This should fix https://fedorahosted.org/freeipa/ticket/3829


--
Petr³
From f5127411bdc21102022ed3d4849371501fc625f7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 28 Apr 2014 14:23:19 +0200
Subject: [PATCH] Replace "replica admins read access" ACI with a permission

Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829
---
 install/share/replica-acis.ldif                    |  5 --
 install/updates/20-aci.update                      |  5 ++
 .../install/plugins/update_managed_permissions.py  | 61 ++++++++++++++++++++++
 3 files changed, 66 insertions(+), 5 deletions(-)

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index f4e96139f356826b1c6e07f7dfdfad2de42aafbd..8c0bc8ec3826a57ee531726cfeec2789484a3032 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,10 +1,5 @@
 # Replica administration
 
-dn: cn=config
-changetype: modify
-add: aci
-aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2e572ab72ff793c41a4300562caead6c77..f31c2017796d17ab988f0426fa2e6617bbc50062 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,8 @@ dn: $SUFFIX
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
+
+# Removal of obsolete ACIs
+dn: cn=config
+# Replaced by 'System: Read Replication Agreements'
+remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
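Review bot: The removed ACI on the last line granted `(targetattr != aci)` read/search/compare over everything under cn=config to the 'Modify Replication Agreements' group, whereas the replacement permission is scoped by a targetfilter to the replication-related objectclasses and an explicit attribute list, so this is a deliberate narrowing rather than a one-to-one replacement. The comment above the removal should say so, so that an operator debugging a lost read on some other cn=config entry knows where the access went: `# Replaced by 'System: Read Replication Agreements' (narrower: replication entries only, not all of cn=config)`. Whether anything in the existing install relied on the wider grant cannot be told from this hunk.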
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index bffd9bbf434e76c9c6d74d0167a718acc96a54b1..637e546498ca4ed843797198afa3b8bd89445980 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -155,6 +155,67 @@
             'ipantdomainguid', 'ipantfallbackprimarygroup',
         },
     },
+    'System: Read Replication Agreements': {
+        'ipapermlocation': DN('cn=config'),
+        'ipapermtargetfilter': {
+            '(|'
+                '(objectclass=nsds5Replica)'
+                '(objectclass=nsds5replicationagreement)'
+                '(objectclass=nsDSWindowsReplicationAgreement)'
+                '(objectClass=nsMappingTree)'
+            ')'
+        },
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass',
+            # nsds5Replica
+            'nsds5replicaroot', 'nsds5replicaid', 'nsds5replicacleanruv',
+            'nsds5replicaabortcleanruv', 'nsds5replicatype',
+            'nsds5replicabinddn', 'nsstate', 'nsds5replicaname',
+            'nsds5flags', 'nsds5task', 'nsds5replicareferral',
+            'nsds5replicaautoreferral', 'nsds5replicapurgedelay',
+            'nsds5replicatombstonepurgeinterval', 'nsds5replicachangecount',
+            'nsds5replicalegacyconsumer', 'nsds5replicaprotocoltimeout',
+            'nsds5replicabackoffmin', 'nsds5replicabackoffmax',
+            # nsds5replicationagreement
+            'nsds5replicacleanruvnotified', 'nsds5replicahost',
+            'nsds5replicaport', 'nsds5replicatransportinfo',
+            'nsds5replicabinddn', 'nsds5replicacredentials',
+            'nsds5replicabindmethod', 'nsds5replicaroot',
+            'nsds5replicatedattributelist',
+            'nsds5replicatedattributelisttotal', 'nsds5replicaupdateschedule',
+            'nsds5beginreplicarefresh', 'description', 'nsds50ruv',
+            'nsruvreplicalastmodified', 'nsds5replicatimeout',
+            'nsds5replicachangessentsincestartup', 'nsds5replicalastupdateend',
+            'nsds5replicalastupdatestart', 'nsds5replicalastupdatestatus',
+            'nsds5replicaupdateinprogress', 'nsds5replicalastinitend',
+            'nsds5replicaenabled', 'nsds5replicalastinitstart',
+            'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+            'nsds5replicabusywaittime', 'nsds5replicastripattrs',
+            'nsds5replicasessionpausetime', 'nsds5replicaprotocoltimeout',
+            # nsDSWindowsReplicationAgreement
+            'nsds5replicahost', 'nsds5replicaport',
+            'nsds5replicatransportinfo', 'nsds5replicabinddn',
+            'nsds5replicacredentials', 'nsds5replicabindmethod',
+            'nsds5replicaroot', 'nsds5replicatedattributelist',
+            'nsds5replicaupdateschedule', 'nsds5beginreplicarefresh',
+            'description', 'nsds50ruv', 'nsruvreplicalastmodified',
+            'nsds5replicatimeout', 'nsds5replicachangessentsincestartup',
+            'nsds5replicalastupdateend', 'nsds5replicalastupdatestart',
+            'nsds5replicalastupdatestatus', 'nsds5replicaupdateinprogress',
+            'nsds5replicalastinitend', 'nsds5replicalastinitstart',
+            'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
+            'nsds5replicabusywaittime', 'nsds5replicasessionpausetime',
+            'nsds7windowsreplicasubtree', 'nsds7directoryreplicasubtree',
+            'nsds7newwinusersyncenabled', 'nsds7newwingroupsyncenabled',
+            'nsds7windowsdomain', 'nsds7dirsynccookie', 'winsyncinterval',
+            'onewaysync', 'winsyncmoveaction', 'nsds5replicaenabled',
+            'winsyncdirectoryfilter', 'winsyncwindowsfilter',
+            'winsyncsubtreepair',
+        },
+        'default_privileges': {'Replication Administrators'},
+    }
 }
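Review bot: `'ipapermbindruletype': 'all'` on the new 'System: Read Replication Agreements' entry looks inconsistent with `'default_privileges': {'Replication Administrators'}` just below it: as far as I know, bind rule type 'all' makes the generated ACI grant the rights to every authenticated user, while the privilege assignment only has effect when the bind rule type is 'permission'. The ACI being replaced was limited to the 'Modify Replication Agreements' group, and the default attribute set here includes `nsds5replicabinddn` and `nsds5replicacredentials`, so 'all' would widen who can read replication bind configuration well beyond replication administrators; if the intent is access through the privilege, the line should be `'ipapermbindruletype': 'permission',`. Please confirm the semantics of 'all' against the permission plugin, since the other managed permissions in this dict are outside the hunk. As a minor style point, the closing `}` of the new entry lacks the trailing comma the preceding entry has, which will make the next addition a two-line diff.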
 
 
-- 
1.9.0
