mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
1389567ec5
- Allow cn=etc,$SUFFIX with these exceptions: - cn=masters,cn=ipa,cn=etc,$SUFFIX - virtual operations - cn=replicas,cn=ipa,cn=etc,$SUFFIX - Disallow anonymous read access to Kerberos password policy Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
34 lines
2.3 KiB
Plaintext
34 lines
2.3 KiB
Plaintext
# Don't allow managed netgroups to be modified
|
|
dn: cn=ng,cn=alt,$SUFFIX
|
|
add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
|
|
|
|
# This is used for the host/service one-time passwordn and keytab indirectors.
|
|
# We can do a query on a DN to see if an attribute exists.
|
|
dn: cn=accounts,$SUFFIX
|
|
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
|
|
|
|
# SSH public keys
|
|
dn: $SUFFIX
|
|
add:aci:'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)'
|
|
|
|
dn: cn=computers,cn=accounts,$SUFFIX
|
|
add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)'
|
|
|
|
dn: cn=computers,cn=accounts,$SUFFIX
|
|
add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
|
|
|
|
# Read access to $SUFFIX itself
|
|
dn: $SUFFIX
|
|
add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)'
|
|
|
|
# Read access to containers
|
|
dn: $SUFFIX
|
|
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
|
|
|
|
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
|
|
add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
|
|
|
|
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
|
|
dn: cn=kerberos,$SUFFIX
|
|
add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)'
|