mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 00:20:04 -06:00
9005b9bc8a
Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321
17 lines
944 B
Plaintext
17 lines
944 B
Plaintext
# Let a delegated user put the database into read-only mode when deleting
|
|
# an agreement.
|
|
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
|
add:aci: '(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
|
|
|
|
# Add rules to manage DNA ranges
|
|
dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Modify DNA Range
|
|
default:ipapermissiontype: SYSTEM
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
|
add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
|