From 853904459046dc2a548e20298780e3d578532345 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Feb 14 2012 03:23:49 +0000
Subject: Add LDAP ACIs for SSH public key schema.


https://fedorahosted.org/freeipa/ticket/754

---

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e02b1c2..add712d 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -16,6 +16,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype  || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)
+aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
 
 dn: cn=etc,$SUFFIX
 changetype: modify
@@ -52,6 +53,7 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
 
 # Define which hosts can edit other hosts
 # The managedby attribute stores the DN of hosts that are allowed to manage
@@ -60,6 +62,7 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts can manage other host Certificates and kerberos keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
+aci: (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
 
 dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index a3c6bd1..68b205e 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -221,6 +221,14 @@ objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
+dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: Manage User SSH Public Keys
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
+
 # Group administration
 
 dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
@@ -281,6 +289,14 @@ objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
+dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: Manage Host SSH Public Keys
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+
 # Hostgroup administration
 
 dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
@@ -554,6 +570,7 @@ aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:/
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Group administration
 
@@ -575,6 +592,7 @@ add: aci
 aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Hostgroup administration
 
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 41d35da..3f27eb8 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -6,3 +6,13 @@ add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(ver
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
 add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
+
+# SSH public keys
+dn: $SUFFIX
+add:aci:'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)'
+
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)'
+
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index cd5b498..6384f8e 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -305,3 +305,24 @@ add:aci:'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(versio
 
 dn: $SUFFIX
 add:aci:'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# SSH public keys
+dn: cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Manage User SSH Public Keys
+default:member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Manage Host SSH Public Keys
+default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage User SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: $SUFFIX
+add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'