mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
8a5110305f
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
573 lines
21 KiB
Plaintext
573 lines
21 KiB
Plaintext
############################################
|
|
# Configure the DIT
|
|
############################################
|
|
dn: cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: roles
|
|
|
|
# Permissions-based Access Control
|
|
dn: cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: pbac
|
|
|
|
dn: cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: privileges
|
|
|
|
dn: cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: permissions
|
|
|
|
############################################
|
|
# Add the default roles
|
|
############################################
|
|
dn: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: helpdesk
|
|
description: Helpdesk
|
|
|
|
############################################
|
|
# Add the default privileges
|
|
############################################
|
|
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: User Administrators
|
|
description: User Administrators
|
|
|
|
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Group Administrators
|
|
description: Group Administrators
|
|
|
|
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Administrators
|
|
description: Host Administrators
|
|
|
|
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Group Administrators
|
|
description: Host Group Administrators
|
|
|
|
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Delegation Administrator
|
|
description: Role administration
|
|
|
|
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Service Administrators
|
|
description: Service Administrators
|
|
|
|
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Automount Administrators
|
|
description: Automount Administrators
|
|
|
|
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Netgroups Administrators
|
|
description: Netgroups Administrators
|
|
|
|
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Certificate Administrators
|
|
description: Certificate Administrators
|
|
|
|
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Replication Administrators
|
|
description: Replication Administrators
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: nestedgroup
|
|
cn: Host Enrollment
|
|
description: Host Enrollment
|
|
|
|
############################################
|
|
# Default permissions.
|
|
############################################
|
|
|
|
# Group administration
|
|
|
|
dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Groups
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Group membership
|
|
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Hostgroup administration
|
|
|
|
dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hostgroups
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Hostgroup membership
|
|
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Service administration
|
|
|
|
dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Services
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Delegation administration
|
|
|
|
dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Roles
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Role membership
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify privilege membership
|
|
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Automount administration
|
|
|
|
dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Netgroup administration
|
|
|
|
dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify netgroups
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify netgroup membership
|
|
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Manage service keytab
|
|
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
# DNS administration
|
|
|
|
# The permission and aci for this is in install/updates/dns.ldif
|
|
|
|
# Replica administration
|
|
|
|
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Add Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Remove Replication Agreements
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Modify DNA Range
|
|
ipapermissiontype: SYSTEM
|
|
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
############################################
|
|
# Default permissions (ACIs)
|
|
############################################
|
|
|
|
# Group administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
# We need objectclass and gidnumber in modify so a non-posix group can be
|
|
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
|
|
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Hostgroup administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Service administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Delegation administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Automount administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Netgroup administration
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Service keytab admin
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Create virtual operations entry. This is used to control access to
|
|
# operations that don't rely on LDAP directly.
|
|
dn: cn=virtual operations,cn=etc,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: nsContainer
|
|
cn: virtual operations
|
|
|
|
# Retrieve Certificate virtual op
|
|
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Retrieve Certificates from the CA
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Request Certificate virtual op
|
|
dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Request Certificate
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Request Certificate from different host virtual op
|
|
dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Request Certificates from a different host
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Certificate Status virtual op
|
|
dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Get Certificates status from the CA
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Revoke Certificate virtual op
|
|
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Revoke Certificate
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Certificate Remove Hold virtual op
|
|
dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
objectClass: groupofnames
|
|
objectClass: ipapermission
|
|
cn: Certificate Remove Hold
|
|
member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
changetype: modify
|
|
add: aci
|
|
aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
|