mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
733 lines
28 KiB
Plaintext
733 lines
28 KiB
Plaintext
# Add the default roles
|
|
|
|
dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: helpdesk
|
|
add:description: Helpdesk
|
|
|
|
dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: useradmin
|
|
add:description: User Administrators
|
|
|
|
dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: groupadmin
|
|
add:description: Group Administrators
|
|
|
|
dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: hostadmin
|
|
add:description: Host Administrators
|
|
|
|
dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: hostgroupadmin
|
|
add:description: Host Group Administrators
|
|
|
|
dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: delegationadmin
|
|
add:description: Role administration
|
|
|
|
dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: serviceadmin
|
|
add:description: Service Administrators
|
|
|
|
dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: automountadmin
|
|
add:description: Automount Administrators
|
|
|
|
dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: netgroupadmin
|
|
add:description: Netgroups Administrators
|
|
|
|
dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: dnsadmin
|
|
add:description: DNS Administrators
|
|
|
|
dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: dnsserver
|
|
add:description: DNS Servers
|
|
|
|
dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: certadmin
|
|
add:description: Certificate Administrators
|
|
|
|
dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: replicaadmin
|
|
add:description: Replication Administrators
|
|
add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: enrollhost
|
|
add:description: Host Enrollment
|
|
|
|
dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: entitlementadmin
|
|
add:description: Entitlement Administrators
|
|
|
|
# Add the taskgroups referenced by the ACIs for user administration
|
|
|
|
dn: cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: nsContainer
|
|
add:objectClass: top
|
|
add:cn: taskgroups
|
|
|
|
dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addusers
|
|
add:description: Add Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: change_password
|
|
add:description: Change a user password
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: add_user_to_default_group
|
|
add:description: Add user to default group
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeusers
|
|
add:description: Remove Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyusers
|
|
add:description: Modify Users
|
|
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for user administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
|
|
aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
|
|
te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
|
|
";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
|
|
te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
|
|
askgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials
|
|
|| loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
|
|
umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
|
|
manager || secretary || description || carLicense || labeledURI || inetUserHT
|
|
TPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry
|
|
|| objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Modify Users";allow (write) groupdn =
|
|
"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for group administration
|
|
|
|
dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addgroups
|
|
add:description: Add Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removegroups
|
|
add:description: Remove Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifygroups
|
|
add:description: Modify Groups
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifygroupmembership
|
|
add:description: Modify Group membership
|
|
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for group administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=t
|
|
askgroups,cn=accounts,$SUFFIX";)'
|
|
# we need objectclass and gidnumber in modify so a non-posix group can be
|
|
# promoted
|
|
add:aci: '(targetattr = "cn || description || gidnumber || objectclass ||
|
|
mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Modify Groups";allow (write) groupdn =
|
|
"ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for host administration
|
|
|
|
dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addhosts
|
|
add:description: Add Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removehosts
|
|
add:description: Remove Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyhosts
|
|
add:description: Modify Hosts
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for host administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description || l || nshostlocation ||
|
|
nshardwareplatform || nsosversion")
|
|
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
|
|
acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for hostgroup administration
|
|
|
|
dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addhostgroups
|
|
add:description: Add Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removehostgroups
|
|
add:description: Remove Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyhostgroups
|
|
add:description: Modify Host Groups
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyhostgroupmembership
|
|
add:description: Modify Host Group membership
|
|
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for hostgroup administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=
|
|
removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=
|
|
hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hostgroups";allow
|
|
(write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for service administration
|
|
|
|
dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addservices
|
|
add:description: Add Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeservices
|
|
add:description: Remove Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyservices
|
|
add:description: Modify Services
|
|
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for service administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
|
|
$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn
|
|
=addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
|
|
$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
|
|
:///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal
|
|
name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services"
|
|
;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco
|
|
unts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for delegation administration
|
|
# This just lets one manage taskgroup membership and create and delete roles
|
|
|
|
dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addhrole
|
|
add:description: Add Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeroles
|
|
add:description: Remove Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyroles
|
|
add:description: Modify Roles
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyrolegroupmembership
|
|
add:description: Modify Role Group membership
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifytaskgroupmembership
|
|
add:description: Modify Task Group membership
|
|
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for delegation administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups
|
|
,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version
|
|
3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegro
|
|
ups,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) grou
|
|
pdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accoun
|
|
ts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (wri
|
|
te) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts
|
|
,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for automount administration
|
|
|
|
dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addautomount
|
|
add:description: Add Automount maps/keys
|
|
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeautomount
|
|
add:description: Remove Automount maps/keys
|
|
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for service administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap
|
|
:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn =
|
|
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap
|
|
:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,
|
|
$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn =
|
|
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Add the taskgroups referenced by the ACIs for netgroup administration
|
|
|
|
dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addnetgroups
|
|
add:description: Add netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removenetgroups
|
|
add:description: Remove netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifynetgroups
|
|
add:description: Modify netgroups
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifynetgroupmembership
|
|
add:description: Modify netgroup membership
|
|
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACIs that grant these permissions for netgroup administration
|
|
|
|
dn: $SUFFIX
|
|
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
|
|
3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=
|
|
taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version
|
|
3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=
|
|
removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,
|
|
cn=alt,$SUFFIX")(version 3.0; acl "Modify netgroups";allow (write) groupdn
|
|
= "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")
|
|
(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Mo
|
|
dify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgrou
|
|
pmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for retrieving host keytabs
|
|
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: manage_host_keytab
|
|
add:description: Manage host keytab
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACI needed to do host keytab admin
|
|
dn: $SUFFIX
|
|
add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")
|
|
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Manage host keytab";
|
|
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for enrolling hosts. Note that this also requires
|
|
# manage_host_keytab access
|
|
dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: enroll_host
|
|
add:description: Enroll a host
|
|
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add the ACI needed to do host enrollment. When this occurs we
|
|
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
|
|
# set enrolledBy to whoever ran join.
|
|
dn: $SUFFIX
|
|
add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass")
|
|
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
|
|
(version 3.0;acl "Enroll a host";
|
|
allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for updating the DNS entries
|
|
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: update_sn
|
|
add:description: Updates DNS
|
|
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Create virtual operations entry. This is used to control access to
|
|
# operations that don't rely on LDAP directly.
|
|
dn: cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: virtual operations
|
|
|
|
# Retrieve Certificate virtual op
|
|
dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: retrieve certificate
|
|
|
|
# Taskgroup for retrieving certs
|
|
dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: retrieve_certs
|
|
add:description: Retrieve SSL Certificates
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=retrieve certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Request Certificate virtual op
|
|
dn: cn=request certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: request certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: request_certs
|
|
add:description: Request a SSL Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=request certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Request Certificates from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
|
|
cn=accounts,$SUFFIX";)'
|
|
|
|
# Request Certificate from different host virtual op
|
|
dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: request certificate different host
|
|
|
|
# Taskgroup for requesting certs from a different host
|
|
dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: request_cert_different_host
|
|
add:description: Request a SSL Certificate from a different host
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=request certificate different host,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Request Certificates from a
|
|
different host" ; allow (write) groupdn = "ldap:///cn=request_cert
|
|
_different_host,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Certificate Status virtual op
|
|
dn: cn=certificate status,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: certificate status
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: certificate_status
|
|
add:description: Status of cert request
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=certificate status,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the
|
|
CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: revoke certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: revoke_certificate
|
|
add:description: Revoke Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=revoke certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
|
|
; allow (write) groupdn = "ldap:///cn=revoke_certificate,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: revoke certificate
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: revoke_certificate
|
|
add:description: Revoke Certificate
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=revoke certificate,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
|
|
; allow (write) groupdn = "ldap:///cn=revoke_certificate,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Certificate Remove Hold virtual op
|
|
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nsContainer
|
|
add:cn: certificate remove hold
|
|
|
|
# Taskgroup for requesting certs
|
|
dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: certificate_remove_hold
|
|
add:description: Certificate Remove Hold
|
|
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "objectClass")(target =
|
|
"ldap:///cn=certificate remove hold,cn=virtual operations,
|
|
$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
|
|
; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
|
|
cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Taskgroup for managing replicas
|
|
dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: managereplica
|
|
add:description: Manage Replication Agreements
|
|
add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Taskgroup for deleting replicas
|
|
dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: deletereplica
|
|
add:description: Delete Replication Agreements
|
|
add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
# Add acis allowing admins to read/write/delete replicas
|
|
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
|
add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
|
|
(objectclass=nsds5replicationagreement)(objectclass=
|
|
nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage
|
|
replication agreements"; allow (read, write, search) groupdn =
|
|
"ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
|
add: aci: '(targetattr=*)(targetfilter="(|(objectclass=
|
|
nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement
|
|
))")(version 3.0;acl "Delete replication agreements";allow (delete)
|
|
groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
# Entitlement management
|
|
dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: addentitlements
|
|
add:description: Add Entitlements
|
|
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: removeentitlements
|
|
add:description: Remove Entitlements
|
|
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
|
|
add:objectClass: top
|
|
add:objectClass: nestedgroup
|
|
add:cn: modifyentitlements
|
|
add:description: Modify Entitlements
|
|
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
|
|
|
|
dn: $SUFFIX
|
|
add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'
|