This patch adds ACI on cn=config to replicas too.
Fixes: #617

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From f548921cea41f63ffcd6191bdd986a6416a8fc19 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Sat, 11 Dec 2010 11:02:08 -0500
Subject: [PATCH] Add replicatoin related acis to all replicas

Fixes: https://fedorahosted.org/freeipa/ticket/617
---
 install/share/Makefile.am       |    1 +
 install/share/delegation.ldif   |   12 ------------
 install/share/replica-acis.ldif |   12 ++++++++++++
 ipaserver/install/dsinstance.py |    5 +++++
 4 files changed, 18 insertions(+), 12 deletions(-)
 create mode 100644 install/share/replica-acis.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index c7e1c5c5a25d42cb1a0fb8cc9aac99e36856700a..b11439ea9626cbcbe43dbd7bf605667be53cdd7b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -17,6 +17,7 @@ app_DATA =				\
 	default-keytypes.ldif		\
 	default-pwpolicy.ldif		\
 	delegation.ldif			\
+	replica-acis.ldif		\
 	ds-nfiles.ldif			\
 	dns.ldif			\
 	kerberos.ldif			\
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7881a029d6409542f350f3816b22662872f44938..a388e84df691b03ab06a7904c4b129cf82f976e7 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -599,18 +599,6 @@ changetype: modify
 add: aci
 aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";;)
 
-# Replica administration
-
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
-changetype: modify
-add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";;)
-
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
-changetype: modify
-add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";;)
-
 # Entitlement administration
 
 dn: $SUFFIX
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..931163cfe8b5cf9ba5250bdfaa33097b1fc79590
--- /dev/null
+++ b/install/share/replica-acis.ldif
@@ -0,0 +1,12 @@
+# Replica administration
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=permissions,cn=accounts,$SUFFIX";;)
+
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+changetype: modify
+add: aci
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete Replication Agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=permissions,cn=accounts,$SUFFIX";;)
+
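Review bot: The "Manage Replication Agreements" ACI uses `targetattr=*` with `read, write, search`, so members of managereplica can read every attribute of the matched entries. In 389 DS that would include the agreement's stored bind credential (`nsDS5ReplicaCredentials`) when simple bind is configured. The text is carried over unchanged from delegation.ldif, but this commit now applies it to cn=config on every replica, so it is worth tightening here. One option is to keep write on all attributes but scope the read/search grant with `(targetattr != "nsDS5ReplicaCredentials")` in a separate ACI. A short comment at the top of the file saying that cn=config is server-local, and that the file must therefore be applied on each server, would also help.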
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 735c885aacbeda85b47aa75f2217a4d1606987e5..a175d7d31cd3b3ffa22d14f379473d01bd38f312 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -244,6 +244,7 @@ class DsInstance(service.Service):
 
         self.step("adding default layout", self.__add_default_layout)
         self.step("adding delegation layout", self.__add_delegation_layout)
+        self.step("adding replication acis", self.__add_replication_acis)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
 
@@ -277,6 +278,7 @@ class DsInstance(service.Service):
         self.__common_setup()
 
         self.step("Setting up initial replication", self.__setup_replica)
+        self.step("adding replication acis", self.__add_replication_acis)
 
         self.__common_post_setup()
 
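Review bot: Replicas installed before this change will still lack the cn=config ACIs, because the added `self.step("adding replication acis", ...)` runs only during a fresh replica install. No upgrade path for already-deployed replicas is visible in this patch. If none exists elsewhere, managereplica/deletereplica members would be denied on old replicas and allowed on new ones, which is an inconsistent authorization state that is hard to audit. Consider shipping the same two ACIs through the project's update mechanism as well. The enclosing method starts and ends outside this hunk.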
@@ -528,6 +530,9 @@ class DsInstance(service.Service):
     def __add_delegation_layout(self):
         self._ldap_mod("delegation.ldif", self.sub_dict)
 
+    def __add_replication_acis(self):
+        self._ldap_mod("replica-acis.ldif", self.sub_dict)
+
     def __create_indices(self):
         self._ldap_mod("indices.ldif")
 
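Review bot: `__add_replication_acis` has no docstring explaining why it is a separate step from `__add_delegation_layout`, and the reason is not obvious from the code. I would add `"""Add replication-management ACIs under cn=config; must run on every server, masters and replicas alike."""`, assuming, as the commit message implies, that cn=config entries are not carried over by replication. It would also help to state whether `_ldap_mod` tolerates the ACI value already existing, since `add: aci` with a duplicate value would otherwise fail on a re-run; `_ldap_mod` is not visible in this patch.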
-- 
1.7.3.2
