IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add altSecurityIdentities attribute from MS-WSPP schema definition

Browse Source 
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Alexander Bokovoy
2019-05-03 08:57:07 +03:00
parent 0187a746c9
commit 5a83eea20b
2 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
install/share/73certmap.ldif
View File

@@ -12,3 +12,6 @@ attributeTypes: (2.16.840.1.113730.3.8.22.1.5 NAME 'ipaCertMapPriority' DESC 'Ru
objectClasses: (2.16.840.1.113730.3.8.22.2.1 NAME 'ipaCertMapConfigObject' DESC 'IPA Certificate Mapping global config options' AUXILIARY MAY ipaCertMapPromptUsername X-ORIGIN 'IPA v4.5' )
objectClasses: (2.16.840.1.113730.3.8.22.2.2 NAME 'ipaCertMapRule' DESC 'IPA Certificate Mapping rule' SUP top STRUCTURAL MUST cn MAY ( description $ ipaCertMapMapRule $ ipaCertMapMatchRule $ associatedDomain $ ipaCertMapPriority $ ipaEnabledFlag ) X-ORIGIN 'IPA v4.5' )
objectClasses: (2.16.840.1.113730.3.8.22.2.3 NAME 'ipaCertMapObject' DESC 'IPA Object for Certificate Mapping' AUXILIARY MAY ipaCertMapData X-ORIGIN 'IPA v4.5' )
# altSecurityIdentities attribute is from MS-WSPP AD schema
# we define it here to have proper indexed searches
attributeTypes: (1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' DESC 'Alt-Security-Identities' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'MS-WSPP')

4
install/updates/20-aci.update
View File

@@ -25,6 +25,10 @@ add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || i
dn: $SUFFIX
add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";)
# Read access to altSecurityIdentities to allow filter optimizations in 389-ds
dn: $SUFFIX
add:aci:(targetattr="altSecurityIdentities")(version 3.0; acl "Authenticated read access to altSecurityIdentities information"; allow(read, search, compare) userdn = "ldap:///all";)
# Read access to containers
dn: $SUFFIX
add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)