The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416
# Add the default roles
|
|
|
|
dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: helpdesk
|
|
add:description: Helpdesk
|
|
|
|
dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: useradmin
|
|
add:description: User Administrators
|
|
|
|
dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: groupadmin
|
|
add:description: Group Administrators
|
|
|
|
dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: hostadmin
|
|
add:description: Host Administrators
|
|
|
|
dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: hostgroupadmin
|
|
add:description: Host Group Administrators
|
|
|
|
dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: delegationadmin
|
|
add:description: Role administration
|
|
|
|
dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: serviceadmin
|
|
add:description: Service Administrators
|
|
|
|
dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: automountadmin
|
|
add:description: Automount Administrators
|
|
|
|
dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: netgroupadmin
|
|
add:description: Netgroups Administrators
|
|
|
|
dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: dnsadmin
|
|
add:description: DNS Administrators
|
|
|
|
dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: dnsserver
|
|
add:description: DNS Servers
|
|
|
|
dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: certadmin
|
|
add:description: Certificate Administrators
|
|
|
|
dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: replicaadmin
|
|
add:description: Replication Administrators
|
|
add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: enrollhost
|
|
add:description: Host Enrollment
|
|
|
|
dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: entitlementadmin
|
|
add:description: Entitlement Administrators
|
|
|
|
# Add the taskgroups referenced by the ACIs for user administration
|
|
|
|
dn: cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: nsContainer
|
|
add:objectClass: top
|
|
add:cn: taskgroups
|
|
|
|
dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addusers
|
|
add:description: Add Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: change_password
|
|
add:description: Change a user password
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: add_user_to_default_group
|
|
add:description: Add user to default group
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeusers
|
|
add:description: Remove Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyusers
|
|
add:description: Modify Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for user administration.
# Note that "Modify Users" also allows writing objectclass, so the modifyusers
# taskgroup can change which object classes a user entry carries.
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
|
|
aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
|
|
te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
|
|
";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
|
|
te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
|
|
askgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials
|
|
|| loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
|
|
umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
|
|
manager || secretary || description || carLicense || labeledURI || inetUserHT
|
|
TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry
|
|
|| objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Modify Users";allow (write) groupdn =
|
|
"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for group administration
|
|
|
|
dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addgroups
|
|
add:description: Add Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removegroups
|
|
add:description: Remove Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifygroups
|
|
add:description: Modify Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifygroupmembership
|
|
add:description: Modify Group membership
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for group administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t
|
|
askgroups,cn=accounts,$SUFFIX";)'
|
|
# we need objectclass and gidnumber in modify so a non-posix group can be
|
|
# promoted
|
|
add:aci: '(targetattr = "cn || description || gidnumber || objectclass ||
|
|
mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Modify Groups";allow (write) groupdn =
|
|
"ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for host administration
|
|
|
|
dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addhosts
|
|
add:description: Add Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removehosts
|
|
add:description: Remove Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyhosts
|
|
add:description: Modify Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for host administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "description || l || nshostlocation ||
|
|
nshardwareplatform || nsosversion")
|
|
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
|
|
acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for hostgroup administration
|
|
|
|
dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addhostgroups
|
|
add:description: Add Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removehostgroups
|
|
add:description: Remove Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyhostgroups
|
|
add:description: Modify Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyhostgroupmembership
|
|
add:description: Modify Host Group membership
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for hostgroup administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=
|
|
removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=
|
|
hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow
|
|
(write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for service administration
|
|
|
|
dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addservices
|
|
add:description: Add Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeservices
|
|
add:description: Remove Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyservices
|
|
add:description: Modify Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for service administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
|
|
$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn
|
|
=addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
|
|
$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
|
|
:///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal
|
|
name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services"
|
|
;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco
|
|
unts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for delegation administration
|
|
# This just lets one manage taskgroup membership and create and delete roles
|
|
|
|
dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addroles
|
|
add:description: Add Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeroles
|
|
add:description: Remove Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyroles
|
|
add:description: Modify Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyrolegroupmembership
|
|
add:description: Modify Role Group membership
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifytaskgroupmembership
|
|
add:description: Modify Task Group membership
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for delegation administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
|
|
ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou
|
|
pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for automount administration
|
|
|
|
dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addautomount
|
|
add:description: Add Automount maps/keys
|
|
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeautomount
|
|
add:description: Remove Automount maps/keys
|
|
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for automount administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap
|
|
:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn =
|
|
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap
|
|
:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn =
|
|
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for netgroup administration
|
|
|
|
dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addnetgroups
|
|
add:description: Add netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removenetgroups
|
|
add:description: Remove netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifynetgroups
|
|
add:description: Modify netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifynetgroupmembership
|
|
add:description: Modify netgroup membership
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for netgroup administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
|
|
3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
|
|
3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=
|
|
removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
|
|
cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn
|
|
= "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")
|
|
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
|
|
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
|
|
pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for retrieving host keytabs
|
|
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: manage_host_keytab
|
|
add:description: Manage host keytab
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACI needed to do host keytab admin
|
|
dn: $SUFFIX
|
|
add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")
|
|
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Manage host keytab";
|
|
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for enrolling hosts. Note that this also requires
|
|
# manage_host_keytab access
|
|
dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: enroll_host
|
|
add:description: Enroll a host
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACI needed to do host enrollment. When this occurs we
|
|
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
|
|
# set enrolledBy to whoever ran join.
|
|
dn: $SUFFIX
|
|
add:aci: '(targetattr = "enrolledBy || objectClass")
|
|
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Enroll a host";
|
|
allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for updating the DNS entries
|
|
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: update_dns
|
|
add:description: Updates DNS
|
|
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Create virtual operations entry. This is used to control access to
|
|
# operations that don't rely on LDAP directly.
|
|
dn: cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: virtual operations
|
|
|
|
# Retrieve Certificate virtual op
|
|
dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: retrieve certificate
|
|
|
|
# Taskgroup for retrieving certs
|
|
dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: retrieve_certs
|
|
add:description: Retrieve SSL Certificates
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=retrieve certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Request Certificate virtual op
|
|
dn: cn=request certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: request certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: request_certs
|
|
add:description: Request a SSL Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=request certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Request Certificates from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Request Certificate from different host virtual op
|
|
dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: request certificate different host
|
|
|
|
# Taskgroup for requesting certs from a different host
|
|
dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: request_cert_different_host
|
|
add:description: Request a SSL Certificate from a different host
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=request certificate different host,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Request Certificates from a
|
|
different host" ; allow (write) groupdn = "ldap:///cn=request_cert
|
|
_different_host,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Certificate Status virtual op
|
|
dn: cn=certificate status,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: certificate status
|
|
|
|
# Taskgroup for checking the status of a certificate request
|
|
dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: certificate_status
|
|
add:description: Status of cert request
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=certificate status,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: revoke certificate
|
|
|
|
# Taskgroup for revoking certs
|
|
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: revoke_certificate
|
|
add:description: Revoke Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=revoke certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
|
|
; allow (write) groupdn = "ldap:///cn=revoke_certificate,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Revoke Certificate virtual op (repeated; identical to the entry above)
|
|
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: revoke certificate
|
|
|
|
# Taskgroup for revoking certs
|
|
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: revoke_certificate
|
|
add:description: Revoke Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=revoke certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
|
|
; allow (write) groupdn = "ldap:///cn=revoke_certificate,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Certificate Remove Hold virtual op
|
|
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: certificate remove hold
|
|
|
|
# Taskgroup for removing a hold on a certificate
|
|
dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: certificate_remove_hold
|
|
add:description: Certificate Remove Hold
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=certificate remove hold,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
|
|
; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for managing replicas
|
|
dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: managereplica
|
|
add:description: Manage Replication Agreements
|
|
add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Taskgroup for deleting replicas
|
|
dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: deletereplica
|
|
add:description: Delete Replication Agreements
|
|
add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add acis allowing admins to read/write/delete replicas
|
|
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
|
add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
|
|
(objectclass=nsds5replicationagreement)(objectclass=
|
|
nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage
|
|
replication agreements"; allow (read, write, search) groupdn =
|
|
"ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
|
add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
|
|
nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
|
|
))")(version 3.0;acl "Delete replication agreements";allow (delete)
|
|
groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Entitlement management
|
|
dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addentitlements
|
|
add:description: Add Entitlements
|
|
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeentitlements
|
|
add:description: Remove Entitlements
|
|
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyentitlements
|
|
add:description: Modify Entitlements
|
|
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
|