IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
6652c4eb2e
freeipa/install/updates/40-delegation.update
Martin Kosek 6652c4eb2e Allow PassSync user to locate and update NT users 
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.

New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.

https://fedorahosted.org/freeipa/ticket/4837

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-19 16:49:27 +01:00

217 lines
11 KiB
Plaintext
Raw Blame History

# IPA configuration
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Write IPA Configuration
default:description: Write IPA Configuration
dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Write IPA Configuration
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci: '(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
# Host-Based Access Control
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: HBAC Administrator
default:description: HBAC Administrator
# SUDO
dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Sudo Administrator
default:description: Sudo Administrator
# Password Policy
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Administrator
default:description: Password Policy Administrator
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
# The original DNS permissions lacked the tag.
dn: $SUFFIX
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
# SELinux User Mapping
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: SELinux User Map Administrators
default:description: SELinux User Map Administrators
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
# to privilege "Host Administrators"
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Automember Task Administrator
default:description: Automember Task Administrator
dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Automember Rebuild Membership Task
default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
# Virtual operations
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: retrieve certificate
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate different host
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate status
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: revoke certificate
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate remove hold
dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate with subjectaltname
dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Request Certificate with SubjectAltName
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci:'(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)'
# Read privileges
dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: RBAC Readers
default:description: Read roles, privileges, permissions and ACIs
dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Readers
default:description: Read password policies
dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Kerberos Ticket Policy Readers
default:description: Read global and per-user Kerberos ticket policy
dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Automember Readers
default:description: Read Automember definitions
dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: IPA Masters Readers
default:description: Read list of IPA masters
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
# PassSync
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: PassSync Service
default:description: PassSync Service
dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Read PassSync Managers Configuration
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Modify PassSync Managers Configuration
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
Reference in New Issue View Git Blame Copy Permalink