# Delegation update: privileges (cn=privileges), permissions (cn=permissions)
# and the ACIs that back them. "default:" lines set attributes only when the
# entry is first created; "add:"/"remove:" modify existing entries.
# $SUFFIX and $FQDN are substituted before the update is applied (the base DN
# and this server's host name, respectively — as used below).

# IPA configuration
# Privilege (a nestedgroup that collects permissions) for editing the global
# IPA configuration entry.
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Write IPA Configuration
default:description: Write IPA Configuration

# Permission group; the ACI below names this group as its groupdn.
dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Write IPA Configuration
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX

# Write access is limited to the explicitly listed attributes of
# cn=ipaconfig,cn=etc — a new attribute on that entry is not writable through
# this permission until it is added to the targetattr list.
dn: $SUFFIX
add:aci: '(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)'

# Host-Based Access Control
# Privilege only; the permissions it collects are defined elsewhere.
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: HBAC Administrator
default:description: HBAC Administrator

# SUDO
dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Sudo Administrator
default:description: Sudo Administrator

# Password Policy
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Administrator
default:description: Password Policy Administrator

# Grants the admins group the Host Enrollment privilege on every update run
# (idempotent add of a member value).
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'

# The original DNS permissions lacked the tag.
# Removes the legacy DNS ACIs whose acl names carry no "permission:" prefix
# (the prefix used by the ACIs added in this file); the remove matches the
# ACI value verbatim, so a hand-edited legacy ACI would survive this step.
dn: $SUFFIX
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'

# SELinux User Mapping
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: SELinux User Map Administrators
default:description: SELinux User Map Administrators

# CA renewal certificate store. Both ACIs are bound by userdn to this
# server's own host entry (fqdn=$FQDN), not to a group: only that host's
# principal may add entries under cn=ca_renewal or rewrite their
# userCertificate. Each master applying this update adds an ACI for itself.
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'

# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
# to privilege "Host Administrators"
# Note the direction: the privilege is added as a member of the permission,
# so holders of Host Administrators gain both certificate operations.
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'

dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'

# Lets this server's host principal replace the published CA certificate
# (cACertificate on cn=CAcert); scoped to that single attribute.
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'

# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Automember Task Administrator
default:description: Automember Task Administrator

# ipapermissiontype SYSTEM: presumably marks this permission as IPA-managed
# rather than user-editable — confirm against the permission plugin.
dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Automember Rebuild Membership Task
default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM

# Placed on cn=config (the server config tree, outside $SUFFIX) because the
# task container lives there. targetattr=* is needed so the whole task entry
# can be created; the right is add-only and limited to the rebuild task
# subtree.
dn: cn=config
add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'

# Virtual operations
# Marker containers for CA operations that have no LDAP entry of their own;
# access is delegated via ACIs on these containers (see the SubjectAltName
# ACI below for the pattern). ACIs for the other containers are not in this
# file.
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: retrieve certificate

dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate

dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate different host

dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate status

dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: revoke certificate

dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate remove hold

dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate with subjectaltname

# Granted by default to the Certificate Administrators privilege.
dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Request Certificate with SubjectAltName
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

# Write access to "objectclass" on the virtual-operation container is the
# access check for the operation itself; nothing on the container is
# actually modified.
dn: $SUFFIX
add:aci:'(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)'

# Read privileges
# Read-only privileges; the permissions/ACIs they carry are defined elsewhere.
dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: RBAC Readers
default:description: Read roles, privileges, permissions and ACIs

dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Readers
default:description: Read password policies

dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Kerberos Ticket Policy Readers
default:description: Read global and per-user Kerberos ticket policy

dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Automember Readers
default:description: Read Automember definitions

dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: IPA Masters Readers
default:description: Read list of IPA masters