adtrust: support GSSAPI authentication to LDAP as Active Directory user

In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user. This allows to self-manage ID override parameters from the CLI, for example, SSH public keys or certificates. Admins can define what can be changed by the users via self-service permissions. Part of https://fedorahosted.org/freeipa/ticket/2149 Part of https://fedorahosted.org/freeipa/ticket/3242 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-06 11:51:05 +03:00 · 2016-06-06 11:51:05 +03:00 · b506fd178e
commit b506fd178e
parent a0f953e0ff
3 changed files with 29 additions and 0 deletions
--- a/install/updates/20-idoverride_index.update
+++ b/install/updates/20-idoverride_index.update
@ -0,0 +1,19 @@
+#
+# Make sure ID override attributes have the correct indexing
+#
+
+dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
+
+dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
--- a/install/updates/71-idviews-sasl-mapping.update
+++ b/install/updates/71-idviews-sasl-mapping.update
@ -0,0 +1,8 @@
+dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
+default:cn: ID Overridden Principal
+default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
+default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
+default:nsSaslMapPriority: 20
+default:nsSaslMapRegexString: \(.*\)@\(.*\)
+default:objectClass: top
+default:objectClass: nsSaslMapping
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@ -21,6 +21,7 @@ app_DATA =				\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
+	20-idoverride_index.update	\
 	20-uuid.update  \
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
@ -53,6 +54,7 @@ app_DATA =				\
 	61-trusts-s4u2proxy.update	\
 	62-ranges.update		\
 	71-idviews.update		\
+	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
 	73-winsync.update		\