enrolledBy represents the DN of the entry that enrolled a host. We don't want an admin to manipulate this, but an ACI allowed it. This was a regression.

ticket 302

rob
From c9525eeba3a423f3f376a2492fea5f2f89a1250d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 1 Jul 2011 10:41:42 -0400
Subject: [PATCH] Disallow direct modifications to enrolledBy.

This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin, which does internal operations
and so bypasses ACIs.

https://fedorahosted.org/freeipa/ticket/302
---
 install/share/delegation.ldif |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 5d4949a..21c6749 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -647,12 +647,14 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp
 
 # Add the ACI needed to do host enrollment. When this occurs we
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and
-# set enrolledBy to whoever ran join.
+# set enrolledBy to whoever ran join. enrolledBy is specifically
+# not listed here, it is set by the plugin but we don't want an
+# admini overriding it using --setaddr or ldapmodify.
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Entitlement administration
 
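Review bot: the new comment text in this hunk has a typo ("admini" should be "admin") and "--setaddr" looks like a typo for the ipa CLI's "--setattr" option; since this comment is the only place the rationale for leaving enrolledBy out of the targetattr list is recorded, it is worth getting right. Suggested wording for the three added comment lines: "enrolledBy is specifically not listed here: it is set by the plugin, but we don't want an admin overriding it using --setattr or ldapmodify." On the ACI itself, dropping "enrolledby" from targetattr is the right fix given the commit message's point that the ipa_enrollment plugin writes it via internal operations that bypass ACIs; before merging, it would be good to confirm that no other ACI in delegation.ldif (for example a broader host-management permission) still grants write on enrolledby, otherwise the regression is only partly closed.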
-- 
1.7.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel