Access Control List - dogtagpki/pki GitHub Wiki
The default ACL for each PKI subsystem is defined in the following files:
When the subsystem is installed, the ACL will be stored in the following LDAP entry:
```
dn: cn=aclResources,dc=<subsystem>,dc=pki,dc=example,dc=com
objectClass: top
objectClass: CertACLS
cn: aclResources
resourceACLS: ...
resourceACLS: ...
resourceACLS: ...
...
```
To display the current ACL, execute an ldapsearch command. For example:
```
$ ldapsearch -H ldap://$HOSTNAME:389 -x -D "cn=Directory Manager" -w Secret.123 \
    -b "cn=aclResources,dc=tps,dc=pki,dc=example,dc=com"
```
To modify the ACL, execute an ldapmodify command that removes the old resourceACLS value and adds the new one in a single operation. The value listed under delete must match the stored value exactly (LDAP refuses to delete an attribute value that does not exist), and the new value should keep the same resource name and rights list so the entry is replaced rather than duplicated. For example:
```
$ ldapmodify -H ldap://$HOSTNAME:389 -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=aclResources,dc=tps,dc=pki,dc=example,dc=com
changetype: modify
delete: resourceACLS
resourceACLS: certServer.tps.profile-mappings:read,change-status,add,modify,remove:allow (read,change-status,add,modify,remove) group="Administrators":Only admins can access profile mappings.
-
add: resourceACLS
resourceACLS: certServer.tps.profile-mappings:read,change-status,add,modify,remove:allow (read,change-status) group="Administrators" || group="TPS Agents";allow (add,modify,remove) group="Administrators":Admins and agents can read and change status, but only admins can add, modify, and remove.
-
EOF
```
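To see what the change above actually grants, here is an added example (not Dogtag's own code) that parses `resourceACLS` values in the format shown on this page and evaluates them for a given user and group membership. The grammar (`<resource>:<rights>:<aci>[;<aci>...]:<description>`, with each ACI being `allow|deny (rights) expression`) is taken from the values in the ldapmodify example; the deny-before-allow evaluation order, the `user="anybody"` wildcard, and the `same_resource` sanity check for a delete/add pair are this example's assumptions rather than a description of the server's implementation.

```python
"""Parse and evaluate Dogtag-style resourceACLS values.  Added example, not
Dogtag's own code.  Value format as seen in this page's ldapmodify example:
    <resource>:<rights>:<aci>[;<aci>...]:<description>
    <aci> := allow|deny (<right>,...) <expression>, where <expression> uses
    group="G", user="U" or user="anybody", joined by || and && (parentheses allowed).
Deny-before-allow with default deny is this example's assumed evaluation order."""
import re
from collections import namedtuple

# Constructed from the two values on this page, with LDIF line wrapping rejoined.
OLD_ACL = ("certServer.tps.profile-mappings:read,change-status,add,modify,remove:"
           'allow (read,change-status,add,modify,remove) group="Administrators"'
           ":Only admins can access profile mappings.")
NEW_ACL = ("certServer.tps.profile-mappings:read,change-status,add,modify,remove:"
           'allow (read,change-status) group="Administrators" || group="TPS Agents";'
           'allow (add,modify,remove) group="Administrators"'
           ":Admins and agents can read and change status, but only admins can add, modify, and remove.")

Aci = namedtuple("Aci", "effect rights expression")
ResourceAcl = namedtuple("ResourceAcl", "resource rights acis description")
ACI_RE = re.compile(r"^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$")
TOKEN_RE = re.compile(r'\|\||&&|\(|\)|(?:user|group)="[^"]*"|\S')  # \S: anything unexpected

def parse_resource_acl(value):
    """Split on the first three colons; the description keeps any later ones."""
    parts = value.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {value!r}")
    resource, rights, aci_text, description = parts
    acis = []
    for chunk in aci_text.split(";"):
        m = ACI_RE.match(chunk)
        if not m:
            raise ValueError(f"malformed ACI: {chunk!r}")
        effect, aci_rights, expression = m.groups()
        acis.append(Aci(effect, frozenset(r.strip() for r in aci_rights.split(",")), expression))
    return ResourceAcl(resource, frozenset(r.strip() for r in rights.split(",")), tuple(acis), description)

def evaluate(expression, uid, groups):
    """Recursive descent: || binds looser than &&; user="anybody" matches every caller."""
    tokens, pos = TOKEN_RE.findall(expression), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def factor():
        tok = take()
        if tok == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return v
        attr, _, quoted = (tok or "").partition("=")
        wanted = quoted.strip('"')
        if attr == "user":
            return wanted == "anybody" or wanted == uid
        if attr == "group":
            return wanted in groups
        raise ValueError(f"bad token {tok!r} in {expression!r}")

    def term():
        v = factor()
        while pos < len(tokens) and tokens[pos] == "&&":
            take()
            rhs = factor()  # always consume the right operand
            v = v and rhs
        return v

    def expr():
        v = term()
        while pos < len(tokens) and tokens[pos] == "||":
            take()
            rhs = term()
            v = v or rhs
        return v

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expression!r}")
    return result

def check_permission(acl, uid, groups, right):
    """Deny entries win; then the first matching allow grants; otherwise deny."""
    if right not in acl.rights:
        return False
    for effect in ("deny", "allow"):
        for aci in acl.acis:
            if aci.effect == effect and right in aci.rights and evaluate(aci.expression, uid, groups):
                return effect == "allow"
    return False

def granted_rights(acl, uid, groups):
    return {r for r in acl.rights if check_permission(acl, uid, groups, r)}

def same_resource(old_value, new_value):
    """Sanity check for a delete/add pair: same resource name and rights list."""
    old, new = parse_resource_acl(old_value), parse_resource_acl(new_value)
    return old.resource == new.resource and old.rights == new.rights
```

Running `granted_rights(parse_resource_acl(NEW_ACL), "tpsagent", ["TPS Agents"])` returns `{"read", "change-status"}` while the same call against `OLD_ACL` returns an empty set, which is exactly the delta the ldapmodify above is meant to introduce; `same_resource(OLD_ACL, NEW_ACL)` confirms the pair replaces one resource's ACL rather than creating a second entry.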
Then restart the server so the subsystem reloads the ACL from LDAP.