URL: https://github.com/freeipa/freeipa/pull/1426
Author: flo-renaud
Title: #1426: ACI: grant access to admins group instead of admin user
Action: opened

PR body:
"""
The ACIs needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

https://pagure.io/freeipa/issue/7342
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1426/head:pr1426
git checkout pr1426

From e504db3090c46b737decede0d91da8b19eaff993 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 2 Jan 2018 16:28:24 +0100
Subject: [PATCH] ACI: grant access to admins group instead of admin user

The ACIs needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

https://pagure.io/freeipa/issue/7342
---
 install/updates/30-provisioning.update | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
index b8ec80e00f..46c589e518 100644
--- a/install/updates/30-provisioning.update
+++ b/install/updates/30-provisioning.update
@@ -23,12 +23,14 @@ default: cn: deleted users
 # This is used for the admin to know if credential are set for stage users
 # We can do a query on a DN to see if an attribute exists or retrieve the value
 dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";;)
+remove:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";;)
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 
 # This is used for the admin to reset the delete users credential
 # No one is allowed to add entry in Delete container
 dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
-add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";;)
+remove:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";;)
+add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";;)
 
 dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
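Review bot: the `remove:aci:` lines only retire the old `userdn = "ldap:///uid=admin,..."` grants if their value matches the ACI as stored on already-deployed servers, so on upgraded instances it is worth confirming (e.g. with an ldapsearch of the `aci` attribute on `cn=staged users` and `cn=deleted users`) that the uid=admin ACI is actually gone and only the `groupdn = "ldap:///cn=admins,..."` one remains; otherwise both grants would coexist. Since the stated goal is that every member of cn=admins can run `ipa user-del --preserve`, the PR would also benefit from a test that exercises that command as a second member of the admins group rather than as `admin` itself. The deny rule "No one can add entry in Delete container" is unchanged and still applies to `ldap:///all`, so widening the read/search/write grant to the group does not open entry creation in the deleted container.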
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org