mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 17:01:14 -06:00
275998f6bd
Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unaviailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results. tickets 28, 79, 278
798 lines
29 KiB
Plaintext
798 lines
29 KiB
Plaintext
############################################
|
|
# Configure the DIT
|
|
############################################
|
|
dn: cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: roles
|
|
|
|
# Permissions-based Access Control
|
|
dn: cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: pbac
|
|
|
|
dn: cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: privileges
|
|
|
|
dn: cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: permissions
|
|
|
|
############################################
|
|
# Add the default roles
|
|
############################################
|
|
dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: helpdesk
|
|
description: Helpdesk
|
|
|
|
dn: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: entitlements
|
|
description: Entitlements administrator
|
|
|
|
dn: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Entitlement Compliance
|
|
description: Verify entitlement compliance
|
|
member: fqdn=$FQHN,cn=computers,cn=accounts,$SUFFIX
|
|
|
|
############################################
|
|
# Add the default privileges
|
|
############################################
|
|
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: User Administrators
|
|
description: User Administrators
|
|
|
|
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Group Administrators
|
|
description: Group Administrators
|
|
|
|
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Administrators
|
|
description: Host Administrators
|
|
|
|
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Group Administrators
|
|
description: Host Group Administrators
|
|
|
|
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Delegation Administrator
|
|
description: Role administration
|
|
|
|
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Service Administrators
|
|
description: Service Administrators
|
|
|
|
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Automount Administrators
|
|
description: Automount Administrators
|
|
|
|
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Netgroups Administrators
|
|
description: Netgroups Administrators
|
|
|
|
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Certificate Administrators
|
|
description: Certificate Administrators
|
|
|
|
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Replication Administrators
|
|
description: Replication Administrators
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Enrollment
|
|
description: Host Enrollment
|
|
|
|
dn: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Register and Write Entitlements
|
|
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Read Entitlements
|
|
member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
|
|
member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
|
|
|
|
|
|
############################################
|
|
# Default permissions.
|
|
############################################
|
|
|
|
# User administration
|
|
|
|
dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Users
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Change a user password
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add user to default group
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectclass: top
|
|
objectclass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Unlock user accounts
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Users
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Users
|
|
member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Group administration
|
|
|
|
dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Group membership
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Host administration
|
|
|
|
dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Hosts
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Hosts
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hosts
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Hostgroup administration
|
|
|
|
dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hostgroup membership
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Service administration
|
|
|
|
dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Delegation administration
|
|
|
|
dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Role membership
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify privilege membership
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Automount administration
|
|
|
|
dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Netgroup administration
|
|
|
|
dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify netgroup membership
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Keytab access
|
|
|
|
dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Manage host keytab
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Manage service keytab
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
# DNS administration
|
|
|
|
# The permission and aci for this is in install/updates/dns.ldif
|
|
|
|
dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Enroll a host
|
|
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Replica administration
|
|
|
|
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Entitlement management
|
|
|
|
dn: cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Read Entitlements
|
|
member: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Write Entitlements
|
|
member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
############################################
|
|
# Default permissions (ACIs)
|
|
############################################
|
|
|
|
# User administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Group administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
# We need objectclass and gidnumber in modify so a non-posix group can be
|
|
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
|
|
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Host administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Hostgroup administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Service administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Delegation administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Automount administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Netgroup administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Host keytab admin
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Service keytab admin
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Add the ACI needed to do host enrollment. When this occurs we
|
|
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
|
|
# set enrolledBy to whoever ran join.
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Entitlement administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Create virtual operations entry. This is used to control access to
|
|
# operations that don't rely on LDAP directly.
|
|
dn: cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: virtual operations
|
|
|
|
# Retrieve Certificate virtual op
|
|
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: retrieve certificate
|
|
|
|
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Retrieve Certificates from the CA
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Request Certificate virtual op
|
|
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: request certificate
|
|
|
|
dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Request Certificate
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Request Certificate from different host virtual op
|
|
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: request certificate different host
|
|
|
|
dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Request Certificates from a different host
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Certificate Status virtual op
|
|
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: certificate status
|
|
|
|
dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Get Certificates status from the CA
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: revoke certificate
|
|
|
|
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Revoke Certificate
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Certificate Remove Hold virtual op
|
|
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: certificate remove hold
|
|
|
|
dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Certificate Remove Hold
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
|