Hi,

this is from a discussion on the user list: there is a difference in the ACIs under cn=config between 4.2.0 and 4.2.3.


this is the ACI which is present in 4.2.0 and is missing in 4.2.3 (it grants compare/read/search on replication-agreement attributes under cn=config to the "System: Read Replication Agreements" permission group, so its absence removes read access rather than granting anything):

aci: (targetattr = "cn || createtimestamp || description || entryusn || modify timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
 a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
 n,dc=net";)

Does anybody know if and why this was changed? (Comparing the listings below, the "permission:System: Read Automember Tasks" ACI on cn=tasks,cn=config is likewise present in the 4.2.0 output but absent from the 4.2.3 output.)



On 01/24/2016 03:22 AM, Nathan Peters wrote:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild Membership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read  PassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify  PassSync Managers Co
  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  LDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
  timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
  t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
  sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
  5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
  eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
  icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
  tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
  calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
  er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
  nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
  plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
  st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
  atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
  sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
  s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
  d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
  ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
   winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
  treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
  a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
  greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
  ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
  =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
  n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication Agreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
  -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
  , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember  rebuild membershi
  p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
  sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
  r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication Agreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  Replication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
  ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove  Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
  ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
  Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify  DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA Range,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove  Replication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11


============================================================================
2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now a 
Fedora 23 FreeIPA 4.2.3 server in the domain (for reference, showing that the CentOS ACL 
hasn't changed yet)
============================================================================
================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 
=========================

[root@dc1 ~]# ldapsearch -b "cn=config" -D 
"uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
Enter LDAP Password:
# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild Membership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read  PassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify  PassSync Managers Co
  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  LDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
  timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
  t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
  sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
  5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
  eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
  icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
  tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
  calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
  er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
  nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
  plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
  st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
  atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
  sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
  s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
  d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
  ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
   winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
  treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
  a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
  greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
  ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
  =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
  n,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication Agreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
  -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
  , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember  rebuild membershi
  p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Ta
  sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automembe
  r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication Agreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  Replication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
  ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove  Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
  ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
  Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify  DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA Range,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove  Replication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11



============================================================================
3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica 
file was made from dc1, which is a CentOS server that still has the ACLs (missing 
some stuff)
============================================================================
aci list on dc2

[root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" 
aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild Membership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read  PassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify  PassSync Managers Co
  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  LDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication Agreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
  -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
  , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication Agreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  Replication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
  ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove  Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
  ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
  Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify  DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA Range,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove  Replication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

============================================================================
4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some 
stuff)
============================================================================
[root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
"(aci=*)" aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild Membership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read  PassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify  PassSync Managers Co
  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  LDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn ="ldap:///anyone";);)

# tasks, config
dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
  n"; allow (add) groupdn = "ldap:///cn=Modify  Replication Agreements,cn=permis
  sions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
  -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
  ca";)
aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
  , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
  atestdomain,dc=net";)

# csusers, config
dn: ou=csusers,cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
  rs"; allow (all) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
  d, search ) userdn ="ldap:///all";;)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
   search, compare, proxy) userdn ="ldap:///anyone";; )

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
  low (add) groupdn = "ldap:///cn=Add  Replication Agreements,cn=permissions,cn=
  pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
  nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify  Replication Ag
  reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
  ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove  Repli
  cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
  ;allow (add) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
  s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
  ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
  ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
  e,o=ipaca";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
  jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
  Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
  ,ou=people,o=ipaca";)

# ldbm database, plugins, config
dn: cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
  llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
  "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify  DNA
  Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
  shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
  allow (read, search, compare) groupdn = "ldap:///cn=Read  DNA Range,cn=permiss
  ions,cn=pbac,dc=ipatestdomain,dc=net";)

# userRoot, ldbm database, plugins, config
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
  e readonly"; allow (write) groupdn = "ldap:///cn=Remove  Replication Agreement
  s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success

# numResponses: 12
# numEntries: 11

