From f123b01d81696c52e9a4008d46e549864e4a8069 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 3 May 2023 10:47:19 +0300
Subject: [PATCH] updates: add ACIs for RBCD self-management

Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy
Reviewed-By: Rob Crittenden
Reviewed-By: Julien Rische
---
 install/updates/73-service-rbcd.update | 5 +++++
 install/updates/Makefile.am | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 install/updates/73-service-rbcd.update

diff --git a/install/updates/73-service-rbcd.update b/install/updates/73-service-rbcd.update
new file mode 100644
index 00000000000..08a8b0f84a7
--- /dev/null
+++ b/install/updates/73-service-rbcd.update
@@ -0,0 +1,5 @@
+dn: $SUFFIX
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Kerberos principals can manage resource-based constrained delegation for themselves";allow (write) userdn = "ldap:///self";)
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Managing principals can manage resource-based constrained delegation for other principals";allow (write) userattr = "managedby#GROUPDN" or userattr = "managedby#USERDN";)
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Delegated permission to manage resource-based constrained delegation for other principals";allow (write) userattr="ipaAllowedToPerform;write_delegation#GROUPDN" or userattr="ipaAllowedToPerform;write_delegation#USERDN" ;)
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fbc1b76ae4e..fd96831d8fd 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
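Review bot: None of the three new ACIs carries a `target` or `targetfilter`, so the `ldap:///self` rule and the `managedby` rule apply to every entry under `$SUFFIX` rather than only to the service and host principal entries RBCD is meant for; a scope such as `(targetfilter="(objectclass=krbprincipalaux)")` placed before `(targetattr = "memberPrincipal")` would confine the grant to Kerberos principal entries, if that is the intended population. The `targattrfilters` clause only lists `add=`, so removal of the `resourcedelegation` objectclass value is presumably left to other ACIs — worth confirming that is deliberate and documenting it in the file header. The third ACI also ends in `#USERDN" ;)` with a space the other two do not have; normalising it to `#USERDN";)` keeps the three rules textually consistent.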
@@ -66,6 +66,7 @@ app_DATA = \
 	73-subid.update \
 	73-winsync.update \
 	73-certmap.update \
+	73-service-rbcd.update \
 	75-user-trust-attributes.update \
 	80-schema_compat.update \
 	81-externalmembers.update \