Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This commit is contained in:
parent
1cc11ebf53
commit
bd98ab0356
6
ACI.txt
6
ACI.txt
@ -54,6 +54,8 @@ dn: dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=groups,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=groups,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=groups,cn=accounts,dc=ipa,dc=example
|
||||
@ -260,6 +262,8 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=users,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=users,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=users,cn=accounts,dc=ipa,dc=example
|
||||
@ -268,6 +272,8 @@ dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Add CA Certificate For Renewal";allow (add) groupdn = "ldap:///cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Add Certificate Store Entry";allow (add) groupdn = "ldap:///cn=System: Add Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: dc=ipa,dc=example
|
||||
aci: (targetattr = "ipaanchoruuid")(target = "ldap:///cn=*,cn=compat,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaOverrideTarget)")(version 3.0;acl "permission:System: Compat Tree ID View targets";allow (compare,read,search) userdn = "ldap:///anyone";)
|
||||
dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetattr = "cacertificate")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Modify CA Certificate";allow (write) groupdn = "ldap:///cn=System: Modify CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
|
||||
|
@ -5,3 +5,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.29 NAME 'ipaIDView' SUP nsContainer STR
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) MAY ( description ) X-ORIGIN 'IPA v4' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.31 NAME 'ipaUserOverride' DESC 'Override for User Attributes' SUP ipaOverrideAnchor STRUCTURAL MAY ( uid $ uidNumber $ gidNumber $ homeDirectory $ loginShell $ gecos $ ipaOriginalUid ) X-ORIGIN 'IPA v4' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.32 NAME 'ipaGroupOverride' DESC 'Override for Group Attributes' SUP ipaOverrideAnchor STRUCTURAL MAY ( gidNumber $ cn ) X-ORIGIN 'IPA v4' )
|
||||
objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
|
||||
|
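Review bot: The new ipaOverrideTarget objectclass definition carries no DESC, while its siblings ipaUserOverride and ipaGroupOverride directly above it do, and nothing in the schema says that this class is stamped onto synthesized compat-tree entries (as the schema-compat rules elsewhere in this commit do) rather than onto override entries. A description would make that distinction visible to anyone reading the schema, e.g. `objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaOverrideTarget' DESC 'Compat tree entry that can be targeted by an ID view override' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )`. The OID jumps from .32 to .34; presumably .33 is allocated elsewhere, but it is worth confirming so the gap is not an accidental skip.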
@ -38,6 +38,10 @@ default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
|
||||
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
|
||||
default:schema-compat-entry-attribute: loginShell=%{loginShell}
|
||||
default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
||||
default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
||||
default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
||||
|
||||
dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
|
||||
default:objectClass: top
|
||||
@ -52,6 +56,10 @@ default:schema-compat-entry-attribute: objectclass=posixGroup
|
||||
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
|
||||
default:schema-compat-entry-attribute: memberUid=%{memberUid}
|
||||
default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
|
||||
default:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
|
||||
default:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
|
||||
default:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
|
||||
|
||||
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:objectClass: top
|
||||
|
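Review bot: The four new schema-compat rules in cn=users and cn=groups are uncommented, yet the anchor they synthesize, `ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}`, only works if it is byte-identical to the ipaAnchorUUID values that ID override entries carry; a mismatch (for example if `$DOMAIN` is not substituted, or is substituted in a different case) would make overrides silently fail to match rather than error. A comment above the first rule in each entry would pin that contract, e.g. `# Mark this entry as an ID view override target; the anchor format must match ipaAnchorUUID as written by ID overrides ($DOMAIN is presumably replaced at install time)`. The same four rules are repeated in the update file hunk further down for existing installs, so any later change to the anchor format has to be made in all four places. Whether an entry that carries both ipauniqueid and ipaanchoruuid would end up with objectclass=ipaOverrideTarget and ipaanchoruuid emitted twice, and whether the plugin collapses such duplicates, I cannot tell from this page; worth a quick check.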
@ -61,3 +61,14 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config
|
||||
# rewritten to the original entry if needed
|
||||
add:nsslapd-pluginprecedence: 49
|
||||
|
||||
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: '%ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")'
|
||||
add:schema-compat-entry-attribute: '%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")'
|
||||
add:schema-compat-entry-attribute: 'ipaanchoruuid=%{ipaanchoruuid}'
|
||||
add:schema-compat-entry-attribute: '%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")'
|
||||
|
||||
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
|
||||
add:schema-compat-entry-attribute: '%ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")'
|
||||
add:schema-compat-entry-attribute: '%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")'
|
||||
add:schema-compat-entry-attribute: 'ipaanchoruuid=%{ipaanchoruuid}'
|
||||
add:schema-compat-entry-attribute: '%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")'
|
||||
|
@ -212,6 +212,16 @@ class group(LDAPObject):
|
||||
'objectclass', 'cn', 'memberuid', 'gidnumber',
|
||||
},
|
||||
},
|
||||
'System: Read Group Views Compat Tree': {
|
||||
'non_object': True,
|
||||
'ipapermbindruletype': 'anonymous',
|
||||
'ipapermlocation': api.env.basedn,
|
||||
'ipapermtarget': DN('cn=groups', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'objectclass', 'cn', 'memberuid', 'gidnumber',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
label = _('User Groups')
|
||||
|
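Review bot: The new 'System: Read Group Views Compat Tree' permission appears to mirror the 'System: Read Group Compat Tree' entry just above it (same anonymous bind rule, same attribute set) with only the target changed to the cn=* wildcard under cn=views,cn=compat, and nothing explains why a separate permission is needed or what that subtree holds. A one-line comment above the entry would help, e.g. `# Per-view compat subtrees live under cn=<view>,cn=views,cn=compat; cn=* covers every view`, and the same applies to 'System: Read User Views Compat Tree' in user.py. Since both entries duplicate the attribute list of the non-view permission, a later change to the compat attribute set has to be made in both places; the comment could say so. The enclosing group class starts and continues outside the hunk.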
@ -435,6 +435,17 @@ class user(LDAPObject):
|
||||
'homedirectory', 'loginshell',
|
||||
},
|
||||
},
|
||||
'System: Read User Views Compat Tree': {
|
||||
'non_object': True,
|
||||
'ipapermbindruletype': 'anonymous',
|
||||
'ipapermlocation': api.env.basedn,
|
||||
'ipapermtarget': DN('cn=users', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
|
||||
'homedirectory', 'loginshell',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
label = _('Users')
|
||||
|
@ -117,6 +117,17 @@ NONOBJECT_PERMISSIONS = {
|
||||
},
|
||||
'default_privileges': {'IPA Masters Readers'},
|
||||
},
|
||||
'System: Compat Tree ID View targets': {
|
||||
'replaces_global_anonymous_aci': True,
|
||||
'ipapermlocation': api.env.basedn,
|
||||
'ipapermtarget': DN('cn=*,cn=compat', api.env.basedn),
|
||||
'ipapermtargetfilter': {'(objectclass=ipaOverrideTarget)'},
|
||||
'ipapermbindruletype': 'anonymous',
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'ipaAnchorUUID',
|
||||
},
|
||||
},
|
||||
'System: Read DNA Configuration': {
|
||||
'replaces_global_anonymous_aci': True,
|
||||
'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
|
||||
|
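Review bot: The new 'System: Compat Tree ID View targets' permission lets anonymous binds read ipaanchoruuid on every ipaOverrideTarget entry under cn=compat, and per the schema-compat rules in this commit that value is `:IPA:$DOMAIN:<ipauniqueid>` of the source entry; the 'System: Read User Standard Attributes' ACI shown in ACI.txt does not list ipauniqueid, so unless it is anonymously readable through some other permission this newly exposes every user's ipaUniqueID to unauthenticated clients. That is presumably intended so legacy clients can match overrides to their anchors, but it deserves a comment on the permission, e.g. `# Anchor is derived from the source entry's ipaUniqueID; anonymous read is needed by legacy (compat) clients`. Minor style point: 'ipapermtarget' is built here as DN('cn=*,cn=compat', api.env.basedn), while group.py and user.py in the same commit pass RDN components separately; `'ipapermtarget': DN('cn=*', 'cn=compat', api.env.basedn),` would match them, assuming both forms parse to the same DN as they appear to. The NONOBJECT_PERMISSIONS dict starts and ends outside the hunk.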