Add group membership management

A group membership manager is a user or a group that can add members to a group or remove members from a group or host group. Fixes: https://pagure.io/freeipa/issue/8114 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-11-06 06:58:42 +01:00
parent 87c24ebd34
commit f0a1f084b6
17 changed files with 421 additions and 20 deletions
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -132,6 +132,14 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)

+# Allow member managers to modify members of user groups
+dn: cn=groups,cn=accounts,$SUFFIX
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
+
+# Allow member managers to modify members of host groups
+dn: cn=hostgroups,cn=accounts,$SUFFIX
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
+
 # Hosts can add and delete their own services
 dn: cn=services,cn=accounts,$SUFFIX
 remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -380,3 +380,11 @@ default: objectClass: top
 default: objectClass: nsIndex
 default: nsSystemIndex: false
 default: nsIndexType: eq
+
+dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default: cn: memberManager
+default: objectClass: top
+default: objectClass: nsIndex
+default: nsSystemIndex: false
+default: nsIndexType: eq
+default: nsIndexType: pres
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -20,3 +20,4 @@ add: referint-membership-attr: ipaallowedtarget
 add: referint-membership-attr: ipamemberca
 add: referint-membership-attr: ipamembercertprofile
 add: referint-membership-attr: ipalocation
+add: referint-membership-attr: membermanager