From 235b19ba7f9807ecf10436d1a5b28518b4475a70 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Jun 30 2016 14:44:56 +0000 Subject: service: Added permissions for auth. indicators read/modify Added permissions for Kerberos authentication indicators reading and modifying to service objects. Reviewed-By: Petr Vobornik
---
diff --git a/ACI.txt b/ACI.txt
index 86955c5..09e4ee7 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -249,9 +249,9 @@ aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objec
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbprincipalauthind || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index bead94d..c44ad7a 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -410,7 +410,7 @@ class service(LDAPObject): 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', 'krbprincipalexpiration', 'krbpasswordexpiration', 'krblastpwdchange', 'ipakrbauthzdata', 'ipakrbprincipalalias',
- 'krbobjectreferences',
+ 'krbobjectreferences', 'krbprincipalauthind',
 },
 },
 'System: Add Services': {
@@ -438,7 +438,7 @@ class service(LDAPObject):
 },
 'System: Modify Services': {
 'ipapermright': {'write'},
- 'ipapermdefaultattr': {'usercertificate'},
+ 'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'},
 'replaces': [
 '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)',
 ],
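Review bot: Adding `'krbprincipalauthind'` to the 'System: Read Services' attribute set (first service.py hunk, the new line `'krbobjectreferences', 'krbprincipalauthind',`) makes every service's authentication-indicator requirement readable by any authenticated bind, because that permission is bound to `userdn = "ldap:///all"` in the matching ACI.txt hunk. That is consistent with the other attributes already in the set, but the commit message should state that this exposure is intended, since the indicators reveal which services demand stronger credentials and which do not. The second hunk (`'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'}`) lets any holder of 'System: Modify Services' relax or clear that requirement; if that is not meant for every service editor, a dedicated permission in the style of 'System: Manage Service Keytab Permissions' would keep the indicator write right separable. Both hunks sit inside a dict literal of `class service(LDAPObject)` whose start and end lie outside the hunks.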