freeipa/install/updates/40-vault.update
Jan Cholasta 2f3450249d vault: fix private service vault creation
https://fedorahosted.org/freeipa/ticket/5361

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-10-13 14:34:00 +02:00

25 lines
5.5 KiB
Plaintext

dn: cn=vaults,cn=kra,$SUFFIX
remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)