From 93b58fdbcf1da0a952386e6c8f4e20c344db903c Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>

Date: Wed, 21 Nov 2018 00:01:02 +0100

Subject: [PATCH] Add a "Find enabled services" ACI in 20-aci.update so that

 all users can find IPA servers and services. ACI suggested by Christian

 Heimes.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Fixes: https://pagure.io/freeipa/issue/7691

Signed-off-by: François Cami <fcami@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

---

 install/updates/20-aci.update | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update

index 184749d78106c30fdf542c1fe1c52cb11b53a83e..7650cb48101d866b3a094ec9ab11378de4f68232 100644

--- a/install/updates/20-aci.update

+++ b/install/updates/20-aci.update

@@ -36,6 +36,10 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea

 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX

 add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)

+# Allow users to discover enabled services

+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX

+add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)

+

 # Allow hosts to read masters service configuration

 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX

 add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)

-- 

2.17.2