revoke Certificate" "Revoke Certificate"
], ],
"dn": "cn=revoke_certificate,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=revoke_certificate,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"certadmin" "certadmin"
], ],
@ -855,7 +855,7 @@
"description": [ "description": [
"Certificate Remove Hold" "Certificate Remove Hold"
], ],
"dn": "cn=certificate_remove_hold,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=certificate_remove_hold,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"certadmin" "certadmin"
], ],
@ -871,7 +871,7 @@
"description": [ "description": [
"DNS Servers Updates" "DNS Servers Updates"
], ],
"dn": "cn=update_dns,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=update_dns,cn=permissions,cn=pbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member_privilege": [ "member_privilege": [
"dnsadmin", "dnsadmin",
"dnsserver" "dnsserver"
@ -884,4 +884,4 @@
"summary": "47 permissions matched", "summary": "47 permissions matched",
"truncated": false "truncated": false
} }
} }

4
install/static/test/data/permission_show.json
View File

@ -22,7 +22,7 @@
"description": [ "description": [
"Add Users" "Add Users"
], ],
"dn": "cn=addusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "dn": "cn=addusers,cn=permissions,cn=hbac,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"member": [ "member": [
"cn=useradmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com" "cn=useradmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
], ],
@ -38,4 +38,4 @@
"summary": null, "summary": null,
"value": "addusers" "value": "addusers"
} }
} }

4
ipalib/constants.py
View File

@ -85,8 +85,8 @@ DEFAULT_CONFIG = (
('container_host', 'cn=computers,cn=accounts'), ('container_host', 'cn=computers,cn=accounts'),
('container_hostgroup', 'cn=hostgroups,cn=accounts'), ('container_hostgroup', 'cn=hostgroups,cn=accounts'),
('container_rolegroup', 'cn=roles,cn=accounts'), ('container_rolegroup', 'cn=roles,cn=accounts'),
('container_permission', 'cn=permissions,cn=accounts'), ('container_permission', 'cn=permissions,cn=pbac'),
('container_privilege', 'cn=privileges,cn=accounts'), ('container_privilege', 'cn=privileges,cn=pbac'),
('container_automount', 'cn=automount'), ('container_automount', 'cn=automount'),
('container_policies', 'cn=policies'), ('container_policies', 'cn=policies'),
('container_configs', 'cn=configs,cn=policies'), ('container_configs', 'cn=configs,cn=policies'),

2
ipaserver/install/bindinstance.py
View File

@ -368,7 +368,7 @@ class BindInstance(service.Service):
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn) logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e raise e
dns_group = "cn=dnsserver,cn=privileges,cn=accounts,%s" % self.suffix dns_group = "cn=dnsserver,cn=privileges,cn=pbac,%s" % self.suffix
if isinstance(dns_principal, unicode): if isinstance(dns_principal, unicode):
dns_principal = dns_principal.encode('utf-8') dns_principal = dns_principal.encode('utf-8')
mod = [(ldap.MOD_ADD, 'member', dns_principal)] mod = [(ldap.MOD_ADD, 'member', dns_principal)]