# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
allow (r
ead, search, compare) userdn
="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target ="ldap:///cn=automember rebuild
membership,cn=tasks,cn=config")(
targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
Membership T
ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
Membership Task
,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ob
jectclass || passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,cn=plu
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
Configura
tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
PassSync Manager
s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,
cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
Managers C
onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ns
slapd-directory* || objectclass")(target =
"ldap:///cn=config,cn=ldbm databas
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
Database Confi
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
LDBM Databas
e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration
Sub-Entries";allow (add) g
roupdn = "ldap:///cn=Add Configuration
Sub-Entries,cn=permissions,cn=pbac,dc=
ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn
|| modify
timestamp || nsds50ruv || nsds5beginreplicarefresh ||
nsds5debugreplicatimeou
t || nsds5flags || nsds5replicaabortcleanruv ||
nsds5replicaautoreferral || n
sds5replicabackoffmax || nsds5replicabackoffmin ||
nsds5replicabinddn || nsds
5replicabindmethod || nsds5replicabusywaittime ||
nsds5replicachangecount ||
nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
nsds5replicacl
eanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||
nsds5repl
icahost || nsds5replicaid || nsds5replicalastinitend ||
nsds5replicalastinits
tart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||
nsds5repli
calastupdatestart || nsds5replicalastupdatestatus ||
nsds5replicalegacyconsum
er || nsds5replicaname || nsds5replicaport ||
nsds5replicaprotocoltimeout ||
nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot
|| nsds5re
plicasessionpausetime || nsds5replicastripattrs ||
nsds5replicatedattributeli
st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
nsds5replic
atombstonepurgeinterval || nsds5replicatransportinfo ||
nsds5replicatype || n
sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
nsds5task || nsd
s7directoryreplicasubtree || nsds7dirsynccookie ||
nsds7newwingroupsyncenable
d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
nsds7windowsreplicas
ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
onewaysync ||
winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||
winsyncsub
treepair || winsyncwindowsfilter")(targetfilter =
"(|(objectclass=nsds5Replic
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl
"permission:System: R
ead Replication Agreements";allow (compare,read,search) groupdn =
"ldap:///cn
=System: Read Replication
Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
n,dc=net";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
3.0;acl
"snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
re-initializatio
n"; allow (add) groupdn = "ldap:///cn=Modify Replication
Agreements,cn=permis
sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
replica re
-initialization"; allow (add) userdn =
"ldap:///uid=pkidbuser,ou=people,o=ipa
ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
allow (read
, compare, search) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
membershi
p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
Automember Ta
sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read
Automembe
r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage
replication use
rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
allow( rea
d, search ) userdn ="ldap:///all";)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
allow (read,
search, compare, proxy) userdn ="ldap:///anyone"; )
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
Agreements";al
low (add) groupdn = "ldap:///cn=Add Replication
Agreements,cn=permissions,cn=
pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify
Replication Agreeme
nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
Replication Ag
reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
"permission:Rem
ove Replication Agreements";allow (delete) groupdn =
"ldap:///cn=Remove Repli
cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
Agreements"
;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
Replication Agre
ements"; allow (read, write, search) userdn =
"ldap:///uid=pkidbuser,ou=peopl
e,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
manager:
Remove Replication Agreements";allow (delete) userdn =
"ldap:///uid=pkidbuser
,ou=people,o=ipaca";)
# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
searches"; a
llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
3.0;acl
"permission:Modify DNA Range";allow (write) groupdn =
"ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
|| dnaThre
shold || dnaType || objectclass)(version 3.0;acl "permission:Read
DNA Range";
allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
Range,cn=permiss
ions,cn=pbac,dc=ipatestdomain,dc=net";)
# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
the databas
e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
Agreement
s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# search result
search: 2
result: 0 Success
# numResponses: 12
# numEntries: 11
============================================================================
2. ACL on dc1 while it is still FreeIPA 4.2.0 on CentOS 7.2, after a
Fedora 23 FreeIPA 4.2.3 server (dc2) has joined the domain. Kept for
reference to show that the CentOS server's ACIs have not changed yet.
Note that this listing was taken bound as uid=admin (see the ldapsearch
command below), whereas listings 3 and 4 were taken as cn=directory
manager; an identity subject to ACIs could in principle see a different
subset of aci values than Directory Manager, so compare like with like.
============================================================================
================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3
=========================
[root@dc1 ~]# ldapsearch -b "cn=config" -D
"uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
Enter LDAP Password:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
allow (r
ead, search, compare) userdn
="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target ="ldap:///cn=automember rebuild
membership,cn=tasks,cn=config")(
targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
Membership T
ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
Membership Task
,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ob
jectclass || passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,cn=plu
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
Configura
tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
PassSync Manager
s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,
cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
Managers C
onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ns
slapd-directory* || objectclass")(target =
"ldap:///cn=config,cn=ldbm databas
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
Database Confi
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
LDBM Databas
e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration
Sub-Entries";allow (add) g
roupdn = "ldap:///cn=Add Configuration
Sub-Entries,cn=permissions,cn=pbac,dc=
ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn
|| modify
timestamp || nsds50ruv || nsds5beginreplicarefresh ||
nsds5debugreplicatimeou
t || nsds5flags || nsds5replicaabortcleanruv ||
nsds5replicaautoreferral || n
sds5replicabackoffmax || nsds5replicabackoffmin ||
nsds5replicabinddn || nsds
5replicabindmethod || nsds5replicabusywaittime ||
nsds5replicachangecount ||
nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
nsds5replicacl
eanruvnotified || nsds5replicacredentials || nsds5replicaenabled ||
nsds5repl
icahost || nsds5replicaid || nsds5replicalastinitend ||
nsds5replicalastinits
tart || nsds5replicalastinitstatus || nsds5replicalastupdateend ||
nsds5repli
calastupdatestart || nsds5replicalastupdatestatus ||
nsds5replicalegacyconsum
er || nsds5replicaname || nsds5replicaport ||
nsds5replicaprotocoltimeout ||
nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot
|| nsds5re
plicasessionpausetime || nsds5replicastripattrs ||
nsds5replicatedattributeli
st || nsds5replicatedattributelisttotal || nsds5replicatimeout ||
nsds5replic
atombstonepurgeinterval || nsds5replicatransportinfo ||
nsds5replicatype || n
sds5replicaupdateinprogress || nsds5replicaupdateschedule ||
nsds5task || nsd
s7directoryreplicasubtree || nsds7dirsynccookie ||
nsds7newwingroupsyncenable
d || nsds7newwinusersyncenabled || nsds7windowsdomain ||
nsds7windowsreplicas
ubtree || nsruvreplicalastmodified || nsstate || objectclass ||
onewaysync ||
winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction ||
winsyncsub
treepair || winsyncwindowsfilter")(targetfilter =
"(|(objectclass=nsds5Replic
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl
"permission:System: R
ead Replication Agreements";allow (compare,read,search) groupdn =
"ldap:///cn
=System: Read Replication
Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
n,dc=net";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
3.0;acl
"snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
re-initializatio
n"; allow (add) groupdn = "ldap:///cn=Modify Replication
Agreements,cn=permis
sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
replica re
-initialization"; allow (add) userdn =
"ldap:///uid=pkidbuser,ou=people,o=ipa
ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
allow (read
, compare, search) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild
membershi
p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read
Automember Ta
sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read
Automembe
r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage
replication use
rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
allow( rea
d, search ) userdn ="ldap:///all";)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
allow (read,
search, compare, proxy) userdn ="ldap:///anyone"; )
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
Agreements";al
low (add) groupdn = "ldap:///cn=Add Replication
Agreements,cn=permissions,cn=
pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify
Replication Agreeme
nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
Replication Ag
reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
"permission:Rem
ove Replication Agreements";allow (delete) groupdn =
"ldap:///cn=Remove Repli
cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
Agreements"
;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
Replication Agre
ements"; allow (read, write, search) userdn =
"ldap:///uid=pkidbuser,ou=peopl
e,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
manager:
Remove Replication Agreements";allow (delete) userdn =
"ldap:///uid=pkidbuser
,ou=people,o=ipaca";)
# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
searches"; a
llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
3.0;acl
"permission:Modify DNA Range";allow (write) groupdn =
"ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
|| dnaThre
shold || dnaType || objectclass)(version 3.0;acl "permission:Read
DNA Range";
allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
Range,cn=permiss
ions,cn=pbac,dc=ipatestdomain,dc=net";)
# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
the databas
e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
Agreement
s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# search result
search: 2
result: 0 Success
# numResponses: 12
# numEntries: 11
============================================================================
3. ACL on dc2 now that it is a Fedora 23 FreeIPA 4.2.3 server,
installed from a replica file generated on dc1 (the CentOS server that
still has the full set of ACIs). Compared with listing 2, two ACIs are
missing here: "permission:System: Read Replication Agreements" on
cn=config and "permission:System: Read Automember Tasks" on
cn=tasks,cn=config. Both are read/search/compare grants to a
permission group, so their absence withholds delegated read access
(e.g. for non-Directory-Manager tooling that relies on those
permissions) rather than granting anything extra. This listing is bound
as cn=directory manager, which is not subject to ACIs, so the gap is a
genuine absence in the entries and not a visibility artifact.
============================================================================
aci list on dc2
[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config"
"(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
allow (r
ead, search, compare) userdn
="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target ="ldap:///cn=automember rebuild
membership,cn=tasks,cn=config")(
targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
Membership T
ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
Membership Task
,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ob
jectclass || passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,cn=plu
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
Configura
tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
PassSync Manager
s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,
cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
Managers C
onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ns
slapd-directory* || objectclass")(target =
"ldap:///cn=config,cn=ldbm databas
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
Database Confi
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
LDBM Databas
e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration
Sub-Entries";allow (add) g
roupdn = "ldap:///cn=Add Configuration
Sub-Entries,cn=permissions,cn=pbac,dc=
ipatestdomain,dc=net";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
3.0;acl
"snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
re-initializatio
n"; allow (add) groupdn = "ldap:///cn=Modify Replication
Agreements,cn=permis
sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
replica re
-initialization"; allow (add) userdn =
"ldap:///uid=pkidbuser,ou=people,o=ipa
ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
allow (read
, compare, search) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
atestdomain,dc=net";)
# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage
replication use
rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
allow( rea
d, search ) userdn ="ldap:///all";)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
allow (read,
search, compare, proxy) userdn ="ldap:///anyone"; )
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
Agreements";al
low (add) groupdn = "ldap:///cn=Add Replication
Agreements,cn=permissions,cn=
pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify
Replication Agreeme
nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
Replication Ag
reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
"permission:Rem
ove Replication Agreements";allow (delete) groupdn =
"ldap:///cn=Remove Repli
cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
Agreements"
;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
Replication Agre
ements"; allow (read, write, search) userdn =
"ldap:///uid=pkidbuser,ou=peopl
e,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
manager:
Remove Replication Agreements";allow (delete) userdn =
"ldap:///uid=pkidbuser
,ou=people,o=ipaca";)
# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
searches"; a
llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
3.0;acl
"permission:Modify DNA Range";allow (write) groupdn =
"ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
|| dnaThre
shold || dnaType || objectclass)(version 3.0;acl "permission:Read
DNA Range";
allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
Range,cn=permiss
ions,cn=pbac,dc=ipatestdomain,dc=net";)
# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
the databas
e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
Agreement
s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# search result
search: 2
result: 0 Success
# numResponses: 12
# numEntries: 11
============================================================================
4. ACL on dc1 now that it too has been moved to Fedora 23 FreeIPA
4.2.3 (whether by in-place upgrade or reinstall from dc2's replica
file is not stated here): the same two ACIs are missing as in listing
3, "permission:System: Read Replication Agreements" on cn=config and
"permission:System: Read Automember Tasks" on cn=tasks,cn=config, so
the loss is now present on both servers. Unrelated to the upgrade but
worth checking: in every listing the "Admin can read all tasks" ACI on
cn=tasks,cn=config names its groupdn under dc=gripatestdomain,dc=net
(the wrapped "dc=grip" / "atestdomain,dc=net" lines) instead of
dc=ipatestdomain,dc=net like every other ACI. If that is not an
artifact of anonymising this paste, the ACI never matches the real
admins group and is effectively dead.
============================================================================
[root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b
"cn=config" "(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access";
allow (r
ead, search, compare) userdn
="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci: (target ="ldap:///cn=automember rebuild
membership,cn=tasks,cn=config")(
targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild
Membership T
ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild
Membership Task
,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ob
jectclass || passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,cn=plu
gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers
Configura
tion";allow (compare,read,search) groupdn = "ldap:///cn=Read
PassSync Manager
s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target =
"ldap:///cn=ipa_pwd_extop,
cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync
Managers C
onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync
Managers Co
nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn ||
modifytimestamp || ns
slapd-directory* || objectclass")(target =
"ldap:///cn=config,cn=ldbm databas
e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM
Database Confi
guration";allow (compare,read,search) groupdn = "ldap:///cn=Read
LDBM Databas
e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration
Sub-Entries";allow (add) g
roupdn = "ldap:///cn=Add Configuration
Sub-Entries,cn=permissions,cn=pbac,dc=
ipatestdomain,dc=net";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
3.0;acl
"snmp";allow (read, search, compare)(userdn ="ldap:///anyone");)
# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica
re-initializatio
n"; allow (add) groupdn = "ldap:///cn=Modify Replication
Agreements,cn=permis
sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after
replica re
-initialization"; allow (add) userdn =
"ldap:///uid=pkidbuser,ou=people,o=ipa
ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks";
allow (read
, compare, search) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
atestdomain,dc=net";)
# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage
replication use
rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control";
allow( rea
d, search ) userdn ="ldap:///all";)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control";
allow (read,
search, compare, proxy) userdn ="ldap:///anyone"; )
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication
Agreements";al
low (add) groupdn = "ldap:///cn=Add Replication
Agreements,cn=permissions,cn=
pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify
Replication Agreeme
nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify
Replication Ag
reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl
"permission:Rem
ove Replication Agreements";allow (delete) groupdn =
"ldap:///cn=Remove Repli
cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication
Agreements"
;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify
Replication Agre
ements"; allow (read, write, search) userdn =
"ldap:///uid=pkidbuser,ou=peopl
e,o=ipaca";)
aci:
(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert
manager:
Remove Replication Agreements";allow (delete) userdn =
"ldap:///uid=pkidbuser
,ou=people,o=ipaca";)
# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV
searches"; a
llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";)
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
3.0;acl
"permission:Modify DNA Range";allow (write) groupdn =
"ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue
|| dnaThre
shold || dnaType || objectclass)(version 3.0;acl "permission:Read
DNA Range";
allow (read, search, compare) groupdn = "ldap:///cn=Read DNA
Range,cn=permiss
ions,cn=pbac,dc=ipatestdomain,dc=net";)
# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking
the databas
e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication
Agreement
s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
# search result
search: 2
result: 0 Success
# numResponses: 12
# numEntries: 11