On 01/20/2015 05:58 PM, Martin Kosek wrote:
DUA profile(s) are consumed by Solaris clients.
https://fedorahosted.org/freeipa/ticket/4850
I forgot to add CN to the list (I only copied all the MAY attributes). Fix
attached.
Martin
From 7c15c924c8d6035e2459c6dee2d397a79d317203 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 20 Jan 2015 17:57:07 +0100
Subject: [PATCH] Add anonymous read ACI for DUA profile
DUA profile(s) are consumed by Solaris clients.
https://fedorahosted.org/freeipa/ticket/4850
---
ACI.txt | 2 ++
.../install/plugins/update_managed_permissions.py| 20
2 files changed, 22 insertions(+)
diff --git a/ACI.txt b/ACI.txt
index fdef43e63595d6b5b38237991ff4fcdaa8225666..c5483ad4d3428c0449f3e099600e0384e573f17a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -300,6 +300,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass)(targetfilter = (objectclass=ipacertificate))(version 3.0;acl permission:System: Read Certificate Store Entries;allow (compare,read,search) userdn = ldap:///anyone;;)
dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass)(targetfilter = (objectclass=dnasharedconfig))(version 3.0;acl permission:System: Read DNA Configuration;allow (compare,read,search) userdn = ldap:///all;;)
+dn: ou=profile,dc=ipa,dc=example
+aci: (targetattr = attributemap || authenticationmethod || bindtimelimit || cn || createtimestamp || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || entryusn || followreferrals || modifytimestamp || objectclass || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor)(targetfilter = (|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile)))(version 3.0;acl permission:System: Read DUA Profile;allow (compare,read,search) userdn = ldap:///anyone;;)
dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass)(targetfilter = (objectclass=nscontainer))(version 3.0;acl permission:System: Read IPA Masters;allow (compare,read,search) groupdn = ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example;)
dn: cn=config
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 032485aac5b84b12b91464f16870c9940b18bc2d..430a2919a315bfd8d8e6174a915890d44b782c5c 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -320,6 +320,26 @@
'winsyncsubtreepair',
},
'default_privileges': {'Replication Administrators'},
+},
+'System: Read DUA Profile': {
+'ipapermlocation': DN('ou=profile', api.env.basedn),
+'ipapermtargetfilter': {
+'(|'
+'(objectclass=organizationalUnit)'
+'(objectclass=DUAConfigProfile)'
+')'
+},
+'ipapermbindruletype': 'anonymous',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'objectclass', 'ou', 'cn', 'defaultServerList',
+'preferredServerList', 'defaultSearchBase', 'defaultSearchScope',
+'searchTimeLimit', 'bindTimeLimit', 'credentialLevel',
+'authenticationMethod', 'followReferrals', 'dereferenceAliases',
+'serviceSearchDescriptor', 'serviceCredentialLevel',
+'serviceAuthenticationMethod', 'objectclassMap', 'attributeMap',
+'profileTTL'
+},
}
}
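Review bot: The new 'System: Read DUA Profile' entry opens every listed attribute, including defaultServerList, preferredServerList, credentialLevel and the authenticationMethod family, to unauthenticated readers via `'ipapermbindruletype': 'anonymous'`, but nothing in the code records why an anonymous bind rule is intended here rather than the `ldap:///all` rule the neighbouring DNA permission uses; the reason given in the commit message (DUA profiles are consumed by Solaris clients, presumably before they can bind) should sit next to the entry as a comment, e.g. `# Read anonymously: DUA profiles are consumed by Solaris clients (ticket 4850)`. The four adjacent literals under 'ipapermtargetfilter' depend on implicit string concatenation inside a set literal, which reads like a missing comma and would silently become four separate filters if one were ever added; a single literal, `'(|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile))'`, is unambiguous. The enclosing dict literal starts and ends outside the hunk.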
--
1.9.3