From 18e8a2c23dd05724867cd5da82f5fe20936e3df2 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 14 Jan 2015 16:36:16 +0100
Subject: [PATCH] Allow Replication Administrators manipulate Winsync
Agreements
Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.
To allow reading winsync replicas, the original deny ACI cn=replica
had to be removed as it prevented admins from reading the entries,
not just anonymous/authenticated users.
https://fedorahosted.org/freeipa/ticket/4836
Reviewed-By: David Kupka <dkupka@redhat.com>
---
install/updates/20-aci.update | 2 +-
install/updates/40-delegation.update | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 9bbb7e4bb8d51b3d957d1f63d2c889e793276598..b920ef83d8580911d9a9c577e3ed6a9356da69e2 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -26,7 +26,7 @@ dn: $SUFFIX
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
+remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
# Read access to masters and their services
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
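Review bot: Removing the "Deny read access to replica configuration" ACI on cn=replicas leaves nothing in this hunk that restricts anonymous reads of that container, while the "Anonymous read access to containers" ACI a few lines above still allows read, search and compare of cn and objectclass on every nsContainer entry except cn=masters, so cn=replicas and its nsContainer children presumably become visible to anyone. If the goal is only to stop blocking Replication Administrators, the anonymous exposure should be handled in the same change, for example by excluding cn=replicas from that anonymous ACI the way cn=masters already is (a 389-ds ACI takes a single target keyword, so this may need a targetfilter rather than a second target clause), or by a deny rule that exempts the administrators group. A `remove:aci:` directive only takes effect when the stored value matches this string exactly, so deployments whose stored ACI differs in whitespace or ordering would silently keep the deny; that is worth verifying on an upgraded instance. A comment above the directive recording the reason and what now governs reads of cn=replicas would help the next reader, e.g. `# Deny ACI removed: it also blocked Replication Administrators; anonymous access to cn=replicas is now controlled by the container ACIs above`.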
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index a79f906ea3e29b8b6755a62ac84d318d6abdd6cc..32af498190a23ddfd202a5cad75409f60a70d78b 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -214,3 +214,26 @@ default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Replication Administrators
+dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Read LDBM Database Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Add Configuration Sub-Entries
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
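Review bot: The "Add Configuration Sub-Entries" ACI on the last added line has no target, targetfilter or targetattr, so it grants Replication Administrators the right to add an entry anywhere under cn=config, not only the changelog5 entry the commit message names. Adding arbitrary entries under cn=config covers plugin and backend configuration, which amounts to directory-server administration and is a much broader privilege than replication management requires. Scope the rule to what the use case needs, e.g. `(target = "ldap:///cn=changelog5,cn=config")`, or a targetfilter on the changelog object class if the DN must stay flexible, mirroring how the other cn=config ACIs in this hunk name a target. The "Read LDBM Database Configuration" ACI above is correctly bounded by both target and targetattr and needs no change.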
--
2.1.0