Add an ACI to allow a host to add its own services. This only grants add access. It can't subsequently delete or modify the entry.

This requires 389-ds-1.3.4.0 GA.

rob
From 752686fc4816f5c5702755b7a402e047de13731c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 9 Jun 2015 15:26:32 +0000
Subject: [PATCH] Add ACI to allow hosts to add their own services

Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.

Set required version of 389-ds-base to 1.3.4.0 GA.

https://fedorahosted.org/freeipa/ticket/4567
---
 freeipa.spec.in               | 6 +++---
 install/updates/20-aci.update | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 809ac1e..6077ba9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -34,7 +34,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.3.9
+BuildRequires:  389-ds-base-devel >= 1.3.4.0
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
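Review bot: The commit message says only "Set required version of 389-ds-base to 1.3.4.0 GA" without stating which server feature forces the bump; since this hunk and the two below raise the minimum from 1.3.3.9 / 1.3.4.a1 to 1.3.4.0, please add one line to the message naming the dependency (presumably the ($dn) macro with a wildcard in the ACI target, as the subject implies) so the version floor is traceable later.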
@@ -109,7 +109,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.4.a1
+Requires: 389-ds-base >= 1.3.4.0
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -144,7 +144,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.76.8
-Requires(pre): 389-ds-base >= 1.3.4.a1
+Requires(pre): 389-ds-base >= 1.3.4.0
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 4a8b67c..0bdeeb6 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -83,3 +83,7 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
 # User certificates
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";;)
+
+# Hosts can add their own services
+dn: cn=services,cn=accounts,$SUFFIX
+add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
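Review bot: The new ACI constrains the RDN (via the "krbprincipalname=*/($$dn)@$REALM" target) and requires objectClass=ipaKrbPrincipal in the targetfilter, but it places no limit on the other attributes or object classes the host may include in the entry it adds; please confirm that is acceptable, or add a targetattr list if the intent is that a host can only create a bare service principal. Two smaller checks on the same line: the updater substitutes $SUFFIX and $REALM, so please verify that "$$dn" survives as the literal "($dn)" macro in the stored aci value, and that "allow(add)" with no delete or write right matches the cover letter's claim that the host cannot later modify or remove the entry.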
-- 
2.1.0
