From b506fd178edbf1553ca581c44ac6697f88ead125 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 6 Jun 2016 11:51:05 +0300
Subject: [PATCH] adtrust: support GSSAPI authentication to LDAP as Active Directory user
In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user. This allows to self-manage ID override parameters from the CLI, for example, SSH public keys or certificates. Admins can define what can be changed by the users via self-service permissions.
Part of https://fedorahosted.org/freeipa/ticket/2149
Part of https://fedorahosted.org/freeipa/ticket/3242
Reviewed-By: Martin Babinsky
---
 install/updates/20-idoverride_index.update | 19 +++++++++++++++++++
 .../updates/71-idviews-sasl-mapping.update | 8 ++++++++
 install/updates/Makefile.am | 2 ++
 3 files changed, 29 insertions(+)
 create mode 100644 install/updates/20-idoverride_index.update
 create mode 100644 install/updates/71-idviews-sasl-mapping.update
diff --git a/install/updates/20-idoverride_index.update b/install/updates/20-idoverride_index.update
new file mode 100644
index 000000000..bfc9c6e23
--- /dev/null
+++ b/install/updates/20-idoverride_index.update
@@ -0,0 +1,19 @@
+#
+# Make sure ID override attributes have the correct indexing
+#
+
+dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
+
+dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
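Review bot: The second index entry, `dn: cn=ipaAnchorUUID,cn=index,...`, sets `default:cn: ipaOriginalUid`, so its cn attribute does not match its own RDN and instead repeats the attribute name of the first entry; it should read `default:cn: ipaAnchorUUID`. As written the definition does not name the attribute it is meant to index, so depending on how the server treats an add whose cn disagrees with the RDN, the entry is either rejected or creates a second definition for ipaOriginalUid while ipaAnchorUUID stays unindexed — worth confirming against the updater's handling of `default:` on a newly created entry. The `eq`/`pres` index types mirror the first entry and look right for the equality filters an override lookup would use.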
diff --git a/install/updates/71-idviews-sasl-mapping.update b/install/updates/71-idviews-sasl-mapping.update
new file mode 100644
index 000000000..cc19c43f4
--- /dev/null
+++ b/install/updates/71-idviews-sasl-mapping.update
@@ -0,0 +1,8 @@
+dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
+default:cn: ID Overridden Principal
+default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
+default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
+default:nsSaslMapPriority: 20
+default:nsSaslMapRegexString: \(.*\)@\(.*\)
+default:objectClass: top
+default:objectClass: nsSaslMapping
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 737a8bbbd..fde69175c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -21,6 +21,7 @@ app_DATA = \
 20-syncrepl.update \
 20-user_private_groups.update \
 20-winsync_index.update \
+ 20-idoverride_index.update \
 20-uuid.update \
 21-replicas_container.update \
 21-ca_renewal_container.update \
@@ -53,6 +54,7 @@ app_DATA = \
 61-trusts-s4u2proxy.update \
 62-ranges.update \
 71-idviews.update \
+ 71-idviews-sasl-mapping.update \
 72-domainlevels.update \
 73-custodia.update \
 73-winsync.update \
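Review bot: The regex `\(.*\)@\(.*\)` in the new SASL mapping matches every principal that contains an `@` — IPA users, hosts and services included — not only trusted-domain users, so the mapping is selected for all GSSAPI binds and only the base DN (`cn=default trust view,...`) and the `objectclass=ipaUserOverride` filter keep it from resolving a principal to the wrong entry. If the server does not fall back to the next mapping when a matched mapping's search returns no entry, a mapping of this breadth at priority 20 (consulted ahead of default-priority mappings, if lower values are tried first) would presumably break binds for every principal without an override; this hunk does not show how `nsslapd-sasl-mapping-fallback` is configured, so that should be confirmed or the regex narrowed to the trusted realms. Unlike the sibling `20-idoverride_index.update`, the file has no header comment explaining its purpose; it would help to open it with `# Map GSSAPI-authenticated principals that have a user ID override in the default trust view to that override entry`. The two Makefile.am hunks only register the new files and need no change.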