Creating ACIs for Admin
Endi S. Dewata edited this page Feb 24, 2023
This step is defined in DogtagInstance.add_ipaca_aci(). It adds an ACI that allows ipaca users to read their own group information; Dogtag users are otherwise not allowed to enumerate their own groups. The setup_admin() method needs this permission in order to wait until all group information has been replicated.
```ldif
dn: ou=groups,o=ipaca
changetype: modify
add: aci
aci: (targetfilter="(objectClass=groupOfUniqueNames)")(targetattr="cn || description || objectclass || uniquemember")(version 3.0; acl "Allow users from o=ipaca to read groups"; allow (read, search, compare) userdn="ldap:///uid=*,ou=people,o=ipaca";)
```
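As an added example (not FreeIPA's or Dogtag's own code), the following parses the ACI above, as it is returned in the `aci` attribute of `ou=groups,o=ipaca`, and checks that it grants ipaca users nothing beyond read, search and compare on group entries. It assumes only the ACI subset used on this page (one permission clause, one `userdn` bind rule).

```python
import re

# The ACI from this page, as the string an LDAP search returns for "aci".
IPACA_GROUP_ACI = (
    '(targetfilter="(objectClass=groupOfUniqueNames)") '
    '(targetattr="cn || description || objectclass || uniquemember") '
    '(version 3.0; acl "Allow users from o=ipaca to read groups"; '
    'allow (read, search, compare) userdn="ldap:///uid=*,ou=people,o=ipaca";)'
)

# Rights that a "read your own groups" ACI must never grant.
WRITE_RIGHTS = {"write", "add", "delete", "selfwrite", "proxy", "all"}


def parse_aci(aci):
    """Split a 389-ds style ACI into targets, name, effect, rights and bind rule.

    Assumption: one allow/deny clause followed by a single userdn bind rule,
    which is all this page's ACI uses; anything else raises ValueError.
    """
    target = dict(re.findall(r'\((targetfilter|targetattr)="([^"]*)"\)', aci))
    m = re.search(
        r'\(version 3\.0;\s*acl "([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*'
        r'userdn="([^"]*)";\)$',
        aci,
    )
    if not m:
        raise ValueError("unsupported ACI syntax")
    name, effect, rights, userdn = m.groups()
    attrs = [a.strip() for a in target.get("targetattr", "").split("||")]
    return {
        "targetfilter": target.get("targetfilter"),
        "targetattr": [a for a in attrs if a],
        "acl": name,
        "effect": effect,
        "rights": {r.strip() for r in rights.split(",")},
        "userdn": userdn,
    }


def is_read_only_group_aci(aci):
    """True if the ACI only lets users under ou=people,o=ipaca read groups."""
    p = parse_aci(aci)
    return (
        p["effect"] == "allow"
        and not (p["rights"] & WRITE_RIGHTS)
        and p["targetfilter"] == "(objectClass=groupOfUniqueNames)"
        and p["userdn"].endswith(",ou=people,o=ipaca")
    )
```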