freeipa/install/updates/50-dogtag10-migration.update
Martin Kosek b3c2197b7e Update Dogtag 9 database during replica installation
When a Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and misses several ACLs,
which prevents some of the PKI functions, e.g. the ability to create
other clones.

Add an update file to do the database update. Content is based on a
recommendation from the PKI team:
   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

This update file can be removed when Dogtag database upgrades are done
in PKI component. Upstream tickets:
   * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
   * https://fedorahosted.org/pki/ticket/906 (checking database version)

Also make sure that the PKI service is restarted at the end of the installation,
as the other services are, to make sure it picks up changes done during LDAP
updates.

https://fedorahosted.org/freeipa/ticket/4243

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-14 14:26:38 +01:00


# PKI/Dogtag does not automatically upgrade its database. When a Dogtag 10
# based replica is being installed from a Dogtag 9 based replica,
# the database will miss ACLs added in Dogtag 10, resulting in limited
# functionality.
#
# This update file can be removed when Dogtag database upgrades are done
# in PKI component. Upstream tickets:
# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
# * https://fedorahosted.org/pki/ticket/906 (checking database version)
dn: cn=aclResources,o=ipaca
addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
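The following is an added example, not code from this commit, FreeIPA or Dogtag. It simulates the `addifexist` and `replace` directives of the update file on an in-memory copy of the `resourceACLS` values (the directive semantics are an assumption modelled on how ipa-ldap-updater behaves, not its code), parses Dogtag's `resource:rights:expressions:description` ACL syntax, and diffs who may perform each right before and after the update. That makes the security effect of the two `replace` lines explicit: the set of groups allowed to modify domain.xml and the CA connector information grows, while read access is unchanged. The baseline values are constructed from the old-value side of the `replace` lines, and the ACL parser assumes predicates are `||` disjunctions of `user=`/`group=` terms, which is all this file uses.

```python
"""Added example (not FreeIPA/Dogtag code): simulate what the update file does
to Dogtag resourceACLS values and diff the resulting grants."""
import re

# Constructed stand-in for the Dogtag 9 resourceACLS values that the two
# 'replace' lines rewrite (copied from their old-value side).  A real entry
# holds many more values; they are untouched by addifexist/replace.
DOGTAG9_ACLS = [
    'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml',
    'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information',
]

# Excerpt of the update file (two addifexist lines and both replace lines).
UPDATE_FILE = """# excerpt of 50-dogtag10-migration.update
dn: cn=aclResources,o=ipaca
addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
"""


def parse_update_line(line):
    """Split an 'op:attr:value' directive and strip the single quotes the file
    puts around values (assumption: values contain no other stray quotes)."""
    op, attr, value = line.split(":", 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
        value = value[1:-1]
    return op.strip(), attr.strip(), value


def apply_update(values, text):
    """Apply addifexist/replace directives to a list of attribute values.
    Semantics are an assumption modelled on ipa-ldap-updater: addifexist adds a
    value only if absent; replace swaps old::new only when old is present."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("dn:"):
            continue
        op, attr, value = parse_update_line(line)
        if attr != "resourceACLS":
            raise ValueError("unexpected attribute %r" % attr)
        if op == "addifexist":
            if value not in values:
                values.append(value)
        elif op == "replace":
            old, new = value.split("::", 1)
            if old in values:
                values[values.index(old)] = new
        else:
            raise ValueError("unsupported directive %r" % op)
    return values


ACL_EXPR = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$')
PRINCIPAL = re.compile(r'(user|group)="([^"]*)"')


def parse_acl(value):
    """Parse 'resource:rights:expr;expr:description'.  Each expr is
    'allow|deny (right,...) predicate'; predicates are taken as '||'
    disjunctions of user=/group= terms (assumption; '&&' is not handled)."""
    resource, rights, exprs, description = value.split(":", 3)
    grants = {}  # right -> {"allow": set of (kind, name), "deny": ...}
    for expr in exprs.split(";"):
        m = ACL_EXPR.match(expr)
        if not m:
            raise ValueError("unparsable ACL expression: %r" % expr)
        verb, acl_rights, predicate = m.groups()
        principals = set(PRINCIPAL.findall(predicate))
        for right in acl_rights.split(","):
            entry = grants.setdefault(right.strip(), {"allow": set(), "deny": set()})
            entry[verb] |= principals
    return resource, [r.strip() for r in rights.split(",")], grants, description


def who_may(values, resource, right):
    """Principals granted `right` on `resource` (allow minus deny)."""
    for value in values:
        res, _, grants, _ = parse_acl(value)
        if res == resource and right in grants:
            return grants[right]["allow"] - grants[right]["deny"]
    return set()


def acl_diff(before, after, resource, right):
    """(gained, lost) principals for `right` on `resource` between two states."""
    b, a = who_may(before, resource, right), who_may(after, resource, right)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    before = list(DOGTAG9_ACLS)
    after = apply_update(list(DOGTAG9_ACLS), UPDATE_FILE)
    for res in ("certServer.securitydomain.domainxml", "certServer.ca.connectorInfo"):
        for right in ("read", "modify"):
            print(res, right, acl_diff(before, after, res, right))
```

To check a live CA rather than the constructed baseline, the `resourceACLS` values of `cn=aclResources,o=ipaca` can be pulled with `ldapsearch` before and after running the updater and fed to `acl_diff`; a second pass of `apply_update` over already-updated values is a no-op, which is the idempotence the updater relies on when the file is re-applied on upgrade.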