Imported Debian patch 4.8.10-2
committed by
Mario Fetka
parent
8bc559c5a1
commit
358acdd85f
@@ -1,5 +1,6 @@
|
||||
# first
|
||||
plugin: update_managed_post_first
|
||||
plugin: update_changelog_maxage
|
||||
|
||||
# middle
|
||||
plugin: update_replica_attribute_lists
|
||||
|
||||
@@ -66,3 +66,10 @@ only:nsslapd-allow-hashed-passwords:on
|
||||
# Decrease default value for IO blocking to prevent server unresponsiveness
|
||||
dn: cn=config
|
||||
only:nsslapd-ioblocktimeout:10000
|
||||
|
||||
# 389-DS 1.4.1.6+ attempts to update passwords to new schema on LDAP bind.
|
||||
# IPa blocks hashed password updates and requires password changes to go
|
||||
# through proper APIs. This option disables password hashing schema updates
|
||||
# on LDAP bind, see https://pagure.io/freeipa/issue/8315
|
||||
dn: cn=config
|
||||
only: nsslapd-enable-upgrade-hash:off
|
||||
|
||||
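Review bot: The comment above `only: nsslapd-enable-upgrade-hash:off` says why the bind-time rehash is disabled but not what that costs. With the option off, an entry whose password is stored under an older hashing scheme presumably keeps that hash until the password is next changed through the IPA APIs. I would add one more comment line, for example `# Existing hashes are only upgraded on the next password change through the IPA API.`, so that someone auditing stored hash schemes does not expect migration on bind.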
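--- a/install/updates/10-db-locks.update
+++ b/install/updates/10-db-locks.update
@@ -0,0 +1,10 @@
+# Fix nsslapd-db-locks move
+# https://pagure.io/freeipa/issue/8515
+
+# replace 389-DS default with 50000 locks
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+replace: nsslapd-db-locks:10000::50000
+
+# remove setting from old location
+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
+remove: nsslapd-db-locks: 50000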
@@ -25,6 +25,10 @@ add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || i
|
||||
dn: $SUFFIX
|
||||
add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";)
|
||||
|
||||
# Read access to altSecurityIdentities to allow filter optimizations in 389-ds
|
||||
dn: $SUFFIX
|
||||
add:aci:(targetattr="altSecurityIdentities")(version 3.0; acl "Authenticated read access to altSecurityIdentities information"; allow(read, search, compare) userdn = "ldap:///all";)
|
||||
|
||||
# Read access to containers
|
||||
dn: $SUFFIX
|
||||
add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
|
||||
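Review bot: The new `altSecurityIdentities` ACI sits on `$SUFFIX` with no `target` or `targetfilter`, so `userdn = "ldap:///all"` lets every authenticated bind DN read, search and compare that attribute on any entry in the suffix. The comment gives the reason (filter optimizations in 389-ds) but not why the grant has to be tree-wide, or why `read` is needed in addition to `search`. If the optimization only needs the attribute to be usable in filters, `allow(search, compare)` or a `targetfilter` limited to the object classes that carry the attribute would expose less identity-mapping data. Otherwise a one-line comment recording that the wide scope is intentional would help later ACI audits.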
@@ -72,6 +76,8 @@ add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || kr
|
||||
add:aci:(targetattr="krbPrincipalName || krbCanonicalName")(version 3.0; acl "Admin can write principal names"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
dn: cn=tasks,cn=config
|
||||
remove:add:aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "*")(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Allow hosts to read their replication agreements
|
||||
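Review bot: The line that begins `remove:add:aci: (targetattr=*)` under `dn: cn=tasks,cn=config` carries two action keywords. Every other quoting fix in this commit pairs `remove:aci:` with `add:aci:`, so this line most likely names an attribute `add` instead of `aci`. The old unquoted "Run tasks after replica re-initialization" ACI would then stay on the entry next to the new `(targetattr = "*")` one. The prefix should read `remove:aci: (targetattr=*)` with the rest of the value unchanged. How the update parser treats the current form is not visible on this page, so it is worth confirming on a server that still holds the old ACI.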
@@ -81,11 +87,15 @@ add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targe
|
||||
|
||||
# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes
|
||||
dn: cn=mapping tree,cn=config
|
||||
add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "*")(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
|
||||
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
||||
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
@@ -128,6 +138,14 @@ add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targe
|
||||
dn: $SUFFIX
|
||||
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
|
||||
|
||||
# Allow member managers to modify members of user groups
|
||||
dn: cn=groups,cn=accounts,$SUFFIX
|
||||
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
||||
|
||||
# Allow member managers to modify members of host groups
|
||||
dn: cn=hostgroups,cn=accounts,$SUFFIX
|
||||
add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
||||
|
||||
# Hosts can add and delete their own services
|
||||
dn: cn=services,cn=accounts,$SUFFIX
|
||||
remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
@@ -164,3 +182,12 @@ dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
addifexist: objectclass: ipaAllowedOperations
|
||||
addifexist: aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
|
||||
addifexist: ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
|
||||
|
||||
# Fix targetattr syntax
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
remove:aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
remove:aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "nsslapd-readonly")(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
@@ -1,6 +1,9 @@
|
||||
# Default password policies for hosts, services and Kerberos services
|
||||
# Setting all attributes to zero effectively disables any password policy
|
||||
# We can do this because hosts and services uses keytabs instead of passwords
|
||||
# Default password policies for hosts, services, system accounts, and
|
||||
# Kerberos services
|
||||
# Setting all attributes to zero effectively disables any password policy.
|
||||
# We can do this because hosts and services uses keytabs instead of
|
||||
# passwords. System accounts with krbPrincipalAux objectClass also use
|
||||
# keytabs.
|
||||
|
||||
# hosts
|
||||
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
@@ -55,7 +58,24 @@ default:krbPwdMaxFailure: 0
|
||||
default:krbPwdFailureCountInterval: 0
|
||||
default:krbPwdLockoutDuration: 0
|
||||
|
||||
# default password policies for hosts, services and kerberos services
|
||||
# system accounts
|
||||
# Contrary to the other policies this policy has a minimum password length.
|
||||
dn: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default:objectClass: krbPwdPolicy
|
||||
default:objectClass: nsContainer
|
||||
default:objectClass: top
|
||||
default:cn: Default System Accounts Password Policy
|
||||
default:krbMinPwdLife: 0
|
||||
default:krbPwdMinDiffChars: 0
|
||||
default:krbPwdMinLength: 8
|
||||
default:krbPwdHistoryLength: 0
|
||||
default:krbMaxPwdLife: 0
|
||||
default:krbPwdMaxFailure: 0
|
||||
default:krbPwdFailureCountInterval: 0
|
||||
default:krbPwdLockoutDuration: 0
|
||||
|
||||
# default password policies for hosts, services, system accounts, and
|
||||
# kerberos services
|
||||
# cosPriority is set intentionally to higher number than FreeIPA API allows
|
||||
# to set to ensure that these password policies have always lower priority
|
||||
# than any defined by user.
|
||||
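Review bot: The new system-accounts policy sets `krbPwdMinLength: 8` but leaves `krbPwdMaxFailure`, `krbPwdFailureCountInterval` and `krbPwdLockoutDuration` at 0, and its only comment says that it has a minimum length. The file header justifies zeroed policies by keytab use, yet a minimum length implies that some of these accounts authenticate with a password. For those accounts an 8-character floor with no failure lockout would be the only guard against guessing. If lockout is disabled on purpose, I would say so next to the entry, e.g. `# Lockout stays disabled so service binds cannot be locked out; use long random passwords.`, or raise the minimum length.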
@@ -131,3 +151,27 @@ default:objectClass: cosSuperDefinition
|
||||
default:objectClass: cosPointerDefinition
|
||||
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:cosAttribute: krbPwdPolicyReference default
|
||||
|
||||
# system accounts
|
||||
dn: cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: nsContainer
|
||||
default:cn: cosTemplates
|
||||
|
||||
dn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: cosTemplate
|
||||
default:objectclass: extensibleObject
|
||||
default:objectclass: krbContainer
|
||||
default:cn: Default Password Policy
|
||||
default:cosPriority: 10000000000
|
||||
default:krbPwdPolicyReference: cn=Default System Accounts Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=Default Password Policy,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default:description: Default Password Policy for System Accounts
|
||||
default:objectClass: top
|
||||
default:objectClass: ldapsubentry
|
||||
default:objectClass: cosSuperDefinition
|
||||
default:objectClass: cosPointerDefinition
|
||||
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default:cosAttribute: krbPwdPolicyReference default
|
||||
|
||||
@@ -151,6 +151,36 @@ default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
default:nsIndexType: eq
|
||||
add:nsIndexType: pres
|
||||
|
||||
dn: cn=automountMapName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: automountMapName
|
||||
default: ObjectClass: top
|
||||
default: ObjectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=ipaConfigString,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipaConfigString
|
||||
default: objectClass:top
|
||||
default: objectClass:nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=ipaEnabledFlag,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipaEnabledFlag
|
||||
default: objectClass:top
|
||||
default: objectClass:nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipaKrbAuthzData
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
default: nsIndexType: sub
|
||||
|
||||
dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipakrbprincipalalias
|
||||
@@ -252,6 +282,7 @@ only: nsMatchingRule: caseIgnoreIA5Match
|
||||
only: nsMatchingRule: caseExactIA5Match
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: sub
|
||||
only:nsIndexType: pres
|
||||
|
||||
dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: krbCanonicalName
|
||||
@@ -308,3 +339,74 @@ default: objectclass: nsindex
|
||||
default: nssystemindex: false
|
||||
default: nsindextype: eq
|
||||
default: nsindextype: sub
|
||||
|
||||
dn: cn=ipServicePort,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipServicePort
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=accessRuleType,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: accessRuleType
|
||||
default: objectClass:top
|
||||
default: objectClass:nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=hostCategory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: hostCategory
|
||||
default: objectClass:top
|
||||
default: objectClass:nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=idnsName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: idnsName
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=ipaCertmapData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipaCertmapData
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=altSecurityIdentities,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: altSecurityIdentities
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=memberManager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: memberManager
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
default: nsIndexType: pres
|
||||
|
||||
dn: cn=krbPasswordExpiration,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: krbPasswordExpiration
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: eq
|
||||
|
||||
dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipaNTTrustPartner
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: pres
|
||||
|
||||
dn: cn=ipaNTSecurityIdentifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: ipaNTSecurityIdentifier
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
default: nsSystemIndex: false
|
||||
default: nsIndexType: pres
|
||||
|
||||
@@ -62,7 +62,3 @@ default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
|
||||
default: nsslapd-pluginVersion: 1.0
|
||||
default: nsslapd-pluginVendor: none
|
||||
default: nsslapd-pluginDescription: none
|
||||
|
||||
# Set replication changelog limit (#5086)
|
||||
dn: cn=changelog5,cn=config
|
||||
addifnew: nsslapd-changelogmaxage: 7d
|
||||
|
||||
@@ -20,3 +20,4 @@ add: referint-membership-attr: ipaallowedtarget
|
||||
add: referint-membership-attr: ipamemberca
|
||||
add: referint-membership-attr: ipamembercertprofile
|
||||
add: referint-membership-attr: ipalocation
|
||||
add: referint-membership-attr: membermanager
|
||||
|
||||
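--- a/install/updates/30-ipservices.update
+++ b/install/updates/30-ipservices.update
@@ -0,0 +1,6 @@
+# container for RFC 2307 IP services
+
+dn: cn=ipservices,cn=accounts,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: ipservices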
@@ -75,7 +75,8 @@ add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=ipa,cn=etc,$SUFFIX
|
||||
remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = "cACertificate")(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
||||
remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
@@ -98,7 +99,8 @@ default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr = "*")(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
|
||||
# Virtual operations
|
||||
@@ -210,6 +212,28 @@ default:ipapermissiontype: SYSTEM
|
||||
dn: cn=config
|
||||
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Read Replication Changelog Configuration,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:objectClass: top
|
||||
default:cn: Read Replication Changelog Configuration
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (targetattr = "cn || objectclass || nsslapd-changelogmaxentries || nsslapd-changelogmaxage || nsslapd-changelogtrim-interval || nsslapd-encryptionalgorithm || nsSymmetricKey")(targetfilter = "cn=changelog")(target = "ldap:///cn=ldbm database,cn=plugins,cn=config")(version 3.0; acl "permission:Read Replication Changelog Configuration"; allow (read,search) groupdn = "ldap:///cn=Read Replication Changelog Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Write Replication Changelog Configuration,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:objectClass: top
|
||||
default:cn: Write Replication Changelog Configuration
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (targetattr = "nsslapd-changelogmaxentries || nsslapd-changelogmaxage || nsslapd-changelogtrim-interval || nsslapd-encryptionalgorithm || nsSymmetricKey")(targetfilter = "cn=changelog")(target = "ldap:///cn=ldbm database,cn=plugins,cn=config")(version 3.0; acl "permission:Write Replication Changelog Configuration"; allow (write) groupdn = "ldap:///cn=Write Replication Changelog Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
|
||||
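Review bot: Both new changelog ACIs list `nsSymmetricKey` and `nsslapd-encryptionalgorithm` in `targetattr`, so members of the Replication Administrators privilege can read and overwrite the changelog encryption attributes along with the trimming settings. If these permissions exist to manage `nsslapd-changelogmaxage` and the other trim limits, I would drop the two encryption attributes from the write ACI at least. Failing that, a comment should state why key material has to be writable through this permission. The `targetfilter = "cn=changelog"` value is also written without enclosing parentheses, unlike other filters in this commit such as `"(objectclass=ipaUserGroup)"`; since the commit is otherwise normalising ACI syntax, `(targetfilter = "(cn=changelog)")` would be the consistent form. The file continues outside the hunk.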
@@ -5,7 +5,7 @@ addifexist: objectClass: idnsConfigObject
|
||||
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
|
||||
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
|
||||
addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
|
||||
addifexist: aci:(targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=*)(arecord=*)(cnamerecord=*)(ptrrecord=*)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
# replace DNS tree deny rule with managedBy enhanced allow rule
|
||||
dn: cn=dns, $SUFFIX
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
# Let a delegated user put the database into read-only mode when deleting
|
||||
# an agreement.
|
||||
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
add:aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "nsslapd-readonly")(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# Add rules to manage DNA ranges
|
||||
dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
||||
@@ -13,7 +14,8 @@ default:ipapermissiontype: SYSTEM
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
add:aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
@@ -24,4 +26,5 @@ default:ipapermissiontype: SYSTEM
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
add:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add:aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
@@ -1,7 +1,10 @@
|
||||
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||
add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
|
||||
replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
|
||||
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||
add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
|
||||
add:ipaUserObjectClasses: ipasshuser
|
||||
remove:ipaConfigString:AllowLMhash
|
||||
add:objectClass: ipaUserAuthTypeClass
|
||||
add:objectClass: ipaNameResolutionData
|
||||
addifnew:ipamaxhostnamelength: 64
|
||||
|
||||
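Review bot: The `replace: ipaSELinuxUserMapOrder` lines carry no comment, and two of them look like mistakes unless the reader knows the history. One matches an old value that begins with the literal text `ipaSELinuxUserMapOrder: `, and another uses `$$$$` separators where the rest use `$$`. They appear to repair values written by an earlier form of this rule, so a comment on each line saying which stored value it matches would keep a later cleanup from deleting them. Two of the repairs also write a hard-coded order, while the remaining line and `ipaSELinuxUserMapDefault` take `$SELINUX_USERMAP_ORDER` and `$SELINUX_USERMAP_DEFAULT`. A repaired deployment may therefore end up with an order that differs from the platform default, which deserves a note because this list ranks the SELinux users that logins can be mapped to.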
@@ -1,5 +1,9 @@
|
||||
dn: cn=$REALM,cn=kerberos,$SUFFIX
|
||||
add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
|
||||
add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special
|
||||
add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
|
||||
add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special
|
||||
${FIPS}add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
|
||||
${FIPS}add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special
|
||||
${FIPS}add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
|
||||
${FIPS}add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special
|
||||
add: krbSupportedEncSaltTypes: aes128-sha2:normal
|
||||
add: krbSupportedEncSaltTypes: aes128-sha2:special
|
||||
add: krbSupportedEncSaltTypes: aes256-sha2:normal
|
||||
add: krbSupportedEncSaltTypes: aes256-sha2:special
|
||||
|
||||
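Review bot: The `${FIPS}` prefix only keeps the four camellia `krbSupportedEncSaltTypes` values from being added; nothing in this hunk removes them from a realm entry that already received them from the unguarded `add:` lines. If the prefix is meant to keep camellia out of FIPS deployments, a server updated before this change, or switched to FIPS mode later, would presumably still list those types. I would add a FIPS-only cleanup step, or a comment stating that existing values are left alone on purpose. A short comment on what `${FIPS}` expands to would also help, since that is not visible in the file.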
@@ -33,6 +33,7 @@ add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
|
||||
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || ipantsecurityidentifier || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "Allow reading POSIX information about trusted domain objects";allow (compare,read,search) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
|
||||
# Samba user should be able to read NT passwords to authenticate
|
||||
# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
|
||||
@@ -40,6 +41,12 @@ dn: $SUFFIX
|
||||
add:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
remove:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
|
||||
# For Samba as a domain member setup we need to allow synchronizing ipaNTHash value
|
||||
dn: cn=services,cn=accounts,$SUFFIX
|
||||
add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$SUFFIX")(targetattr="ipaNTHash")(version 3.0; acl "CIFS service can modify own ipaNTHash"; allow(write) userdn="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$SUFFIX" or userattr="managedby#SELFDN";)
|
||||
add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$SUFFIX")(targattrfilters="add=objectClass:(objectClass=ipaNTUserAttrs)")(version 3.0; acl "CIFS service can add ipaNTUserAttrs to itself"; allow(write) userdn="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$SUFFIX" or userattr="managedby#SELFDN";)
|
||||
|
||||
|
||||
# Add the default PAC type to configuration
|
||||
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||
addifnew: ipaKrbAuthzData: MS-PAC
|
||||
|
||||
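Review bot: The two "CIFS service can ..." ACIs under `cn=services,cn=accounts,$SUFFIX` grant `write` on `ipaNTHash` to the `cifs/` principal itself and also to whatever `userattr="managedby#SELFDN"` matches, but the comment above them mentions only the domain-member synchronisation case. Since `ipaNTHash` holds an NT password hash, the comment should say who is expected to be listed in `managedby` and why that party needs to write the hash, for example `# managedby is expected to name the host running Samba, which sets the service's NT hash during domain-member setup` (wording to be confirmed by the author). The `dn:` line governing the first hunk's ACIs is outside the visible context, so the entry that receives the new "Allow reading POSIX information about trusted domain objects" ACI cannot be checked from this page.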
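--- /dev/null
+++ b/install/updates/75-user-trust-attributes.update
@@ -0,0 +1,5 @@
+# Add an explicit self-service ACI to allow writing to manage trust attributes
+# for the owner of the object
+dn: cn=users,cn=accounts,$SUFFIX
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)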
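Review bot: The header comment describes only the self-service ACI, but the file adds two: the first grants `read` on the SMB attributes to `cn=adtrust agents`, the second grants `write` to `ldap:///self`. The comment should cover both, e.g. `# Let trust agents read users' SMB attributes and let each user manage their own`. The second ACI makes `ipantlogonscript`, `ipantprofilepath`, `ipanthomedirectory` and `ipanthomedirectorydrive` user-controlled, so the comment should also state that whatever consumes these values (presumably Samba) has to treat them as untrusted input rather than as administrator-set paths. The self-service ACI allows `write` only; if users are meant to read the attributes back as well, the comment should name the ACI that provides that.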
@@ -11,6 +11,10 @@ plugin: update_sids
|
||||
plugin: update_default_range
|
||||
plugin: update_default_trust_view
|
||||
plugin: update_tdo_gidnumber
|
||||
plugin: update_tdo_to_new_layout
|
||||
plugin: update_host_cifs_keytabs
|
||||
plugin: update_tdo_default_read_keys_permissions
|
||||
plugin: update_adtrust_agents_members
|
||||
plugin: update_ca_renewal_master
|
||||
plugin: update_idrange_type
|
||||
plugin: update_pacs
|
||||
@@ -20,6 +24,7 @@ plugin: update_upload_cacrt
|
||||
# update_ra_cert_store has to be executed after update_ca_renewal_master
|
||||
plugin: update_ra_cert_store
|
||||
plugin: update_mapping_Guests_to_nobody
|
||||
plugin: fix_kra_people_entry
|
||||
|
||||
# last
|
||||
# DNS version 1
|
||||
@@ -34,3 +39,4 @@ plugin: update_passync_privilege_update
|
||||
plugin: update_dnsserver_configuration_into_ldap
|
||||
plugin: update_ldap_server_list
|
||||
plugin: update_dna_shared_config
|
||||
plugin: update_unhashed_password
|
||||
|
||||
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
|
||||
app_DATA = \
|
||||
05-pre_upgrade_plugins.update \
|
||||
10-config.update \
|
||||
10-db-locks.update \
|
||||
10-enable-betxn.update \
|
||||
10-ipapwd.update \
|
||||
10-selinuxusermap.update \
|
||||
@@ -30,6 +31,7 @@ app_DATA = \
|
||||
21-ca_renewal_container.update \
|
||||
21-certstore_container.update \
|
||||
25-referint.update \
|
||||
30-ipservices.update \
|
||||
30-provisioning.update \
|
||||
30-s4u2proxy.update \
|
||||
37-locations.update \
|
||||
@@ -51,7 +53,6 @@ app_DATA = \
|
||||
50-krbenctypes.update \
|
||||
50-nis.update \
|
||||
50-ipaconfig.update \
|
||||
50-externalmembers.update \
|
||||
55-pbacmemberof.update \
|
||||
59-trusts-sysacount.update \
|
||||
60-trusts.update \
|
||||
@@ -63,7 +64,9 @@ app_DATA = \
|
||||
73-custodia.update \
|
||||
73-winsync.update \
|
||||
73-certmap.update \
|
||||
80-schema_compat.update \
|
||||
75-user-trust-attributes.update \
|
||||
80-schema_compat.update \
|
||||
81-externalmembers.update \
|
||||
90-post_upgrade_plugins.update \
|
||||
$(NULL)
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Makefile.in generated by automake 1.16.1 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.16.2 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@@ -214,6 +214,8 @@ JSLINT = @JSLINT@
|
||||
KRAD_LIBS = @KRAD_LIBS@
|
||||
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
|
||||
KRB5_CFLAGS = @KRB5_CFLAGS@
|
||||
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
|
||||
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
|
||||
KRB5_LIBS = @KRB5_LIBS@
|
||||
LD = @LD@
|
||||
LDAP_CFLAGS = @LDAP_CFLAGS@
|
||||
@@ -256,11 +258,10 @@ NM = @NM@
|
||||
NMEDIT = @NMEDIT@
|
||||
NSPR_CFLAGS = @NSPR_CFLAGS@
|
||||
NSPR_LIBS = @NSPR_LIBS@
|
||||
NSS_CFLAGS = @NSS_CFLAGS@
|
||||
NSS_LIBS = @NSS_LIBS@
|
||||
NUM_VERSION = @NUM_VERSION@
|
||||
OBJDUMP = @OBJDUMP@
|
||||
OBJEXT = @OBJEXT@
|
||||
ODS_GROUP = @ODS_GROUP@
|
||||
ODS_USER = @ODS_USER@
|
||||
OTOOL = @OTOOL@
|
||||
OTOOL64 = @OTOOL64@
|
||||
@@ -281,8 +282,6 @@ POPT_LIBS = @POPT_LIBS@
|
||||
POSUB = @POSUB@
|
||||
PYLINT = @PYLINT@
|
||||
PYTHON = @PYTHON@
|
||||
PYTHON2 = @PYTHON2@
|
||||
PYTHON3 = @PYTHON3@
|
||||
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
|
||||
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
|
||||
PYTHON_PLATFORM = @PYTHON_PLATFORM@
|
||||
@@ -370,7 +369,9 @@ program_transform_name = @program_transform_name@
|
||||
psdir = @psdir@
|
||||
pyexecdir = @pyexecdir@
|
||||
pythondir = @pythondir@
|
||||
runstatedir = @runstatedir@
|
||||
sbindir = @sbindir@
|
||||
selinux_makefile = @selinux_makefile@
|
||||
sharedstatedir = @sharedstatedir@
|
||||
srcdir = @srcdir@
|
||||
sysconfdir = @sysconfdir@
|
||||
@@ -386,6 +387,7 @@ appdir = $(IPA_DATA_DIR)/updates
|
||||
app_DATA = \
|
||||
05-pre_upgrade_plugins.update \
|
||||
10-config.update \
|
||||
10-db-locks.update \
|
||||
10-enable-betxn.update \
|
||||
10-ipapwd.update \
|
||||
10-selinuxusermap.update \
|
||||
@@ -412,6 +414,7 @@ app_DATA = \
|
||||
21-ca_renewal_container.update \
|
||||
21-certstore_container.update \
|
||||
25-referint.update \
|
||||
30-ipservices.update \
|
||||
30-provisioning.update \
|
||||
30-s4u2proxy.update \
|
||||
37-locations.update \
|
||||
@@ -433,7 +436,6 @@ app_DATA = \
|
||||
50-krbenctypes.update \
|
||||
50-nis.update \
|
||||
50-ipaconfig.update \
|
||||
50-externalmembers.update \
|
||||
55-pbacmemberof.update \
|
||||
59-trusts-sysacount.update \
|
||||
60-trusts.update \
|
||||
@@ -445,7 +447,9 @@ app_DATA = \
|
||||
73-custodia.update \
|
||||
73-winsync.update \
|
||||
73-certmap.update \
|
||||
80-schema_compat.update \
|
||||
75-user-trust-attributes.update \
|
||||
80-schema_compat.update \
|
||||
81-externalmembers.update \
|
||||
90-post_upgrade_plugins.update \
|
||||
$(NULL)
|
||||
|
||||
|
||||