[Freeipa-devel] [PATCH] 492 Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients.
https://fedorahosted.org/freeipa/ticket/4850

--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From 19b460c4154becd801f71d14b84c8ad72033c6db Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 20 Jan 2015 17:57:07 +0100
Subject: [PATCH] Add anonymous read ACI for DUA profile

DUA profile(s) are consumed by Solaris clients.
https://fedorahosted.org/freeipa/ticket/4850
---
 ACI.txt                                           |  2 ++
 .../install/plugins/update_managed_permissions.py | 19 +++
 2 files changed, 21 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index fdef43e63595d6b5b38237991ff4fcdaa8225666..daa4652e157ab8531117fb047e2c80ba046b117f 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -300,6 +300,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass)(targetfilter = (objectclass=ipacertificate))(version 3.0;acl permission:System: Read Certificate Store Entries;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=dnasharedconfig))(version 3.0;acl permission:System: Read DNA Configuration;allow (compare,read,search) userdn = ldap:///all;;) +dn: ou=profile,dc=ipa,dc=example +aci: (targetattr = attributemap || authenticationmethod || bindtimelimit || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || followreferrals || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor)(targetfilter = (|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile)))(version 3.0;acl permission:System: Read DUA Profile;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass)(targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Read IPA Masters;allow (compare,read,search) groupdn = ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=config 
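Review bot: the targetattr list of the new ou=profile ACI has no cn, although cn is the single MUST attribute of DUAConfigProfile and the naming attribute of a profile entry (typically cn=<name>,ou=profile); 389 DS requires search rights on an attribute before it can be used in a filter, so an anonymous client that looks its profile up by cn will get nothing back under this ACI. The list also lacks createtimestamp, entryusn and modifytimestamp, which both neighbouring read ACIs (System: Read Certificate Store Entries, System: Read DNA Configuration) carry. Add cn to the permission template and regenerate ACI.txt from it rather than editing this file by hand, so the two stay in step.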
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 032485aac5b84b12b91464f16870c9940b18bc2d..a34ba08cb0ab719c91b19830f5b5e3124ef9d742 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -320,6 +320,25 @@ 'winsyncsubtreepair', }, 'default_privileges': {'Replication Administrators'}, +}, +'System: Read DUA Profile': { +'ipapermlocation': DN('ou=profile', api.env.basedn), +'ipapermtargetfilter': { +'(|' +'(objectclass=organizationalUnit)' +'(objectclass=DUAConfigProfile)' +')' +}, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'ou', 'defaultServerList', 'preferredServerList', +'defaultSearchBase', 'defaultSearchScope', 'searchTimeLimit', +'bindTimeLimit', 'credentialLevel', 'authenticationMethod', +'followReferrals', 'dereferenceAliases', 'serviceSearchDescriptor', +'serviceCredentialLevel', 'serviceAuthenticationMethod', +'objectclassMap', 'attributeMap', 'profileTTL' +}, } } -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
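Review bot: 'ipapermdefaultattr' omits 'cn'. The set reproduces the MAY attributes of DUAConfigProfile plus 'objectclass' and 'ou', but 'cn' is the class's MUST attribute and the RDN of the profile entries this permission exists to expose, so add 'cn' to the set (and regenerate ACI.txt). A second point on the same entry: with 'ipapermlocation' at ou=profile and a targetfilter that accepts any '(objectclass=organizationalUnit)', every OU beneath ou=profile, not just the container itself, becomes anonymously readable; that is harmless while the subtree holds only DUA profiles, but it should be a deliberate choice, and narrowing the OU branch to the container entry would make the intent explicit.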
Re: [Freeipa-devel] [PATCH] 492 Add anonymous read ACI for DUA profile
On 01/20/2015 05:58 PM, Martin Kosek wrote:
> DUA profile(s) are consumed by Solaris clients.
> https://fedorahosted.org/freeipa/ticket/4850

I forgot to add CN to the list (I only copied all the MAY attributes). Fix attached.

Martin

From 7c15c924c8d6035e2459c6dee2d397a79d317203 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 20 Jan 2015 17:57:07 +0100
Subject: [PATCH] Add anonymous read ACI for DUA profile

DUA profile(s) are consumed by Solaris clients.
https://fedorahosted.org/freeipa/ticket/4850
---
 ACI.txt                                           |  2 ++
 .../install/plugins/update_managed_permissions.py | 20
 2 files changed, 22 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index fdef43e63595d6b5b38237991ff4fcdaa8225666..c5483ad4d3428c0449f3e099600e0384e573f17a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -300,6 +300,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass)(targetfilter = (objectclass=ipacertificate))(version 3.0;acl permission:System: Read Certificate Store Entries;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=dnasharedconfig))(version 3.0;acl permission:System: Read DNA Configuration;allow (compare,read,search) userdn = ldap:///all;;) +dn: ou=profile,dc=ipa,dc=example +aci: (targetattr = attributemap || authenticationmethod || bindtimelimit || cn || createtimestamp || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || entryusn || followreferrals || modifytimestamp || objectclass || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor)(targetfilter = (|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile)))(version 3.0;acl permission:System: Read DUA Profile;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass)(targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Read IPA Masters;allow (compare,read,search) groupdn = ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=config 
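Review bot: the regenerated targetattr now includes cn together with createtimestamp, entryusn and modifytimestamp, while the Python template in this revision differs from the first one only by 'cn'; that matches the shape of the neighbouring read ACIs, so the first revision's ACI.txt was evidently stale, but please confirm this file came out of the generator and was not adjusted by hand. Note also what 'userdn = ldap:///anyone' now discloses to unauthenticated binds: defaultserverlist, preferredserverlist, defaultsearchbase and servicesearchdescriptor, i.e. the directory's topology and search bases. That is the intended trade-off for a client bootstrap profile, but the commit message only says Solaris clients consume it; it should state why an unauthenticated read is required here where System: Read DNA Configuration, just above, is limited to 'ldap:///all'.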
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 032485aac5b84b12b91464f16870c9940b18bc2d..430a2919a315bfd8d8e6174a915890d44b782c5c 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -320,6 +320,26 @@ 'winsyncsubtreepair', }, 'default_privileges': {'Replication Administrators'}, +}, +'System: Read DUA Profile': { +'ipapermlocation': DN('ou=profile', api.env.basedn), +'ipapermtargetfilter': { +'(|' +'(objectclass=organizationalUnit)' +'(objectclass=DUAConfigProfile)' +')' +}, +'ipapermbindruletype': 'anonymous', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'objectclass', 'ou', 'cn', 'defaultServerList', +'preferredServerList', 'defaultSearchBase', 'defaultSearchScope', +'searchTimeLimit', 'bindTimeLimit', 'credentialLevel', +'authenticationMethod', 'followReferrals', 'dereferenceAliases', +'serviceSearchDescriptor', 'serviceCredentialLevel', +'serviceAuthenticationMethod', 'objectclassMap', 'attributeMap', +'profileTTL' +}, } } -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
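Review bot: the attribute set is now complete (the DUAConfigProfile MUST and MAY attributes plus 'objectclass' and 'ou'), but the entry carries no comment explaining why 'ipapermbindruletype' is 'anonymous', which is the one property of this permission a future maintainer is likely to try to tighten. A one-line comment above the entry naming the consumer (Solaris DUA clients) and the ticket, https://fedorahosted.org/freeipa/ticket/4850, would record the reason next to the setting it justifies.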
Re: [Freeipa-devel] [PATCH] 492 Add anonymous read ACI for DUA profile
Hi,

On 20.1.2015 at 18:05, Martin Kosek wrote:
> On 01/20/2015 05:58 PM, Martin Kosek wrote:
>> DUA profile(s) are consumed by Solaris clients.
>> https://fedorahosted.org/freeipa/ticket/4850
>
> I forgot to add CN to the list (I only copied all the MAY attributes). Fix attached.
>
> Martin

Works for me, ACK.

Pushed to:
master: 0a7a8d66040f7a5f0e55da4b01e614dd9b569a00
ipa-4-1: b54b740f7903a0722930cc281ccb5a2bece45aef

Honza

--
Jan Cholasta