The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.

https://fedorahosted.org/freeipa/ticket/3585

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From cf01603d4b0c0d806619fc2d53ac7a65f4d12944 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Mon, 22 Apr 2013 21:43:12 +0200
Subject: [PATCH] Add missing permissions to Host Administrators privilege

The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.

https://fedorahosted.org/freeipa/ticket/3585
---
 install/updates/40-delegation.update | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 5c14a703655e5de0c3b6a13e5b1a69a40ebfc13b..64a6432acc8605f3164d267d16609f51ce02a7ef 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -365,3 +365,11 @@ replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=account
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX";)(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";;)'
 add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX";)(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";;)'
+
+# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
+# to privilege "Host Administrators"
+dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
+add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
+add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
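Review bot: The two `add: member:` lines at the end of this hunk give every holder of 'Host Administrators' the 'Retrieve Certificates from the CA' and 'Revoke Certificate' permissions, and nothing in the visible lines limits those permissions to host certificates. The commit message justifies them only by the host-removal case. Please state in the comment above the entries (or in the commit message) whether these permissions are CA-wide, so that anyone delegating 'Host Administrators' knows it now carries certificate revocation rights. As a style point, the existing context lines write the directive as `add:aci:` with no spaces, while the new lines use `add: member:`; consider matching the file's existing form if the updater accepts both.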
-- 
1.8.1.4
