29a8615cf3
DNS privileges are important for handling DNS locations, which can be created without DNS servers in the IPA topology. We will also need these privileges present for the future feature 'External DNS support' https://fedorahosted.org/freeipa/ticket/2008 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
# IPA configuration
|
|
|
|
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: nestedgroup
|
|
default:cn: Write IPA Configuration
|
|
default:description: Write IPA Configuration
|
|
|
|
dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Write IPA Configuration
|
|
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
add:aci: (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Host-Based Access Control
|
|
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: HBAC Administrator
|
|
default:description: HBAC Administrator
|
|
|
|
# SUDO
|
|
|
|
dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Sudo Administrator
|
|
default:description: Sudo Administrator
|
|
|
|
# Password Policy
|
|
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Password Policy Administrator
|
|
default:description: Password Policy Administrator
|
|
|
|
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
|
add:member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
|
|
|
# The original DNS permission ACIs lacked the "permission:" prefix in their acl
# name (compare "Add DNS entries" with "permission:Write IPA Configuration"), so
# the untagged ACIs are removed here; this file does not re-add them.
|
|
dn: $SUFFIX
|
|
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# SELinux User Mapping
|
|
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: nestedgroup
|
|
default:cn: SELinux User Map Administrators
|
|
default:description: SELinux User Map Administrators
|
|
|
|
# Replace the per-host ACIs, which were granted to the single host named by
# userdn fqdn=$FQDN, with ACIs granted to the ipaservers hostgroup: every member
# of cn=ipaservers may now add entries under cn=ca_renewal and write
# userCertificate on them. Membership of that hostgroup is therefore
# security-sensitive, since any host added to it gains write access to the
# certificates used for CA renewal.
dn: cn=ipa,cn=etc,$SUFFIX
|
|
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
|
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
|
|
|
# Add the permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
# to the privilege "Host Administrators". Nothing in this file scopes the
# "revoke certificate" virtual operation to host certificates, so confirm the
# intended reach of this grant before assigning Host Administrators widely.
|
|
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
|
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
|
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
# Same migration as for the renewal entries: write access to cACertificate on
# cn=CAcert moves from the single host named by $FQDN to every member of the
# ipaservers hostgroup. This attribute holds the CA certificate clients trust,
# so the hostgroup membership must be kept to genuine IPA servers.
dn: cn=ipa,cn=etc,$SUFFIX
|
|
remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
|
|
|
# Migrate write access on the CA entry of the certificate store (entries with
# objectClass=ipaCertificate and ipaConfigString=ipaCA, attributes
# ipaCertIssuerSerial and cACertificate) from the host named by $FQDN to the
# ipaservers hostgroup. The targetfilter keeps the grant limited to the CA
# entry; other ipaCertificate entries are not covered by this ACI.
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
|
remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
|
|
|
# Automember tasks
|
|
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Automember Task Administrator
|
|
default:description: Automember Task Administrator
|
|
|
|
dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Add Automember Rebuild Membership Task
|
|
default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
|
|
# Virtual operations
|
|
|
|
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: retrieve certificate
|
|
|
|
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate
|
|
|
|
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate different host
|
|
|
|
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: certificate status
|
|
|
|
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: revoke certificate
|
|
|
|
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: certificate remove hold
|
|
|
|
dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate with subjectaltname
|
|
|
|
dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Request Certificate with SubjectAltName
|
|
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: nsContainer
|
|
default:cn: request certificate ignore caacl
|
|
|
|
dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:cn: Request Certificate ignoring CA ACLs
|
|
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
dn: $SUFFIX
|
|
add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
|
|
# Read privileges
|
|
dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: RBAC Readers
|
|
default:description: Read roles, privileges, permissions and ACIs
|
|
|
|
dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Password Policy Readers
|
|
default:description: Read password policies
|
|
|
|
dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Kerberos Ticket Policy Readers
|
|
default:description: Read global and per-user Kerberos ticket policy
|
|
|
|
dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Automember Readers
|
|
default:description: Read Automember definitions
|
|
|
|
dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: IPA Masters Readers
|
|
default:description: Read list of IPA masters
|
|
|
|
# Migrate the "Read IPA Masters" and "Modify IPA Masters" ACIs from the single
# host named by $FQDN to the ipaservers hostgroup. Read covers cn, objectClass
# and ipaConfigString on nsContainer entries under cn=masters; write is limited
# to ipaConfigString. Any host in cn=ipaservers can therefore change the
# ipaConfigString values that describe the masters, so keep that hostgroup
# restricted to real IPA servers.
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
|
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
|
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
|
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
|
|
|
# PassSync
|
|
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: PassSync Service
|
|
default:description: PassSync Service
|
|
|
|
dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Read PassSync Managers Configuration
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Modify PassSync Managers Configuration
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Replication Administrators
|
|
dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Read LDBM Database Configuration
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
dn: cn=config
|
|
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: groupofnames
|
|
default:objectClass: ipapermission
|
|
default:objectClass: top
|
|
default:cn: Add Configuration Sub-Entries
|
|
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:ipapermissiontype: SYSTEM
|
|
|
|
# This ACI carries no target, targetattr or targetfilter clause, so it allows
# members of the "Add Configuration Sub-Entries" permission group to add
# entries anywhere beneath cn=config, not only replication-related ones.
# That is a broad grant on the server configuration tree; keep the permission
# assigned to Replication Administrators only and do not widen its membership.
dn: cn=config
|
|
add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# CA Administrators
|
|
dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: CA Administrator
|
|
default:description: CA Administrator
|
|
|
|
# Vault Administrators
|
|
dn: cn=Vault Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: nestedgroup
|
|
default:objectClass: groupofnames
|
|
default:objectClass: top
|
|
default:cn: Vault Administrators
|
|
default:description: Vault Administrators
|
|
|
|
|
|
# Locations - always create the DNS related privileges, even when no IPA DNS
# server is installed, because DNS locations can be created without DNS servers
# in the topology and depend on these privileges existing.
|
|
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: nestedgroup
|
|
default:cn: DNS Administrators
|
|
default:description: DNS Administrators
|
|
|
|
dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
|
|
default:objectClass: top
|
|
default:objectClass: groupofnames
|
|
default:objectClass: nestedgroup
|
|
default:cn: DNS Servers
|
|
default:description: DNS Servers
|