mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
e31d5fb1cf
There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
598 lines
22 KiB
Plaintext
598 lines
22 KiB
Plaintext
# Add the default roles
|
|
|
|
dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: helpdesk
|
|
add:description: Helpdesk
|
|
|
|
dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: useradmin
|
|
add:description: User Administrators
|
|
|
|
dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: groupadmin
|
|
add:description: Group Administrators
|
|
|
|
dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: hostadmin
|
|
add:description: Host Administrators
|
|
|
|
dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: hostgroupadmin
|
|
add:description: Host Group Administrators
|
|
|
|
dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: delegationadmin
|
|
add:description: Role administration
|
|
|
|
dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: serviceadmin
|
|
add:description: Service Administrators
|
|
|
|
dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: automountadmin
|
|
add:description: Automount Administrators
|
|
|
|
dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: netgroupadmin
|
|
add:description: Netgroups Administrators
|
|
|
|
dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: dnsadmin
|
|
add:description: DNS Administrators
|
|
|
|
dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: dnsserver
|
|
add:description: DNS Servers
|
|
|
|
dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: certadmin
|
|
add:description: Certificate Administrators
|
|
|
|
# Add the taskgroups referenced by the ACIs for user administration
|
|
|
|
dn: cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: nsContainer
|
|
add:objectClass: top
|
|
add:cn: taskgroups
|
|
|
|
dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addusers
|
|
add:description: Add Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: change_password
|
|
add:description: Change a user password
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: add_user_to_default_group
|
|
add:description: Add user to default group
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removeusers
|
|
add:description: Remove Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifyusers
|
|
add:description: Modify Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for user administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
|
|
aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
|
|
te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
|
|
";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
|
|
te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
|
|
askgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials
|
|
|| loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
|
|
umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
|
|
manager || secretary || description || carLicense || labeledURI || inetUserHT
|
|
TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
|
|
//uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
|
|
s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,
|
|
$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for group administration
|
|
|
|
dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addgroups
|
|
add:description: Add Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removegroups
|
|
add:description: Remove Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifygroups
|
|
add:description: Modify Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifygroupmembership
|
|
add:description: Modify Group membership
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for group administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t
|
|
askgroups,cn=accounts,$SUFFIX";)'
|
|
# we need objectclass and gidnumber in modify so a non-posix group can be
|
|
# promoted
|
|
add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target
|
|
= "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Group
|
|
s";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,
|
|
$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for host administration
|
|
|
|
dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addhosts
|
|
add:description: Add Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removehosts
|
|
add:description: Remove Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifyhosts
|
|
add:description: Modify Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for host administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description || locality || location || platform
|
|
|| os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
|
|
acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for hostgroup administration
|
|
|
|
dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addhostgroups
|
|
add:description: Add Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removehostgroups
|
|
add:description: Remove Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifyhostgroups
|
|
add:description: Modify Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifyhostgroupmembership
|
|
add:description: Modify Host Group membership
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for hostgroup administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=
|
|
removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=
|
|
hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow
|
|
(write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for service administration
|
|
|
|
dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addservices
|
|
add:description: Add Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removeservices
|
|
add:description: Remove Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for service administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
|
|
$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn
|
|
=addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
|
|
$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
|
|
:///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for delegation administration
|
|
# This just lets one manage taskgroup membership and create and delete roles
|
|
|
|
dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addhrole
|
|
add:description: Add Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removeroles
|
|
add:description: Remove Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifyroles
|
|
add:description: Modify Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifyrolegroupmembership
|
|
add:description: Modify Role Group membership
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifytaskgroupmembership
|
|
add:description: Modify Task Group membership
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for delegation administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
|
|
ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou
|
|
pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for automount administration
|
|
|
|
dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addautomount
|
|
add:description: Add Automount maps/keys
|
|
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removeautomount
|
|
add:description: Remove Automount maps/keys
|
|
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for service administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap
|
|
:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn =
|
|
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap
|
|
:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn =
|
|
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for netgroup administration
|
|
|
|
dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: addnetgroups
|
|
add:description: Add netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: removenetgroups
|
|
add:description: Remove netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifynetgroups
|
|
add:description: Modify netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: modifynetgroupmembership
|
|
add:description: Modify netgroup membership
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for netgroup administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
|
|
3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
|
|
3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=
|
|
removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
|
|
cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn
|
|
= "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")
|
|
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
|
|
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
|
|
pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for retrieving host keytabs
|
|
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: manage_host_keytab
|
|
add:description: Manage host keytab
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACI needed to do host keytab admin
|
|
dn: $SUFFIX
|
|
add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
|
|
cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
|
|
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for updating the DNS entries
|
|
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: manage_host_keytab
|
|
add:description: Updates DNS
|
|
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Create virtual operations entry. This is used to control access to
|
|
# operations that don't rely on LDAP directly.
|
|
dn: cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: virtual operations
|
|
|
|
# Retrieve Certificate virtual op
|
|
dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: retrieve certificate
|
|
|
|
# Taskgroup for retrieving certs
|
|
dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: retrieve_certs
|
|
add:description: Retrieve SSL Certificates
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=retrieve certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,
|
|
cn=accounts,dc=greyoak,dc=com";)'
|
|
|
|
# Request Certificate virtual op
|
|
dn: cn=request certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: request certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: reqeust_certs
|
|
add:description: Request a SSL Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=request certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Request Certificates from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
|
|
cn=accounts,dc=greyoak,dc=com";)'
|
|
|
|
# Certificate Status virtual op
|
|
dn: cn=certificate status,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: certificate status
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: reqeust_certs
|
|
add:description: Status of cert request
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=certificate status,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,
|
|
cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: revoke certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: reqeust_certs
|
|
add:description: Revoke Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=revoke certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
|
|
; allow (write) groupdn = "ldap:///cn=revoke_certificate,
|
|
cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: revoke certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: reqeust_certs
|
|
add:description: Revoke Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=revoke certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
|
|
; allow (write) groupdn = "ldap:///cn=revoke_certificate,
|
|
cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
|
|
|
|
# Certificate Remove Hold virtual op
|
|
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: certificate remove hold
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: groupofnames
|
|
add:cn: reqeust_certs
|
|
add:description: Certificate Remove Hold
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=certificate remove hold,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
|
|
; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
|
|
cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
|