mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-30 10:47:08 -06:00
37e3bf2a60
This fixes a regression. We don't need to allow enrolledBy to be modified because it gets written in the ipa_enrollment plugin which does internal operations so bypasses acis. https://fedorahosted.org/freeipa/ticket/302
803 lines
30 KiB
Plaintext
803 lines
30 KiB
Plaintext
############################################
|
|
# Configure the DIT
|
|
############################################
|
|
dn: cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: roles
|
|
|
|
# Permissions-based Access Control
|
|
dn: cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: pbac
|
|
|
|
dn: cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: privileges
|
|
|
|
dn: cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: permissions
|
|
|
|
############################################
|
|
# Add the default roles
|
|
############################################
|
|
dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: helpdesk
|
|
description: Helpdesk
|
|
|
|
dn: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Entitlement Management
|
|
description: Entitlements administrator
|
|
|
|
dn: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Entitlement Compliance
|
|
description: Verify entitlement compliance
|
|
member: fqdn=$FQHN,cn=computers,cn=accounts,$SUFFIX
|
|
|
|
############################################
|
|
# Add the default privileges
|
|
############################################
|
|
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: User Administrators
|
|
description: User Administrators
|
|
|
|
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Group Administrators
|
|
description: Group Administrators
|
|
|
|
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Administrators
|
|
description: Host Administrators
|
|
|
|
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Group Administrators
|
|
description: Host Group Administrators
|
|
|
|
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Delegation Administrator
|
|
description: Role administration
|
|
|
|
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Service Administrators
|
|
description: Service Administrators
|
|
|
|
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Automount Administrators
|
|
description: Automount Administrators
|
|
|
|
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Netgroups Administrators
|
|
description: Netgroups Administrators
|
|
|
|
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Certificate Administrators
|
|
description: Certificate Administrators
|
|
|
|
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Replication Administrators
|
|
description: Replication Administrators
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Enrollment
|
|
description: Host Enrollment
|
|
|
|
dn: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Register and Write Entitlements
|
|
description: Register and Write Entitlements
|
|
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Read Entitlements
|
|
description: Read Entitlements
|
|
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
|
|
member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
|
|
|
|
|
|
############################################
|
|
# Default permissions.
|
|
############################################
|
|
|
|
# User administration
|
|
|
|
dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Users
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Change a user password
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add user to default group
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectclass: top
|
|
objectclass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Unlock user accounts
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Users
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Users
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Group administration
|
|
|
|
dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Group membership
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Host administration
|
|
|
|
dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Hosts
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Hosts
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hosts
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Hostgroup administration
|
|
|
|
dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hostgroup membership
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Service administration
|
|
|
|
dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Delegation administration
|
|
|
|
dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Role membership
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify privilege membership
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Automount administration
|
|
|
|
dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Netgroup administration
|
|
|
|
dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify netgroup membership
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Keytab access
|
|
|
|
dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Manage host keytab
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Manage service keytab
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
# DNS administration
|
|
|
|
# The permission and aci for this is in install/updates/dns.ldif
|
|
|
|
dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Enroll a host
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Replica administration
|
|
|
|
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Entitlement management
|
|
|
|
dn: cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Register Entitlements
|
|
member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Read Entitlements
|
|
member: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Write Entitlements
|
|
member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
############################################
|
|
# Default permissions (ACIs)
|
|
############################################
|
|
|
|
# User administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Group administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
# We need objectclass and gidnumber in modify so a non-posix group can be
|
|
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
|
|
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Host administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Hostgroup administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Service administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Delegation administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Automount administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Netgroup administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Host keytab admin
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Service keytab admin
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Add the ACI needed to do host enrollment. When this occurs we
|
|
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
|
|
# set enrolledBy to whoever ran join. enrolledBy is specifically
|
|
# not listed here, it is set by the plugin but we don't want an
|
|
# admin overriding it using --setattr or ldapmodify.
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Entitlement administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Create virtual operations entry. This is used to control access to
|
|
# operations that don't rely on LDAP directly.
|
|
dn: cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: virtual operations
|
|
|
|
# Retrieve Certificate virtual op
|
|
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: retrieve certificate
|
|
|
|
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Retrieve Certificates from the CA
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Request Certificate virtual op
|
|
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: request certificate
|
|
|
|
dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Request Certificate
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Request Certificate from different host virtual op
|
|
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: request certificate different host
|
|
|
|
dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Request Certificates from a different host
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Certificate Status virtual op
|
|
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: certificate status
|
|
|
|
dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Get Certificates status from the CA
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: revoke certificate
|
|
|
|
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Revoke Certificate
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Certificate Remove Hold virtual op
|
|
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: certificate remove hold
|
|
|
|
dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Certificate Remove Hold
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
|