Add several managed read permissions under cn=etc

This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Petr Viktorin 2014-03-26 17:11:23 +01:00 committed by Martin Kosek
parent af3a4adc46
commit d893b77fb6
2 changed files with 84 additions and 2 deletions


@ -461,3 +461,10 @@ default:objectClass: groupofnames
default:objectClass: top default:objectClass: top
default:cn: Automember Readers default:cn: Automember Readers
default:description: Read Automember definitions default:description: Read Automember definitions
dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: IPA Masters Readers
default:description: Read list of IPA masters


@ -68,7 +68,7 @@ The template dictionary can have the following keys:
No other keys are allowed in the template No other keys are allowed in the template
""" """
from ipalib import errors from ipalib import api, errors
from ipapython.dn import DN from ipapython.dn import DN
from ipalib.plugable import Registry from ipalib.plugable import Registry
from ipalib.plugins import aci from ipalib.plugins import aci
@ -80,7 +80,82 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
register = Registry() register = Registry()
NONOBJECT_PERMISSIONS = {} NONOBJECT_PERMISSIONS = {
'System: Read IPA Masters': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=nscontainer)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'ipaconfigstring',
},
'default_privileges': {'IPA Masters Readers'},
},
'System: Read DNA Configuration': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=dnasharedconfig)'},
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'dnaHostname', 'dnaPortNum',
'dnaSecurePortNum', 'dnaRemoteBindMethod', 'dnaRemoteConnProtocol',
'dnaRemainingValues',
},
},
'System: Read CA Renewal Information': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=pkiuser)'},
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'usercertificate',
},
},
'System: Read CA Certificate': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=pkica)'},
'ipapermbindruletype': 'anonymous',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'cacertificate', 'certificaterevocationlist',
'authorityrevocationlist', 'crosscertificatepair',
},
},
'System: Read Replication Information': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=replication,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=nsds5replica)'},
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'nsds5replicaroot', 'nsds5replicaid',
'nsds5replicacleanruv', 'nsds5replicaabortcleanruv',
'nsds5replicatype', 'nsds5replicabinddn', 'nsstate',
'nsds5replicaname', 'nsds5flags', 'nsds5task',
'nsds5replicareferral', 'nsds5replicaautoreferral',
'nsds5replicapurgedelay', 'nsds5replicatombstonepurgeinterval',
'nsds5replicachangecount', 'nsds5replicalegacyconsumer',
'nsds5replicaprotocoltimeout', 'nsds5replicabackoffmin',
'nsds5replicabackoffmax',
},
},
'System: Read AD Domains': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=etc', api.env.basedn),
'ipapermtarget': DN('cn=ad,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipantdomainattrs)'},
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'ipantsecurityidentifier', 'ipantflatname',
'ipantdomainguid', 'ipantfallbackprimarygroup',
},
},
}
@register() @register()
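Review bot: The 'System: Read AD Domains' entry is the only permission in NONOBJECT_PERMISSIONS whose `ipapermlocation` (cn=etc) is wider than its `ipapermtarget` (cn=ad,cn=etc), while the other five entries point the location at the container itself, and nothing in the hunk explains the difference; a one-line comment on that entry would spare the next reader a guess, e.g. `# location is the parent of the target -- TODO confirm why cn=ad,cn=etc is not the ipapermlocation itself`. The attribute names inside `ipapermdefaultattr` are also written inconsistently (camel-case `dnaHostname`, `dnaPortNum` in the DNA entry, all-lowercase in every other entry); LDAP attribute types are case-insensitive, but if the updater or the permission plugin ever compares these sets textually the two spellings would count as distinct, so normalizing them to one case is cheap insurance. Separately, `api.env.basedn` is read at import time while these DNs are built, so this module can only be imported once the API has been bootstrapped; if that is already guaranteed for install plugins, a short comment above NONOBJECT_PERMISSIONS stating the assumption is enough. The module continues past the end of the hunk.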