From d4adbc8052faf18fb31e7b1865037aa107067d4b Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Jul 29 2010 14:50:29 +0000 Subject: Add container and initial ACIs for entitlement support The entitlement entries themselves will be rather simple, consisting of the objectClasses ipaObject and pkiUser. We will just store userCertificate in it. The DN will contain the UUID of the entitlement. ticket #27
---
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 0d16d1d..f1f36a6 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,6 +64,12 @@ objectClass: nsContainer
 objectClass: top
 cn: sysaccounts
+dn: cn=entitlements,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: entitlements
+
 dn: cn=ipa,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index fa8d2af..f63534c 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -85,6 +85,12 @@ add:objectClass: nestedgroup
 add:cn: enrollhost
 add:description: Host Enrollment
+dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: entitlementadmin
+add:description: Entitlement Administrators
+
 # Add the taskgroups referenced by the ACIs for user administration
 dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -693,3 +699,34 @@ add: aci: '(targetattr=*)(targetfilter="(|(objectclass= nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement ))")(version 3.0;acl "Delete replication agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
+# Entitlement management
+dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: addentitlements
+add:description: Add Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: removeentitlements
+add:description: Remove Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: modifyentitlements
+add:description: Modify Entitlements
+add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+dn: $SUFFIX
+add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
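Review bot: The three ACIs added at the end of the hunk hard-code `dc=greyoak,dc=com` in both their `target` and `groupdn` clauses, while every other DN in this update file — the `dn: $SUFFIX` lines directly above them, the new taskgroup `member` values, and the sibling "Delete replication agreements" ACI — uses the `$SUFFIX` template variable. On any deployment whose base DN is not that test suffix the target pattern matches no entry and the groupdn names a non-existent group, so the new entitlementadmin role silently receives no rights on the entitlements container; conversely, a developer's test domain gets baked into shipped access-control policy. Replace each literal suffix with the variable, e.g. `add: aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'`, and the same substitution in the Modify and Remove ACIs. Scoping the Modify ACI to `(targetattr = "userCertificate")` is the right least-privilege choice given the commit message says that is the only attribute stored; consider a one-line comment above the ACIs recording that so a later maintainer does not widen it to `*` without thinking.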