mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-16 11:21:56 -06:00
0dfcf1d9db
https://fedorahosted.org/freeipa/ticket/5250 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
271 lines
13 KiB
Plaintext
271 lines
13 KiB
Plaintext
# IPA configuration
|
|
|
|
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: nestedgroup
|
|
default:cn: Write IPA Configuration
|
|
default:description: Write IPA Configuration
|
|
|
|
dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Write IPA Configuration
|
|
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
add:aci: (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Host-Based Access Control
|
|
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: HBAC Administrator
|
|
default:description: HBAC Administrator
|
|
|
|
# SUDO
|
|
|
|
dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Sudo Administrator
|
|
default:description: Sudo Administrator
|
|
|
|
# Password Policy
|
|
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Password Policy Administrator
|
|
default:description: Password Policy Administrator
|
|
|
|
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
add:member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
# The original DNS permissions lacked the tag.
|
|
dn: $SUFFIX
|
|
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# SELinux User Mapping
|
|
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: nestedgroup
|
|
default:cn: SELinux User Map Administrators
|
|
default:description: SELinux User Map Administrators
|
|
|
|
dn: cn=ipa,cn=etc,$SUFFIX
|
|
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
|
|
# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
|
|
# to privilege "Host Administrators"
|
|
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=ipa,cn=etc,$SUFFIX
|
|
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
|
|
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
|
add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
|
|
# Automember tasks
|
|
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Automember Task Administrator
|
|
default:description: Automember Task Administrator
|
|
|
|
dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Add Automember Rebuild Membership Task
|
|
default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
|
|
# Virtual operations
|
|
|
|
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: retrieve certificate
|
|
|
|
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate
|
|
|
|
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate different host
|
|
|
|
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: certificate status
|
|
|
|
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: revoke certificate
|
|
|
|
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: certificate remove hold
|
|
|
|
dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate with subjectaltname
|
|
|
|
dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Request Certificate with SubjectAltName
|
|
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate ignore caacl
|
|
|
|
dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Request Certificate ignoring CA ACLs
|
|
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
|
|
# Read privileges
|
|
dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: RBAC Readers
|
|
default:description: Read roles, privileges, permissions and ACIs
|
|
|
|
dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Password Policy Readers
|
|
default:description: Read password policies
|
|
|
|
dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Kerberos Ticket Policy Readers
|
|
default:description: Read global and per-user Kerberos ticket policy
|
|
|
|
dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Automember Readers
|
|
default:description: Read Automember definitions
|
|
|
|
dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: IPA Masters Readers
|
|
default:description: Read list of IPA masters
|
|
|
|
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
|
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
|
|
# PassSync
|
|
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: PassSync Service
|
|
default:description: PassSync Service
|
|
|
|
dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Read PassSync Managers Configuration
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Modify PassSync Managers Configuration
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Replication Administrators
|
|
dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Read LDBM Database Configuration
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Add Configuration Sub-Entries
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# CA Administrators
|
|
dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: CA Administrator
|
|
default:description: CA Administrator
|
|
|
|
# Vault Administrators
|
|
dn: cn=Vault Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Vault Administrators
|
|
default:description: Vault Administrators
|