[Freeipa-devel] [PATCH] 594 display aci components separately
Adam Young
ayoung at redhat.com
Wed Nov 3 16:17:00 UTC 2010
On 11/03/2010 11:32 AM, Rob Crittenden wrote:
> Break out an ACI into components so it is easier to see what it does.
> This will be needed for UI support.
>
> I also filled more supported types and made the List parameter perform
> validation.
>
> rob
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
NACK. Doesn't run.
With a full install:
[ayoung at ipa freeipa]$ ipa aci-find
ipa: ERROR: no such entry
And on the lite server:
[ayoung at ipa freeipa]$ ipa aci-find
ipa: ERROR: non-public: ValueError: aci_find.validate_output(): missing
keys ['truncated'] in {'count': 53, 'result': (u'(targetattr !=
"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword
|| passwordHistory || krbMKey")(version 3.0;acl "Enable Anonymous
access";allow (read,search,compare) userdn = "ldap:///anyone";)',
u'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf
|| serverHostName || enrolledBy")(version 3.0;acl "Admin can manage any
entry";allow (all) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword ||
sambaNTPassword")(version 3.0;acl "Self can write own password";allow
(write) userdn = "ldap:///self";)', u'(targetattr = "userPassword ||
krbPrincipalKey || sambaLMPassword || sambaNTPassword ||
passwordHistory")(version 3.0;acl "Admins can write passwords";allow
(add,delete,write) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword ||
sambaNTPassword || passwordHistory")(version 3.0;acl "Password change
service can read/write passwords";allow (read,write) userdn =
"ldap:///krbprincipalname=kadmin/changepw@AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "userPassword || krbPrincipalKey ||
krbPasswordExpiration || sambaLMPassword || sambaNTPassword ||
passwordHistory")(version 3.0;acl "KDC System Account can access
passwords";allow (all) userdn =
"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth ||
krbLoginFailedCount")(version 3.0;acl "KDC System Account can update
some fields";allow (write) userdn =
"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled ||
krbMKey || krbTicketPolicyReference || krbPrincipalExpiration ||
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData
|| krbLastSuccessfulAuth || krbLastFailedAuth ||
krbLoginFailedCount")(version 3.0;acl "Only the KDC System Account has
access to kerberos material";allow (read,search,compare) userdn =
"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars ||
krbPwdMinLength || krbPwdHistoryLength")(targetfilter =
"(objectClass=krbPwdPolicy)")(version 3.0;acl "Admins can write password
policies";allow (read,search,compare,write) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "givenName || sn || cn || displayName || title ||
initials || loginShell || gecos || homePhone || mobile || pager ||
facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l
|| st || postalCode || manager || secretary || description || carLicense
|| labeledURI || inetUserHTTPURL || seeAlso || employeeType ||
businessCategory || ou")(version 3.0;acl "Self service";allow (write)
userdn = "ldap:///self";)', u'(targetattr = "objectClass")(target =
"ldap:///cn=certificate status,cn=virtual
operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Get Certificates status from the CA";allow (write) groupdn =
"ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove Users";allow (delete) groupdn =
"ldap:///cn=removeusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "member")(target =
"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify group membership";allow (write) groupdn =
"ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add Services";allow (add) groupdn =
"ldap:///cn=addservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword ||
sambaNTPassword || passwordHistory")(version 3.0;acl
"change_password";allow (write) groupdn =
"ldap:///cn=change_password,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add Groups";allow (add) groupdn =
"ldap:///cn=addgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "cn || description")(target =
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify Hostgroups";allow (write) groupdn =
"ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "cn || description")(target =
"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify Roles";allow (write) groupdn =
"ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "memberhost || externalhost || memberuser ||
member")(target =
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify netgroup membership";allow (write) groupdn =
"ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "userCertificate")(target =
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify Services";allow (write) groupdn =
"ldap:///cn=modifyservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add Hostgroups";allow (add) groupdn =
"ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove automount maps";allow (delete) groupdn =
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove automount keys";allow (delete) groupdn =
"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove Services";allow (delete) groupdn =
"ldap:///cn=removeservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add Users";allow (add) groupdn =
"ldap:///cn=addusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "cn || description || l || location ||
nshardwareplatform || nsosversion")(target =
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify Hosts";allow (write) groupdn =
"ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "member")(target =
"ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add user to default group";allow (write) groupdn =
"ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove Hostgroups";allow (delete) groupdn =
"ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl
"Remove entitlement entries";allow (delete) groupdn =
"ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)',
u'(targetattr = "krbPrincipalName || enrolledBy || objectClass")(target
=
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Enroll a host";allow (write) groupdn =
"ldap:///cn=enroll_host,cn=taskgroups,
cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)', u'(target
=
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add Hosts";allow (add) groupdn =
"ldap:///cn=addhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove netgroups";allow (delete) groupdn =
"ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "description")(target =
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify netgroups";allow (write) groupdn =
"ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "member")(target =
"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify role group membership";allow (write) groupdn =
"ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "objectClass")(target = "ldap:///cn=request
certificate,cn=virtual
operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Request Certificates from the CA";allow (write) groupdn =
"ldap:///cn=request_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "userCertificate")(target =
"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl
"Modify entitlements";allow (write) groupdn =
"ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)',
u'(targetattr = "member")(target =
"ldap:///cn=*,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify task group membership";allow (write) groupdn =
"ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add Roles";allow (add) groupdn =
"ldap:///cn=addroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "objectClass")(target = "ldap:///cn=certificate remove
hold,cn=virtual
operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Certificate Remove Hold";allow (write) groupdn =
"ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove Roles";allow (delete) groupdn =
"ldap:///cn=removeroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add automount maps";allow (add) groupdn =
"ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "givenName || sn || cn || displayName || title ||
initials || loginShell || gecos || homePhone || mobile || pager ||
facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l
|| st || postalCode || manager || secretary || description || carLicense
|| labeledURI || inetUserHTTPURL || seeAlso || employeeType ||
businessCategory || ou || mepManagedEntry || objectclass")(target =
"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify Users";allow (write) groupdn =
"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add netgroups";allow (add) groupdn =
"ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove Hosts";allow (delete) groupdn =
"ldap:///cn=removehosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com")(version 3.0;acl
"Add entitlements";allow (add) groupdn =
"ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)',
u'(target =
"ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Add automount keys";allow (add) groupdn =
"ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(target =
"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Remove Groups";allow (delete) groupdn =
"ldap:///cn=removegroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "objectClass")(target = "ldap:///cn=retrieve
certificate,cn=virtual
operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Retrieve Certificates from the CA";allow (write) groupdn =
"ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "objectClass")(target = "ldap:///cn=revoke
certificate,cn=virtual
operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Revoke Certificate";allow (write) groupdn =
"ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "krbPrincipalKey || krbLastPwdChange")(target =
"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Manage host keytab";allow (write) groupdn =
"ldap:///cn=manage_host_keytab,cn=taskgroups,
cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "cn || description || gidnumber || objectclass ||
mepManagedBy")(target =
"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify Groups";allow (write) groupdn =
"ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "member")(target =
"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Modify host group membership";allow (write) groupdn =
"ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
u'(targetattr = "objectClass")(target = "ldap:///cn=request certificate
different host,cn=virtual
operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version
3.0;acl "Request Certificates from a different host";allow (write)
groupdn =
"ldap:///cn=request_cert_different_host,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)'),
'summary': u'53 ACIs matched'}
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 125,
in execute
result = self.Command[_name](*args, **options)
File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 428,
in __call__
self.validate_output(ret)
File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 837,
in validate_output
nice, missing, output)
ValueError: aci_find.validate_output(): missing keys ['truncated'] in
{'count': 53, 'result': (<the same 53 ACI strings as in the error message above>), 'summary': u'53 ACIs matched'}
ipa: ERROR: an internal error has occurred
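The patch under review breaks an ACI into components so a reader can see what it grants. The following is an added example, not code from the patch or from FreeIPA: a small Python parser for the 389-DS "version 3.0" ACI syntax, run over three of the ACI strings from the aci-find output above (copied verbatim as sample input). Besides splitting out target, targetattr, acl name, rights and bind rule, it emits the checks a reviewer of such output wants: a negated targetattr (a deny list, so every attribute not named, including ones added to the schema later, is covered), grants to anonymous, and add/delete/write rights on credential attributes. The CREDENTIAL_ATTRS set, the bind-rule keywords recognised and the wording of the findings are assumptions of this example.

```python
"""Break a 389-DS / FreeIPA ACI string into its components and review them.

Added example; not part of the patch or of FreeIPA.
"""
import re

# Sample input: three ACI strings copied from the ipa aci-find output above.
SAMPLE_ACIS = [
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey")(version 3.0;acl "Enable '
    'Anonymous access";allow (read,search,compare) userdn = "ldap:///anyone";)',
    '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,'
    'dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com")(version 3.0;acl "Modify '
    'group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,'
    'cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
    '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory")(version 3.0;acl "Admins can write '
    'passwords";allow (add,delete,write) groupdn = "ldap:///cn=admins,cn=groups,'
    'cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com";)',
]

# (keyword op "value") clauses that precede "(version 3.0; ...".
_TARGET_RE = re.compile(r'\(\s*(targ\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
# The body: (version 3.0; acl "name"; <one or more allow/deny rules>)
_BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s*"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One rule: allow|deny (rights) <bind rule>;  (quoted parts of the bind rule may hold ';')
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*((?:[^";]|"[^"]*")*);', re.S)
# Simple bind-rule terms; assumed list of keywords for this example.
_BIND_RE = re.compile(r'(userdn|groupdn|roledn|userattr|ip|dns|authmethod)\s*(!?=)\s*"([^"]*)"')

# Attributes treated as credentials by this example (assumption, lower-cased).
CREDENTIAL_ATTRS = {'userpassword', 'krbprincipalkey', 'sambalmpassword',
                    'sambantpassword', 'passwordhistory', 'krbmkey'}


def parse_aci(aci):
    """Return {'name', 'targets', 'rules'} for one ACI; ValueError if malformed."""
    start = aci.find('(version')
    if start < 0:
        raise ValueError('not a version 3.0 ACI: %r' % aci)
    body = _BODY_RE.match(aci[start:])
    if not body:
        raise ValueError('malformed ACI body: %r' % aci)
    targets = []
    for keyword, op, value in _TARGET_RE.findall(aci[:start]):
        # targetattr is a '||'-separated attribute list; other targets are one value.
        values = [v.strip() for v in value.split('||')] if keyword == 'targetattr' else [value]
        targets.append({'keyword': keyword, 'negated': op == '!=', 'values': values})
    rules = []
    for effect, rights, bind in _RULE_RE.findall(body.group(2)):
        rules.append({'effect': effect,
                      'rights': [r.strip() for r in rights.split(',')],
                      'bind': [(k, op, v) for k, op, v in _BIND_RE.findall(bind)],
                      'bind_raw': bind.strip()})
    if not rules:
        raise ValueError('no allow/deny rule in ACI: %r' % aci)
    return {'name': body.group(1), 'targets': targets, 'rules': rules}


def review_aci(parsed):
    """Return the findings a reviewer would want to see for one parsed ACI."""
    findings = []
    for t in parsed['targets']:
        if t['keyword'] == 'targetattr' and t['negated']:
            findings.append('deny-list targetattr: every attribute NOT in [%s] is covered, '
                            'including attributes added to the schema later'
                            % ', '.join(t['values']))
    for rule in parsed['rules']:
        if rule['effect'] != 'allow':
            continue
        writes = {'write', 'add', 'delete', 'all'} & set(rule['rights'])
        if any(k == 'userdn' and v == 'ldap:///anyone' for k, _, v in rule['bind']):
            findings.append('granted to anonymous (userdn = ldap:///anyone): %s'
                            % ','.join(rule['rights']))
        for t in parsed['targets']:
            if t['keyword'] != 'targetattr' or t['negated']:
                continue
            creds = [a for a in t['values'] if a.lower() in CREDENTIAL_ATTRS]
            if creds and writes:
                findings.append('%s on credential attributes %s for %s'
                                % (','.join(sorted(writes)), ', '.join(creds), rule['bind_raw']))
    return findings


def explain(aci):
    """Components plus findings: the per-ACI view the patch under review aims at."""
    parsed = parse_aci(aci)
    parsed['findings'] = review_aci(parsed)
    return parsed


if __name__ == '__main__':
    for aci in SAMPLE_ACIS:
        info = explain(aci)
        print('ACL %r' % info['name'])
        for t in info['targets']:
            print('  %s %s %s' % (t['keyword'], '!=' if t['negated'] else '=', ' || '.join(t['values'])))
        for r in info['rules']:
            print('  %s (%s) to %s' % (r['effect'], ','.join(r['rights']), r['bind_raw']))
        for f in info['findings']:
            print('  ! ' + f)
```

The parser is deliberately strict: an input with no "(version 3.0; ...)" body or no allow/deny rule raises ValueError rather than returning a half-filled record, which is the behaviour a component view feeding a UI should have. Compound bind rules ("userdn = ... and ip = ...") are kept verbatim in bind_raw and only their simple terms are extracted, so a reviewer still sees the whole rule.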