Install policy schema

install/share/60policyv2.ldif

@@ -0,0 +1,25 @@
+dn: cn=schema
+objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaContainer' SUP nsContainer STRUCTURAL MAY description X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.28 NAME 'ipaPolicyType' DESC 'Type of the policy' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.29 NAME 'ipaSchemaFile' DESC 'Name of the file with schema definition' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.30 NAME 'ipaTrasformFile' DESC 'Name of the policy transformation file' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.13 NAME 'ipaPolicyTemplate' SUP top STRUCTURAL MUST ( cn $ ipaUniqueID $ ipaPolicyType $ ipaSchemaFile ) MAY ( ipaTrasformFile $ description ) X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.31 NAME 'ipaOrderedUUIDList' DESC 'Defines order of the entities within some sort of ordered group' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.32 NAME 'ipaLastChangeBy' DESC 'DN of the user who caused the configuration change' SUP owner EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.33 NAME 'ipaLastChanged' DESC 'Last time there was some change to the data' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.34 NAME 'ipaAllowedTemplateRef' DESC 'DN of the allowed policy template' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaOrderedContainer' SUP ipaContainer STRUCTURAL MAY ( ipaOrderedUUIDList $ ipaLastChangeBy $ ipaLastChanged ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPolicyGroup' SUP ipaOrderedContainer STRUCTURAL MUST ( ipaUniqueID $ ipaEnabledFlag ) MAY ipaAllowedTemplateRef X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.35 NAME 'ipaTemplateRef' DESC 'DN of the allowed policy template' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.36 NAME 'ipaPolicyBlob' DESC 'Compressed XML policy data in binary format' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.37 NAME 'ipaPolicyState' DESC 'State of the policy data' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.16 NAME 'ipaPolicy' SUP ipaContainer STRUCTURAL MUST ( ipaUniqueID $ ipaEnabledFlag $ ipaTemplateRef ) MAY ( ipaLastChangeBy $ ipaLastChanged ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.17 NAME 'ipaPolicyData' SUP top STRUCTURAL MUST ( ipaUniqueID $ cn $ ipaPolicyState $ ipaLastChangeBy $ ipaLastChanged ) MAY ( ipaPolicyBlob $ description ) X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.38 NAME 'ipaPolicyGroupRef' DESC 'DN of the member policy group reference' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.18 NAME 'ipaPolicyLink' SUP ipaAssociation STRUCTURAL MAY ( ipaPolicyGroupRef $ owner ) X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.39 NAME 'ipaRoleType' DESC 'Type of the role' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2')
+attributeTypes: (2.16.840.1.113730.3.8.3.40 NAME 'ipaRoleOrder' DESC 'List of possible roles in priority order' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2')
+objectClasses: (2.16.840.1.113730.3.8.4.19 NAME 'ipaRelationsContainer' SUP ipaContainer STRUCTURAL MUST ( ipaRoleType $ ipaRoleOrder ) X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.41 NAME 'ipaRoleRef' DESC 'DN of the role definition policy' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.42 NAME 'ipaRoleName' DESC 'Name of the role' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.20 NAME 'ipaRelation' SUP ipaAssociation STRUCTURAL MUST ( ipaRoleRef $ ipaRoleName ) X-ORIGIN 'IPA v2' )

install/share/Makefile.am

@@ -8,6 +8,7 @@ app_DATA =				\
 	60radius.ldif			\
 	60ipaconfig.ldif		\
 	60basev2.ldif			\
+	60policyv2.ldif			\
 	bootstrap-template.ldif		\
 	default-aci.ldif		\
 	default-keytypes.ldif		\

install/updates/Makefile.am

@@ -10,6 +10,7 @@ app_DATA =				\
 	RFC2307bis.update		\
 	RFC4876.update			\
 	netgroups.update		\
+	policy.update			\
 	winsync_index.update		\
 	$(NULL)
 

install/updates/policy.update

@@ -0,0 +1,44 @@
+# bootstrap the policy DIT structure
+
+dn: cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: policies
+add: description: Root of the policy related sub tree
+
+dn: cn=configs,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: configs
+add: description: Root of the sub tree that holds configuration policies for different applications
+
+dn: cn=applications,cn=configs,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: applications
+add: description: Root of the tree that hold all definitions of the supported applications
+
+dn: cn=Shell Applications,cn=applications,cn=configs,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: Shell Applications
+add: description: Shell Applications - special application that holds templates for actions
+
+dn: cn=roles,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: roles
+add: description: Root of the sub tree that holds role management data
+
+dn: cn=policygroups,cn=configs,cn=policies,$SUFFIX
+add: objectclass: ipaContainer
+add: objectclass: ipaOrderedContainer
+add: cn: policygroups
+add: description: Sub tree to hold policy groups
+
+dn: cn=policylinks,cn=configs,cn=policies,$SUFFIX
+add: objectclass: ipaContainer
+add: objectclass: ipaOrderedContainer
+add: cn: policylinks
+add: description: Sub tree to hold policy links
+

ipaserver/install/dsinstance.py

@@ -268,6 +268,8 @@ class DsInstance(service.Service):
                         schema_dirname(self.serverid) + "60ipaconfig.ldif")
         shutil.copyfile(ipautil.SHARE_DIR + "60basev2.ldif",
                         schema_dirname(self.serverid) + "60basev2.ldif")
+        shutil.copyfile(ipautil.SHARE_DIR + "60policyv2.ldif",
+                        schema_dirname(self.serverid) + "60policyv2.ldif")
         shutil.move(schema_dirname(self.serverid) + "05rfc2247.ldif",
                         schema_dirname(self.serverid) + "05rfc2247.ldif.old")
         shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif",