Name update files so they can be easily sorted.

We want to process some updates in a particular order (schema, structural).
Using an init-inspired ordering mechanism.

install/updates/10-RFC2307bis.update

@@ -47,8 +47,8 @@ add:attributeTypes:
 add:objectClasses:
    ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
      DESC 'nisKeyObject' SUP top
-     MUST ( cn $ nisPublickey $ nisSecretkey )
-     MAY ( uidNumber $ description ) )
+     MUST ( cn $$ nisPublickey $$ nisSecretkey )
+     MAY ( uidNumber $$ description ) )
 add:objectClasses:
    ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'
      DESC 'nisDomainObject' SUP top AUXILIARY
@@ -57,9 +57,9 @@ add:objectClasses:
    ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup'
      DESC 'mailGroup' SUP top
      MUST ( mail )
-     MAY ( cn $ mgrpRFC822MailMember ) )
+     MAY ( cn $$ mgrpRFC822MailMember ) )
 add:objectClasses:
    ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId'
      DESC 'nisNetId' SUP top
      MUST ( cn )
-     MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
+     MAY ( nisNetIdUser $$ nisNetIdGroup $$ nisNetIdHost ) )

install/updates/10-RFC4876.update

@@ -135,12 +135,12 @@ add:objectClasses:
      SUP top STRUCTURAL
      DESC 'Abstraction of a base configuration for a DUA'
      MUST ( cn )
-     MAY ( defaultServerList $ preferredServerList $
-           defaultSearchBase $ defaultSearchScope $
-           searchTimeLimit $ bindTimeLimit $
-           credentialLevel $ authenticationMethod $
-           followReferrals $ dereferenceAliases $
-           serviceSearchDescriptor $ serviceCredentialLevel $
-           serviceAuthenticationMethod $ objectclassMap $
-           attributeMap $ profileTTL ) 
+     MAY ( defaultServerList $$ preferredServerList $$
+           defaultSearchBase $$ defaultSearchScope $$
+           searchTimeLimit $$ bindTimeLimit $$
+           credentialLevel $$ authenticationMethod $$
+           followReferrals $$ dereferenceAliases $$
+           serviceSearchDescriptor $$ serviceCredentialLevel $$
+           serviceAuthenticationMethod $$ objectclassMap $$
+           attributeMap $$ profileTTL ) 
      X-ORIGIN 'RFC4876' )

install/updates/20-dna.update

@@ -0,0 +1,3 @@
+# Enable the DNA plugin
+dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on

install/updates/30-rolegroup.update

@@ -3,3 +3,4 @@
 dn: cn=rolegroups,cn=accounts,$SUFFIX
 add:objectClass: nsContainer
 add:cn: rolegroups
+

install/updates/40-delegation.update

@@ -0,0 +1,124 @@
+# Add the default roles 
+
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: helpdesk
+add:description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: useradmin
+add:description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: groupadmin
+add:description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: hostadmin
+add:description: Host Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: delegationadmin
+add:description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: serviceadmin
+add:description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: automountadmin
+add:description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: netgroupadmin
+add:description: Netgroups Administrators
+
+dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:objectClass: nestedgroup
+add:cn: useradmins
+add:description: User Administrators
+
+# Add the taskgroups referenced by the ACIs for user administration
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:objectClass: top
+add:cn: taskgroups
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: addusers
+add:description: Add Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: change_password
+add:description: Change a user password
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: add_user_to_default_group
+add:description: Add user to default group
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: removeusers
+add:description: Remove Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: modifyusers
+add:description: Modify Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACIs that grant these permissions for user administration
+
+dn: $SUFFIX
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+  3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
+ ,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
+ te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+ ";)
+add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
+ te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
+ ,$SUFFIX";)
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+  3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
+ askgroups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials 
+ || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
+ umber || telephoneNumber || street || roomNumber || l || st || postalCode || 
+ manager || secretary || description || carLicense || labeledURI || inetUserHT
+ TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
+ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
+ s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX";)
+

install/updates/Makefile.am

@@ -2,18 +2,20 @@ NULL =
 
 appdir = $(IPA_DATA_DIR)/updates
 app_DATA =				\
-	automount.update		\
-	groupofhosts.update		\
-	indices.update			\
-	nss_ldap.update			\
-	replication.update		\
-	RFC2307bis.update		\
-	RFC4876.update			\
-	netgroups.update		\
-	policy.update			\
-	rolegroup.update		\
-	taskgroup.update		\
-	winsync_index.update		\
+	10-RFC2307bis.update		\
+	10-RFC4876.update		\
+	20-dna.update			\
+	20-indices.update		\
+	20-nss_ldap.update		\
+	20-replication.update		\
+	20-winsync_index.update		\
+	30-automount.update		\
+	30-groupofhosts.update		\
+	30-netgroups.update		\
+	30-policy.update		\
+	30-rolegroup.update		\
+	30-taskgroup.update		\
+	40-delegation.update		\
 	$(NULL)
 
 EXTRA_DIST =				\

install/updates/README

@@ -0,0 +1,8 @@
+The update files are sorted before being processed because there are
+cases where order matters (such as getting schema added first, creating
+parent entries, etc).
+
+10 - 20: Schema
+20 - 30: FDS Configuration, new indices
+30 - 40: Structual elements of the DIT
+40 - 50: Pre-loaded data