From 4760c15cb2c8692b0e258ef62234aa18ab5fc193 Mon Sep 17 00:00:00 2001
|
|
From: Martin Kosek <mkosek@redhat.com>
|
|
Date: Tue, 10 Jul 2012 15:27:37 +0200
|
|
Subject: [PATCH 19/79] Add automount map/key update permissions
|
|
|
|
Add missing permissions that can be used to delegate write access
|
|
to existing automount maps or keys.
|
|
|
|
Since automount key RDN has been changed in the past from "automountkey"
|
|
to "description" and there can be LDAP entries with both RDNs,
|
|
the structure of the relevant ACIs needs to be changed to a different scheme. Now,
|
|
it rather targets a DN of parent automount map object and uses
|
|
targetfilter to limit the target to automount key objects only.
|
|
|
|
https://fedorahosted.org/freeipa/ticket/2687
|
|
---
|
|
install/share/delegation.ldif | 22 ++++++++++++++++++++--
|
|
install/updates/40-delegation.update | 21 +++++++++++++++++++++
|
|
2 files changed, 41 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
|
|
index c612408412cdf1f4e2ec3b7e524fe1d7aa329fca..f62062fe498634d56128ebf78874c3ba91d7d09b 100644
|
|
--- a/install/share/delegation.ldif
|
|
+++ b/install/share/delegation.ldif
|
|
@@ -417,6 +417,14 @@ objectClass: ipapermission
|
|
cn: Remove Automount maps
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
+dn: cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
+changetype: add
|
|
+objectClass: top
|
|
+objectClass: groupofnames
|
|
+objectClass: ipapermission
|
|
+cn: Modify Automount maps
|
|
+member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
+
|
|
dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
@@ -425,6 +433,14 @@ objectClass: ipapermission
|
|
cn: Add Automount keys
|
|
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
|
|
+dn: cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
+changetype: add
|
|
+objectClass: top
|
|
+objectClass: groupofnames
|
|
+objectClass: ipapermission
|
|
+cn: Modify Automount keys
|
|
+member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
+
|
|
dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
changetype: add
|
|
objectClass: top
|
|
@@ -636,8 +652,10 @@ changetype: modify
|
|
add: aci
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
-aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
-aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
+aci: (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
|
|
+aci: (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
+aci: (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
+aci: (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
|
|
|
|
# Netgroup administration
|
|
|
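Review bot: The new "Modify Automount maps" ACI (the first added `aci:` line in this hunk) carries no targetfilter, while the Add/Remove/Modify key ACIs beside it pair the same `target = "ldap:///automountmapname=*,cn=automount,$SUFFIX"` with `(targetfilter = "(objectclass=automount)")` — that target evidently reaches the key entries beneath a map, so the maps ACI also grants write on `description` (and `automountmapname`) for every key entry under the map. A holder of "Modify Automount maps" can therefore change key descriptions, and since the commit message notes that some keys use `description` as their RDN, the grant is wider than the permission name suggests. Scoping it with a filter on the map object class, e.g. `(targetfilter = "(objectclass=automountmap)")` (the map class name is my assumption from the schema naming; confirm it), would keep the right to map entries only. The same unfiltered ACI is added again in the 40-delegation.update hunk on its `add:aci:` line for Modify Automount maps, and should be fixed there as well.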
|
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
|
|
index 09b8056871adbc44bf1430d54fc0b044dba11b38..de112d99d9a5bdbe553d9ec94016e852524494d6 100644
|
|
--- a/install/updates/40-delegation.update
|
|
+++ b/install/updates/40-delegation.update
|
|
@@ -306,6 +306,27 @@ add:aci:'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(versio
|
|
dn: $SUFFIX
|
|
add:aci:'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)'
|
|
|
|
+# Automount maps and keys
|
|
+dn: cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX
|
|
+default:objectClass: top
|
|
+default:objectClass: groupofnames
|
|
+default:objectClass: ipapermission
|
|
+default:cn: Modify Automount maps
|
|
+default:member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
+
|
|
+dn: cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX
|
|
+default:objectClass: top
|
|
+default:objectClass: groupofnames
|
|
+default:objectClass: ipapermission
|
|
+default:cn: Modify Automount keys
|
|
+default:member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
|
+
|
|
+dn: $SUFFIX
|
|
+add:aci:'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)'
|
|
+add:aci:'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
|
|
+replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
|
|
+replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
|
|
+
|
|
# SSH public keys
|
|
dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
|
|
default:objectClass: top
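Review bot: The two `replace:aci:` lines in this hunk change the key ACIs from an RDN-based target to a parent-map target plus objectclass filter, but the update file itself gives no hint why; only the commit message explains the dual `automountkey`/`description` RDN situation. A one-line comment above them, such as `# key RDN may be automountkey or description, so target the parent map and filter on objectclass=automount instead`, would stop a later reader from "tightening" the target back to `automountkey=*`. Separately, a `replace:` directive presumably only fires when the old value matches byte for byte, so an installation whose key ACIs were ever edited by hand would keep the old, narrower ACIs; that is inferred from the directive form, not visible here, but worth checking in the updater.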
|
|
--
|
|
1.7.11.2