websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.6.2

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
install/updates/05-pre_upgrade_plugins.update Normal file
View File

@@ -0,0 +1,10 @@
# first
plugin: update_managed_post_first
# middle
plugin: update_replica_attribute_lists
plugin: update_passync_privilege_check
plugin: update_referint
plugin: update_uniqueness_plugins_to_new_syntax
# last

74
install/updates/10-config.update Normal file
View File

@@ -0,0 +1,74 @@
# Enforce matching SSL certificate host names when 389-ds acts as an SSL
# client. A restart is necessary for this to take effect, we do one when
# upgrading.
dn: cn=config
only:nsslapd-ssl-check-hostname: on
# Remove incorrect placement
dn: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config
remove: nsslapd-pluginPrecedence: 60
# Set the precedence of the ipa-modrdn plugin so it runs after other
# plugins (the default is 50).
dn: cn=IPA MODRDN,cn=plugins,cn=config
only: nsslapd-pluginPrecedence: 60
# Set limits to suite better IPA deployment sizes, defaults are too
# conservative
dn: cn=config
default: nsslapd-sizelimit:100000
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
replace: nsslapd-lookthroughlimit:5000::100000
replace: nsslapd-idlistscanlimit:4000::100000
#Set much lower limits for anonymous searhes
dn: cn=anonymous-limits,cn=etc,$SUFFIX
default:objectclass:nsContainer
default:objectclass:top
default:cn: anonymous-limits
default:nsSizeLimit: 5000
default:nsLookThroughLimit: 5000
dn: cn=config
only:nsslapd-anonlimitsdn:cn=anonymous-limits,cn=etc,$SUFFIX
# Add a defaultNamingContext if one hasn't already been set. This was
# introduced in 389-ds-base-1.2.10-0.9.a8. Adding this to a server that
# doesn't support it generates a non-fatal error.
dn: cn=config
add:nsslapd-defaultNamingContext:$SUFFIX
# Allow the root DSE to be searched even with minssf set
dn: cn=config
only:nsslapd-minssf-exclude-rootdse:on
# Set the IPA winsync precedence so it will run after the DS
# POSIX winsync plugin
dn: cn=ipa-winsync,cn=plugins,cn=config
only: nsslapd-pluginPrecedence: 60
# Enable SASL mapping fallback
dn: cn=config
only:nsslapd-sasl-mapping-fallback: on
dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
addifnew:nsSaslMapPriority: 10
dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
addifnew:nsSaslMapPriority: 10
# Default SASL buffer size was too small and could lead for example to
# migration errors
# Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
dn: cn=config
only:nsslapd-sasl-max-buffer-size:2097152
# Allow hashed passwords to be added by non-DM users. Without this
# setting, password migration fails
dn: cn=config
only:nsslapd-allow-hashed-passwords:on
# Decrease default value for IO blocking to prevent server unresponsiveness
dn: cn=config
only:nsslapd-ioblocktimeout:10000

49
install/updates/10-enable-betxn.update Normal file
View File

@@ -0,0 +1,49 @@
# Enable transactions in 389-ds-base
dn: cn=7-bit check,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpreoperation
dn: cn=attribute uniqueness,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpreoperation
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpreoperation
dn: cn=Linked Attributes,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpreoperation
dn: cn=Managed Entries,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpreoperation
dn: cn=MemberOf Plugin,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpostoperation
dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
only: nsslapd-pluginbetxn: on
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpreoperation
dn: cn=referential integrity postoperation,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpostoperation
dn: cn=Roles Plugin,cn=plugins,cn=config
only: nsslapd-pluginbetxn: on
dn: cn=State Change Plugin,cn=plugins,cn=config
only: nsslapd-pluginType: betxnpostoperation
dn: cn=USN,cn=plugins,cn=config
only: nsslapd-pluginbetxn: on
dn: cn=IPA MODRDN,cn=plugins,cn=config
only: nsslapd-plugintype: betxnpostoperation
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
only: nsslapd-pluginbetxn: on
dn: cn=Schema Compatibility, cn=plugins, cn=config
onlyifexist: nsslapd-pluginbetxn: on
dn: cn=NIS Server, cn=plugins, cn=config
onlyifexist: nsslapd-pluginbetxn: on

9
install/updates/10-ipapwd.update Normal file
View File

@@ -0,0 +1,9 @@
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
# DS core server provides a default plugin (passwd_modify_extop) to handle
# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
# the pluginprecedence of the passwd_modify_extop is 50 (default value)
#
# IPA delivers ipa_pwd_extop plugin to handle that extended op
# we need to make sure ipa_pwd_extop is called and so to set a lower
# precedence value
add:nsslapd-pluginprecedence: 49

9
install/updates/10-rootdse.update Normal file
View File

@@ -0,0 +1,9 @@
# Set the default attributes to be returned by RootDSE
dn:
add:nsslapd-return-default-opattr:namingContexts
add:nsslapd-return-default-opattr:supportedControl
add:nsslapd-return-default-opattr:supportedExtension
add:nsslapd-return-default-opattr:supportedLDAPVersion
add:nsslapd-return-default-opattr:supportedSASLMechanisms
add:nsslapd-return-default-opattr:vendorName
add:nsslapd-return-default-opattr:vendorVersion

10
install/updates/10-selinuxusermap.update Normal file
View File

@@ -0,0 +1,10 @@
# Create the SELinux User map container
dn: cn=selinux,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: selinux
dn: cn=usermap,cn=selinux,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: usermap

94
install/updates/10-uniqueness.update Normal file
View File

@@ -0,0 +1,94 @@
dn: cn=sudorule name uniqueness,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: sudorule name uniqueness
default:nsslapd-pluginDescription: Enforce unique attribute values
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
default:uniqueness-attribute-name: cn
default:uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: certificate store subject uniqueness
default:nsslapd-pluginDescription: Enforce unique attribute values
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
default:uniqueness-attribute-name: ipaCertSubject
default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
dn: cn=certificate store issuer/serial uniqueness,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: certificate store issuer/serial uniqueness
default:nsslapd-pluginDescription: Enforce unique attribute values
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
default:uniqueness-attribute-name: ipaCertIssuerSerial
default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
dn: cn=uid uniqueness,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: uid uniqueness
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-pluginEnabled: on
default:uniqueness-attribute-name: uid
default:uniqueness-subtrees: $SUFFIX
default:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
default:uniqueness-across-all-subtrees: on
default:uniqueness-subtree-entries-oc: posixAccount
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
default:nsslapd-pluginDescription: Enforce unique attribute values
# uid uniqueness scopes Active/Delete containers
dn: cn=uid uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
remove:uniqueness-across-all-subtrees: off
add:uniqueness-across-all-subtrees: on
add:uniqueness-subtree-entries-oc: posixAccount
# krbPrincipalName uniqueness scopes Active/Delete containers
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# krbCanonicalName uniqueness scopes Active/Delete containers
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# ipaUniqueID uniqueness scopes Active/Delete containers
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on

17
install/updates/19-managed-entries.update Normal file
View File

@@ -0,0 +1,17 @@
dn: cn=Managed Entries,cn=plugins,cn=config
only: nsslapd-pluginConfigArea: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
dn: cn=Managed Entries,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: Managed Entries
dn: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: Templates
dn: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: Definitions

157
install/updates/20-aci.update Normal file
View File

@@ -0,0 +1,157 @@
# Don't allow managed netgroups to be modified
dn: cn=ng,cn=alt,$SUFFIX
add:aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)
# This is used for the host/service one-time passwordn and keytab indirectors.
# We can do a query on a DN to see if an attribute exists.
dn: cn=accounts,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
# SSH public keys
dn: $SUFFIX
add:aci:(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
dn: cn=computers,cn=accounts,$SUFFIX
add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
dn: cn=computers,cn=accounts,$SUFFIX
add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
# Read access to $SUFFIX itself
dn: $SUFFIX
add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)
# Read access to containers
dn: $SUFFIX
add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)
# Read access to masters and their services
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
# Allow hosts to read masters service configuration
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
# Allow hosts to read replication managers
dn: cn=sysaccounts,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "objectClass || cn")(version 3.0; acl "Allow hosts to read replication managers"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
dn: cn=kerberos,$SUFFIX
add:aci:(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)
# Access for high-level admins
dn: $SUFFIX
# Read/write
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Write-only
remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash || krbPasswordExpiration")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Read-only
add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci:(targetattr="krbPrincipalName || krbCanonicalName")(version 3.0; acl "Admin can write principal names"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=tasks,cn=config
add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
# Allow hosts to read their replication agreements
dn: cn=mapping tree,cn=config
add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes
dn: cn=mapping tree,cn=config
add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
# Removal of obsolete ACIs
dn: cn=config
remove:aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
# ticket 5631: this ACI cannot be a managed ACI, because it is located in nonreplicated container
remove:aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
remove:aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
remove:aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
remove:aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
dn: cn=hbac,$SUFFIX
remove:aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
dn: cn=sudo,$SUFFIX
remove:aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
# Get Keytab operation Access Control
dn: cn=accounts,$SUFFIX
add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Users allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#USERDN";)
add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Groups allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Users allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#USERDN";)
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Groups allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#GROUPDN";)
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
# User certificates
dn: $SUFFIX
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
# Hosts can add their own services
dn: cn=services,cn=accounts,$SUFFIX
remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
# CIFS service on the master can manage ID ranges
dn: cn=ranges,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=*,cn=ranges,cn=etc,$SUFFIX")(targetfilter = "(objectClass=ipaIDrange)")(version 3.0;acl "CIFS service can manage ID ranges for trust"; allow(all) userdn="ldap:///krbprincipalname=cifs/*@$REALM,cn=services,cn=accounts,$SUFFIX" and groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
# IPA server hosts can modify replication managers members
dn: cn=sysaccounts,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "member")(version 3.0; acl "IPA server hosts can modify replication managers members"; allow(read, search, compare, write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# IPA server hosts can change replica ID
dn: cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# IPA server hosts can create and manage own Custodia secrets
dn: cn=ipa,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
# IPA server hosts can create and manage Dogtag Custodia secrets for same host
dn: cn=ipa,cn=etc,$SUFFIX
add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create Dogtag Custodia secrets for same host"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage Dogtag Custodia secrets for same host"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
# Dogtag service principals can search Custodia keys
add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals can search Custodia keys"; allow(read, search, compare) userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";)
# Anonymous Principal key retrieval
dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
addifexist: objectclass: ipaAllowedOperations
addifexist: aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
addifexist: ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX

133
install/updates/20-default_password_policy.update Normal file
View File

@@ -0,0 +1,133 @@
# Default password policies for hosts, services and Kerberos services
# Setting all attributes to zero effectively disables any password policy
# We can do this because hosts and services uses keytabs instead of passwords
# hosts
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Host Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# services
dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# kerberos policy container
# this is necessary to avoid mixing the Kerberos sevice password policy
# with group-membership based user password policies
dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: nsContainer
default:objectClass: top
default:cn: Kerberos Service Password Policy
# kerberos services
dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:objectClass: krbPwdPolicy
default:objectClass: nsContainer
default:objectClass: top
default:cn: Default Kerberos Service Password Policy
default:krbMinPwdLife: 0
default:krbPwdMinDiffChars: 0
default:krbPwdMinLength: 0
default:krbPwdHistoryLength: 0
default:krbMaxPwdLife: 0
default:krbPwdMaxFailure: 0
default:krbPwdFailureCountInterval: 0
default:krbPwdLockoutDuration: 0
# default password policies for hosts, services and kerberos services
# cosPriority is set intentionally to higher number than FreeIPA API allows
# to set to ensure that these password policies have always lower priority
# than any defined by user.
# hosts
dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
default:description: Default Password Policy for Hosts
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# services
dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
default:description: Default Password Policy for Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default
# kerberos services
dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: cosTemplates
dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:objectclass: top
default:objectclass: cosTemplate
default:objectclass: extensibleObject
default:objectclass: krbContainer
default:cn: Default Password Policy
default:cosPriority: 10000000000
default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
default:description: Default Password Policy for Kerberos Services
default:objectClass: top
default:objectClass: ldapsubentry
default:objectClass: cosSuperDefinition
default:objectClass: cosPointerDefinition
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
default:cosAttribute: krbPwdPolicyReference default

6
install/updates/20-dna.update Normal file
View File

@@ -0,0 +1,6 @@
# Config winsync plugin according to DNA
dn: cn=ipa-winsync,cn=plugins,cn=config
remove:ipaWinSyncUserAttr: uidNumber 999
remove:ipaWinSyncUserAttr: gidNumber 999
add:ipaWinSyncUserAttr: uidNumber -1
add:ipaWinSyncUserAttr: gidNumber -1

23
install/updates/20-host_nis_groups.update Normal file
View File

@@ -0,0 +1,23 @@
# This is a copy of the definition from host_nis_groups.ldif
# This is required for replication. The template entry will get
# replicated but the plugin configuration will not.
dn: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
default:objectclass: mepTemplateEntry
default:cn: NGP HGP Template
default:mepRDNAttr: cn
default:mepStaticAttr: ipaUniqueId: autogenerate
default:mepStaticAttr: objectclass: ipanisnetgroup
default:mepStaticAttr: objectclass: ipaobject
default:mepStaticAttr: nisDomainName: $DOMAIN
default:mepMappedAttr: cn: $$cn
default:mepMappedAttr: memberHost: $$dn
default:mepMappedAttr: description: ipaNetgroup $$cn
dn: cn=NGP Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
default:objectclass: extensibleObject
only:cn: NGP Definition
default:originScope: cn=hostgroups,cn=accounts,$SUFFIX
default:originFilter: objectclass=ipahostgroup
default:managedBase: cn=ng,cn=alt,$SUFFIX
default:managedTemplate: cn=NGP HGP Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX

22
install/updates/20-idoverride_index.update Normal file
View File

@@ -0,0 +1,22 @@
#
# Make sure ID override attributes have the correct indexing
#
dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipaOriginalUid
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only: nsIndexType: eq
only: nsIndexType: pres
dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipaAnchorUUID
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only: nsIndexType: eq
only: nsIndexType: pres
dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
remove:cn: ipaOriginalUid

310
install/updates/20-indices.update Normal file
View File

@@ -0,0 +1,310 @@
#
# Some nss_ldap implementations will always ask for memberuid so we must
# have an index for it.
#
# FreeIPA frequently searches for memberHost and memberUser to determine
# group membership.
#
dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberuid
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberHost
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberUser
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:nsIndexType: eq
only:nsIndexType: sub
dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:nsIndexType: eq
only:nsIndexType: sub
dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=seealso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only:nsIndexType: eq
only:nsIndexType: sub
dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberof
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq
dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: fqdn
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: macAddress
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq
default:nsIndexType: pres
dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: sourcehost
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberservice
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: managedby
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberallowcmd
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberdenycmd
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipasudorunas
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipasudorunasgroup
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: automountkey
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq
dn: cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipakrbprincipalalias
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq
dn: cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipauniqueid
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq
dn: cn=ipatokenradiusconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipatokenradiusconfiglink
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=ipaassignedidview,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipaassignedidview
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=ipaallowedtarget,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipaallowedtarget
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipaMemberCa
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipaMemberCertProfile
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: userCertificate
default:ObjectClass: top
default:ObjectClass: nsIndex
only:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ntUniqueId
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ntUserDomainId
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
dn: cn=ipalocation,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: ipalocation
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: krbPrincipalName
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
only: nsMatchingRule: caseIgnoreIA5Match
only: nsMatchingRule: caseExactIA5Match
only:nsIndexType: eq
only:nsIndexType: sub
dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default: cn: krbCanonicalName
default: objectClass: top
default: objectClass: nsIndex
only: nsSystemIndex: false
only: nsIndexType: eq
only: nsIndexType: sub
dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default: cn: serverhostname
default: objectClass: top
default: objectClass: nsIndex
only: nsSystemIndex: false
only: nsIndexType: eq
only: nsIndexType: sub
dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
default: cn: description
default: objectclass: top
default: objectclass: nsindex
default: nssystemindex: false
default: nsindextype: eq
default: nsindextype: sub
dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
default: cn: l
default: objectclass: top
default: objectclass: nsindex
default: nssystemindex: false
default: nsindextype: eq
default: nsindextype: sub
dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
default: cn: nsOsVersion
default: objectclass: top
default: objectclass: nsindex
default: nssystemindex: false
default: nsindextype: eq
default: nsindextype: sub
dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
default: cn: nsHardwarePlatform
default: objectclass: top
default: objectclass: nsindex
default: nssystemindex: false
default: nsindextype: eq
default: nsindextype: sub
dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
default: cn: nsHostLocation
default: objectclass: top
default: objectclass: nsindex
default: nssystemindex: false
default: nsindextype: eq
default: nsindextype: sub

13
install/updates/20-ipaservers_hostgroup.update Normal file
View File

@@ -0,0 +1,13 @@
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
default: objectClass: top
default: objectClass: groupOfNames
default: objectClass: nestedGroup
default: objectClass: ipaobject
default: objectClass: ipahostgroup
default: description: IPA server hosts
default: cn: ipaservers
default: ipaUniqueID: autogenerate
# Add local host to ipaservers
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
add: member: fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX

33
install/updates/20-nss_ldap.update Normal file
View File

@@ -0,0 +1,33 @@
#
# Add profile for RFC 4876 agents (Solaris and HP/ux)
#
# Update the top-level entry
dn: $SUFFIX
add:objectClass: domain
add:objectClass: domainRelatedObject
add:objectClass: nisDomainObject
add:associatedDomain: $DOMAIN
add:nisDomain: $DOMAIN
# Add a place to store the nss_ldap default profile
dn: ou=profile,$SUFFIX
add: objectClass: top
add: objectClass: organizationalUnit
add: ou: profiles
# The DUA profile. On Solaris one can run:
# ldap_client init ipa.example.com
dn: cn=default,ou=profile,$SUFFIX
default:ObjectClass: top
default:ObjectClass: DUAConfigProfile
default:defaultServerList: $FQDN
default:defaultSearchBase: $SUFFIX
default:authenticationMethod: none
default:searchTimeLimit: 15
default:cn: default
default:serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
default:serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
default:bindTimeLimit: 5
default:objectClassMap: shadow:shadowAccount=posixAccount
default:followReferrals:TRUE

68
install/updates/20-replication.update Normal file
View File

@@ -0,0 +1,68 @@
#
# Counter used to store the next replica id
#
# Start at 3 to avoid conflicts with v1.0 replica ids. The value itself
# isn't important but each replica needs a unique id.
dn: cn=replication,cn=etc,$SUFFIX
default: objectclass: nsDS5Replica
default: nsDS5ReplicaId: 3
default: nsDS5ReplicaRoot: $SUFFIX
# Group containing replication bind dns
dn: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: groupofnames
default: cn: replication managers
add: member: krbprincipalname=ldap/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
# Topology configuration container
dn: cn=topology,cn=ipa,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: topology
# Default topology configuration area
dn: cn=domain,cn=topology,cn=ipa,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: iparepltopoconf
default: ipaReplTopoConfRoot: $SUFFIX
default: cn: domain
add: nsDS5ReplicatedAttributeList: $EXCLUDES
add: nsDS5ReplicatedAttributeListTotal: $TOTAL_EXCLUDES
add: nsds5ReplicaStripAttrs: $STRIP_ATTRS
# Remove old topology configuration area (unused)
dn: cn=realm,cn=topology,cn=ipa,cn=etc,$SUFFIX
deleteentry: cn=realm,cn=topology,cn=ipa,cn=etc,$SUFFIX
# add IPA realm managed suffix to master entry
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add: objectclass: ipaReplTopoManagedServer
add: ipaReplTopoManagedSuffix: $SUFFIX
# Enable Topology Plugin
dn: cn=IPA Topology Configuration,cn=plugins,cn=config
default: changetype: add
default: objectClass: top
default: objectClass: nsSlapdPlugin
default: objectClass: extensibleObject
default: cn: IPA Topology Configuration
default: nsslapd-pluginPath: libtopology
default: nsslapd-pluginInitfunc: ipa_topo_init
default: nsslapd-pluginType: object
default: nsslapd-pluginEnabled: on
default: nsslapd-topo-plugin-shared-config-base: cn=ipa,cn=etc,$SUFFIX
default: nsslapd-topo-plugin-shared-replica-root: $SUFFIX
default: nsslapd-topo-plugin-shared-replica-root: o=ipaca
default: nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
default: nsslapd-topo-plugin-startup-delay: 20
default: nsslapd-pluginId: none
default: nsslapd-plugin-depends-on-named: ldbm database
default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
default: nsslapd-pluginVersion: 1.0
default: nsslapd-pluginVendor: none
default: nsslapd-pluginDescription: none
# Set replication changelog limit (#5086)
dn: cn=changelog5,cn=config
addifnew: nsslapd-changelogmaxage: 7d

6
install/updates/20-sslciphers.update Normal file
View File

@@ -0,0 +1,6 @@
# change configured ciphers
# the result of this update will be that default ciphers
# provided by DS which are not weak will be enabled
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
addifnew:allowWeakCipher: off

29
install/updates/20-syncrepl.update Normal file
View File

@@ -0,0 +1,29 @@
# Enable Retro changelog - it is necessary for SyncRepl
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
# Remember original nsuniqueid for objects referenced from cn=changelog
add:nsslapd-attribute: nsuniqueid:targetUniqueId
add:nsslapd-changelogmaxage: 2d
add:nsslapd-include-suffix: cn=dns,$SUFFIX
# Keep memberOf and referential integrity plugins away from cn=changelog.
# It is necessary for performance reasons because we don't have appropriate
# indices for cn=changelog.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
add:memberofentryscope: $SUFFIX
add:memberofentryscopeexcludesubtree: cn=compat,$SUFFIX
add:memberofentryscopeexcludesubtree: cn=provisioning,$SUFFIX
add:memberofentryscopeexcludesubtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
dn: cn=referential integrity postoperation,cn=plugins,cn=config
add:nsslapd-plugincontainerscope: $SUFFIX
add:nsslapd-pluginentryscope: $SUFFIX
add:nsslapd-pluginExcludeEntryScope: cn=provisioning,$SUFFIX
# Enable SyncRepl
dn: cn=Content Synchronization,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries
dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
add:ipaUuidExcludeSubtree: cn=provisioning,$SUFFIX

26
install/updates/20-user_private_groups.update Normal file
View File

@@ -0,0 +1,26 @@
# This is a copy of the definition from user_private_groups.ldif
# This is required for replication. The template entry will get
# replicated but the plugin configuration will not.
dn: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
default:objectclass: mepTemplateEntry
default:cn: UPG Template
default:mepRDNAttr: cn
default:mepStaticAttr: objectclass: posixgroup
default:mepStaticAttr: objectclass: ipaobject
default:mepStaticAttr: ipaUniqueId: autogenerate
default:mepMappedAttr: cn: $$uid
default:mepMappedAttr: gidNumber: $$uidNumber
default:mepMappedAttr: description: User private group for $$uid
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
default:objectclass: extensibleObject
default:cn: UPG Definition
default:originScope: cn=users,cn=accounts,$SUFFIX
default:originFilter: objectclass=posixAccount
default:managedBase: cn=groups,cn=accounts,$SUFFIX
default:managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
replace:originFilter: objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__)))

11
install/updates/20-uuid.update Normal file
View File

@@ -0,0 +1,11 @@
# add plugin configuration for ipk11UniqueId
dn: cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config
default: objectclass: top
default: objectclass: extensibleObject
default: cn: IPK11 Unique IDs
default: ipaUuidAttr: ipk11UniqueID
default: ipaUuidMagicRegen: autogenerate
default: ipaUuidFilter: (objectclass=ipk11Object)
default: ipaUuidScope: $SUFFIX
default: ipaUuidEnforce: FALSE

14
install/updates/20-whoami.update Normal file
View File

@@ -0,0 +1,14 @@
dn: cn=whoami,cn=plugins,cn=config
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: whoami
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginDescription: whoami extended operation plugin
default:nsslapd-pluginEnabled: on
default:nsslapd-pluginId: whoami-plugin
default:nsslapd-pluginInitfunc: whoami_init
default:nsslapd-pluginPath: libwhoami-plugin
default:nsslapd-pluginType: extendedop
default:nsslapd-pluginVendor: 389 Project
default:nsslapd-pluginVersion: 1.0

12
install/updates/20-winsync_index.update Normal file
View File

@@ -0,0 +1,12 @@
#
# Make sure winsync attributes have the correct indexing
#
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only: nsIndexType: eq
only: nsIndexType: pres
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only: nsIndexType: eq
only: nsIndexType: pres

8
install/updates/21-ca_renewal_container.update Normal file
View File

@@ -0,0 +1,8 @@
#
# Add CA renewal container if not available
#
dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: ca_renewal

4
install/updates/21-certstore_container.update Normal file
View File

@@ -0,0 +1,4 @@
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: certificates

9
install/updates/21-replicas_container.update Normal file
View File

@@ -0,0 +1,9 @@
#
# Add replicas container if not available
#
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: replicas

22
install/updates/25-referint.update Normal file
View File

@@ -0,0 +1,22 @@
# Expand attributes checked by Referential Integrity plugin
# pres and eq indexes defined in 20-indices.update must be set for all these
# attributes
# NOTE: migration to new style is done in update_referint.py
dn: cn=referential integrity postoperation,cn=plugins,cn=config
add: referint-membership-attr: manager
add: referint-membership-attr: secretary
add: referint-membership-attr: memberuser
add: referint-membership-attr: memberhost
add: referint-membership-attr: sourcehost
add: referint-membership-attr: memberservice
add: referint-membership-attr: managedby
add: referint-membership-attr: memberallowcmd
add: referint-membership-attr: memberdenycmd
add: referint-membership-attr: ipasudorunas
add: referint-membership-attr: ipasudorunasgroup
add: referint-membership-attr: ipatokenradiusconfiglink
add: referint-membership-attr: ipaassignedidview
add: referint-membership-attr: ipaallowedtarget
add: referint-membership-attr: ipamemberca
add: referint-membership-attr: ipamembercertprofile
add: referint-membership-attr: ipalocation

49
install/updates/30-provisioning.update Normal file
View File

@@ -0,0 +1,49 @@
# bootstrap the user life cycle DIT structure.
dn: cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: provisioning
dn: cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: accounts
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: staged users
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: cn: deleted users
# This is used for the admin to know if credential are set for stage users
# We can do a query on a DN to see if an attribute exists or retrieve the value
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
# This is used for the admin to reset the delete users credential
# No one is allowed to add entry in Delete container
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
default: objectClass: top
default: objectClass: cosSuperDefinition
default: objectClass: cosPointerDefinition
default: objectClass: ldapSubEntry
default: costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
default: cosAttribute: nsaccountlock operational
default: cn: provisioning accounts lock
dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
default: objectClass: top
default: objectClass: extensibleObject
default: objectClass: cosTemplate
default: cosPriority: 1
default: cn: Inactivation cos template
default: nsAccountLock: true

24
install/updates/30-s4u2proxy.update Normal file
View File

@@ -0,0 +1,24 @@
dn: cn=s4u2proxy,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: s4u2proxy
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
default: objectClass: ipaKrb5DelegationACL
default: objectClass: groupOfPrincipals
default: objectClass: top
default: cn: ipa-http-delegation
default: memberPrincipal: HTTP/$FQDN@$REALM
default: ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
default: objectClass: groupOfPrincipals
default: objectClass: top
default: cn: ipa-ldap-delegation-targets
default: memberPrincipal: ldap/$FQDN@$REALM
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
add: memberPrincipal: HTTP/$FQDN@$REALM
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
add: memberPrincipal: ldap/$FQDN@$REALM

4
install/updates/37-locations.update Normal file
View File

@@ -0,0 +1,4 @@
dn: cn=locations,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: locations

22
install/updates/40-automember.update Normal file
View File

@@ -0,0 +1,22 @@
# Add all supported automember LDAP objects
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
addifnew: nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
dn: cn=automember,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: automember
dn: cn=Hostgroup,cn=automember,cn=etc,$SUFFIX
default: objectclass: autoMemberDefinition
default: cn: Hostgroup
default: autoMemberScope: cn=computers,cn=accounts,$SUFFIX
default: autoMemberFilter: objectclass=ipaHost
default: autoMemberGroupingAttr: member:dn
dn: cn=Group,cn=automember,cn=etc,$SUFFIX
default: objectclass: autoMemberDefinition
default: cn: Group
default: autoMemberScope: cn=users,cn=accounts,$SUFFIX
default: autoMemberFilter: objectclass=posixAccount
default: autoMemberGroupingAttr: member:dn

9
install/updates/40-certprofile.update Normal file
View File

@@ -0,0 +1,9 @@
dn: cn=ca,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: ca
dn: cn=certprofiles,cn=ca,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: certprofiles

277
install/updates/40-delegation.update Normal file
View File

@@ -0,0 +1,277 @@
# IPA configuration
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Write IPA Configuration
default:description: Write IPA Configuration
dn: cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Write IPA Configuration
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci: (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)
# Host-Based Access Control
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: HBAC Administrator
default:description: HBAC Administrator
# SUDO
dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Sudo Administrator
default:description: Sudo Administrator
# Password Policy
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Administrator
default:description: Password Policy Administrator
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=admins,cn=groups,cn=accounts,$SUFFIX
# The original DNS permissions lacked the tag.
dn: $SUFFIX
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
# SELinux User Mapping
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: SELinux User Map Administrators
default:description: SELinux User Map Administrators
dn: cn=ipa,cn=etc,$SUFFIX
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
# to privilege "Host Administrators"
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=ipa,cn=etc,$SUFFIX
remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Automember Task Administrator
default:description: Automember Task Administrator
dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Automember Rebuild Membership Task
default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
# Virtual operations
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: retrieve certificate
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate different host
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate status
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: revoke certificate
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate remove hold
dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate ignore caacl
dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Request Certificate ignoring CA ACLs
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
# Read privileges
dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: RBAC Readers
default:description: Read roles, privileges, permissions and ACIs
dn: cn=Password Policy Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Password Policy Readers
default:description: Read password policies
dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Kerberos Ticket Policy Readers
default:description: Read global and per-user Kerberos ticket policy
dn: cn=Automember Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Automember Readers
default:description: Read Automember definitions
dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: IPA Masters Readers
default:description: Read list of IPA masters
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# PassSync
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: PassSync Service
default:description: PassSync Service
dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Read PassSync Managers Configuration
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Modify PassSync Managers Configuration
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
# Replication Administrators
dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Read LDBM Database Configuration
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Configuration Sub-Entries
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)
# CA Administrators
dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: CA Administrator
default:description: CA Administrator
# Vault Administrators
dn: cn=Vault Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
default:objectClass: groupofnames
default:objectClass: top
default:cn: Vault Administrators
default:description: Vault Administrators
# Locations - always create DNS related privileges
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: DNS Administrators
default:description: DNS Administrators
dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: DNS Servers
default:description: DNS Servers

36
install/updates/40-dns.update Normal file
View File

@@ -0,0 +1,36 @@
# update DNS container
dn: cn=dns, $SUFFIX
addifexist: objectClass: idnsConfigObject
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
# replace DNS tree deny rule with managedBy enhanced allow rule
dn: cn=dns, $SUFFIX
replace:aci:(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
replace:aci:(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
# remove old managedBy ACIs
dn: cn=dns, $SUFFIX
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
remove:aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
# add DNS plugin
dn: cn=IPA DNS,cn=plugins,cn=config
default: objectclass: top
default: objectclass: nsslapdPlugin
default: objectclass: extensibleObject
default: cn: IPA DNS
default: nsslapd-plugindescription: IPA DNS support plugin
default: nsslapd-pluginenabled: on
default: nsslapd-pluginid: ipa_dns
default: nsslapd-plugininitfunc: ipadns_init
default: nsslapd-pluginpath: libipa_dns.so
default: nsslapd-plugintype: preoperation
default: nsslapd-pluginvendor: Red Hat, Inc.
default: nsslapd-pluginversion: 1.0
default: nsslapd-plugin-depends-on-type: database

61
install/updates/40-otp.update Normal file
View File

@@ -0,0 +1,61 @@
dn: cn=otp,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: otp
dn: cn=otp,cn=etc,$SUFFIX
default: objectClass: ipatokenOTPConfig
default: objectClass: top
default: cn: otp
default: ipatokenTOTPauthWindow: 300
default: ipatokenTOTPsyncWindow: 86400
default: ipatokenHOTPauthWindow: 10
default: ipatokenHOTPsyncWindow: 100
dn: $SUFFIX
remove: aci:(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create and delete tokens"; allow (add, delete) userattr = "ipatokenOwner#SELFDN";)
remove: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)
remove: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)
remove: aci:(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
remove: aci:(targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenHOTPcounter")(version 3.0; acl "Users can add HOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
add: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
add: aci:(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPtimeStep")(version 3.0; acl "Users/managers can see TOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
add: aci:(targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl "Users/managers can see HOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
add: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Managers can write basic token info"; allow (write) userattr = "managedBy#USERDN";)
add: aci:(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Managers can delete tokens"; allow (delete) userattr = "managedBy#USERDN";)
add: aci:(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create self-managed tokens"; allow (add) userattr = "ipatokenOwner#SELFDN" and userattr = "managedBy#SELFDN";)
dn: cn=radiusproxy,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: radiusproxy
dn: cn=IPA OTP Last Token,cn=plugins,cn=config
default:objectclass: top
default:objectclass: nsSlapdPlugin
default:objectclass: extensibleObject
default:cn: IPA OTP Last Token
default:nsslapd-pluginpath: libipa_otp_lasttoken
default:nsslapd-plugininitfunc: ipa_otp_lasttoken_init
default:nsslapd-plugintype: preoperation
default:nsslapd-pluginenabled: on
default:nsslapd-pluginid: ipa-otp-lasttoken
default:nsslapd-pluginversion: 1.0
default:nsslapd-pluginvendor: Red Hat, Inc.
default:nsslapd-plugindescription: IPA OTP Last Token plugin
default:nsslapd-plugin-depends-on-type: database
dn: cn=IPA OTP Counter,cn=plugins,cn=config
default:objectclass: top
default:objectclass: nsSlapdPlugin
default:objectclass: extensibleObject
default:cn: IPA OTP Counter
default:nsslapd-pluginpath: libipa_otp_counter
default:nsslapd-plugininitfunc: ipa_otp_counter_init
default:nsslapd-plugintype: preoperation
default:nsslapd-pluginenabled: on
default:nsslapd-pluginid: ipa-otp-counter
default:nsslapd-pluginversion: 1.0
default:nsslapd-pluginvendor: Red Hat, Inc.
default:nsslapd-plugindescription: IPA OTP Counter plugin
default:nsslapd-plugin-depends-on-type: database

8
install/updates/40-realm_domains.update Normal file
View File

@@ -0,0 +1,8 @@
# Add the Realm Domains container
dn: cn=Realm Domains,cn=ipa,cn=etc,$SUFFIX
default:objectClass: domainRelatedObject
default:objectClass: nsContainer
default:objectClass: top
default:cn: Realm Domains
default:associatedDomain: $DOMAIN

27
install/updates/40-replication.update Normal file
View File

@@ -0,0 +1,27 @@
# Let a delegated user put the database into read-only mode when deleting
# an agreement.
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
add:aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
# Add rules to manage DNA ranges
dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Modify DNA Range
default:ipapermissiontype: SYSTEM
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
add:aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Read DNA Range
default:ipapermissiontype: SYSTEM
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
add:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)

24
install/updates/40-vault.update Normal file
View File

@@ -0,0 +1,24 @@
dn: cn=vaults,cn=kra,$SUFFIX
remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)

4
install/updates/41-caacl.update Normal file
View File

@@ -0,0 +1,4 @@
dn: cn=caacls,cn=ca,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: caacls

4
install/updates/41-lightweight-cas.update Normal file
View File

@@ -0,0 +1,4 @@
dn: cn=cas,cn=ca,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: cas

102
install/updates/45-roles.update Normal file
View File

@@ -0,0 +1,102 @@
# Helpdesk roles
dn: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Modify Users and Reset passwords
default:description: Modify Users and Reset passwords
default:member: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
dn: cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Modify Group membership
default:description: Modify Group membership
default:member: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
dn: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: User Administrator
default:description: Responsible for creating Users and Groups
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: Stage User Administrators
default:description: Stage User Administrators
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
dn: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: IT Specialist
default:description: IT Specialist
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: IT Security Specialist
default:description: IT Security Specialist
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=Sudo administrator,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
dn: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: Security Architect
default:description: Security Architect
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
dn: cn=Enrollment Administrator,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: Enrollment Administrator
default:description: Enrollment Administrator responsible for client(host) enrollment
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: cn=Enrollment Administrator,cn=roles,cn=accounts,$SUFFIX

6
install/updates/50-7_bit_check.update Normal file
View File

@@ -0,0 +1,6 @@
# Remove userPassword from the list of attributes checked by 7-bit plugin
# Replace argument value 'userPassword' with 'mail' to avoid the need to
# shift the whole argument array. Attribute 'mail' is already listed
# in pluginarg1, so it is conveniently used as valid value placeholder.
dn: cn=7-bit check,cn=plugins,cn=config
replace:nsslapd-pluginarg2:userpassword::mail

19
install/updates/50-dogtag10-migration.update Normal file
View File

@@ -0,0 +1,19 @@
# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
# based replica is being installed from a Dogtag 9 based replica,
# the database will miss ACLs added in Dogtag 10 resulting in limited
# functionality.
#
# This update file can be removed when Dogtag database upgrades are done
# in PKI component. Upstream tickets:
# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
# * https://fedorahosted.org/pki/ticket/906 (checking database version)
dn: cn=aclResources,o=ipaca
addifexist:resourceACLS:certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles

3
install/updates/50-externalmembers.update Normal file
View File

@@ -0,0 +1,3 @@
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup

12
install/updates/50-groupuuid.update Normal file
View File

@@ -0,0 +1,12 @@
# The groups added in bootstrap-template.ldif didn't include ipaUniqueId
dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
add:objectclass: ipaobject
addifnew:ipaUniqueID: autogenerate
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
add:objectclass: ipaobject
addifnew:ipaUniqueID: autogenerate
dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
add:objectclass: ipaobject
addifnew:ipaUniqueID: autogenerate

50
install/updates/50-hbacservice.update Normal file
View File

@@ -0,0 +1,50 @@
dn: cn=crond,cn=hbacservices,cn=hbac,$SUFFIX
default:objectclass: ipahbacservice
default:objectclass: ipaobject
default:cn: crond
default:description: crond
default:ipauniqueid:autogenerate
dn: cn=vsftpd,cn=hbacservices,cn=hbac,$SUFFIX
default:objectclass: ipahbacservice
default:objectclass: ipaobject
default:cn: vsftpd
default:description: vsftpd
default:ipauniqueid:autogenerate
dn: cn=proftpd,cn=hbacservices,cn=hbac,$SUFFIX
default:objectclass: ipahbacservice
default:objectclass: ipaobject
default:cn: proftpd
default:description: proftpd
default:ipauniqueid:autogenerate
dn: cn=pure-ftpd,cn=hbacservices,cn=hbac,$SUFFIX
default:objectclass: ipahbacservice
default:objectclass: ipaobject
default:cn: pure-ftpd
default:description: pure-ftpd
default:ipauniqueid:autogenerate
dn: cn=gssftp,cn=hbacservices,cn=hbac,$SUFFIX
default:objectclass: ipahbacservice
default:objectclass: ipaobject
default:cn: gssftp
default:description: gssftp
default:ipauniqueid:autogenerate
dn: cn=ftp,cn=hbacservicegroups,cn=hbac,$SUFFIX
default:objectClass: ipaobject
default:objectClass: ipahbacservicegroup
default:objectClass: nestedGroup
default:objectClass: groupOfNames
default:objectClass: top
default:cn: ftp
default:ipauniqueid:autogenerate
default:description: Default group of ftp related services
default:member: cn=ftp,cn=hbacservices,cn=hbac,$SUFFIX
default:member: cn=proftpd,cn=hbacservices,cn=hbac,$SUFFIX
default:member: cn=pure-ftpd,cn=hbacservices,cn=hbac,$SUFFIX
default:member: cn=vsftpd,cn=hbacservices,cn=hbac,$SUFFIX
default:member: cn=gssftp,cn=hbacservices,cn=hbac,$SUFFIX

7
install/updates/50-ipaconfig.update Normal file
View File

@@ -0,0 +1,7 @@
dn: cn=ipaConfig,cn=etc,$SUFFIX
add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
add:ipaUserObjectClasses: ipasshuser
remove:ipaConfigString:AllowLMhash
add:objectClass: ipaUserAuthTypeClass
add:objectClass: ipaNameResolutionData

5
install/updates/50-krbenctypes.update Normal file
View File

@@ -0,0 +1,5 @@
dn: cn=$REALM,cn=kerberos,$SUFFIX
add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special
add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special

3
install/updates/50-nis.update Normal file
View File

@@ -0,0 +1,3 @@
# Updates are applied only if NIS plugin has been configured
# update definitions are located in install/share/nis-update.uldif
plugin: update_nis_configuration

18
install/updates/55-pbacmemberof.update Normal file
View File

@@ -0,0 +1,18 @@
#
# This needs to come later in the cycle otherwise the DN sorting is going
# to cause it to execute before the member attributes are added
dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
add: objectClass: top
add: objectClass: extensibleObject
add: cn: IPA PBAC memberOf $TIME
add: basedn: cn=privileges,cn=pbac,$SUFFIX
add: filter: (objectclass=*)
add: ttl: 10
dn: cn=Update Role memberOf $TIME, cn=memberof task, cn=tasks, cn=config
add: objectClass: top
add: objectClass: extensibleObject
add: cn: Update Role memberOf $TIME
add: basedn: cn=roles,cn=accounts,$SUFFIX
add: filter: (objectclass=*)
add: ttl: 10

8
install/updates/59-trusts-sysacount.update Normal file
View File

@@ -0,0 +1,8 @@
# this update must be applied before 60-trusts.update, because current
# implementation of ipa-ldap-updater doesn't keep the order of updates in
# filesets
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup
default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents

45
install/updates/60-trusts.update Normal file
View File

@@ -0,0 +1,45 @@
dn: cn=trust admins,cn=groups,cn=accounts,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: ipausergroup
default: objectClass: nestedgroup
default: objectClass: ipaobject
default: cn: trust admins
default: description: Trusts administrators group
default: member: uid=admin,cn=users,cn=accounts,$SUFFIX
default: nsAccountLock: FALSE
default: ipaUniqueID: autogenerate
dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
dn: cn=trusts,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: trusts
# Trust management
# 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS
# 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
dn: cn=trusts,$SUFFIX
add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Allow trust agents to set keys for cross realm principals"; allow(write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
# Samba user should be able to read NT passwords to authenticate
# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
dn: $SUFFIX
add:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
remove:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
# Add the default PAC type to configuration
dn: cn=ipaConfig,cn=etc,$SUFFIX
addifnew: ipaKrbAuthzData: MS-PAC

7
install/updates/61-trusts-s4u2proxy.update Normal file
View File

@@ -0,0 +1,7 @@
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
default: objectClass: groupOfPrincipals
default: objectClass: top
default: cn: ipa-cifs-delegation-targets
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
add: ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

24
install/updates/62-ranges.update Normal file
View File

@@ -0,0 +1,24 @@
dn: cn=ranges,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: ranges
dn: cn=IPA Range-Check,cn=plugins,cn=config
default: objectclass: top
default: objectclass: nsSlapdPlugin
default: objectclass: extensibleObject
default: cn: IPA Range-Check
default: nsslapd-pluginpath: libipa_range_check
default: nsslapd-plugininitfunc: ipa_range_check_init
default: nsslapd-plugintype: preoperation
default: nsslapd-pluginenabled: on
default: nsslapd-pluginid: ipa_range_check_version
default: nsslapd-pluginversion: 1.0
default: nsslapd-pluginvendor: Red Hat, Inc.
default: nsslapd-plugindescription: IPA Range-Check plugin
default: nsslapd-plugin-depends-on-type: database
default: nsslapd-basedn: $SUFFIX
# Add new ipaIDobject to DNA plugin configuraton
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
replace:dnaFilter:(|(objectclass=posixAccount)(objectClass=posixGroup))::(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))

8
install/updates/71-idviews-sasl-mapping.update Normal file
View File

@@ -0,0 +1,8 @@
dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
default:cn: ID Overridden Principal
default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
default:nsSaslMapPriority: 20
default:nsSaslMapRegexString: \(.*\)@\(.*\)
default:objectClass: top
default:objectClass: nsSaslMapping

4
install/updates/71-idviews.update Normal file
View File

@@ -0,0 +1,4 @@
dn: cn=views,cn=accounts,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: views

14
install/updates/72-domainlevels.update Normal file
View File

@@ -0,0 +1,14 @@
# Create default Domain Level entry if it does not exist
dn: cn=Domain Level,cn=ipa,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: objectClass: ipaDomainLevelConfig
default: ipaDomainLevel: 0
# Create entry proclaiming Domain Level support of this master
# This will update the supported Domain Levels during upgrade
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add: objectClass: ipaConfigObject
add: objectClass: ipaSupportedDomainLevelConfig
only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL

23
install/updates/73-certmap.update Normal file
View File

@@ -0,0 +1,23 @@
# Configuration for Certificate Identity Mapping
dn: cn=certmap,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:objectclass: ipaCertMapConfigObject
default:cn: certmap
default:ipaCertMapPromptUsername: FALSE
dn: cn=certmaprules,cn=certmap,$SUFFIX
default:objectclass: top
default:objectclass: nsContainer
default:cn: certmaprules
# Certificate Identity Mapping Administrators
dn: cn=Certificate Identity Mapping Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Certificate Identity Mapping Administrators
default:description: Certificate Identity Mapping Administrators
dn: $SUFFIX
add:aci: (targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";allow (write) userdn = "ldap:///self";)

9
install/updates/73-custodia.update Normal file
View File

@@ -0,0 +1,9 @@
dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: custodia
dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: dogtag

3
install/updates/73-winsync.update Normal file
View File

@@ -0,0 +1,3 @@
# Add a inetUser objectclass to the passsync user
dn: uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX
addifexist: objectClass: inetUser

227
install/updates/80-schema_compat.update Normal file
View File

@@ -0,0 +1,227 @@
#
# Setup the Schema Compatibility plugin provided by slapi-nis.
# This should be done after all other updates have been applied
#
# https://pagure.io/slapi-nis/
#
dn: cn=Schema Compatibility, cn=plugins, cn=config
default:objectclass: top
default:objectclass: nsSlapdPlugin
default:objectclass: extensibleObject
default:cn: Schema Compatibility
default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
default:nsslapd-plugininitfunc: schema_compat_plugin_init
default:nsslapd-plugintype: object
default:nsslapd-pluginenabled: on
default:nsslapd-pluginid: schema-compat-plugin
# We need to run schema-compat pre-bind callback before
# other IPA pre-bind callbacks to make sure bind DN is
# rewritten to the original entry if needed
default:nsslapd-pluginprecedence: 40
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginbetxn: on
default:nsslapd-pluginvendor: redhat.com
default:nsslapd-plugindescription: Schema Compatibility Plugin
dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: users
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=users
default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixAccount
default:schema-compat-entry-rdn: uid=%{uid}
default:schema-compat-entry-attribute: objectclass=posixAccount
default:schema-compat-entry-attribute: gecos=%{cn}
default:schema-compat-entry-attribute: cn=%{cn}
default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: loginShell=%{loginShell}
default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: groups
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=groups
default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixGroup
default:schema-compat-entry-rdn: cn=%{cn}
default:schema-compat-entry-attribute: objectclass=posixGroup
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: memberUid=%{memberUid}
default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: ng
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=ng
add:schema-compat-check-access: yes
add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX
add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-attribute: objectclass=nisNetgroup
add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: sudoers
add:schema-compat-container-group: ou=SUDOers, $SUFFIX
add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX
add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
add:schema-compat-entry-attribute: objectclass=sudoRole
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")
add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
# memberDenyCmds are to be allowed even if cmdCategory is set to ALL
add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")
add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: computers
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=computers
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}
# Enable anonymous VLV browsing for Solaris
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
# Fix for #4324 (regression of #1309)
remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn")
remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser}
remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid")
remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
# We need to add the value in a separate transaction
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: $SUFFIX
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
# Change padding for host and userCategory so the pad returns the same value
# as the original, '' or -.
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: $SUFFIX
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: computers
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=computers
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: $SUFFIX
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: $SUFFIX
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
remove: schema-compat-ignore-subtree: cn=changelog
remove: schema-compat-ignore-subtree: o=ipaca
add: schema-compat-restrict-subtree: $SUFFIX
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
dn: cn=Schema Compatibility,cn=plugins,cn=config
# We need to run schema-compat pre-bind callback before
# other IPA pre-bind callbacks to make sure bind DN is
# rewritten to the original entry if needed
add:nsslapd-pluginprecedence: 40
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
add:schema-compat-entry-attribute: uid=%{uid}
replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")

35
install/updates/90-post_upgrade_plugins.update Normal file
View File

@@ -0,0 +1,35 @@
# first
# middle
plugin: update_ca_topology
plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion
plugin: update_dnszones
plugin: update_dns_limits
plugin: update_sigden_extdom_broken_config
plugin: update_sids
plugin: update_default_range
plugin: update_default_trust_view
plugin: update_tdo_gidnumber
plugin: update_ca_renewal_master
plugin: update_idrange_type
plugin: update_pacs
plugin: update_service_principalalias
plugin: update_fix_duplicate_cacrt_in_ldap
plugin: update_upload_cacrt
# update_ra_cert_store has to be executed after update_ca_renewal_master
plugin: update_ra_cert_store
# last
# DNS version 1
plugin: update_master_to_dnsforwardzones
# DNS version 2
plugin: update_dnsforward_emptyzones
plugin: update_managed_post
plugin: update_managed_permissions
plugin: update_read_replication_agreements_permission
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
plugin: update_dnsserver_configuration_into_ldap
plugin: update_ldap_server_list
plugin: update_dna_shared_config

71
install/updates/Makefile.am Normal file
View File

@@ -0,0 +1,71 @@
NULL =
appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
05-pre_upgrade_plugins.update \
10-config.update \
10-enable-betxn.update \
10-ipapwd.update \
10-selinuxusermap.update \
10-rootdse.update \
10-uniqueness.update \
19-managed-entries.update \
20-aci.update \
20-dna.update \
20-host_nis_groups.update \
20-indices.update \
20-ipaservers_hostgroup.update \
20-nss_ldap.update \
20-replication.update \
20-sslciphers.update \
20-syncrepl.update \
20-user_private_groups.update \
20-winsync_index.update \
20-idoverride_index.update \
20-uuid.update \
20-default_password_policy.update \
20-whoami.update \
21-replicas_container.update \
21-ca_renewal_container.update \
21-certstore_container.update \
25-referint.update \
30-provisioning.update \
30-s4u2proxy.update \
37-locations.update \
40-delegation.update \
40-realm_domains.update \
40-replication.update \
40-dns.update \
40-automember.update \
40-certprofile.update \
40-otp.update \
40-vault.update \
41-caacl.update \
41-lightweight-cas.update \
45-roles.update \
50-7_bit_check.update \
50-dogtag10-migration.update \
50-groupuuid.update \
50-hbacservice.update \
50-krbenctypes.update \
50-nis.update \
50-ipaconfig.update \
50-externalmembers.update \
55-pbacmemberof.update \
59-trusts-sysacount.update \
60-trusts.update \
61-trusts-s4u2proxy.update \
62-ranges.update \
71-idviews.update \
71-idviews-sasl-mapping.update \
72-domainlevels.update \
73-custodia.update \
73-winsync.update \
73-certmap.update \
80-schema_compat.update \
90-post_upgrade_plugins.update \
$(NULL)
EXTRA_DIST = \
$(app_DATA) \
$(NULL)

673
install/updates/Makefile.in Normal file
View File

@@ -0,0 +1,673 @@
# Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = install/updates
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(appdir)"
DATA = $(app_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in README
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
NULL =
appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
05-pre_upgrade_plugins.update \
10-config.update \
10-enable-betxn.update \
10-ipapwd.update \
10-selinuxusermap.update \
10-rootdse.update \
10-uniqueness.update \
19-managed-entries.update \
20-aci.update \
20-dna.update \
20-host_nis_groups.update \
20-indices.update \
20-ipaservers_hostgroup.update \
20-nss_ldap.update \
20-replication.update \
20-sslciphers.update \
20-syncrepl.update \
20-user_private_groups.update \
20-winsync_index.update \
20-idoverride_index.update \
20-uuid.update \
20-default_password_policy.update \
20-whoami.update \
21-replicas_container.update \
21-ca_renewal_container.update \
21-certstore_container.update \
25-referint.update \
30-provisioning.update \
30-s4u2proxy.update \
37-locations.update \
40-delegation.update \
40-realm_domains.update \
40-replication.update \
40-dns.update \
40-automember.update \
40-certprofile.update \
40-otp.update \
40-vault.update \
41-caacl.update \
41-lightweight-cas.update \
45-roles.update \
50-7_bit_check.update \
50-dogtag10-migration.update \
50-groupuuid.update \
50-hbacservice.update \
50-krbenctypes.update \
50-nis.update \
50-ipaconfig.update \
50-externalmembers.update \
55-pbacmemberof.update \
59-trusts-sysacount.update \
60-trusts.update \
61-trusts-s4u2proxy.update \
62-ranges.update \
71-idviews.update \
71-idviews-sasl-mapping.update \
72-domainlevels.update \
73-custodia.update \
73-winsync.update \
73-certmap.update \
80-schema_compat.update \
90-post_upgrade_plugins.update \
$(NULL)
EXTRA_DIST = \
$(app_DATA) \
$(NULL)
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/updates/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign install/updates/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-appDATA: $(app_DATA)
@$(NORMAL_INSTALL)
@list='$(app_DATA)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(appdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(appdir)" || exit $$?; \
done
uninstall-appDATA:
@$(NORMAL_UNINSTALL)
@list='$(app_DATA)'; test -n "$(appdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(appdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
for dir in "$(DESTDIR)$(appdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-appDATA
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-appDATA
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-appDATA install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-appDATA
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

23
install/updates/README Normal file
View File

@@ -0,0 +1,23 @@
The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc).
Updates are applied in blocks of ten so that any entries that are dependant
on another can be added successfully without having to rely on the length
of the DN to get the sorting correct.
The file names should use the format #-<description>.update where # conforms
to this:
10 - 19: Configuration
20 - 29: 389-ds configuration, new indices
30 - 39: Structual elements of the DIT
40 - 49: Pre-loaded data
50 - 59: Cleanup existing data
60 - 69: AD Trust
70 - 79: Reserved
80 - 89: Reserved
These numbers aren't absolute, there may be reasons to put an update
into one place or another, but by adhereing to the scheme it will be
easier to find existing updates and know where to put new ones.