e3ffab
From 18e8a2c23dd05724867cd5da82f5fe20936e3df2 Mon Sep 17 00:00:00 2001
e3ffab
From: Martin Kosek <mkosek@redhat.com>
e3ffab
Date: Wed, 14 Jan 2015 16:36:16 +0100
e3ffab
Subject: [PATCH] Allow Replication Administrators manipulate Winsync
e3ffab
 Agreements
e3ffab
e3ffab
Replication Administrators members were not able to set up changelog5
e3ffab
entry in cn=config or list winsync agreements.
e3ffab
e3ffab
To allow reading winsync replicas, the original deny ACI cn=replica
e3ffab
had to be removed as it prevented admins from reading the entries,
e3ffab
but just anonymous/authenticated users.
e3ffab
e3ffab
https://fedorahosted.org/freeipa/ticket/4836
e3ffab
e3ffab
Reviewed-By: David Kupka <dkupka@redhat.com>
e3ffab
---
e3ffab
 install/updates/20-aci.update        |  2 +-
e3ffab
 install/updates/40-delegation.update | 23 +++++++++++++++++++++++
e3ffab
 2 files changed, 24 insertions(+), 1 deletion(-)
e3ffab
e3ffab
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
e3ffab
index 9bbb7e4bb8d51b3d957d1f63d2c889e793276598..b920ef83d8580911d9a9c577e3ed6a9356da69e2 100644
e3ffab
--- a/install/updates/20-aci.update
e3ffab
+++ b/install/updates/20-aci.update
e3ffab
@@ -26,7 +26,7 @@ dn: $SUFFIX
e3ffab
 add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
e3ffab
 
e3ffab
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
e3ffab
-add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
e3ffab
+remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
e3ffab
 
e3ffab
 # Read access to masters and their services
e3ffab
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
e3ffab
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
e3ffab
index a79f906ea3e29b8b6755a62ac84d318d6abdd6cc..32af498190a23ddfd202a5cad75409f60a70d78b 100644
e3ffab
--- a/install/updates/40-delegation.update
e3ffab
+++ b/install/updates/40-delegation.update
e3ffab
@@ -214,3 +214,26 @@ default:ipapermissiontype: SYSTEM
e3ffab
 
e3ffab
 dn: cn=config
e3ffab
 add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
e3ffab
+
e3ffab
+# Replication Administrators
e3ffab
+dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
e3ffab
+default:objectClass: groupofnames
e3ffab
+default:objectClass: ipapermission
e3ffab
+default:objectClass: top
e3ffab
+default:cn: Read LDBM Database Configuration
e3ffab
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
e3ffab
+default:ipapermissiontype: SYSTEM
e3ffab
+
e3ffab
+dn: cn=config
e3ffab
+add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
e3ffab
+
e3ffab
+dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
e3ffab
+default:objectClass: groupofnames
e3ffab
+default:objectClass: ipapermission
e3ffab
+default:objectClass: top
e3ffab
+default:cn: Add Configuration Sub-Entries
e3ffab
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
e3ffab
+default:ipapermissiontype: SYSTEM
e3ffab
+
e3ffab
+dn: cn=config
e3ffab
+add:aci: '(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
e3ffab
-- 
e3ffab
2.1.0
e3ffab