Imported Upstream version 4.7.2
This commit is contained in:
Mario Fetka
10
install/updates/05-pre_upgrade_plugins.update
Normal file
10
install/updates/05-pre_upgrade_plugins.update
Normal file
@@ -0,0 +1,10 @@
|
||||
# first
|
||||
plugin: update_managed_post_first
|
||||
|
||||
# middle
|
||||
plugin: update_replica_attribute_lists
|
||||
plugin: update_passync_privilege_check
|
||||
plugin: update_referint
|
||||
plugin: update_uniqueness_plugins_to_new_syntax
|
||||
|
||||
# last
|
||||
@@ -31,13 +31,13 @@ default:nsSizeLimit: 5000
|
||||
default:nsLookThroughLimit: 5000
|
||||
|
||||
dn: cn=config
|
||||
only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
|
||||
only:nsslapd-anonlimitsdn:cn=anonymous-limits,cn=etc,$SUFFIX
|
||||
|
||||
# Add a defaultNamingContext if one hasn't already been set. This was
|
||||
# introduced in 389-ds-base-1.2.10-0.9.a8. Adding this to a server that
|
||||
# doesn't support it generates a non-fatal error.
|
||||
dn: cn=config
|
||||
add:nsslapd-defaultNamingContext:'$SUFFIX'
|
||||
add:nsslapd-defaultNamingContext:$SUFFIX
|
||||
|
||||
# Allow the root DSE to be searched even with minssf set
|
||||
dn: cn=config
|
||||
@@ -58,13 +58,11 @@ addifnew:nsSaslMapPriority: 10
|
||||
dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
|
||||
addifnew:nsSaslMapPriority: 10
|
||||
|
||||
# Default SASL buffer size was too small and could lead for example to
|
||||
# migration errors
|
||||
# Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
|
||||
dn: cn=config
|
||||
only:nsslapd-sasl-max-buffer-size:2097152
|
||||
|
||||
# Allow hashed passwords to be added by non-DM users. Without this
|
||||
# setting, password migration fails
|
||||
dn: cn=config
|
||||
only:nsslapd-allow-hashed-passwords:on
|
||||
|
||||
# Decrease default value for IO blocking to prevent server unresponsiveness
|
||||
dn: cn=config
|
||||
only:nsslapd-ioblocktimeout:10000
|
||||
|
||||
9
install/updates/10-ipapwd.update
Normal file
9
install/updates/10-ipapwd.update
Normal file
@@ -0,0 +1,9 @@
|
||||
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
|
||||
# DS core server provides a default plugin (passwd_modify_extop) to handle
|
||||
# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
|
||||
# the pluginprecedence of the passwd_modify_extop is 50 (default value)
|
||||
#
|
||||
# IPA delivers ipa_pwd_extop plugin to handle that extended op
|
||||
# we need to make sure ipa_pwd_extop is called and so to set a lower
|
||||
# precedence value
|
||||
add:nsslapd-pluginprecedence: 49
|
||||
@@ -1,73 +0,0 @@
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
|
||||
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")'
|
||||
add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
|
||||
# Fix for #4324 (regression of #1309)
|
||||
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
|
||||
remove:schema-compat-entry-attribute:'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
|
||||
remove:schema-compat-entry-attribute:'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
|
||||
remove:schema-compat-entry-attribute:'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
|
||||
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
|
||||
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
|
||||
|
||||
# We need to add the value in a separate transaction
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
|
||||
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
# Change padding for host and userCategory so the pad returns the same value
|
||||
# as the original, '' or -.
|
||||
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: computers
|
||||
default:schema-compat-container-group: cn=compat, $SUFFIX
|
||||
default:schema-compat-container-rdn: cn=computers
|
||||
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
|
||||
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
||||
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
|
||||
default:schema-compat-entry-attribute: objectclass=device
|
||||
default:schema-compat-entry-attribute: objectclass=ieee802Device
|
||||
default:schema-compat-entry-attribute: cn=%{fqdn}
|
||||
default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
|
||||
|
||||
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: '$SUFFIX'
|
||||
add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
|
||||
|
||||
dn: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
# We need to run schema-compat pre-bind callback before
|
||||
# other IPA pre-bind callbacks to make sure bind DN is
|
||||
# rewritten to the original entry if needed
|
||||
add:nsslapd-pluginprecedence: 49
|
||||
|
||||
@@ -8,8 +8,103 @@ default:nsslapd-pluginPath: libattr-unique-plugin
|
||||
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
|
||||
default:nsslapd-pluginType: preoperation
|
||||
default:nsslapd-pluginEnabled: on
|
||||
default:nsslapd-pluginarg0: cn
|
||||
default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX
|
||||
default:uniqueness-attribute-name: cn
|
||||
default:uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
default:nsslapd-pluginId: NSUniqueAttr
|
||||
default:nsslapd-pluginVersion: 1.1.0
|
||||
default:nsslapd-pluginVendor: Fedora Project
|
||||
|
||||
dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: nsSlapdPlugin
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: certificate store subject uniqueness
|
||||
default:nsslapd-pluginDescription: Enforce unique attribute values
|
||||
default:nsslapd-pluginPath: libattr-unique-plugin
|
||||
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
|
||||
default:nsslapd-pluginType: preoperation
|
||||
default:nsslapd-pluginEnabled: on
|
||||
default:uniqueness-attribute-name: ipaCertSubject
|
||||
default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
default:nsslapd-pluginId: NSUniqueAttr
|
||||
default:nsslapd-pluginVersion: 1.1.0
|
||||
default:nsslapd-pluginVendor: Fedora Project
|
||||
|
||||
dn: cn=certificate store issuer/serial uniqueness,cn=plugins,cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: nsSlapdPlugin
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: certificate store issuer/serial uniqueness
|
||||
default:nsslapd-pluginDescription: Enforce unique attribute values
|
||||
default:nsslapd-pluginPath: libattr-unique-plugin
|
||||
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
|
||||
default:nsslapd-pluginType: preoperation
|
||||
default:nsslapd-pluginEnabled: on
|
||||
default:uniqueness-attribute-name: ipaCertIssuerSerial
|
||||
default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
default:nsslapd-pluginId: NSUniqueAttr
|
||||
default:nsslapd-pluginVersion: 1.1.0
|
||||
default:nsslapd-pluginVendor: Fedora Project
|
||||
|
||||
dn: cn=uid uniqueness,cn=plugins,cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: nsSlapdPlugin
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: uid uniqueness
|
||||
default:nsslapd-pluginPath: libattr-unique-plugin
|
||||
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
|
||||
default:nsslapd-pluginType: preoperation
|
||||
default:nsslapd-pluginEnabled: on
|
||||
default:uniqueness-attribute-name: uid
|
||||
default:uniqueness-subtrees: $SUFFIX
|
||||
default:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
|
||||
default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
default:uniqueness-across-all-subtrees: on
|
||||
default:uniqueness-subtree-entries-oc: posixAccount
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
default:nsslapd-pluginId: NSUniqueAttr
|
||||
default:nsslapd-pluginVersion: 1.1.0
|
||||
default:nsslapd-pluginVendor: Fedora Project
|
||||
default:nsslapd-pluginDescription: Enforce unique attribute values
|
||||
|
||||
# uid uniqueness scopes Active/Delete containers
|
||||
dn: cn=uid uniqueness,cn=plugins,cn=config
|
||||
add:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
|
||||
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
remove:uniqueness-across-all-subtrees: off
|
||||
add:uniqueness-across-all-subtrees: on
|
||||
add:uniqueness-subtree-entries-oc: posixAccount
|
||||
|
||||
# krbPrincipalName uniqueness scopes Active/Delete containers
|
||||
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
|
||||
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
add:uniqueness-across-all-subtrees: on
|
||||
|
||||
# krbCanonicalName uniqueness scopes Active/Delete containers
|
||||
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
|
||||
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
add:uniqueness-across-all-subtrees: on
|
||||
|
||||
# ipaUniqueID uniqueness scopes Active/Delete containers
|
||||
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
|
||||
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
add:uniqueness-across-all-subtrees: on
|
||||
|
||||
dn: cn=caacl name uniqueness,cn=plugins,cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: nsSlapdPlugin
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: caacl name uniqueness
|
||||
default:nsslapd-pluginDescription: Enforce unique attribute values
|
||||
default:nsslapd-pluginPath: libattr-unique-plugin
|
||||
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
|
||||
default:nsslapd-pluginType: preoperation
|
||||
default:nsslapd-pluginEnabled: on
|
||||
default:uniqueness-attribute-name: cn
|
||||
default:uniqueness-subtrees: cn=caacls,cn=ca,$SUFFIX
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
default:nsslapd-pluginId: NSUniqueAttr
|
||||
default:nsslapd-pluginVersion: 1.1.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
dn: cn=Managed Entries,cn=plugins,cn=config
|
||||
only: nsslapd-pluginConfigArea: 'cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX'
|
||||
only: nsslapd-pluginConfigArea: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=Managed Entries,cn=etc,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Don't allow managed netgroups to be modified
|
||||
dn: cn=ng,cn=alt,$SUFFIX
|
||||
add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
|
||||
add:aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)
|
||||
|
||||
# This is used for the host/service one-time passwordn and keytab indirectors.
|
||||
# We can do a query on a DN to see if an attribute exists.
|
||||
@@ -9,73 +9,158 @@ add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search
|
||||
|
||||
# SSH public keys
|
||||
dn: $SUFFIX
|
||||
add:aci:'(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)'
|
||||
add:aci:(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
|
||||
|
||||
dn: cn=computers,cn=accounts,$SUFFIX
|
||||
add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)'
|
||||
add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
|
||||
|
||||
dn: cn=computers,cn=accounts,$SUFFIX
|
||||
add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
|
||||
add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)
|
||||
|
||||
# Read access to $SUFFIX itself
|
||||
dn: $SUFFIX
|
||||
add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)'
|
||||
add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)
|
||||
|
||||
# Read access to parentID information to allow filter optimizations in 389-ds
|
||||
dn: $SUFFIX
|
||||
add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";)
|
||||
|
||||
# Read access to containers
|
||||
dn: $SUFFIX
|
||||
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
|
||||
add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
|
||||
|
||||
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
|
||||
remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)
|
||||
|
||||
# Read access to masters and their services
|
||||
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci:'(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)'
|
||||
add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
|
||||
|
||||
# Allow users to discover enabled services
|
||||
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)
|
||||
|
||||
# Allow hosts to read masters service configuration
|
||||
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Allow hosts to read replication managers
|
||||
dn: cn=sysaccounts,cn=etc,$SUFFIX
|
||||
add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "objectClass || cn")(version 3.0; acl "Allow hosts to read replication managers"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
|
||||
dn: cn=kerberos,$SUFFIX
|
||||
add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)'
|
||||
add:aci:(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)
|
||||
|
||||
# Access for high-level admins
|
||||
dn: $SUFFIX
|
||||
# Read/write
|
||||
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci:(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
# Write-only
|
||||
remove:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci:(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash || krbPasswordExpiration")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci:(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
# Read-only
|
||||
add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci:(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
add:aci:(targetattr="krbPrincipalName || krbCanonicalName")(version 3.0; acl "Admin can write principal names"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
dn: cn=tasks,cn=config
|
||||
add:aci:'(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Allow hosts to read their replication agreements
|
||||
dn: cn=mapping tree,cn=config
|
||||
add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
|
||||
# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes
|
||||
dn: cn=mapping tree,cn=config
|
||||
add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn="$SUFFIX",cn=mapping tree,cn=config
|
||||
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
|
||||
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
|
||||
# Removal of obsolete ACIs
|
||||
dn: cn=config
|
||||
# Replaced by 'System: Read Replication Agreements'
|
||||
remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
remove:aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
# ticket 5631: this ACI cannot be a managed ACI, because it is located in nonreplicated container
|
||||
remove:aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: $SUFFIX
|
||||
remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)'
|
||||
remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)'
|
||||
remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
|
||||
remove:aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
|
||||
remove:aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
|
||||
remove:aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
|
||||
|
||||
dn: cn=hbac,$SUFFIX
|
||||
remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)'
|
||||
remove:aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
|
||||
|
||||
dn: cn=sudo,$SUFFIX
|
||||
remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
|
||||
remove:aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
|
||||
|
||||
# Get Keytab operation Access Control
|
||||
dn: cn=accounts,$SUFFIX
|
||||
add:aci: '(targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Users allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#USERDN";)'
|
||||
add:aci: '(targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Groups allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)'
|
||||
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Users allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#USERDN";)'
|
||||
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Groups allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#GROUPDN";)'
|
||||
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)'
|
||||
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci: '(targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)'
|
||||
add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Users allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#USERDN";)
|
||||
add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Groups allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
|
||||
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Users allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#USERDN";)
|
||||
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Groups allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#GROUPDN";)
|
||||
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
|
||||
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
|
||||
|
||||
# User certificates
|
||||
dn: $SUFFIX
|
||||
add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
|
||||
|
||||
# Hosts can add and delete their own services
|
||||
dn: cn=services,cn=accounts,$SUFFIX
|
||||
remove:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaKrbPrincipal)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can add own services"; allow(add) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///krbprincipalname=*/($$dn)@$REALM,cn=services,cn=accounts,$SUFFIX")(targetfilter = "(objectClass=ipaService)")(version 3.0;acl "Hosts can delete own services"; allow(delete) userdn="ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
# CIFS service on the master can manage ID ranges
|
||||
dn: cn=ranges,cn=etc,$SUFFIX
|
||||
add:aci: (target = "ldap:///cn=*,cn=ranges,cn=etc,$SUFFIX")(targetfilter = "(objectClass=ipaIDrange)")(version 3.0;acl "CIFS service can manage ID ranges for trust"; allow(all) userdn="ldap:///krbprincipalname=cifs/*@$REALM,cn=services,cn=accounts,$SUFFIX" and groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
|
||||
# IPA server hosts can modify replication managers members
|
||||
dn: cn=sysaccounts,cn=etc,$SUFFIX
|
||||
add:aci: (target = "ldap:///cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX")(targetattr = "member")(version 3.0; acl "IPA server hosts can modify replication managers members"; allow(read, search, compare, write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# IPA server hosts can change replica ID
|
||||
dn: cn=etc,$SUFFIX
|
||||
add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5ReplicaId")(version 3.0; acl "IPA server hosts can change replica ID"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# IPA server hosts can create and manage own Custodia secrets
|
||||
dn: cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
# IPA server hosts can create and manage Dogtag Custodia secrets for same host
|
||||
dn: cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create Dogtag Custodia secrets for same host"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage Dogtag Custodia secrets for same host"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Dogtag service principals can search Custodia keys
|
||||
add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals can search Custodia keys"; allow(read, search, compare) userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Anonymous Principal key retrieval
|
||||
dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
addifexist: objectclass: ipaAllowedOperations
|
||||
addifexist: aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
|
||||
addifexist: ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
|
||||
|
||||
133
install/updates/20-default_password_policy.update
Normal file
133
install/updates/20-default_password_policy.update
Normal file
@@ -0,0 +1,133 @@
|
||||
# Default password policies for hosts, services and Kerberos services
|
||||
# Setting all attributes to zero effectively disables any password policy
|
||||
# We can do this because hosts and services uses keytabs instead of passwords
|
||||
|
||||
# hosts
|
||||
dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
default:objectClass: krbPwdPolicy
|
||||
default:objectClass: nsContainer
|
||||
default:objectClass: top
|
||||
default:cn: Default Host Password Policy
|
||||
default:krbMinPwdLife: 0
|
||||
default:krbPwdMinDiffChars: 0
|
||||
default:krbPwdMinLength: 0
|
||||
default:krbPwdHistoryLength: 0
|
||||
default:krbMaxPwdLife: 0
|
||||
default:krbPwdMaxFailure: 0
|
||||
default:krbPwdFailureCountInterval: 0
|
||||
default:krbPwdLockoutDuration: 0
|
||||
|
||||
# services
|
||||
dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
|
||||
default:objectClass: krbPwdPolicy
|
||||
default:objectClass: nsContainer
|
||||
default:objectClass: top
|
||||
default:cn: Default Service Password Policy
|
||||
default:krbMinPwdLife: 0
|
||||
default:krbPwdMinDiffChars: 0
|
||||
default:krbPwdMinLength: 0
|
||||
default:krbPwdHistoryLength: 0
|
||||
default:krbMaxPwdLife: 0
|
||||
default:krbPwdMaxFailure: 0
|
||||
default:krbPwdFailureCountInterval: 0
|
||||
default:krbPwdLockoutDuration: 0
|
||||
|
||||
# kerberos policy container
|
||||
# this is necessary to avoid mixing the Kerberos sevice password policy
|
||||
# with group-membership based user password policies
|
||||
dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:objectClass: nsContainer
|
||||
default:objectClass: top
|
||||
default:cn: Kerberos Service Password Policy
|
||||
|
||||
# kerberos services
|
||||
dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:objectClass: krbPwdPolicy
|
||||
default:objectClass: nsContainer
|
||||
default:objectClass: top
|
||||
default:cn: Default Kerberos Service Password Policy
|
||||
default:krbMinPwdLife: 0
|
||||
default:krbPwdMinDiffChars: 0
|
||||
default:krbPwdMinLength: 0
|
||||
default:krbPwdHistoryLength: 0
|
||||
default:krbMaxPwdLife: 0
|
||||
default:krbPwdMaxFailure: 0
|
||||
default:krbPwdFailureCountInterval: 0
|
||||
default:krbPwdLockoutDuration: 0
|
||||
|
||||
# default password policies for hosts, services and kerberos services
|
||||
# cosPriority is set intentionally to higher number than FreeIPA API allows
|
||||
# to set to ensure that these password policies have always lower priority
|
||||
# than any defined by user.
|
||||
|
||||
# hosts
|
||||
dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: nsContainer
|
||||
default:cn: cosTemplates
|
||||
|
||||
dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: cosTemplate
|
||||
default:objectclass: extensibleObject
|
||||
default:objectclass: krbContainer
|
||||
default:cn: Default Password Policy
|
||||
default:cosPriority: 10000000000
|
||||
default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
|
||||
default:description: Default Password Policy for Hosts
|
||||
default:objectClass: top
|
||||
default:objectClass: ldapsubentry
|
||||
default:objectClass: cosSuperDefinition
|
||||
default:objectClass: cosPointerDefinition
|
||||
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
|
||||
default:cosAttribute: krbPwdPolicyReference default
|
||||
|
||||
# services
|
||||
dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: nsContainer
|
||||
default:cn: cosTemplates
|
||||
|
||||
dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: cosTemplate
|
||||
default:objectclass: extensibleObject
|
||||
default:objectclass: krbContainer
|
||||
default:cn: Default Password Policy
|
||||
default:cosPriority: 10000000000
|
||||
default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
|
||||
default:description: Default Password Policy for Services
|
||||
default:objectClass: top
|
||||
default:objectClass: ldapsubentry
|
||||
default:objectClass: cosSuperDefinition
|
||||
default:objectClass: cosPointerDefinition
|
||||
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
|
||||
default:cosAttribute: krbPwdPolicyReference default
|
||||
|
||||
# kerberos services
|
||||
dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: nsContainer
|
||||
default:cn: cosTemplates
|
||||
|
||||
dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: cosTemplate
|
||||
default:objectclass: extensibleObject
|
||||
default:objectclass: krbContainer
|
||||
default:cn: Default Password Policy
|
||||
default:cosPriority: 10000000000
|
||||
default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
|
||||
dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:description: Default Password Policy for Kerberos Services
|
||||
default:objectClass: top
|
||||
default:objectClass: ldapsubentry
|
||||
default:objectClass: cosSuperDefinition
|
||||
default:objectClass: cosPointerDefinition
|
||||
default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
default:cosAttribute: krbPwdPolicyReference default
|
||||
@@ -1,11 +1,4 @@
|
||||
# Enable the DNA plugin
|
||||
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
only:nsslapd-pluginEnabled: on
|
||||
|
||||
# Change the magic value to -1
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
only:dnaMagicRegen: -1
|
||||
|
||||
# Config winsync plugin according to DNA
|
||||
dn: cn=ipa-winsync,cn=plugins,cn=config
|
||||
remove:ipaWinSyncUserAttr: uidNumber 999
|
||||
remove:ipaWinSyncUserAttr: gidNumber 999
|
||||
|
||||
76
install/updates/20-enable_dirsrv_plugins.update
Normal file
76
install/updates/20-enable_dirsrv_plugins.update
Normal file
@@ -0,0 +1,76 @@
|
||||
# 7-bit check, plugins, config
|
||||
dn: cn=7-bit check,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Account Usability Plugin, plugins, config
|
||||
dn: cn=Account Usability Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# ACL Plugin, plugins, config
|
||||
dn: cn=ACL Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# ACL preoperation, plugins, config
|
||||
dn: cn=ACL preoperation,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Auto Membership Plugin, plugins, config
|
||||
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Bitwise Plugin, plugins, config
|
||||
dn: cn=Bitwise Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# chaining database, plugins, config
|
||||
dn: cn=chaining database,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Class of Service, plugins, config
|
||||
dn: cn=Class of Service,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# deref, plugins, config
|
||||
dn: cn=deref,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# HTTP Client, plugins, config
|
||||
dn: cn=HTTP Client,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Internationalization Plugin, plugins, config
|
||||
dn: cn=Internationalization Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Linked Attributes, plugins, config
|
||||
dn: cn=Linked Attributes,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Managed Entries, plugins, config
|
||||
dn: cn=Managed Entries,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Multimaster Replication Plugin, plugins, config
|
||||
dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Roles Plugin, plugins, config
|
||||
dn: cn=Roles Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Schema Reload, plugins, config
|
||||
dn: cn=Schema Reload,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# State Change Plugin, plugins, config
|
||||
dn: cn=State Change Plugin,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# Views, plugins, config
|
||||
dn: cn=Views,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
# whoami, plugins, config
|
||||
dn: cn=whoami,cn=plugins,cn=config
|
||||
replace: nsslapd-pluginEnabled:off::on
|
||||
|
||||
22
install/updates/20-idoverride_index.update
Normal file
22
install/updates/20-idoverride_index.update
Normal file
@@ -0,0 +1,22 @@
|
||||
#
|
||||
# Make sure ID override attributes have the correct indexing
|
||||
#
|
||||
|
||||
dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipaOriginalUid
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only: nsIndexType: eq
|
||||
only: nsIndexType: pres
|
||||
|
||||
dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipaAnchorUUID
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only: nsIndexType: eq
|
||||
only: nsIndexType: pres
|
||||
|
||||
dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
remove:cn: ipaOriginalUid
|
||||
@@ -10,39 +10,53 @@ default:cn: memberuid
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
default:nsIndexType: eq,pres
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
|
||||
dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: memberHost
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: memberUser
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only:nsIndexType: eq,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only:nsIndexType: eq,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only:nsIndexType: eq,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=seealso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only:nsIndexType: eq,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: memberof
|
||||
@@ -56,8 +70,9 @@ default:cn: fqdn
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
default:nsIndexType: eq
|
||||
default:nsIndexType: pres
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: macAddress
|
||||
@@ -72,49 +87,63 @@ default:cn: sourcehost
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: memberservice
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: managedby
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: memberallowcmd
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: memberdenycmd
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipasudorunas
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipasudorunasgroup
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: automountkey
|
||||
@@ -142,4 +171,140 @@ default:cn: ipatokenradiusconfiglink
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq,pres,sub
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=ipaassignedidview,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipaassignedidview
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=ipaallowedtarget,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipaallowedtarget
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipaMemberCa
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipaMemberCertProfile
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: userCertificate
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
only:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
|
||||
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ntUniqueId
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
|
||||
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ntUserDomainId
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
|
||||
dn: cn=ipalocation,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: ipalocation
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: pres
|
||||
|
||||
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default:cn: krbPrincipalName
|
||||
default:ObjectClass: top
|
||||
default:ObjectClass: nsIndex
|
||||
default:nsSystemIndex: false
|
||||
only: nsMatchingRule: caseIgnoreIA5Match
|
||||
only: nsMatchingRule: caseExactIA5Match
|
||||
only:nsIndexType: eq
|
||||
only:nsIndexType: sub
|
||||
|
||||
dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: krbCanonicalName
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
only: nsSystemIndex: false
|
||||
only: nsIndexType: eq
|
||||
only: nsIndexType: sub
|
||||
|
||||
dn: cn=serverhostname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: serverhostname
|
||||
default: objectClass: top
|
||||
default: objectClass: nsIndex
|
||||
only: nsSystemIndex: false
|
||||
only: nsIndexType: eq
|
||||
only: nsIndexType: sub
|
||||
|
||||
dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: description
|
||||
default: objectclass: top
|
||||
default: objectclass: nsindex
|
||||
default: nssystemindex: false
|
||||
default: nsindextype: eq
|
||||
default: nsindextype: sub
|
||||
|
||||
dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: l
|
||||
default: objectclass: top
|
||||
default: objectclass: nsindex
|
||||
default: nssystemindex: false
|
||||
default: nsindextype: eq
|
||||
default: nsindextype: sub
|
||||
|
||||
dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: nsOsVersion
|
||||
default: objectclass: top
|
||||
default: objectclass: nsindex
|
||||
default: nssystemindex: false
|
||||
default: nsindextype: eq
|
||||
default: nsindextype: sub
|
||||
|
||||
dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: nsHardwarePlatform
|
||||
default: objectclass: top
|
||||
default: objectclass: nsindex
|
||||
default: nssystemindex: false
|
||||
default: nsindextype: eq
|
||||
default: nsindextype: sub
|
||||
|
||||
dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
|
||||
default: cn: nsHostLocation
|
||||
default: objectclass: top
|
||||
default: objectclass: nsindex
|
||||
default: nssystemindex: false
|
||||
default: nsindextype: eq
|
||||
default: nsindextype: sub
|
||||
|
||||
13
install/updates/20-ipaservers_hostgroup.update
Normal file
13
install/updates/20-ipaservers_hostgroup.update
Normal file
@@ -0,0 +1,13 @@
|
||||
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: groupOfNames
|
||||
default: objectClass: nestedGroup
|
||||
default: objectClass: ipaobject
|
||||
default: objectClass: ipahostgroup
|
||||
default: description: IPA server hosts
|
||||
default: cn: ipaservers
|
||||
default: ipaUniqueID: autogenerate
|
||||
|
||||
# Add local host to ipaservers
|
||||
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
|
||||
add: member: fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX
|
||||
@@ -7,3 +7,62 @@ dn: cn=replication,cn=etc,$SUFFIX
|
||||
default: objectclass: nsDS5Replica
|
||||
default: nsDS5ReplicaId: 3
|
||||
default: nsDS5ReplicaRoot: $SUFFIX
|
||||
|
||||
# Group containing replication bind dns
|
||||
dn: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: groupofnames
|
||||
default: cn: replication managers
|
||||
add: member: krbprincipalname=ldap/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
|
||||
|
||||
# Topology configuration container
|
||||
dn: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: nsContainer
|
||||
default: cn: topology
|
||||
|
||||
# Default topology configuration area
|
||||
dn: cn=domain,cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: iparepltopoconf
|
||||
default: ipaReplTopoConfRoot: $SUFFIX
|
||||
default: cn: domain
|
||||
add: nsDS5ReplicatedAttributeList: $EXCLUDES
|
||||
add: nsDS5ReplicatedAttributeListTotal: $TOTAL_EXCLUDES
|
||||
add: nsds5ReplicaStripAttrs: $STRIP_ATTRS
|
||||
|
||||
# Remove old topology configuration area (unused)
|
||||
dn: cn=realm,cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
deleteentry: cn=realm,cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
# add IPA realm managed suffix to master entry
|
||||
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||||
add: objectclass: ipaReplTopoManagedServer
|
||||
add: ipaReplTopoManagedSuffix: $SUFFIX
|
||||
|
||||
# Enable Topology Plugin
|
||||
dn: cn=IPA Topology Configuration,cn=plugins,cn=config
|
||||
default: changetype: add
|
||||
default: objectClass: top
|
||||
default: objectClass: nsSlapdPlugin
|
||||
default: objectClass: extensibleObject
|
||||
default: cn: IPA Topology Configuration
|
||||
default: nsslapd-pluginPath: libtopology
|
||||
default: nsslapd-pluginInitfunc: ipa_topo_init
|
||||
default: nsslapd-pluginType: object
|
||||
default: nsslapd-pluginEnabled: on
|
||||
default: nsslapd-topo-plugin-shared-config-base: cn=ipa,cn=etc,$SUFFIX
|
||||
default: nsslapd-topo-plugin-shared-replica-root: $SUFFIX
|
||||
default: nsslapd-topo-plugin-shared-replica-root: o=ipaca
|
||||
default: nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
default: nsslapd-topo-plugin-startup-delay: 20
|
||||
default: nsslapd-pluginId: none
|
||||
default: nsslapd-plugin-depends-on-named: ldbm database
|
||||
default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
|
||||
default: nsslapd-pluginVersion: 1.0
|
||||
default: nsslapd-pluginVendor: none
|
||||
default: nsslapd-pluginDescription: none
|
||||
|
||||
# Set replication changelog limit (#5086)
|
||||
dn: cn=changelog5,cn=config
|
||||
addifnew: nsslapd-changelogmaxage: 7d
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# change configured ciphers
|
||||
# the result of this update will be that all ciphers
|
||||
# provided by NSS which ar not weak will be enabled
|
||||
# the result of this update will be that default ciphers
|
||||
# provided by DS which are not weak will be enabled
|
||||
dn: cn=encryption,cn=config
|
||||
only:nsSSL3Ciphers: +all
|
||||
only:nsSSL3Ciphers: default
|
||||
addifnew:allowWeakCipher: off
|
||||
|
||||
@@ -4,17 +4,26 @@ only:nsslapd-pluginEnabled: on
|
||||
# Remember original nsuniqueid for objects referenced from cn=changelog
|
||||
add:nsslapd-attribute: nsuniqueid:targetUniqueId
|
||||
add:nsslapd-changelogmaxage: 2d
|
||||
add:nsslapd-include-suffix: cn=dns,$SUFFIX
|
||||
|
||||
# Keep memberOf and referential integrity plugins away from cn=changelog.
|
||||
# It is necessary for performance reasons because we don't have appropriate
|
||||
# indices for cn=changelog.
|
||||
dn: cn=MemberOf Plugin,cn=plugins,cn=config
|
||||
add:memberofentryscope: '$SUFFIX'
|
||||
add:memberofentryscope: $SUFFIX
|
||||
add:memberofentryscopeexcludesubtree: cn=compat,$SUFFIX
|
||||
add:memberofentryscopeexcludesubtree: cn=provisioning,$SUFFIX
|
||||
add:memberofentryscopeexcludesubtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=referential integrity postoperation,cn=plugins,cn=config
|
||||
add:nsslapd-plugincontainerscope: '$SUFFIX'
|
||||
add:nsslapd-pluginentryscope: '$SUFFIX'
|
||||
add:nsslapd-plugincontainerscope: $SUFFIX
|
||||
add:nsslapd-pluginentryscope: $SUFFIX
|
||||
add:nsslapd-pluginExcludeEntryScope: cn=provisioning,$SUFFIX
|
||||
|
||||
# Enable SyncRepl
|
||||
dn: cn=Content Synchronization,cn=plugins,cn=config
|
||||
only:nsslapd-pluginEnabled: on
|
||||
|
||||
# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries
|
||||
dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
|
||||
add:ipaUuidExcludeSubtree: cn=provisioning,$SUFFIX
|
||||
|
||||
11
install/updates/20-uuid.update
Normal file
11
install/updates/20-uuid.update
Normal file
@@ -0,0 +1,11 @@
|
||||
|
||||
# add plugin configuration for ipk11UniqueId
|
||||
dn: cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config
|
||||
default: objectclass: top
|
||||
default: objectclass: extensibleObject
|
||||
default: cn: IPK11 Unique IDs
|
||||
default: ipaUuidAttr: ipk11UniqueID
|
||||
default: ipaUuidMagicRegen: autogenerate
|
||||
default: ipaUuidFilter: (objectclass=ipk11Object)
|
||||
default: ipaUuidScope: $SUFFIX
|
||||
default: ipaUuidEnforce: FALSE
|
||||
14
install/updates/20-whoami.update
Normal file
14
install/updates/20-whoami.update
Normal file
@@ -0,0 +1,14 @@
|
||||
dn: cn=whoami,cn=plugins,cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: nsSlapdPlugin
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: whoami
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
default:nsslapd-pluginDescription: whoami extended operation plugin
|
||||
default:nsslapd-pluginEnabled: on
|
||||
default:nsslapd-pluginId: whoami-plugin
|
||||
default:nsslapd-pluginInitfunc: whoami_init
|
||||
default:nsslapd-pluginPath: libwhoami-plugin
|
||||
default:nsslapd-pluginType: extendedop
|
||||
default:nsslapd-pluginVendor: 389 Project
|
||||
default:nsslapd-pluginVersion: 1.0
|
||||
@@ -3,8 +3,10 @@
|
||||
#
|
||||
|
||||
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only: nsIndexType: eq,pres
|
||||
only: nsIndexType: eq
|
||||
only: nsIndexType: pres
|
||||
|
||||
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
only: nsIndexType: eq,pres
|
||||
only: nsIndexType: eq
|
||||
only: nsIndexType: pres
|
||||
|
||||
|
||||
4
install/updates/21-certstore_container.update
Normal file
4
install/updates/21-certstore_container.update
Normal file
@@ -0,0 +1,4 @@
|
||||
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
||||
add:objectClass: top
|
||||
add:objectClass: nsContainer
|
||||
add:cn: certificates
|
||||
@@ -1,19 +1,8 @@
|
||||
# Expand attributes checked by Referential Integrity plugin
|
||||
# pres and eq indexes defined in 20-indices.update must be set for all these
|
||||
# attributes
|
||||
# NOTE: migration to new style is done in update_referint.py
|
||||
dn: cn=referential integrity postoperation,cn=plugins,cn=config
|
||||
remove: nsslapd-pluginArg7: manager
|
||||
remove: nsslapd-pluginArg8: secretary
|
||||
remove: nsslapd-pluginArg9: memberuser
|
||||
remove: nsslapd-pluginArg10: memberhost
|
||||
remove: nsslapd-pluginArg11: sourcehost
|
||||
remove: nsslapd-pluginArg12: memberservice
|
||||
remove: nsslapd-pluginArg13: managedby
|
||||
remove: nsslapd-pluginArg14: memberallowcmd
|
||||
remove: nsslapd-pluginArg15: memberdenycmd
|
||||
remove: nsslapd-pluginArg16: ipasudorunas
|
||||
remove: nsslapd-pluginArg17: ipasudorunasgroup
|
||||
remove: nsslapd-pluginArg18: ipatokenradiusconfiglink
|
||||
add: referint-membership-attr: manager
|
||||
add: referint-membership-attr: secretary
|
||||
add: referint-membership-attr: memberuser
|
||||
@@ -26,3 +15,8 @@ add: referint-membership-attr: memberdenycmd
|
||||
add: referint-membership-attr: ipasudorunas
|
||||
add: referint-membership-attr: ipasudorunasgroup
|
||||
add: referint-membership-attr: ipatokenradiusconfiglink
|
||||
add: referint-membership-attr: ipaassignedidview
|
||||
add: referint-membership-attr: ipaallowedtarget
|
||||
add: referint-membership-attr: ipamemberca
|
||||
add: referint-membership-attr: ipamembercertprofile
|
||||
add: referint-membership-attr: ipalocation
|
||||
|
||||
@@ -1,44 +0,0 @@
|
||||
# bootstrap the policy DIT structure. Currently not used.
|
||||
|
||||
dn: cn=policies,$SUFFIX
|
||||
add: objectclass: nsContainer
|
||||
add: objectclass: ipaContainer
|
||||
add: cn: policies
|
||||
add: description: Root of the policy related sub tree
|
||||
|
||||
dn: cn=configs,cn=policies,$SUFFIX
|
||||
add: objectclass: nsContainer
|
||||
add: objectclass: ipaContainer
|
||||
add: cn: configs
|
||||
add: description: Root of the sub tree that holds configuration policies for different applications
|
||||
|
||||
dn: cn=applications,cn=configs,cn=policies,$SUFFIX
|
||||
add: objectclass: nsContainer
|
||||
add: objectclass: ipaContainer
|
||||
add: cn: applications
|
||||
add: description: Root of the tree that hold all definitions of the supported applications
|
||||
|
||||
dn: cn=Shell Applications,cn=applications,cn=configs,cn=policies,$SUFFIX
|
||||
add: objectclass: nsContainer
|
||||
add: objectclass: ipaContainer
|
||||
add: cn: Shell Applications
|
||||
add: description: Shell Applications - special application that holds templates for actions
|
||||
|
||||
dn: cn=roles,cn=policies,$SUFFIX
|
||||
add: objectclass: nsContainer
|
||||
add: objectclass: ipaContainer
|
||||
add: cn: roles
|
||||
add: description: Root of the sub tree that holds role management data
|
||||
|
||||
dn: cn=policygroups,cn=configs,cn=policies,$SUFFIX
|
||||
add: objectclass: ipaContainer
|
||||
add: objectclass: ipaOrderedContainer
|
||||
add: cn: policygroups
|
||||
add: description: Sub tree to hold policy groups
|
||||
|
||||
dn: cn=policylinks,cn=configs,cn=policies,$SUFFIX
|
||||
add: objectclass: ipaContainer
|
||||
add: objectclass: ipaOrderedContainer
|
||||
add: cn: policylinks
|
||||
add: description: Sub tree to hold policy links
|
||||
|
||||
51
install/updates/30-provisioning.update
Normal file
51
install/updates/30-provisioning.update
Normal file
@@ -0,0 +1,51 @@
|
||||
# bootstrap the user life cycle DIT structure.
|
||||
|
||||
dn: cn=provisioning,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: nsContainer
|
||||
default: cn: provisioning
|
||||
|
||||
dn: cn=accounts,cn=provisioning,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: nsContainer
|
||||
default: cn: accounts
|
||||
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: nsContainer
|
||||
default: cn: staged users
|
||||
|
||||
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
default: objectclass: top
|
||||
default: objectclass: nsContainer
|
||||
default: cn: deleted users
|
||||
|
||||
# This is used for the admin to know if credential are set for stage users
|
||||
# We can do a query on a DN to see if an attribute exists or retrieve the value
|
||||
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
remove:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
|
||||
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# This is used for the admin to reset the delete users credential
|
||||
# No one is allowed to add entry in Delete container
|
||||
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
|
||||
remove:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
|
||||
add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
|
||||
|
||||
dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: cosSuperDefinition
|
||||
default: objectClass: cosPointerDefinition
|
||||
default: objectClass: ldapSubEntry
|
||||
default: costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
|
||||
default: cosAttribute: nsaccountlock operational
|
||||
default: cn: provisioning accounts lock
|
||||
|
||||
dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: extensibleObject
|
||||
default: objectClass: cosTemplate
|
||||
default: cosPriority: 1
|
||||
default: cn: Inactivation cos template
|
||||
default: nsAccountLock: true
|
||||
4
install/updates/37-locations.update
Normal file
4
install/updates/37-locations.update
Normal file
@@ -0,0 +1,4 @@
|
||||
dn: cn=locations,cn=etc,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
default: objectClass: top
|
||||
default: cn: locations
|
||||
@@ -1,6 +1,6 @@
|
||||
# Add all supported automember LDAP objects
|
||||
dn: cn=Auto Membership Plugin,cn=plugins,cn=config
|
||||
addifnew: nsslapd-pluginConfigArea: 'cn=automember,cn=etc,$SUFFIX'
|
||||
addifnew: nsslapd-pluginConfigArea: cn=automember,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=automember,cn=etc,$SUFFIX
|
||||
default: objectClass: top
|
||||
|
||||
9
install/updates/40-certprofile.update
Normal file
9
install/updates/40-certprofile.update
Normal file
@@ -0,0 +1,9 @@
|
||||
dn: cn=ca,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
default: objectClass: top
|
||||
default: cn: ca
|
||||
|
||||
dn: cn=certprofiles,cn=ca,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
default: objectClass: top
|
||||
default: cn: certprofiles
|
||||
@@ -15,7 +15,7 @@ default:cn: Write IPA Configuration
|
||||
default:member: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: $SUFFIX
|
||||
add:aci: '(targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
add:aci: (targetattr = "ipausersearchfields || ipagroupsearchfields || ipasearchtimelimit || ipasearchrecordslimit || ipacustomfields || ipahomesrootdir || ipadefaultloginshell || ipadefaultprimarygroup || ipamaxusernamelength || ipapwdexpadvnotify || ipauserobjectclasses || ipagroupobjectclasses || ipadefaultemaildomain || ipamigrationenabled || ipacertificatesubjectbase || ipaconfigstring")(target = "ldap:///cn=ipaconfig,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Write IPA Configuration"; allow (write) groupdn = "ldap:///cn=Write IPA Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# Host-Based Access Control
|
||||
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
@@ -43,13 +43,13 @@ default:cn: Password Policy Administrator
|
||||
default:description: Password Policy Administrator
|
||||
|
||||
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
|
||||
add:member: cn=admins,cn=groups,cn=accounts,$SUFFIX
|
||||
|
||||
# The original DNS permissions lacked the tag.
|
||||
dn: $SUFFIX
|
||||
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
remove:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# SELinux User Mapping
|
||||
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
@@ -60,17 +60,26 @@ default:cn: SELinux User Map Administrators
|
||||
default:description: SELinux User Map Administrators
|
||||
|
||||
dn: cn=ipa,cn=etc,$SUFFIX
|
||||
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
|
||||
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
|
||||
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
|
||||
# to privilege "Host Administrators"
|
||||
dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
|
||||
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
|
||||
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
|
||||
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
|
||||
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=ipa,cn=etc,$SUFFIX
|
||||
remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
|
||||
remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Automember tasks
|
||||
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
@@ -89,7 +98,7 @@ default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
add:aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
|
||||
# Virtual operations
|
||||
@@ -124,20 +133,20 @@ default:objectClass: top
|
||||
default:objectClass: nsContainer
|
||||
default:cn: certificate remove hold
|
||||
|
||||
dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
|
||||
dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: nsContainer
|
||||
default:cn: request certificate with subjectaltname
|
||||
default:cn: request certificate ignore caacl
|
||||
|
||||
dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
|
||||
dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:cn: Request Certificate with SubjectAltName
|
||||
default:cn: Request Certificate ignoring CA ACLs
|
||||
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: $SUFFIX
|
||||
add:aci:'(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
|
||||
# Read privileges
|
||||
@@ -175,3 +184,94 @@ default:objectClass: groupofnames
|
||||
default:objectClass: top
|
||||
default:cn: IPA Masters Readers
|
||||
default:description: Read list of IPA masters
|
||||
|
||||
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||||
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
|
||||
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# PassSync
|
||||
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: nestedgroup
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: top
|
||||
default:cn: PassSync Service
|
||||
default:description: PassSync Service
|
||||
|
||||
dn: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:objectClass: top
|
||||
default:cn: Read PassSync Managers Configuration
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:objectClass: top
|
||||
default:cn: Modify PassSync Managers Configuration
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# Replication Administrators
|
||||
dn: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:objectClass: top
|
||||
default:cn: Read LDBM Database Configuration
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsslapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm database,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Configuration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:objectClass: top
|
||||
default:cn: Add Configuration Sub-Entries
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:ipapermissiontype: SYSTEM
|
||||
|
||||
dn: cn=config
|
||||
add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# CA Administrators
|
||||
dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: nestedgroup
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: top
|
||||
default:cn: CA Administrator
|
||||
default:description: CA Administrator
|
||||
|
||||
# Vault Administrators
|
||||
dn: cn=Vault Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: nestedgroup
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: top
|
||||
default:cn: Vault Administrators
|
||||
default:description: Vault Administrators
|
||||
|
||||
|
||||
# Locations - always create DNS related privileges
|
||||
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: nestedgroup
|
||||
default:cn: DNS Administrators
|
||||
default:description: DNS Administrators
|
||||
|
||||
dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: nestedgroup
|
||||
default:cn: DNS Servers
|
||||
default:description: DNS Servers
|
||||
|
||||
@@ -2,15 +2,22 @@
|
||||
# update DNS container
|
||||
dn: cn=dns, $SUFFIX
|
||||
addifexist: objectClass: idnsConfigObject
|
||||
addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)'
|
||||
addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
|
||||
addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
|
||||
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
|
||||
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
|
||||
addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
|
||||
|
||||
# replace DNS tree deny rule with managedBy enhanced allow rule
|
||||
dn: cn=dns, $SUFFIX
|
||||
replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
|
||||
replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
|
||||
replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
|
||||
replace:aci:(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
replace:aci:(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
|
||||
# remove old managedBy ACIs
|
||||
dn: cn=dns, $SUFFIX
|
||||
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
remove:aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
|
||||
|
||||
# add DNS plugin
|
||||
dn: cn=IPA DNS,cn=plugins,cn=config
|
||||
|
||||
@@ -3,18 +3,27 @@ default: objectClass: nsContainer
|
||||
default: objectClass: top
|
||||
default: cn: otp
|
||||
|
||||
dn: cn=otp,cn=etc,$SUFFIX
|
||||
default: objectClass: ipatokenOTPConfig
|
||||
default: objectClass: top
|
||||
default: cn: otp
|
||||
default: ipatokenTOTPauthWindow: 300
|
||||
default: ipatokenTOTPsyncWindow: 86400
|
||||
default: ipatokenHOTPauthWindow: 10
|
||||
default: ipatokenHOTPsyncWindow: 100
|
||||
|
||||
dn: $SUFFIX
|
||||
remove: aci:'(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create and delete tokens"; allow (add, delete) userattr = "ipatokenOwner#SELFDN";)'
|
||||
remove: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'
|
||||
remove: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)'
|
||||
remove: aci:'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'
|
||||
remove: aci:'(targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenHOTPcounter")(version 3.0; acl "Users can add HOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'
|
||||
add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)'
|
||||
add: aci:'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPtimeStep")(version 3.0; acl "Users/managers can see TOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)'
|
||||
add: aci:'(targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl "Users/managers can see HOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)'
|
||||
add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Managers can write basic token info"; allow (write) userattr = "managedBy#USERDN";)'
|
||||
add: aci:'(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Managers can delete tokens"; allow (delete) userattr = "managedBy#USERDN";)'
|
||||
add: aci:'(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create self-managed tokens"; allow (add) userattr = "ipatokenOwner#SELFDN" and userattr = "managedBy#SELFDN";)'
|
||||
remove: aci:(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create and delete tokens"; allow (add, delete) userattr = "ipatokenOwner#SELFDN";)
|
||||
remove: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)
|
||||
remove: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)
|
||||
remove: aci:(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
|
||||
remove: aci:(targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenHOTPcounter")(version 3.0; acl "Users can add HOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
|
||||
add: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
|
||||
add: aci:(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPtimeStep")(version 3.0; acl "Users/managers can see TOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
|
||||
add: aci:(targetfilter = "(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPalgorithm || ipatokenOTPdigits")(version 3.0; acl "Users/managers can see HOTP details"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
|
||||
add: aci:(targetfilter = "(objectClass=ipaToken)")(targetattrs = "description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Managers can write basic token info"; allow (write) userattr = "managedBy#USERDN";)
|
||||
add: aci:(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Managers can delete tokens"; allow (delete) userattr = "managedBy#USERDN";)
|
||||
add: aci:(target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users can create self-managed tokens"; allow (add) userattr = "ipatokenOwner#SELFDN" and userattr = "managedBy#SELFDN";)
|
||||
|
||||
dn: cn=radiusproxy,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
@@ -35,3 +44,18 @@ default:nsslapd-pluginversion: 1.0
|
||||
default:nsslapd-pluginvendor: Red Hat, Inc.
|
||||
default:nsslapd-plugindescription: IPA OTP Last Token plugin
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
|
||||
dn: cn=IPA OTP Counter,cn=plugins,cn=config
|
||||
default:objectclass: top
|
||||
default:objectclass: nsSlapdPlugin
|
||||
default:objectclass: extensibleObject
|
||||
default:cn: IPA OTP Counter
|
||||
default:nsslapd-pluginpath: libipa_otp_counter
|
||||
default:nsslapd-plugininitfunc: ipa_otp_counter_init
|
||||
default:nsslapd-plugintype: preoperation
|
||||
default:nsslapd-pluginenabled: on
|
||||
default:nsslapd-pluginid: ipa-otp-counter
|
||||
default:nsslapd-pluginversion: 1.0
|
||||
default:nsslapd-pluginvendor: Red Hat, Inc.
|
||||
default:nsslapd-plugindescription: IPA OTP Counter plugin
|
||||
default:nsslapd-plugin-depends-on-type: database
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Let a delegated user put the database into read-only mode when deleting
|
||||
# an agreement.
|
||||
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
add:aci: '(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
add:aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
# Add rules to manage DNA ranges
|
||||
dn: cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
||||
@@ -13,4 +13,15 @@ default:ipapermissiontype: SYSTEM
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
|
||||
add:aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: ipapermission
|
||||
default:cn: Read DNA Range
|
||||
default:ipapermissiontype: SYSTEM
|
||||
default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
|
||||
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
add:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
|
||||
24
install/updates/40-vault.update
Normal file
24
install/updates/40-vault.update
Normal file
@@ -0,0 +1,24 @@
|
||||
dn: cn=vaults,cn=kra,$SUFFIX
|
||||
remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
|
||||
remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
|
||||
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
|
||||
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
|
||||
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
|
||||
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
|
||||
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
|
||||
remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
|
||||
remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
|
||||
addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
|
||||
addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn),cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
|
||||
addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
|
||||
4
install/updates/41-caacl.update
Normal file
4
install/updates/41-caacl.update
Normal file
@@ -0,0 +1,4 @@
|
||||
dn: cn=caacls,cn=ca,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
default: objectClass: top
|
||||
default: cn: caacls
|
||||
4
install/updates/41-lightweight-cas.update
Normal file
4
install/updates/41-lightweight-cas.update
Normal file
@@ -0,0 +1,4 @@
|
||||
dn: cn=cas,cn=ca,$SUFFIX
|
||||
default: objectClass: nsContainer
|
||||
default: objectClass: top
|
||||
default: cn: cas
|
||||
@@ -23,10 +23,18 @@ default:cn: User Administrator
|
||||
default:description: Responsible for creating Users and Groups
|
||||
|
||||
dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add: member: 'cn=User Administrator,cn=roles,cn=accounts,$SUFFIX'
|
||||
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add: member: 'cn=User Administrator,cn=roles,cn=accounts,$SUFFIX'
|
||||
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: nestedgroup
|
||||
default:objectClass: top
|
||||
default:cn: Stage User Administrators
|
||||
default:description: Stage User Administrators
|
||||
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
@@ -36,16 +44,16 @@ default:cn: IT Specialist
|
||||
default:description: IT Specialist
|
||||
|
||||
dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
@@ -55,13 +63,13 @@ default:cn: IT Security Specialist
|
||||
default:description: IT Security Specialist
|
||||
|
||||
dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Sudo administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=IT Security Specialist,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
@@ -71,14 +79,24 @@ default:cn: Security Architect
|
||||
default:description: Security Architect
|
||||
|
||||
dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=Security Architect,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=Security Architect,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
|
||||
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Write IPA Configuration,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=Security Architect,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: 'cn=Security Architect,cn=roles,cn=accounts,$SUFFIX'
|
||||
add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
dn: cn=Enrollment Administrator,cn=roles,cn=accounts,$SUFFIX
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: nestedgroup
|
||||
default:objectClass: top
|
||||
default:cn: Enrollment Administrator
|
||||
default:description: Enrollment Administrator responsible for client(host) enrollment
|
||||
|
||||
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
|
||||
add:member: cn=Enrollment Administrator,cn=roles,cn=accounts,$SUFFIX
|
||||
|
||||
@@ -9,10 +9,11 @@
|
||||
# * https://fedorahosted.org/pki/ticket/906 (checking database version)
|
||||
|
||||
dn: cn=aclResources,o=ipaca
|
||||
addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
|
||||
addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
|
||||
addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
|
||||
addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
|
||||
addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
|
||||
replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
|
||||
replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
|
||||
addifexist:resourceACLS:certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
|
||||
addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
|
||||
addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
|
||||
addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
|
||||
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
|
||||
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
|
||||
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
|
||||
addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
|
||||
|
||||
3
install/updates/50-externalmembers.update
Normal file
3
install/updates/50-externalmembers.update
Normal file
@@ -0,0 +1,3 @@
|
||||
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
|
||||
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
|
||||
@@ -1,6 +1,7 @@
|
||||
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||
add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||
add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
|
||||
add:ipaUserObjectClasses: ipasshuser
|
||||
remove:ipaConfigString:AllowLMhash
|
||||
add:objectClass: ipaUserAuthTypeClass
|
||||
add:objectClass: ipaNameResolutionData
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
|
||||
replace:krbPwdLockoutDuration:10::600
|
||||
replace: krbPwdMaxFailure:3::6
|
||||
|
||||
@@ -1,37 +1,3 @@
|
||||
# Correct syntax error that caused users to not appear
|
||||
dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
|
||||
replace:nis-value-format: '%merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")'
|
||||
|
||||
# Correct syntax error that caused nested netgroups to not work
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=788625
|
||||
dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
|
||||
replace:nis-value-format: '%merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")'
|
||||
|
||||
# Make the padding an expression so usercat and hostcat always gets
|
||||
# evaluated when displaying entries.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=767372
|
||||
dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
|
||||
replace:nis-value-format: '%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})")'
|
||||
|
||||
dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config
|
||||
default:objectclass: top
|
||||
default:objectclass: extensibleObject
|
||||
default:nis-domain: $DOMAIN
|
||||
default:nis-map: ethers.byaddr
|
||||
default:nis-base: cn=computers, cn=accounts, $SUFFIX
|
||||
default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
||||
default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6")
|
||||
default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
|
||||
default:nis-secure: no
|
||||
|
||||
dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config
|
||||
default:objectclass: top
|
||||
default:objectclass: extensibleObject
|
||||
default:nis-domain: $DOMAIN
|
||||
default:nis-map: ethers.byname
|
||||
default:nis-base: cn=computers, cn=accounts, $SUFFIX
|
||||
default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
||||
default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7")
|
||||
default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
|
||||
default:nis-secure: no
|
||||
|
||||
# Updates are applied only if NIS plugin has been configured
|
||||
# update definitions are located in install/share/nis-update.uldif
|
||||
plugin: update_nis_configuration
|
||||
|
||||
@@ -5,7 +5,7 @@ dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
|
||||
add: objectClass: top
|
||||
add: objectClass: extensibleObject
|
||||
add: cn: IPA PBAC memberOf $TIME
|
||||
add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
|
||||
add: basedn: cn=privileges,cn=pbac,$SUFFIX
|
||||
add: filter: (objectclass=*)
|
||||
add: ttl: 10
|
||||
|
||||
@@ -13,6 +13,6 @@ dn: cn=Update Role memberOf $TIME, cn=memberof task, cn=tasks, cn=config
|
||||
add: objectClass: top
|
||||
add: objectClass: extensibleObject
|
||||
add: cn: Update Role memberOf $TIME
|
||||
add: basedn: 'cn=roles,cn=accounts,$SUFFIX'
|
||||
add: basedn: cn=roles,cn=accounts,$SUFFIX
|
||||
add: filter: (objectclass=*)
|
||||
add: ttl: 10
|
||||
|
||||
8
install/updates/59-trusts-sysacount.update
Normal file
8
install/updates/59-trusts-sysacount.update
Normal file
@@ -0,0 +1,8 @@
|
||||
# this update must be applied before 60-trusts.update, because current
|
||||
# implementation of ipa-ldap-updater doesn't keep the order of updates in
|
||||
# filesets
|
||||
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
add: objectClass: nestedgroup
|
||||
default: objectClass: GroupOfNames
|
||||
default: objectClass: top
|
||||
default: cn: adtrust agents
|
||||
@@ -10,12 +10,6 @@ default: member: uid=admin,cn=users,cn=accounts,$SUFFIX
|
||||
default: nsAccountLock: FALSE
|
||||
default: ipaUniqueID: autogenerate
|
||||
|
||||
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
add: objectClass: nestedgroup
|
||||
default: objectClass: GroupOfNames
|
||||
default: objectClass: top
|
||||
default: cn: adtrust agents
|
||||
|
||||
dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: groupofnames
|
||||
@@ -33,16 +27,18 @@ default: cn: trusts
|
||||
# 1. cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX can manage trusts, to allow modification via CIFS
|
||||
# 2. cn=trust admins,cn=groups,cn=accounts,$SUFFIX can manage trusts (via ipa tools)
|
||||
dn: cn=trusts,$SUFFIX
|
||||
add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
|
||||
replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
|
||||
replace:aci:'(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)'
|
||||
add:aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow trust agents to retrieve keytab keys for cross realm principals"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
|
||||
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Allow trust agents to set keys for cross realm principals"; allow(write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing || krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount || krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user to create and delete trust accounts and cross realm principals"; allow (read,write,add,delete) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
replace:aci:(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)::(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
add:aci: (target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes || ipaNTSIDBlacklistIncoming || ipaNTSIDBlacklistOutgoing")(version 3.0;acl "Allow trust admins manage trust accounts"; allow (read,write,add,delete) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||
|
||||
# Samba user should be able to read NT passwords to authenticate
|
||||
# Add ipaNTHash to global ACIs, leave DNS tree out of global allow access rule
|
||||
dn: $SUFFIX
|
||||
add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
|
||||
remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
|
||||
add:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
remove:aci: (targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
|
||||
# Add the default PAC type to configuration
|
||||
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||
|
||||
@@ -4,4 +4,4 @@ default: objectClass: top
|
||||
default: cn: ipa-cifs-delegation-targets
|
||||
|
||||
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
|
||||
add: ipaAllowedTarget: 'cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
|
||||
add: ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
|
||||
|
||||
8
install/updates/71-idviews-sasl-mapping.update
Normal file
8
install/updates/71-idviews-sasl-mapping.update
Normal file
@@ -0,0 +1,8 @@
|
||||
dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
|
||||
default:cn: ID Overridden Principal
|
||||
default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
|
||||
default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
|
||||
default:nsSaslMapPriority: 20
|
||||
default:nsSaslMapRegexString: \(.*\)@\(.*\)
|
||||
default:objectClass: top
|
||||
default:objectClass: nsSaslMapping
|
||||
4
install/updates/71-idviews.update
Normal file
4
install/updates/71-idviews.update
Normal file
@@ -0,0 +1,4 @@
|
||||
dn: cn=views,cn=accounts,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: nsContainer
|
||||
default: cn: views
|
||||
14
install/updates/72-domainlevels.update
Normal file
14
install/updates/72-domainlevels.update
Normal file
@@ -0,0 +1,14 @@
|
||||
# Create default Domain Level entry if it does not exist
|
||||
dn: cn=Domain Level,cn=ipa,cn=etc,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: nsContainer
|
||||
default: objectClass: ipaDomainLevelConfig
|
||||
default: ipaDomainLevel: 0
|
||||
|
||||
# Create entry proclaiming Domain Level support of this master
|
||||
# This will update the supported Domain Levels during upgrade
|
||||
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
|
||||
add: objectClass: ipaConfigObject
|
||||
add: objectClass: ipaSupportedDomainLevelConfig
|
||||
only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
|
||||
only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
|
||||
23
install/updates/73-certmap.update
Normal file
23
install/updates/73-certmap.update
Normal file
@@ -0,0 +1,23 @@
|
||||
# Configuration for Certificate Identity Mapping
|
||||
dn: cn=certmap,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: nsContainer
|
||||
default:objectclass: ipaCertMapConfigObject
|
||||
default:cn: certmap
|
||||
default:ipaCertMapPromptUsername: FALSE
|
||||
|
||||
dn: cn=certmaprules,cn=certmap,$SUFFIX
|
||||
default:objectclass: top
|
||||
default:objectclass: nsContainer
|
||||
default:cn: certmaprules
|
||||
|
||||
# Certificate Identity Mapping Administrators
|
||||
dn: cn=Certificate Identity Mapping Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: top
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: nestedgroup
|
||||
default:cn: Certificate Identity Mapping Administrators
|
||||
default:description: Certificate Identity Mapping Administrators
|
||||
|
||||
dn: $SUFFIX
|
||||
add:aci: (targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";allow (write) userdn = "ldap:///self";)
|
||||
9
install/updates/73-custodia.update
Normal file
9
install/updates/73-custodia.update
Normal file
@@ -0,0 +1,9 @@
|
||||
dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: nsContainer
|
||||
default: cn: custodia
|
||||
|
||||
dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
|
||||
default: objectClass: top
|
||||
default: objectClass: nsContainer
|
||||
default: cn: dogtag
|
||||
3
install/updates/73-winsync.update
Normal file
3
install/updates/73-winsync.update
Normal file
@@ -0,0 +1,3 @@
|
||||
# Add a inetUser objectclass to the passsync user
|
||||
dn: uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX
|
||||
addifexist: objectClass: inetUser
|
||||
227
install/updates/80-schema_compat.update
Normal file
227
install/updates/80-schema_compat.update
Normal file
@@ -0,0 +1,227 @@
|
||||
#
|
||||
# Setup the Schema Compatibility plugin provided by slapi-nis.
|
||||
# This should be done after all other updates have been applied
|
||||
#
|
||||
# https://pagure.io/slapi-nis/
|
||||
#
|
||||
dn: cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectclass: top
|
||||
default:objectclass: nsSlapdPlugin
|
||||
default:objectclass: extensibleObject
|
||||
default:cn: Schema Compatibility
|
||||
default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
|
||||
default:nsslapd-plugininitfunc: schema_compat_plugin_init
|
||||
default:nsslapd-plugintype: object
|
||||
default:nsslapd-pluginenabled: on
|
||||
default:nsslapd-pluginid: schema-compat-plugin
|
||||
# We need to run schema-compat pre-bind callback before
|
||||
# other IPA pre-bind callbacks to make sure bind DN is
|
||||
# rewritten to the original entry if needed
|
||||
default:nsslapd-pluginprecedence: 40
|
||||
default:nsslapd-pluginversion: 0.8
|
||||
default:nsslapd-pluginbetxn: on
|
||||
default:nsslapd-pluginvendor: redhat.com
|
||||
default:nsslapd-plugindescription: Schema Compatibility Plugin
|
||||
|
||||
dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: users
|
||||
default:schema-compat-container-group: cn=compat, $SUFFIX
|
||||
default:schema-compat-container-rdn: cn=users
|
||||
default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
|
||||
default:schema-compat-search-filter: objectclass=posixAccount
|
||||
default:schema-compat-entry-rdn: uid=%{uid}
|
||||
default:schema-compat-entry-attribute: objectclass=posixAccount
|
||||
default:schema-compat-entry-attribute: gecos=%{cn}
|
||||
default:schema-compat-entry-attribute: cn=%{cn}
|
||||
default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
|
||||
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
|
||||
default:schema-compat-entry-attribute: loginShell=%{loginShell}
|
||||
default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
||||
default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
||||
default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
||||
|
||||
dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: groups
|
||||
default:schema-compat-container-group: cn=compat, $SUFFIX
|
||||
default:schema-compat-container-rdn: cn=groups
|
||||
default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
|
||||
default:schema-compat-search-filter: objectclass=posixGroup
|
||||
default:schema-compat-entry-rdn: cn=%{cn}
|
||||
default:schema-compat-entry-attribute: objectclass=posixGroup
|
||||
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
|
||||
default:schema-compat-entry-attribute: memberUid=%{memberUid}
|
||||
default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
||||
default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
||||
default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
||||
|
||||
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:objectClass: top
|
||||
add:objectClass: extensibleObject
|
||||
add:cn: ng
|
||||
add:schema-compat-container-group: cn=compat, $SUFFIX
|
||||
add:schema-compat-container-rdn: cn=ng
|
||||
add:schema-compat-check-access: yes
|
||||
add:schema-compat-search-base: cn=ng, cn=alt, $SUFFIX
|
||||
add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
|
||||
add:schema-compat-entry-rdn: cn=%{cn}
|
||||
add:schema-compat-entry-attribute: objectclass=nisNetgroup
|
||||
add:schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
|
||||
add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
|
||||
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:objectClass: top
|
||||
add:objectClass: extensibleObject
|
||||
add:cn: sudoers
|
||||
add:schema-compat-container-group: ou=SUDOers, $SUFFIX
|
||||
add:schema-compat-search-base: cn=sudorules, cn=sudo, $SUFFIX
|
||||
add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
|
||||
add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
|
||||
add:schema-compat-entry-attribute: objectclass=sudoRole
|
||||
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
|
||||
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
|
||||
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")
|
||||
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
|
||||
add:schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
|
||||
add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")
|
||||
add:schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
|
||||
# memberDenyCmds are to be allowed even if cmdCategory is set to ALL
|
||||
add:schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
|
||||
add:schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")
|
||||
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
|
||||
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
|
||||
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
|
||||
add:schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")
|
||||
add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
|
||||
add:schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
|
||||
add:schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
|
||||
|
||||
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: computers
|
||||
default:schema-compat-container-group: cn=compat, $SUFFIX
|
||||
default:schema-compat-container-rdn: cn=computers
|
||||
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
|
||||
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
||||
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
|
||||
default:schema-compat-entry-attribute: objectclass=device
|
||||
default:schema-compat-entry-attribute: objectclass=ieee802Device
|
||||
default:schema-compat-entry-attribute: cn=%{fqdn}
|
||||
default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
||||
|
||||
# Enable anonymous VLV browsing for Solaris
|
||||
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
|
||||
only:aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )
|
||||
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
only:schema-compat-entry-rdn:%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
|
||||
add:schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")
|
||||
add:schema-compat-entry-attribute: sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
|
||||
# Fix for #4324 (regression of #1309)
|
||||
remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref("ipaSudoRunAs","cn")
|
||||
remove:schema-compat-entry-attribute:sudoRunAsUser=%{ipaSudoRunAsExtUser}
|
||||
remove:schema-compat-entry-attribute:sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}
|
||||
remove:schema-compat-entry-attribute:sudoRunAsUser=%deref("ipaSudoRunAs","uid")
|
||||
remove:schema-compat-entry-attribute:sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
|
||||
remove:schema-compat-entry-attribute:sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
|
||||
|
||||
# We need to add the value in a separate transaction
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
|
||||
add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")
|
||||
add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")
|
||||
add: schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")
|
||||
add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")
|
||||
add: schema-compat-entry-attribute: sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: $SUFFIX
|
||||
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
# Change padding for host and userCategory so the pad returns the same value
|
||||
# as the original, '' or -.
|
||||
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
replace: schema-compat-entry-attribute:nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: $SUFFIX
|
||||
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
default:objectClass: extensibleObject
|
||||
default:cn: computers
|
||||
default:schema-compat-container-group: cn=compat, $SUFFIX
|
||||
default:schema-compat-container-rdn: cn=computers
|
||||
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
|
||||
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
|
||||
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
|
||||
default:schema-compat-entry-attribute: objectclass=device
|
||||
default:schema-compat-entry-attribute: objectclass=ieee802Device
|
||||
default:schema-compat-entry-attribute: cn=%{fqdn}
|
||||
default:schema-compat-entry-attribute: macAddress=%{macAddress}
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: $SUFFIX
|
||||
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
|
||||
|
||||
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: $SUFFIX
|
||||
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
remove: schema-compat-ignore-subtree: cn=changelog
|
||||
remove: schema-compat-ignore-subtree: o=ipaca
|
||||
add: schema-compat-restrict-subtree: $SUFFIX
|
||||
add: schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add: schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
add: schema-compat-ignore-subtree: cn=topology,cn=ipa,cn=etc,$SUFFIX
|
||||
|
||||
dn: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
# We need to run schema-compat pre-bind callback before
|
||||
# other IPA pre-bind callbacks to make sure bind DN is
|
||||
# rewritten to the original entry if needed
|
||||
add:nsslapd-pluginprecedence: 40
|
||||
|
||||
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
||||
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
||||
add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
||||
add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
||||
|
||||
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
||||
add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
||||
add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
||||
add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
||||
|
||||
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: uid=%{uid}
|
||||
replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")
|
||||
36
install/updates/90-post_upgrade_plugins.update
Normal file
36
install/updates/90-post_upgrade_plugins.update
Normal file
@@ -0,0 +1,36 @@
|
||||
# first
|
||||
|
||||
|
||||
# middle
|
||||
plugin: update_ca_topology
|
||||
plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion
|
||||
plugin: update_dnszones
|
||||
plugin: update_dns_limits
|
||||
plugin: update_sigden_extdom_broken_config
|
||||
plugin: update_sids
|
||||
plugin: update_default_range
|
||||
plugin: update_default_trust_view
|
||||
plugin: update_tdo_gidnumber
|
||||
plugin: update_ca_renewal_master
|
||||
plugin: update_idrange_type
|
||||
plugin: update_pacs
|
||||
plugin: update_service_principalalias
|
||||
plugin: update_fix_duplicate_cacrt_in_ldap
|
||||
plugin: update_upload_cacrt
|
||||
# update_ra_cert_store has to be executed after update_ca_renewal_master
|
||||
plugin: update_ra_cert_store
|
||||
plugin: update_mapping_Guests_to_nobody
|
||||
|
||||
# last
|
||||
# DNS version 1
|
||||
plugin: update_master_to_dnsforwardzones
|
||||
# DNS version 2
|
||||
plugin: update_dnsforward_emptyzones
|
||||
plugin: update_managed_post
|
||||
plugin: update_managed_permissions
|
||||
plugin: update_read_replication_agreements_permission
|
||||
plugin: update_idrange_baserid
|
||||
plugin: update_passync_privilege_update
|
||||
plugin: update_dnsserver_configuration_into_ldap
|
||||
plugin: update_ldap_server_list
|
||||
plugin: update_dna_shared_config
|
||||
@@ -2,52 +2,71 @@ NULL =
|
||||
|
||||
appdir = $(IPA_DATA_DIR)/updates
|
||||
app_DATA = \
|
||||
05-pre_upgrade_plugins.update \
|
||||
10-config.update \
|
||||
10-enable-betxn.update \
|
||||
10-ipapwd.update \
|
||||
10-selinuxusermap.update \
|
||||
10-rootdse.update \
|
||||
10-uniqueness.update \
|
||||
10-schema_compat.update \
|
||||
19-managed-entries.update \
|
||||
20-aci.update \
|
||||
20-dna.update \
|
||||
20-enable_dirsrv_plugins.update \
|
||||
20-host_nis_groups.update \
|
||||
20-indices.update \
|
||||
20-ipaservers_hostgroup.update \
|
||||
20-nss_ldap.update \
|
||||
20-replication.update \
|
||||
20-sslciphers.update \
|
||||
20-syncrepl.update \
|
||||
20-user_private_groups.update \
|
||||
20-winsync_index.update \
|
||||
20-idoverride_index.update \
|
||||
20-uuid.update \
|
||||
20-default_password_policy.update \
|
||||
20-whoami.update \
|
||||
21-replicas_container.update \
|
||||
21-ca_renewal_container.update \
|
||||
21-certstore_container.update \
|
||||
25-referint.update \
|
||||
30-provisioning.update \
|
||||
30-s4u2proxy.update \
|
||||
37-locations.update \
|
||||
40-delegation.update \
|
||||
40-realm_domains.update \
|
||||
40-replication.update \
|
||||
40-dns.update \
|
||||
40-automember.update \
|
||||
40-certprofile.update \
|
||||
40-otp.update \
|
||||
40-vault.update \
|
||||
41-caacl.update \
|
||||
41-lightweight-cas.update \
|
||||
45-roles.update \
|
||||
50-7_bit_check.update \
|
||||
50-dogtag10-migration.update \
|
||||
50-lockout-policy.update \
|
||||
50-groupuuid.update \
|
||||
50-hbacservice.update \
|
||||
50-krbenctypes.update \
|
||||
50-nis.update \
|
||||
50-ipaconfig.update \
|
||||
50-externalmembers.update \
|
||||
55-pbacmemberof.update \
|
||||
59-trusts-sysacount.update \
|
||||
60-trusts.update \
|
||||
61-trusts-s4u2proxy.update \
|
||||
62-ranges.update \
|
||||
71-idviews.update \
|
||||
71-idviews-sasl-mapping.update \
|
||||
72-domainlevels.update \
|
||||
73-custodia.update \
|
||||
73-winsync.update \
|
||||
73-certmap.update \
|
||||
80-schema_compat.update \
|
||||
90-post_upgrade_plugins.update \
|
||||
$(NULL)
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(app_DATA) \
|
||||
$(NULL)
|
||||
|
||||
MAINTAINERCLEANFILES = \
|
||||
*~ \
|
||||
Makefile.in
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Makefile.in generated by automake 1.14.1 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.16.1 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@@ -15,7 +15,17 @@
|
||||
@SET_MAKE@
|
||||
|
||||
VPATH = @srcdir@
|
||||
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
|
||||
am__is_gnu_make = { \
|
||||
if test -z '$(MAKELEVEL)'; then \
|
||||
false; \
|
||||
elif test -n '$(MAKE_HOST)'; then \
|
||||
true; \
|
||||
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
|
||||
true; \
|
||||
else \
|
||||
false; \
|
||||
fi; \
|
||||
}
|
||||
am__make_running_with_option = \
|
||||
case $${target_option-} in \
|
||||
?) ;; \
|
||||
@@ -76,13 +86,22 @@ POST_INSTALL = :
|
||||
NORMAL_UNINSTALL = :
|
||||
PRE_UNINSTALL = :
|
||||
POST_UNINSTALL = :
|
||||
subdir = updates
|
||||
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README
|
||||
build_triplet = @build@
|
||||
host_triplet = @host@
|
||||
subdir = install/updates
|
||||
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||
am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
|
||||
$(top_srcdir)/configure.ac
|
||||
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
|
||||
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
|
||||
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
|
||||
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
|
||||
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
|
||||
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
|
||||
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
|
||||
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
|
||||
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
|
||||
$(ACLOCAL_M4)
|
||||
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
|
||||
mkinstalldirs = $(install_sh) -d
|
||||
CONFIG_HEADER = $(top_builddir)/config.h
|
||||
CONFIG_CLEAN_FILES =
|
||||
@@ -136,38 +155,115 @@ am__uninstall_files_from_dir = { \
|
||||
am__installdirs = "$(DESTDIR)$(appdir)"
|
||||
DATA = $(app_DATA)
|
||||
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
|
||||
am__DIST_COMMON = $(srcdir)/Makefile.in README
|
||||
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||
ACLOCAL = @ACLOCAL@
|
||||
AMTAR = @AMTAR@
|
||||
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
|
||||
API_VERSION = @API_VERSION@
|
||||
AR = @AR@
|
||||
AUTOCONF = @AUTOCONF@
|
||||
AUTOHEADER = @AUTOHEADER@
|
||||
AUTOMAKE = @AUTOMAKE@
|
||||
AWK = @AWK@
|
||||
CC = @CC@
|
||||
CCDEPMODE = @CCDEPMODE@
|
||||
CFLAGS = @CFLAGS@
|
||||
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
|
||||
CMOCKA_LIBS = @CMOCKA_LIBS@
|
||||
CONFIG_STATUS = @CONFIG_STATUS@
|
||||
CPP = @CPP@
|
||||
CPPFLAGS = @CPPFLAGS@
|
||||
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
|
||||
CRYPTO_LIBS = @CRYPTO_LIBS@
|
||||
CYGPATH_W = @CYGPATH_W@
|
||||
DATA_VERSION = @DATA_VERSION@
|
||||
DEFS = @DEFS@
|
||||
DEPDIR = @DEPDIR@
|
||||
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
|
||||
DIRSRV_LIBS = @DIRSRV_LIBS@
|
||||
DLLTOOL = @DLLTOOL@
|
||||
DSYMUTIL = @DSYMUTIL@
|
||||
DUMPBIN = @DUMPBIN@
|
||||
ECHO_C = @ECHO_C@
|
||||
ECHO_N = @ECHO_N@
|
||||
ECHO_T = @ECHO_T@
|
||||
EGREP = @EGREP@
|
||||
EXEEXT = @EXEEXT@
|
||||
FGREP = @FGREP@
|
||||
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
|
||||
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
|
||||
GIT_BRANCH = @GIT_BRANCH@
|
||||
GIT_VERSION = @GIT_VERSION@
|
||||
GMSGFMT = @GMSGFMT@
|
||||
GMSGFMT_015 = @GMSGFMT_015@
|
||||
GREP = @GREP@
|
||||
INI_CFLAGS = @INI_CFLAGS@
|
||||
INI_LIBS = @INI_LIBS@
|
||||
INSTALL = @INSTALL@
|
||||
INSTALL_DATA = @INSTALL_DATA@
|
||||
INSTALL_PROGRAM = @INSTALL_PROGRAM@
|
||||
INSTALL_SCRIPT = @INSTALL_SCRIPT@
|
||||
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
|
||||
INTLLIBS = @INTLLIBS@
|
||||
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
|
||||
IPAPLATFORM = @IPAPLATFORM@
|
||||
IPA_DATA_DIR = @IPA_DATA_DIR@
|
||||
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
|
||||
JSLINT = @JSLINT@
|
||||
KRAD_LIBS = @KRAD_LIBS@
|
||||
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
|
||||
KRB5_CFLAGS = @KRB5_CFLAGS@
|
||||
KRB5_LIBS = @KRB5_LIBS@
|
||||
LD = @LD@
|
||||
LDAP_CFLAGS = @LDAP_CFLAGS@
|
||||
LDAP_LIBS = @LDAP_LIBS@
|
||||
LDFLAGS = @LDFLAGS@
|
||||
LIBICONV = @LIBICONV@
|
||||
LIBINTL = @LIBINTL@
|
||||
LIBINTL_LIBS = @LIBINTL_LIBS@
|
||||
LIBOBJS = @LIBOBJS@
|
||||
LIBPDB_NAME = @LIBPDB_NAME@
|
||||
LIBS = @LIBS@
|
||||
LIBTOOL = @LIBTOOL@
|
||||
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
|
||||
LIBVERTO_LIBS = @LIBVERTO_LIBS@
|
||||
LIPO = @LIPO@
|
||||
LN_S = @LN_S@
|
||||
LTLIBICONV = @LTLIBICONV@
|
||||
LTLIBINTL = @LTLIBINTL@
|
||||
LTLIBOBJS = @LTLIBOBJS@
|
||||
MAINT = @MAINT@
|
||||
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
|
||||
MAKEINFO = @MAKEINFO@
|
||||
MANIFEST_TOOL = @MANIFEST_TOOL@
|
||||
MKDIR_P = @MKDIR_P@
|
||||
MK_ASSIGN = @MK_ASSIGN@
|
||||
MK_ELSE = @MK_ELSE@
|
||||
MK_ENDIF = @MK_ENDIF@
|
||||
MK_IFEQ = @MK_IFEQ@
|
||||
MSGATTRIB = @MSGATTRIB@
|
||||
MSGCMP = @MSGCMP@
|
||||
MSGFMT = @MSGFMT@
|
||||
MSGINIT = @MSGINIT@
|
||||
MSGFMT_015 = @MSGFMT_015@
|
||||
MSGMERGE = @MSGMERGE@
|
||||
NAMED_GROUP = @NAMED_GROUP@
|
||||
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
|
||||
NDRNBT_LIBS = @NDRNBT_LIBS@
|
||||
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
|
||||
NDRPAC_LIBS = @NDRPAC_LIBS@
|
||||
NDR_CFLAGS = @NDR_CFLAGS@
|
||||
NDR_LIBS = @NDR_LIBS@
|
||||
NM = @NM@
|
||||
NMEDIT = @NMEDIT@
|
||||
NSPR_CFLAGS = @NSPR_CFLAGS@
|
||||
NSPR_LIBS = @NSPR_LIBS@
|
||||
NSS_CFLAGS = @NSS_CFLAGS@
|
||||
NSS_LIBS = @NSS_LIBS@
|
||||
NUM_VERSION = @NUM_VERSION@
|
||||
OBJDUMP = @OBJDUMP@
|
||||
OBJEXT = @OBJEXT@
|
||||
ODS_USER = @ODS_USER@
|
||||
OTOOL = @OTOOL@
|
||||
OTOOL64 = @OTOOL64@
|
||||
PACKAGE = @PACKAGE@
|
||||
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
|
||||
PACKAGE_NAME = @PACKAGE_NAME@
|
||||
@@ -176,33 +272,89 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
||||
PACKAGE_URL = @PACKAGE_URL@
|
||||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||
PKG_CONFIG = @PKG_CONFIG@
|
||||
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
|
||||
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
|
||||
PLATFORM_PYTHON = @PLATFORM_PYTHON@
|
||||
POPT_CFLAGS = @POPT_CFLAGS@
|
||||
POPT_LIBS = @POPT_LIBS@
|
||||
POSUB = @POSUB@
|
||||
PYLINT = @PYLINT@
|
||||
PYTHON = @PYTHON@
|
||||
PYTHON2 = @PYTHON2@
|
||||
PYTHON3 = @PYTHON3@
|
||||
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
|
||||
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
|
||||
PYTHON_PLATFORM = @PYTHON_PLATFORM@
|
||||
PYTHON_PREFIX = @PYTHON_PREFIX@
|
||||
PYTHON_VERSION = @PYTHON_VERSION@
|
||||
RANLIB = @RANLIB@
|
||||
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
|
||||
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
|
||||
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
|
||||
SASL_CFLAGS = @SASL_CFLAGS@
|
||||
SASL_LIBS = @SASL_LIBS@
|
||||
SED = @SED@
|
||||
SET_MAKE = @SET_MAKE@
|
||||
SHELL = @SHELL@
|
||||
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
|
||||
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
|
||||
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
|
||||
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
|
||||
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
|
||||
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
|
||||
STRIP = @STRIP@
|
||||
TX = @TX@
|
||||
TALLOC_CFLAGS = @TALLOC_CFLAGS@
|
||||
TALLOC_LIBS = @TALLOC_LIBS@
|
||||
TEVENT_CFLAGS = @TEVENT_CFLAGS@
|
||||
TEVENT_LIBS = @TEVENT_LIBS@
|
||||
UNISTRING_LIBS = @UNISTRING_LIBS@
|
||||
UNLINK = @UNLINK@
|
||||
USE_NLS = @USE_NLS@
|
||||
UUID_CFLAGS = @UUID_CFLAGS@
|
||||
UUID_LIBS = @UUID_LIBS@
|
||||
VENDOR_SUFFIX = @VENDOR_SUFFIX@
|
||||
VERSION = @VERSION@
|
||||
XGETTEXT = @XGETTEXT@
|
||||
XGETTEXT_015 = @XGETTEXT_015@
|
||||
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
|
||||
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
|
||||
XMLRPC_LIBS = @XMLRPC_LIBS@
|
||||
abs_builddir = @abs_builddir@
|
||||
abs_srcdir = @abs_srcdir@
|
||||
abs_top_builddir = @abs_top_builddir@
|
||||
abs_top_srcdir = @abs_top_srcdir@
|
||||
ac_ct_AR = @ac_ct_AR@
|
||||
ac_ct_CC = @ac_ct_CC@
|
||||
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||
am__include = @am__include@
|
||||
am__leading_dot = @am__leading_dot@
|
||||
am__quote = @am__quote@
|
||||
am__tar = @am__tar@
|
||||
am__untar = @am__untar@
|
||||
bindir = @bindir@
|
||||
build = @build@
|
||||
build_alias = @build_alias@
|
||||
build_cpu = @build_cpu@
|
||||
build_os = @build_os@
|
||||
build_vendor = @build_vendor@
|
||||
builddir = @builddir@
|
||||
datadir = @datadir@
|
||||
datarootdir = @datarootdir@
|
||||
docdir = @docdir@
|
||||
dvidir = @dvidir@
|
||||
exec_prefix = @exec_prefix@
|
||||
host = @host@
|
||||
host_alias = @host_alias@
|
||||
host_cpu = @host_cpu@
|
||||
host_os = @host_os@
|
||||
host_vendor = @host_vendor@
|
||||
htmldir = @htmldir@
|
||||
i18ntests = @i18ntests@
|
||||
includedir = @includedir@
|
||||
infodir = @infodir@
|
||||
install_sh = @install_sh@
|
||||
krb5rundir = @krb5rundir@
|
||||
libdir = @libdir@
|
||||
libexecdir = @libexecdir@
|
||||
localedir = @localedir@
|
||||
@@ -211,13 +363,20 @@ mandir = @mandir@
|
||||
mkdir_p = @mkdir_p@
|
||||
oldincludedir = @oldincludedir@
|
||||
pdfdir = @pdfdir@
|
||||
pkgpyexecdir = @pkgpyexecdir@
|
||||
pkgpythondir = @pkgpythondir@
|
||||
prefix = @prefix@
|
||||
program_transform_name = @program_transform_name@
|
||||
psdir = @psdir@
|
||||
pyexecdir = @pyexecdir@
|
||||
pythondir = @pythondir@
|
||||
sbindir = @sbindir@
|
||||
sharedstatedir = @sharedstatedir@
|
||||
srcdir = @srcdir@
|
||||
sysconfdir = @sysconfdir@
|
||||
sysconfenvdir = @sysconfenvdir@
|
||||
systemdsystemunitdir = @systemdsystemunitdir@
|
||||
systemdtmpfilesdir = @systemdtmpfilesdir@
|
||||
target_alias = @target_alias@
|
||||
top_build_prefix = @top_build_prefix@
|
||||
top_builddir = @top_builddir@
|
||||
@@ -225,60 +384,79 @@ top_srcdir = @top_srcdir@
|
||||
NULL =
|
||||
appdir = $(IPA_DATA_DIR)/updates
|
||||
app_DATA = \
|
||||
05-pre_upgrade_plugins.update \
|
||||
10-config.update \
|
||||
10-enable-betxn.update \
|
||||
10-ipapwd.update \
|
||||
10-selinuxusermap.update \
|
||||
10-rootdse.update \
|
||||
10-uniqueness.update \
|
||||
10-schema_compat.update \
|
||||
19-managed-entries.update \
|
||||
20-aci.update \
|
||||
20-dna.update \
|
||||
20-enable_dirsrv_plugins.update \
|
||||
20-host_nis_groups.update \
|
||||
20-indices.update \
|
||||
20-ipaservers_hostgroup.update \
|
||||
20-nss_ldap.update \
|
||||
20-replication.update \
|
||||
20-sslciphers.update \
|
||||
20-syncrepl.update \
|
||||
20-user_private_groups.update \
|
||||
20-winsync_index.update \
|
||||
20-idoverride_index.update \
|
||||
20-uuid.update \
|
||||
20-default_password_policy.update \
|
||||
20-whoami.update \
|
||||
21-replicas_container.update \
|
||||
21-ca_renewal_container.update \
|
||||
21-certstore_container.update \
|
||||
25-referint.update \
|
||||
30-provisioning.update \
|
||||
30-s4u2proxy.update \
|
||||
37-locations.update \
|
||||
40-delegation.update \
|
||||
40-realm_domains.update \
|
||||
40-replication.update \
|
||||
40-dns.update \
|
||||
40-automember.update \
|
||||
40-certprofile.update \
|
||||
40-otp.update \
|
||||
40-vault.update \
|
||||
41-caacl.update \
|
||||
41-lightweight-cas.update \
|
||||
45-roles.update \
|
||||
50-7_bit_check.update \
|
||||
50-dogtag10-migration.update \
|
||||
50-lockout-policy.update \
|
||||
50-groupuuid.update \
|
||||
50-hbacservice.update \
|
||||
50-krbenctypes.update \
|
||||
50-nis.update \
|
||||
50-ipaconfig.update \
|
||||
50-externalmembers.update \
|
||||
55-pbacmemberof.update \
|
||||
59-trusts-sysacount.update \
|
||||
60-trusts.update \
|
||||
61-trusts-s4u2proxy.update \
|
||||
62-ranges.update \
|
||||
71-idviews.update \
|
||||
71-idviews-sasl-mapping.update \
|
||||
72-domainlevels.update \
|
||||
73-custodia.update \
|
||||
73-winsync.update \
|
||||
73-certmap.update \
|
||||
80-schema_compat.update \
|
||||
90-post_upgrade_plugins.update \
|
||||
$(NULL)
|
||||
|
||||
EXTRA_DIST = \
|
||||
$(app_DATA) \
|
||||
$(NULL)
|
||||
|
||||
MAINTAINERCLEANFILES = \
|
||||
*~ \
|
||||
Makefile.in
|
||||
|
||||
all: all-am
|
||||
|
||||
.SUFFIXES:
|
||||
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
|
||||
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
||||
@for dep in $?; do \
|
||||
case '$(am__configure_deps)' in \
|
||||
*$$dep*) \
|
||||
@@ -287,27 +465,32 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__confi
|
||||
exit 1;; \
|
||||
esac; \
|
||||
done; \
|
||||
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign updates/Makefile'; \
|
||||
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/updates/Makefile'; \
|
||||
$(am__cd) $(top_srcdir) && \
|
||||
$(AUTOMAKE) --foreign updates/Makefile
|
||||
.PRECIOUS: Makefile
|
||||
$(AUTOMAKE) --foreign install/updates/Makefile
|
||||
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
|
||||
@case '$?' in \
|
||||
*config.status*) \
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
|
||||
*) \
|
||||
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
|
||||
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
|
||||
esac;
|
||||
|
||||
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||
|
||||
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
|
||||
$(top_srcdir)/configure: $(am__configure_deps)
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
|
||||
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||
$(am__aclocal_m4_deps):
|
||||
|
||||
mostlyclean-libtool:
|
||||
-rm -f *.lo
|
||||
|
||||
clean-libtool:
|
||||
-rm -rf .libs _libs
|
||||
install-appDATA: $(app_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
@list='$(app_DATA)'; test -n "$(appdir)" || list=; \
|
||||
@@ -336,7 +519,10 @@ ctags CTAGS:
|
||||
cscope cscopelist:
|
||||
|
||||
|
||||
distdir: $(DISTFILES)
|
||||
distdir: $(BUILT_SOURCES)
|
||||
$(MAKE) $(AM_MAKEFLAGS) distdir-am
|
||||
|
||||
distdir-am: $(DISTFILES)
|
||||
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
list='$(DISTFILES)'; \
|
||||
@@ -403,10 +589,9 @@ distclean-generic:
|
||||
maintainer-clean-generic:
|
||||
@echo "This command is intended for maintainers to use"
|
||||
@echo "it deletes files that may require special tools to rebuild."
|
||||
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
|
||||
clean: clean-am
|
||||
|
||||
clean-am: clean-generic mostlyclean-am
|
||||
clean-am: clean-generic clean-libtool mostlyclean-am
|
||||
|
||||
distclean: distclean-am
|
||||
-rm -f Makefile
|
||||
@@ -458,7 +643,7 @@ maintainer-clean-am: distclean-am maintainer-clean-generic
|
||||
|
||||
mostlyclean: mostlyclean-am
|
||||
|
||||
mostlyclean-am: mostlyclean-generic
|
||||
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
|
||||
|
||||
pdf: pdf-am
|
||||
|
||||
@@ -472,17 +657,20 @@ uninstall-am: uninstall-appDATA
|
||||
|
||||
.MAKE: install-am install-strip
|
||||
|
||||
.PHONY: all all-am check check-am clean clean-generic cscopelist-am \
|
||||
ctags-am distclean distclean-generic distdir dvi dvi-am html \
|
||||
html-am info info-am install install-am install-appDATA \
|
||||
install-data install-data-am install-dvi install-dvi-am \
|
||||
install-exec install-exec-am install-html install-html-am \
|
||||
install-info install-info-am install-man install-pdf \
|
||||
install-pdf-am install-ps install-ps-am install-strip \
|
||||
installcheck installcheck-am installdirs maintainer-clean \
|
||||
maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
|
||||
pdf-am ps ps-am tags-am uninstall uninstall-am \
|
||||
uninstall-appDATA
|
||||
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
|
||||
cscopelist-am ctags-am distclean distclean-generic \
|
||||
distclean-libtool distdir dvi dvi-am html html-am info info-am \
|
||||
install install-am install-appDATA install-data \
|
||||
install-data-am install-dvi install-dvi-am install-exec \
|
||||
install-exec-am install-html install-html-am install-info \
|
||||
install-info-am install-man install-pdf install-pdf-am \
|
||||
install-ps install-ps-am install-strip installcheck \
|
||||
installcheck-am installdirs maintainer-clean \
|
||||
maintainer-clean-generic mostlyclean mostlyclean-generic \
|
||||
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
|
||||
uninstall-am uninstall-appDATA
|
||||
|
||||
.PRECIOUS: Makefile
|
||||
|
||||
|
||||
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||
|
||||
Reference in New Issue
Block a user