On 01/14/2015 03:58 PM, Martin Kosek wrote:
> On 01/14/2015 03:34 PM, Simo Sorce wrote:
>> On Wed, 14 Jan 2015 13:41:54 +0100
>> thierry bordaz <tbor...@redhat.com> wrote:
>>
>>> On 01/14/2015 12:03 PM, Martin Kosek wrote:
>>>> On 01/14/2015 10:58 AM, thierry bordaz wrote:
>>>>> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>>>>>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>>>>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>>>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>>>>>> Martin Kosek <mko...@redhat.com> wrote:
>>>>>>>>
>>>>>>>>> This is a crude first version of the (working) fixes to fix
>>>>>>>>> Winsync/PassSync problems caused by the PermissionV2
>>>>>>>>> refactoring.
>>>>>>>>>
>>>>>>>>> Simo/Petr3 or others, any concerns?
>>>>>>>>>
>>>>>>>> The first patch looks good
>>>>>>>> the second looks .. broad ?
>>>>>>>>
>>>>>>>> Shouldn't you explicitly allow specific attributes ?
>>>>>>> You mean for:
>>>>>>>
>>>>>>> +    'System: Read LDBM database config': {
>>>>>>> +        'ipapermlocation': DN('cn=config'),
>>>>>>> +        'ipapermtarget': DN('cn=config,cn=ldbm
>>>>>>> database,cn=plugins,cn=config'),
>>>>>>> +        'ipapermbindruletype': 'permission',
>>>>>>> +        'ipapermright': {'read', 'search', 'compare'},
>>>>>>> +        'default_privileges': {'Replication Administrators'},
>>>>>>> +        'ipapermdefaultattr': {'*'},
>>>>>>> +    },
>>>>>>>
>>>>>>> ? I did that as my first try, but then the ACI was not accepted
>>>>>>> as the attribute I was looking for (nsslapd-changelogdir) is not
>>>>>>> in the schema as the config is just an extensibleObject. But as
>>>>>>> I was going through the attributes, I did not see anything
>>>>>>> super-secret.
>>>>>>>
>>>>>>> Petr, is there any way to make permission plugin accept unknown
>>>>>>> attribute in the permission attribute list, or do we need to use
>>>>>>> "*" in this case?
>>>>>> The ACL Syntax Error comes straight from the DS, so there's not
>>>>>> much IPA can do. The error suggests adding nsslapd-changelogdir
>>>>>> to the schema, but I'm not sure that's the right solution here.
>>>>>> Thierry, any comments? See the attached LDIF.
>>>>>>
>>>>> Actually this limitation was added with the bug
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
>>>>> I do not see in the bug whether the ability to define non-schema
>>>>> attributes was creating a problem for IPA.
>>>> Not before, but with PermissionV2 and especially these patches, we
>>>> may need to control access to unknown attributes in
>>>> extensibleObject objects.
>>> One possibility is to revert that fix (with or without a configuration
>>> toggle). But then in a topology with mixed versions of DS, old DS
>>> will skip those ACIs.
>>>
>>> Using the '*' char is not nice but will guarantee the same evaluation on all
>>> servers.
>>
>> We requested attribute validation when adding ACIs, w/o it it was very
>> simple to make typos, which would be fatal for DENY ACIs.
>>
>> The problem here is in using extensibleObject and not defining a
>> schema IMO.
>>
>> That said I am ok with the targetattr with appended asterisk to the
>> undefined attribute name.
>>
>> Simo.
> 
> After some thoughts, I agree with this path also. I will soon send the revised
> patches, with this and other improvements.

Attaching a new, clean version of the patches, following this path. The ACIs are
now not as broad as before.

Originally, I added all new ACIs as V2 permissions, but then I realized it
would not work on replicas, as cn=config is not replicated and the ACIs stored
there would not be created, as the PermissionV2 object would already exist when
the replica is being installed.

With the attached patch set, the "admin" user or "Replication Administrators" privilege
members should be able to create a winsync connection and a PassSync user, e.g.:

[root@ipa ~]# ipa-replica-manage connect --winsync
--cacert=/home/mkosek/mkad2012.crt
--binddn='cn=Administrator,cn=users,dc=mkad2012,dc=test' --bindpw=Secret123
mkdc2012.mkad2012.test --passsync Secret123 -v
...
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test
Adding Windows PassSync system account
...
Connected 'ipa.mkosek-f21.test' to 'mkdc2012.mkad2012.test'


This should just complete and not crash. The admin user should then also be able to
list the winsync replica with

# ipa-replica-manage list

This fixes one bug. For testing the second ticket, the PassSync one, either test
with the PassSync software directly or verify that the passsync system user can see
the NT attribute and change user passwords:

# ldapsearch -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x
-w Secret123 -b cn=users,cn=accounts,dc=mkosek-f21,dc=test
"(ntuserdomainid=testuser)" ntuserdomainid
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=mkosek-f21,dc=test> with scope subtree
# filter: (ntuserdomainid=testuser)
# requesting: ntuserdomainid
#

# testuser, users, accounts, mkosek-f21.test
dn: uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test
ntuserdomainid: testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


# ldappasswd -D "uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test" -x
-w Secret123 uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test -s 
newPassword
[root@ipa ~]# echo $?
0

Martin
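Added example (not code from this thread or from FreeIPA/389-ds): a small Python model of how a targetattr clause decides which attributes an ACI covers, comparing the narrowed passsyncmanagersdns* ACI from the attached patch with the broad '*' form the first draft used. The matching rules (case-insensitive names, '||' alternatives, a trailing '*' acting as a prefix wildcard) and the EXTOP_ATTRS attribute list are assumptions made for the example, not a description of the 389-ds implementation.

```python
"""Model of which attributes an ACI "targetattr" clause covers.

Added example, not code from this thread or from FreeIPA/389-ds. It
assumes a simplified version of the targetattr rules: names are compared
case-insensitively, alternatives are separated by "||", a bare "*" covers
every attribute, and a trailing "*" on a name matches any attribute with
that prefix (the form the patch uses for the undefined passSyncManagersDNs
attribute). Negated clauses (targetattr != ...) are not modelled.
"""
import re

TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\s*\)', re.IGNORECASE)


def parse_targetattr(aci):
    """Return the lower-cased attribute patterns of an ACI, [] if it has none."""
    match = TARGETATTR_RE.search(aci)
    if match is None:
        return []
    return [p.strip().lower() for p in match.group(1).split("||") if p.strip()]


def attr_matches(pattern, attr):
    """True if one targetattr pattern covers the attribute name."""
    name = attr.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def covered_attrs(aci, attrs):
    """Subset of attrs (in input order) that the ACI's targetattr covers."""
    patterns = parse_targetattr(aci)
    return [a for a in attrs if any(attr_matches(p, a) for p in patterns)]


# The narrowed ACI from the attached patch and the broad '*' form.
READ_PASSSYNC_MANAGERS = (
    '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || '
    'objectclass || passsyncmanagersdns*")'
    '(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config";)'
    '(version 3.0;acl "permission:Read PassSync Managers Configuration";'
    'allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers '
    'Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
)
READ_EVERYTHING = '(targetattr = "*")(version 3.0;acl "broad";allow (read) userdn = "ldap:///all";)'

# Constructed attribute list standing in for the cn=ipa_pwd_extop entry, an
# extensibleObject that carries attributes not defined in the schema.
EXTOP_ATTRS = [
    "cn", "objectClass", "passSyncManagersDNs",
    "nsslapd-pluginPath", "nsslapd-pluginEnabled", "nsslapd-pluginInitfunc",
]


def compare_read_scope():
    """Return (narrow, broad): what each ACI exposes of the constructed entry."""
    return (covered_attrs(READ_PASSSYNC_MANAGERS, EXTOP_ATTRS),
            covered_attrs(READ_EVERYTHING, EXTOP_ATTRS))


if __name__ == "__main__":
    narrow, broad = compare_read_scope()
    print("narrowed ACI exposes:", narrow)
    print("'*' ACI exposes:     ", broad)
```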
From d5ed6d551d92bbf31e1407c8a525a0508146575c Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 13 Jan 2015 18:09:17 +0100
Subject: [PATCH 1/2] Allow PassSync user to locate and update NT users

Add a new PassSync Service privilege that has sufficient access to
let the AD PassSync service search for NT users and update the password.
To make sure the existing PassSync user keeps working, it is added as
a member of the new privilege.

A new update plugin is added to link the potentially existing PassSync
user to the new privilege, to avoid breaking the PassSync service.

https://fedorahosted.org/freeipa/ticket/4837
---
 ACI.txt                                      |  2 +
 install/updates/40-delegation.update         | 30 +++++++++++
 ipalib/plugins/user.py                       | 12 +++++
 ipaserver/install/plugins/Makefile.am        |  1 +
 ipaserver/install/plugins/update_passsync.py | 78 ++++++++++++++++++++++++++++
 ipaserver/install/replication.py             | 52 ++++++++++---------
 6 files changed, 151 insertions(+), 24 deletions(-)
 create mode 100644 ipaserver/install/plugins/update_passsync.py

diff --git a/ACI.txt b/ACI.txt
index e4b4032d4e021bed6ade8a6cb66e39621bedfb85..fdef43e63595d6b5b38237991ff4fcdaa8225666 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -269,6 +269,8 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ntuniqueid || ntuseracctexpires || ntusercodepage || ntuserdeleteaccount || ntuserdomainid || ntuserlastlogoff || ntuserlastlogon")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User NT Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User NT Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 988de5e1962fabc6787f5914522b8f133e71a8ff..a79f906ea3e29b8b6755a62ac84d318d6abdd6cc 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -184,3 +184,33 @@ dn: cn=IPA Masters
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";;)'
 add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";;)'
+
+# PassSync
+dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: PassSync Service
+default:description: PassSync Service
+
+dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Read PassSync Managers Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config";)(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Modify PassSync Managers Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config";)(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
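Review bot: the "Modify PassSync Managers Configuration" ACI grants write on passsyncmanagersdns*, and per the replication.py change in this same patch a DN listed in passSyncManagersDNs may bypass password policy, so this write right is effectively the ability to delegate policy-bypassing password resets to any DN; keep its default membership to Replication Administrators as done here and state that in a description (both new permission entries ship without one). Both ACIs are applied with add:aci: on cn=config, which is not replicated, so each master only gets them when its own updater runs; a one-line comment in the update file saying why these are plain SYSTEM permissions instead of managed ones would save the next reader the thread.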
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e206289248dfe9ae79bd87271ff2c7672fb98b4f..56585b9f86593c0c5879139103bc71707b88e15f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -373,10 +373,12 @@ class user(LDAPObject):
             'replaces': [
                 '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
                 '(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+                '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX";;)',
             ],
             'default_privileges': {
                 'User Administrators',
                 'Modify Users and Reset passwords',
+                'PassSync Service',
             },
         },
         'System: Manage User SSH Public Keys': {
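Review bot: listing the legacy "Windows PassSync service can write passwords" ACI under 'replaces' means it is removed on upgrade, so after this patch the passsync account keeps write access only if it actually becomes a member of "PassSync Service" (the update_passsync.py plugin in this patch); that dependency deserves a comment next to the new 'replaces' entry. Also, the legacy ACI was added on self.suffix (see the replication.py hunk), not on cn=users, so confirm the 'replaces' matching looks for it there.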
@@ -446,6 +448,16 @@ class user(LDAPObject):
                 'homedirectory', 'loginshell',
             },
         },
+        'System: Read User NT Attributes': {
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'ntuserdomainid', 'ntuniqueid', 'ntuseracctexpires',
+                'ntusercodepage', 'ntuserdeleteaccount', 'ntuserlastlogoff',
+                'ntuserlastlogon',
+            },
+            'default_privileges': {'PassSync Service'},
+        },
     }
 
     label = _('Users')
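Review bot: binding "System: Read User NT Attributes" only to the "PassSync Service" privilege is the right scope, but a short comment on why these ntuser* attributes get a dedicated permission instead of joining "System: Read User Standard Attributes" (readable by anyone per the ACI.txt hunk) would keep a future change from widening it. The attribute list is duplicated verbatim in ACI.txt; fine as ACI.txt is the generated record, but the two must stay in sync.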
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index d651297ac141b0f05831e7fabbb9b561cdd239c7..ead1d8f7d972c1b016bac8f2b8f7fd1f9a71b563 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -14,6 +14,7 @@ app_PYTHON = 			\
 	update_referint.py	\
 	ca_renewal_master.py	\
 	update_uniqueness.py	\
+	update_passsync.py	\
 	$(NULL)
 
 EXTRA_DIST =			\
diff --git a/ipaserver/install/plugins/update_passsync.py b/ipaserver/install/plugins/update_passsync.py
new file mode 100644
index 0000000000000000000000000000000000000000..d6595a06f4deb62b853d716012a8c594c6a76451
--- /dev/null
+++ b/ipaserver/install/plugins/update_passsync.py
@@ -0,0 +1,78 @@
+#
+# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import MIDDLE, LAST
+from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+from ipaserver.install import sysupgrade
+
+class update_passync_privilege_check(PreUpdate):
+    order = MIDDLE
+
+    def execute(self, **options):
+        update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
+        if update_done:
+            root_logger.debug("PassSync privilege update pre-check not needed")
+            return False, False, []
+
+        root_logger.debug("Check if there is existing PassSync privilege")
+
+        passsync_privilege_dn = DN(('cn','PassSync Service'),
+                self.api.env.container_privilege,
+                self.api.env.basedn)
+
+        ldap = self.obj.backend
+        try:
+            ldap.get_entry(passsync_privilege_dn, [''])
+        except errors.NotFound:
+            root_logger.debug("PassSync privilege not found, this is a new update")
+            sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False)
+        else:
+            root_logger.debug("PassSync privilege found, skip updating PassSync")
+            sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
+
+        return False, False, []
+
+api.register(update_passync_privilege_check)
+
+class update_passync_privilege_update(PostUpdate):
+    """
+        Add PassSync user as a member of PassSync privilege, if it exists
+    """
+
+    order = LAST
+
+    def execute(self, **options):
+        update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
+        if update_done:
+            root_logger.debug("PassSync privilege update not needed")
+            return False, False, []
+
+        root_logger.debug("Add PassSync user as a member of PassSync privilege")
+        ldap = self.obj.backend
+        passsync_dn = DN(('uid','passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'),
+            api.env.basedn)
+        passsync_privilege_dn = DN(('cn','PassSync Service'),
+                self.api.env.container_privilege,
+                self.api.env.basedn)
+
+        try:
+            entry = ldap.get_entry(passsync_dn, [''])
+        except errors.NotFound:
+            root_logger.debug("PassSync user not found, no update needed")
+            sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
+            return False, False, []
+        else:
+            root_logger.debug("PassSync user found, do update")
+
+        update = {'dn': passsync_privilege_dn,
+                  'updates': ["add:member:'%s'" % passsync_dn]}
+        updates = {passsync_privilege_dn: update}
+
+        sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
+        return (False, True, [updates])
+
+api.register(update_passync_privilege_update)
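Review bot: the class names are misspelled (update_passync_* should be update_passsync_*) and the two classes build DNs inconsistently, api.env.basedn for passsync_dn but self.api.env.basedn for passsync_privilege_dn a few lines apart; use self.api throughout. update_passync_privilege_check has no docstring, and it should say that it only records whether the privilege pre-existed so the PostUpdate knows whether linking the passsync user is still needed. The header says Copyright (C) 2014 for a January 2015 file.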
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 5778cab036ad87ccb5b69254aa307a6bc8dec871..66764c22f69328942fe2e4581cfafb3806438d7c 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -528,39 +528,43 @@ def add_passsync_user(self, conn, password):
         print "The user for the Windows PassSync service is %s" % pass_dn
         try:
             conn.get_entry(pass_dn)
-            print "Windows PassSync entry exists, not resetting password"
-            return
+            print "Windows PassSync system account exists, not resetting password"
         except errors.NotFound:
-            pass
+            # The user doesn't exist, add it
+            print "Adding Windows PassSync system account"
+            entry = conn.make_entry(
+                pass_dn,
+                objectclass=["account", "simplesecurityobject"],
+                uid=["passsync"],
+                userPassword=[password],
+            )
+            conn.add_entry(entry)
 
-        # The user doesn't exist, add it
-        entry = conn.make_entry(
-            pass_dn,
-            objectclass=["account", "simplesecurityobject"],
-            uid=["passsync"],
-            userPassword=[password],
-        )
-        conn.add_entry(entry)
-
-        # Add it to the list of users allowed to bypass password policy
+        # Add the user to the list of users allowed to bypass password policy
         extop_dn = DN(('cn', 'ipa_pwd_extop'), ('cn', 'plugins'), ('cn', 'config'))
         entry = conn.get_entry(extop_dn)
-        pass_mgrs = entry.get('passSyncManagersDNs')
-        if not pass_mgrs:
-            pass_mgrs = []
-        if not isinstance(pass_mgrs, list):
-            pass_mgrs = [pass_mgrs]
+        pass_mgrs = entry.get('passSyncManagersDNs', [])
         pass_mgrs.append(pass_dn)
         mod = [(ldap.MOD_REPLACE, 'passSyncManagersDNs', pass_mgrs)]
-        conn.modify_s(extop_dn, mod)
+        try:
+            conn.modify_s(extop_dn, mod)
+        except ldap.TYPE_OR_VALUE_EXISTS:
+            root_logger.debug("Plugin '%s' already '%s' in passSyncManagersDNs",
+                    extop_dn, pass_dn)
 
-        # And finally grant it permission to write passwords
-        mod = [(ldap.MOD_ADD, 'aci',
-            ['(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///%s";;)' % pass_dn])]
+        # And finally add it is a member of PassSync privilege to allow
+        # displaying user NT attributes and reset passwords
+        passsync_privilege_dn = DN(('cn','PassSync Service'),
+                api.env.container_privilege,
+                api.env.basedn)
+        members = entry.get('member', [])
+        members.append(pass_dn)
+        mod = [(ldap.MOD_REPLACE, 'member', members)]
         try:
-            conn.modify_s(self.suffix, mod)
+            conn.modify_s(passsync_privilege_dn, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
-            root_logger.debug("passsync aci already exists in suffix %s on %s" % (self.suffix, conn.host))
+            root_logger.debug("PassSync service '%s' already have '%s' as member",
+                    passsync_privilege_dn, pass_dn)
 
     def setup_winsync_agmt(self, entry, win_subtree=None):
         if win_subtree is None:
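Review bot: members = entry.get('member', []) near the end of the hunk reads from the wrong entry; entry still holds the cn=ipa_pwd_extop plugin entry fetched a few lines earlier, not the "PassSync Service" privilege, so the MOD_REPLACE on 'member' writes [pass_dn] alone and silently drops every existing member of the privilege. Use ldap.MOD_ADD with [pass_dn] instead, which also makes the except ldap.TYPE_OR_VALUE_EXISTS meaningful (MOD_REPLACE does not raise it when the value is already present). The same applies to passSyncManagersDNs: now that the "system account exists, not resetting password" branch falls through, a rerun appends pass_dn a second time and MOD_REPLACE sends a duplicate value; MOD_ADD of [pass_dn] with the existing except clause handles both the first run and reruns. Minor: "Plugin '%s' already '%s' in passSyncManagersDNs" and "already have '%s' as member" read oddly; "already has".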
-- 
1.9.3

From c3b6962dc4a9d2777111156b060d243d131d7b03 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 14 Jan 2015 16:36:16 +0100
Subject: [PATCH 2/2] Allow Replication Administrators to manipulate Winsync
 Agreements

Replication Administrators members were not able to set up changelog5
entry in cn=config or list winsync agreements.

To allow reading winsync replicas, the original deny ACI on cn=replica
had to be removed as it prevented admins from reading the entries,
not just anonymous/authenticated users.

https://fedorahosted.org/freeipa/ticket/4836
---
 install/updates/20-aci.update        |  2 +-
 install/updates/40-delegation.update | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 9bbb7e4bb8d51b3d957d1f63d2c889e793276598..b920ef83d8580911d9a9c577e3ed6a9356da69e2 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -26,7 +26,7 @@ dn:
 add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
 
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
+remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
 
 # Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
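Review bot: turning the deny ACI on cn=replicas from add:aci: into remove:aci: drops the only deny visible in this file, while the "Anonymous read access to containers" ACI two lines above still allows anyone to read cn and objectclass of every nsContainer except the cn=masters subtree (its target!= covers only that one). Unless another ACI still blocks it, anonymous binds can now enumerate the replica container names under cn=replicas. Consider extending the target!= exclusion to cn=replicas,cn=ipa,cn=etc,$SUFFIX as well, or replacing the deny with one that excludes anonymous/authenticated users but not the admins the commit message is about.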
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index a79f906ea3e29b8b6755a62ac84d318d6abdd6cc..32af498190a23ddfd202a5cad75409f60a70d78b 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -214,3 +214,26 @@ dn: cn=Modify PassSync Managers
 
 dn: cn=config
 add:aci: '(targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config";)(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Replication Administrators
+dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Read LDBM Database Configuration
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Add Configuration Sub-Entries
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
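Review bot: "Add Configuration Sub-Entries" has no target or targetfilter, so allow (add) on cn=config lets Replication Administrators create any entry anywhere under cn=config (plugins, backends, mappings), far more than the changelog5 entry the commit message says they need. Scope it, e.g. with (target = "ldap:///cn=changelog5,cn=config";) or a targetfilter on the changelog object class, in the spirit of the narrowing agreed earlier in the thread. Minor: the Read LDBM ACI writes (target = "...") without the trailing ";" that every other target clause in this file uses; align them.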
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
