freeipa/install/share/schema_compat.uldif

#
# Enable the Schema Compatibility plugin provided by slapi-nis.
#
# http://slapi-nis.fedorahosted.org/
#
dn: cn=Schema Compatibility, cn=plugins, cn=config
default:objectclass: top
default:objectclass: nsSlapdPlugin
default:objectclass: extensibleObject
default:cn: Schema Compatibility
default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
default:nsslapd-plugininitfunc: schema_compat_plugin_init
default:nsslapd-plugintype: object
default:nsslapd-pluginenabled: on
default:nsslapd-pluginid: schema-compat-plugin
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginbetxn: on
default:nsslapd-pluginvendor: redhat.com
default:nsslapd-plugindescription: Schema Compatibility Plugin

dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: users
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=users
default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixAccount
default:schema-compat-entry-rdn: uid=%{uid}
default:schema-compat-entry-attribute: objectclass=posixAccount
default:schema-compat-entry-attribute: gecos=%{cn}
default:schema-compat-entry-attribute: cn=%{cn}
default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: loginShell=%{loginShell}
default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}

dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: groups
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=groups
default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixGroup
default:schema-compat-entry-rdn: cn=%{cn}
default:schema-compat-entry-attribute: objectclass=posixGroup
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: memberUid=%{memberUid}
default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: ng
add:schema-compat-container-group: 'cn=compat, $SUFFIX'
add:schema-compat-container-rdn: cn=ng
add:schema-compat-check-access: yes
add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX'
add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-attribute: objectclass=nisNetgroup
add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'
add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})'

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: sudoers
add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX'
add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX'
add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")
add:schema-compat-entry-attribute: objectclass=sudoRole
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'
add:schema-compat-entry-attribute: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'

dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: computers
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=computers
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}

# Enable anonymous VLV browsing for Solaris
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'
Update files for the schema compatibility plugin and RFC4876 profiles Also handle syntax errors a bit more gracefully and allow the updater to work on more than one file at a time. Adjust to new config.py and use a custom exception class for syntax errors. Also fix a error in parsing the separate files Include slapi-nis in Requires Includes work provided by Martin Nagy 460055 2008-09-10 14:56:11 -05:00			`#`
			`# Enable the Schema Compatibility plugin provided by slapi-nis.`
			`#`
			`# http://slapi-nis.fedorahosted.org/`
			`#`
			`dn: cn=Schema Compatibility, cn=plugins, cn=config`
			`default:objectclass: top`
			`default:objectclass: nsSlapdPlugin`
			`default:objectclass: extensibleObject`
			`default:cn: Schema Compatibility`
			`default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so`
			`default:nsslapd-plugininitfunc: schema_compat_plugin_init`
			`default:nsslapd-plugintype: object`
			`default:nsslapd-pluginenabled: on`
			`default:nsslapd-pluginid: schema-compat-plugin`
			`default:nsslapd-pluginversion: 0.8`
Enable transactions by default, make password and modrdn TXN-aware The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046 2012-11-15 20:38:26 -06:00			`default:nsslapd-pluginbetxn: on`
Update files for the schema compatibility plugin and RFC4876 profiles Also handle syntax errors a bit more gracefully and allow the updater to work on more than one file at a time. Adjust to new config.py and use a custom exception class for syntax errors. Also fix a error in parsing the separate files Include slapi-nis in Requires Includes work provided by Martin Nagy 460055 2008-09-10 14:56:11 -05:00			`default:nsslapd-pluginvendor: redhat.com`
			`default:nsslapd-plugindescription: Schema Compatibility Plugin`

			`dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config`
			`default:objectClass: top`
			`default:objectClass: extensibleObject`
			`default:cn: users`
			`default:schema-compat-container-group: cn=compat, $SUFFIX`
			`default:schema-compat-container-rdn: cn=users`
			`default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX`
			`default:schema-compat-search-filter: objectclass=posixAccount`
			`default:schema-compat-entry-rdn: uid=%{uid}`
			`default:schema-compat-entry-attribute: objectclass=posixAccount`
			`default:schema-compat-entry-attribute: gecos=%{cn}`
			`default:schema-compat-entry-attribute: cn=%{cn}`
			`default:schema-compat-entry-attribute: uidNumber=%{uidNumber}`
			`default:schema-compat-entry-attribute: gidNumber=%{gidNumber}`
			`default:schema-compat-entry-attribute: loginShell=%{loginShell}`
			`default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}`

			`dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config`
			`default:objectClass: top`
			`default:objectClass: extensibleObject`
			`default:cn: groups`
			`default:schema-compat-container-group: cn=compat, $SUFFIX`
			`default:schema-compat-container-rdn: cn=groups`
			`default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX`
			`default:schema-compat-search-filter: objectclass=posixGroup`
			`default:schema-compat-entry-rdn: cn=%{cn}`
			`default:schema-compat-entry-attribute: objectclass=posixGroup`
			`default:schema-compat-entry-attribute: gidNumber=%{gidNumber}`
			`default:schema-compat-entry-attribute: memberUid=%{memberUid}`
list users from nested groups, too 2011-10-04 10:46:59 -05:00			`default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")`
Enable anonymous VLV so Solaris clients will work out of the box. Since one needs to enable the compat plugin we will enable anonymous VLV when that is configured. By default the DS installs an aci that grants read access to ldap:///all and we need ldap:///anyone 2010-03-19 15:52:13 -05:00
Enable compat plugin by default and configure netgroups Move the netgroup compat configuration from the nis configuration to the existing compat configuration. Add a 'status' option to the ipa-copmat-manage tool. ticket 91 2010-08-11 14:26:37 -05:00			`dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config`
			`add:objectClass: top`
			`add:objectClass: extensibleObject`
			`add:cn: ng`
			`add:schema-compat-container-group: 'cn=compat, $SUFFIX'`
			`add:schema-compat-container-rdn: cn=ng`
			`add:schema-compat-check-access: yes`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			`add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX'`
			`add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)`
Enable compat plugin by default and configure netgroups Move the netgroup compat configuration from the nis configuration to the existing compat configuration. Add a 'status' option to the ipa-copmat-manage tool. ticket 91 2010-08-11 14:26:37 -05:00			`add:schema-compat-entry-rdn: cn=%{cn}`
			`add:schema-compat-entry-attribute: objectclass=nisNetgroup`
			`add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})'

			`dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config`
			`add:objectClass: top`
			`add:objectClass: extensibleObject`
			`add:cn: sudoers`
			`add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX'`
Move sudo related data all under cn=sudo Fixes: https://fedorahosted.org/freeipa/ticket/773 2011-01-14 14:27:56 -06:00			`add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX'`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			`add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))`
Remove disabled entries from sudoers compat tree. The removal is triggered by generating an invalid RDN when ipaEnabledFlag of the original entry is FALSE. https://fedorahosted.org/freeipa/ticket/3437 2013-03-06 03:07:13 -06:00			`add:schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			`add:schema-compat-entry-attribute: objectclass=sudoRole`
			`add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'`
			`add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'`
			`add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(\|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")'`
			`add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")'`
			`add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'`
			`add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'`
			`add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")'`
sudo: treat mepOriginEntry hostgroups differently - if a hostgroup named by the memberHost attribute is not also a mepOriginEntry, proceed as before - if a hostgroup named by the memberHost attribute is also a mepOriginEntry, read its "cn" attribute, prepend a "+" to it, and call it done 2010-12-09 14:31:13 -06:00			`add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(\|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'`
			`add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")'`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			`add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'`
			`add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'`
			`add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'`
Bugfix for sudo compat cmdcat and deny commands https://fedorahosted.org/freeipa/ticket/742 2011-01-11 09:32:55 -06:00			`add:schema-compat-entry-attribute: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'`
			`add:schema-compat-entry-attribute: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			`add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}'`
			`add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'`
fix sudorule runas user/groups https://fedorahosted.org/freeipa/ticket/570 2011-01-07 17:29:00 -06:00			`add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")'`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00			`add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'`
			`add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'`
			`add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'`
Enable compat plugin by default and configure netgroups Move the netgroup compat configuration from the nis configuration to the existing compat configuration. Add a 'status' option to the ipa-copmat-manage tool. ticket 91 2010-08-11 14:26:37 -05:00
- create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes 2012-04-16 14:31:12 -05:00			`dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config`
			`default:objectClass: top`
			`default:objectClass: extensibleObject`
			`default:cn: computers`
			`default:schema-compat-container-group: cn=compat, $SUFFIX`
			`default:schema-compat-container-rdn: cn=computers`
			`default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX`
			`default:schema-compat-search-filter: (&(macAddress=)(fqdn=)(objectClass=ipaHost))`
			`default:schema-compat-entry-rdn: cn=%first("%{fqdn}")`
			`default:schema-compat-entry-attribute: objectclass=device`
			`default:schema-compat-entry-attribute: objectclass=ieee802Device`
			`default:schema-compat-entry-attribute: cn=%{fqdn}`
			`default:schema-compat-entry-attribute: macAddress=%{macAddress}`

Enable anonymous VLV so Solaris clients will work out of the box. Since one needs to enable the compat plugin we will enable anonymous VLV when that is configured. By default the DS installs an aci that grants read access to ldap:///all and we need ldap:///anyone 2010-03-19 15:52:13 -05:00			`# Enable anonymous VLV browsing for Solaris`
			`dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config`
			`only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'`
sudo and netgroup schema compat updates - fix quoting of netgroup entries - don't bother looking for members of netgroups by looking for entries which list "memberOf: $netgroup" -- the netgroup should list them as "member" values - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container to make room for the compat container 2010-11-30 17:25:33 -06:00