diff --git a/server/lib/src/constants/entries.rs b/server/lib/src/constants/entries.rs
index 019d678ba..08b563777 100644
--- a/server/lib/src/constants/entries.rs
+++ b/server/lib/src/constants/entries.rs
@@ -743,6 +743,7 @@ lazy_static! {
 /// Builtin System Admin account.
 pub static ref BUILTIN_ACCOUNT_IDM_ADMIN: BuiltinAccount = BuiltinAccount {
 account_type: AccountType::ServiceAccount,
+ entry_managed_by: None,
 name: "idm_admin",
 uuid: UUID_IDM_ADMIN,
 description: "Builtin IDM Admin account.",
@@ -778,6 +779,7 @@ Attribute::Description,
 /// Built in accounts such as anonymous, idm_admin and admin
 pub struct BuiltinAccount {
 pub account_type: kanidm_proto::v1::AccountType,
+ pub entry_managed_by: Option,
 pub name: &'static str,
 pub uuid: Uuid,
 pub description: &'static str,
@@ -788,6 +790,7 @@ impl Default for BuiltinAccount {
 fn default() -> Self {
 BuiltinAccount {
 account_type: AccountType::ServiceAccount,
+ entry_managed_by: None,
 name: "",
 uuid: Uuid::new_v4(),
 description: "",
@@ -818,6 +821,10 @@ impl From for EntryInitNew {
 entry.add_ava(Attribute::Description, Value::new_utf8s(value.description));
 entry.add_ava(Attribute::DisplayName, Value::new_utf8s(value.displayname));
 
+ if let Some(entry_manager) = value.entry_managed_by {
+ entry.add_ava(Attribute::EntryManagedBy, Value::Refer(entry_manager));
+ }
+
 entry.set_ava(
 Attribute::Class,
 vec![
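Review bot: The new `entry_managed_by` field on `BuiltinAccount` (second hunk, `pub entry_managed_by: Option,`) has no doc comment, even though it now decides which entry is recorded as the manager of every builtin account through the `EntryManagedBy` reference emitted in the fourth hunk. Suggest `/// UUID of the entry recorded as this account's manager; emitted as the EntryManagedBy attribute when Some, omitted when None.` The type parameter is lost in this rendering, so confirm the field is `Option<Uuid>` so that `Value::Refer(entry_manager)` in the `From` impl type-checks. The `From` impl body continues outside the fourth hunk.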
@@ -840,13 +847,29 @@ lazy_static! {
 /// Builtin System Admin account.
 pub static ref BUILTIN_ACCOUNT_ADMIN: BuiltinAccount = BuiltinAccount {
 account_type: AccountType::ServiceAccount,
+ entry_managed_by: None,
 name: "admin",
 uuid: UUID_ADMIN,
 description: "Builtin System Admin account.",
 displayname: "System Administrator",
 };
+}
+
+lazy_static! {
 pub static ref BUILTIN_ACCOUNT_ANONYMOUS_V1: BuiltinAccount = BuiltinAccount {
 account_type: AccountType::ServiceAccount,
+ entry_managed_by: None,
+ name: "anonymous",
+ uuid: UUID_ANONYMOUS,
+ description: "Anonymous access account.",
+ displayname: "Anonymous",
+ };
+}
+
+lazy_static! {
+ pub static ref BUILTIN_ACCOUNT_ANONYMOUS_DL6: BuiltinAccount = BuiltinAccount {
+ account_type: AccountType::ServiceAccount,
+ entry_managed_by: Some(UUID_IDM_ADMINS),
 name: "anonymous",
 uuid: UUID_ANONYMOUS,
 description: "Anonymous access account.",
diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs
index dea0dd0cb..b340bce2c 100644
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
@@ -880,11 +880,13 @@ impl<'a> QueryServerWriteTransaction<'a> {
 self.reload()?;
- // Update access controls.
 let idm_access_controls = [
+ // Update access controls.
 IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL6.clone().into(),
 IDM_ACP_PEOPLE_CREATE_DL6.clone().into(),
 IDM_ACP_GROUP_MANAGE_DL6.clone().into(),
+ // Update anonymous with the correct entry manager,
+ BUILTIN_ACCOUNT_ANONYMOUS_DL6.clone().into(),
 ];
 idm_access_controls
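Review bot: `BUILTIN_ACCOUNT_ANONYMOUS_V1` and `BUILTIN_ACCOUNT_ANONYMOUS_DL6` in the entries.rs hunk repeat every field except `entry_managed_by`, so a future change to the anonymous account's name, uuid, description or displayname has to be made in two places and the two versions can silently drift. Since `BuiltinAccount` is `Clone` (the migration calls `.clone()` on it), the DL6 value could be derived from V1 with struct-update syntax: `pub static ref BUILTIN_ACCOUNT_ANONYMOUS_DL6: BuiltinAccount = BuiltinAccount { entry_managed_by: Some(UUID_IDM_ADMINS), ..BUILTIN_ACCOUNT_ANONYMOUS_V1.clone() };`. Neither static carries a doc comment, unlike `BUILTIN_ACCOUNT_ADMIN` just above; suggest `/// Anonymous account with no entry manager (pre-DL6 shape).` on V1 and `/// Anonymous account from DL6 onward: managed by the entry at UUID_IDM_ADMINS.` on DL6, where DL6 presumably names the domain level at which the managed variant applies — confirm against the migration that consumes it.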