freeipa/install/updates/40-delegation.update
Rob Crittenden e31d5fb1cf Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00


# Add the default roles
#
# Role groups are plain groupofnames entries and carry no privilege of their
# own. Privileges come from the taskgroups further down: each taskgroup lists
# the role(s) it applies to as a member and is named in the groupdn of an ACI.
# No user members are added here; role membership is assigned by an admin.
dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: helpdesk
# NOTE(review): no taskgroup in this file lists helpdesk as a member, so the
# role grants nothing on its own until something else references it.
add:description: Helpdesk
dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: useradmin
add:description: User Administrators
dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: groupadmin
add:description: Group Administrators
dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: hostadmin
add:description: Host Administrators
dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: hostgroupadmin
add:description: Host Group Administrators
# Holders of this role can edit membership of every taskgroup and role group
# (see the delegation ACIs below), i.e. they can hand out any privilege in
# this file. Treat membership as administrator-equivalent.
dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: delegationadmin
add:description: Role administration
dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: serviceadmin
add:description: Service Administrators
dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: automountadmin
add:description: Automount Administrators
dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: netgroupadmin
add:description: Netgroups Administrators
dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: dnsadmin
add:description: DNS Administrators
# Judging by its description this role is for the DNS servers themselves
# rather than people; it is added to the update_dns taskgroup further down.
dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: dnsserver
add:description: DNS Servers
# Used by the certificate "virtual operations" at the end of this file.
dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: certadmin
add:description: Certificate Administrators
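# Add the taskgroups referenced by the ACIs for user administration
#
# Each taskgroup is a groupofnames whose members are role groups. The ACIs at
# the end of the section grant exactly one operation to each taskgroup via
# groupdn. All five user taskgroups are granted to the useradmin role.
dn: cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: nsContainer
add:objectClass: top
add:cn: taskgroups
dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addusers
add:description: Add Users
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: change_password
add:description: Change a user password
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: add_user_to_default_group
add:description: Add user to default group
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeusers
add:description: Remove Users
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyusers
add:description: Modify Users
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for user administration
#
# All ACIs are placed on $SUFFIX and therefore apply to the whole tree; the
# (target = ...) clause is what confines each grant to one container.
dn: $SUFFIX
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
# The password ACI is scoped to user entries. Without a target clause an ACI
# on $SUFFIX would apply to every entry beneath it that carries these
# attributes (hosts, services, Kerberos infrastructure principals), which is
# far more than the useradmin role should reach. Host keys have their own
# grant ("Manage host keytab") below.
# NOTE(review): administrator accounts are themselves entries under cn=users,
# so this still permits resetting their credentials; confirm whether an
# excluding targetfilter is wanted.
add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Only the member attribute of the single default group, not groups in general.
add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Fixed allow-list of profile attributes. uid, mail, the password and Kerberos
# attributes and group membership are deliberately not in it.
add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'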
# Add the taskgroups referenced by the ACIs for group administration
#
# Four taskgroups, all granted to the groupadmin role: create, delete, edit
# attributes, edit membership.
dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addgroups
add:description: Add Groups
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removegroups
add:description: Remove Groups
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifygroups
add:description: Modify Groups
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifygroupmembership
add:description: Modify Group membership
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for group administration
#
# Every grant is confined to cn=groups by its target clause; the rolegroups
# and taskgroups containers are not covered here.
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# objectclass and gidnumber are writable so that a non-POSIX group can be
# promoted to a POSIX group. Note this also lets the role change the
# objectclass list of any group entry, not only add posixGroup.
add:aci: '(targetattr = "cn || description || gidnumber || objectclass")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for host administration
#
# Three taskgroups granted to the hostadmin role. Host keys are handled by a
# separate taskgroup (manage_host_keytab) later in the file.
dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addhosts
add:description: Add Hosts
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removehosts
add:description: Remove Hosts
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyhosts
add:description: Modify Hosts
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for host administration
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Descriptive attributes only; krbPrincipalKey is intentionally absent here.
add:aci: '(targetattr = "cn || description || locality || location || platform || os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX";)'
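# Add the taskgroups referenced by the ACIs for hostgroup administration
#
# Four taskgroups granted to the hostgroupadmin role, mirroring the group
# administration section.
dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addhostgroups
add:description: Add Host Groups
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removehostgroups
add:description: Remove Host Groups
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyhostgroups
add:description: Modify Host Groups
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyhostgroupmembership
add:description: Modify Host Group membership
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for hostgroup administration
#
# The acl names are unique within the file ("... Host Groups" rather than the
# host section's "Add Hosts"/"Remove Hosts"/"Modify Hosts"); duplicated acl
# names are accepted by the server but make audit logs and later updates
# that address an ACI by name ambiguous.
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Host Groups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Host Groups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Host Groups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'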
# Add the taskgroups referenced by the ACIs for service administration
#
# Two taskgroups granted to the serviceadmin role: create and delete service
# principals. There is no modify grant for services in this file.
dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addservices
add:description: Add Services
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeservices
add:description: Remove Services
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for service administration
#
# Services are keyed by krbprincipalname under cn=services.
dn: $SUFFIX
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
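# Add the taskgroups referenced by the ACIs for delegation administration
# This just lets one manage taskgroup membership and create and delete roles
#
# All five taskgroups are granted to the delegationadmin role.
dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
# cn carries the RDN value of the entry (cn=addroles); a value that differs
# from the RDN may be rejected by the server as a naming violation.
add:cn: addroles
add:description: Add Roles
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeroles
add:description: Remove Roles
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyroles
add:description: Modify Roles
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyrolegroupmembership
add:description: Modify Role Group membership
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifytaskgroupmembership
add:description: Modify Task Group membership
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for delegation administration
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
# The next two ACIs give write on the member attribute of every role group and
# every taskgroup. A holder of this role can therefore assign any role to any
# taskgroup and add anyone (including themselves) to any role, i.e. obtain
# every privilege defined in this file. Treat delegationadmin membership as
# administrator-equivalent and monitor changes to these two containers.
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (write) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'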
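# Add the taskgroups referenced by the ACIs for automount administration
#
# Two taskgroups granted to the automountadmin role. Each taskgroup is named
# by two ACIs below, one for maps and one for keys.
dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addautomount
add:description: Add Automount maps/keys
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeautomount
add:description: Remove Automount maps/keys
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for automount administration
#
# Automount data lives under cn=automount directly below the suffix, not
# under cn=accounts. Maps and keys are separate targets because keys sit one
# level below their map.
dn: $SUFFIX
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'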
# Add the taskgroups referenced by the ACIs for netgroup administration
#
# Four taskgroups granted to the netgroupadmin role.
dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addnetgroups
add:description: Add netgroups
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removenetgroups
add:description: Remove netgroups
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifynetgroups
add:description: Modify netgroups
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifynetgroupmembership
add:description: Modify netgroup membership
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACIs that grant these permissions for netgroup administration
#
# Netgroups are stored under cn=ng,cn=alt and keyed by ipauniqueid, so the
# target uses that attribute rather than cn.
dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Only description is editable on an existing netgroup.
add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Membership covers hosts, users, nested netgroups and external (non-IPA)
# host names.
add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Taskgroup for retrieving host keytabs
#
# Granted to the hostadmin role; kept apart from modifyhosts so that editing
# descriptive host attributes does not imply control of the host's key.
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: manage_host_keytab
add:description: Manage host keytab
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACI needed to do host keytab admin
#
# krbPrincipalKey is the host's Kerberos key material, so this is a sensitive
# grant; the target confines it to entries under cn=computers.
dn: $SUFFIX
add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX";)'
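# Taskgroup for updating the DNS entries
#
# Granted to both the dnsadmin role (people) and the dnsserver role.
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
# cn carries the RDN value of this entry (cn=update_dns); a value that differs
# from the RDN may be rejected by the server as a naming violation.
add:cn: update_dns
add:description: Updates DNS
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
# NOTE(review): no ACI in this file names update_dns in a groupdn, so on its
# own the taskgroup grants nothing; presumably the DNS ACIs are installed by
# another update file - confirm.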
# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.
#
# Each child of this container stands for one non-LDAP operation (the
# certificate operations below). Access is decided by attempting a write on
# the child entry: if the ACIs would allow the write the operation is
# permitted, otherwise it is denied. The attempted write is deliberately
# invalid so it never actually changes the entry, but the access check
# happens before the validity check, so the two outcomes can be told apart.
# The container itself carries no ACI and is only a parent for the children.
dn: cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: virtual operations
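# Retrieve Certificate virtual op
#
# Empty container entry that the certificate code probes with a write to
# decide whether the caller may retrieve a certificate from the CA.
dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: retrieve certificate
# Taskgroup for retrieving certs
dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: retrieve_certs
add:description: Retrieve SSL Certificates
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# The groupdn must be built from $SUFFIX like every other ACI in this file; a
# literal domain only matches the installation it was written on and makes
# the check deny everywhere else.
# Note this is a real grant of write on objectClass of the probe entry, not
# just a marker; the entry holds nothing else, so keep targetattr to this one
# attribute and do not store other data in it.
dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX")(version 3.0;acl "Retrieve Certificates from the CA";allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX";)'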
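# Request Certificate virtual op
#
# Empty container entry that the certificate code probes with a write to
# decide whether the caller may request a certificate from the CA.
dn: cn=request certificate,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: request certificate
# Taskgroup for requesting certs
dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
# cn carries the RDN value of this entry (cn=request_certs); a value that
# differs from the RDN may be rejected by the server as a naming violation.
add:cn: request_certs
add:description: Request a SSL Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# The groupdn must be built from $SUFFIX like every other ACI in this file; a
# literal domain only matches the installation it was written on and makes
# the check deny everywhere else. The grant is a real write on objectClass of
# the probe entry, so keep targetattr to this one attribute.
dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX")(version 3.0;acl "Request Certificates from the CA";allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX";)'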
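# Certificate Status virtual op
#
# Empty container entry that the certificate code probes with a write to
# decide whether the caller may query the status of a certificate request.
dn: cn=certificate status,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: certificate status
# Taskgroup for checking certificate request status
dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
# cn carries the RDN value of this entry (cn=certificate_status); a value that
# differs from the RDN may be rejected by the server as a naming violation.
add:cn: certificate_status
add:description: Status of cert request
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# The groupdn must be built from $SUFFIX like every other ACI in this file; a
# literal domain only matches the installation it was written on and makes
# the check deny everywhere else. The grant is a real write on objectClass of
# the probe entry, so keep targetattr to this one attribute.
dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX")(version 3.0;acl "Get Certificates status from the CA";allow (write) groupdn = "ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX";)'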
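# Revoke Certificate virtual op
#
# Empty container entry that the certificate code probes with a write to
# decide whether the caller may revoke a certificate. Defined once; the
# entries below are added a single time.
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: revoke certificate
# Taskgroup for revoking certs
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
# cn carries the RDN value of this entry (cn=revoke_certificate); a value that
# differs from the RDN may be rejected by the server as a naming violation.
add:cn: revoke_certificate
add:description: Revoke Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# The groupdn must be built from $SUFFIX like every other ACI in this file; a
# literal domain only matches the installation it was written on and makes
# the check deny everywhere else. The grant is a real write on objectClass of
# the probe entry, so keep targetattr to this one attribute.
dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX")(version 3.0;acl "Revoke Certificate";allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX";)'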
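# Certificate Remove Hold virtual op
#
# Empty container entry that the certificate code probes with a write to
# decide whether the caller may take a certificate off hold.
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: certificate remove hold
# Taskgroup for removing a certificate hold
dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
# cn carries the RDN value of this entry (cn=certificate_remove_hold); a value
# that differs from the RDN may be rejected by the server as a naming
# violation.
add:cn: certificate_remove_hold
add:description: Certificate Remove Hold
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# The groupdn must be built from $SUFFIX like every other ACI in this file; a
# literal domain only matches the installation it was written on and makes
# the check deny everywhere else. The grant is a real write on objectClass of
# the probe entry, so keep targetattr to this one attribute.
dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX")(version 3.0;acl "Certificate Remove Hold";allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX";)'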