IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
0708f603e2
freeipa/install/updates/30-provisioning.update
Florence Blanc-Renaud d647072642
ACI: grant access to admins group instead of admin user 
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

This commit also adds integration test for non-regression.

https://pagure.io/freeipa/issue/7342

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 15:51:44 +01:00

52 lines
2.6 KiB
Plaintext
Raw Blame History

# bootstrap the user life cycle DIT structure.
dn: cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: provisioning
dn: cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: accounts
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: staged users
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: deleted users
# This is used for the admin to know if credential are set for stage users
# We can do a query on a DN to see if an attribute exists or retrieve the value
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
remove:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# This is used for the admin to reset the delete users credential
# No one is allowed to add entry in Delete container
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
remove:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
default: objectClass: top
default: objectClass: cosSuperDefinition
default: objectClass: cosPointerDefinition
default: objectClass: ldapSubEntry
default: costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
default: cosAttribute: nsaccountlock operational
default: cn: provisioning accounts lock
dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
default: objectClass: top
default: objectClass: extensibleObject
default: objectClass: cosTemplate
default: cosPriority: 1
default: cn: Inactivation cos template
default: nsAccountLock: true
Reference in New Issue View Git Blame Copy Permalink