Enable SASL mapping fallback.

Assign a default priority of 10 to our SASL mappings. https://fedorahosted.org/freeipa/ticket/3330
2025-02-25 18:55:28 -06:00 · 2013-03-22 11:15:51 +01:00
parent f5bc155f56
commit ea7db35b62
6 changed files with 28 additions and 4 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.0
+BuildRequires:  389-ds-base-devel >= 1.3.1.1
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -89,7 +89,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.0.5
+Requires: 389-ds-base >= 1.3.1.1
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -815,6 +815,10 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 %changelog
 * Wed Jun 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.2.99-3
 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
  support.
 * Mon Jun 17 2013 Petr Viktorin <pviktori@redhat.com> - 3.2.99-2
 - Add the freeipa-tests subpackage
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -63,6 +63,7 @@ app_DATA =				\
 	replica-s4u2proxy.ldif		\
 	copy-schema-to-ca.py		\
 	upload-cacert.ldif		\
 	sasl-mapping-fallback.ldif	\
 	$(NULL)
 EXTRA_DIST =				\
--- a/install/share/sasl-mapping-fallback.ldif
+++ b/install/share/sasl-mapping-fallback.ldif
@@ -0,0 +1,4 @@
 dn: cn=config
 changetype: modify
 replace: nsslapd-sasl-mapping-fallback
 nsslapd-sasl-mapping-fallback: on
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -47,3 +47,13 @@ only:nsslapd-minssf-exclude-rootdse:on
 # POSIX winsync plugin
 dn: cn=ipa-winsync,cn=plugins,cn=config
 only: nsslapd-pluginPrecedence: 60
 # Enable SASL mapping fallback
 dn: cn=config
 only:nsslapd-sasl-mapping-fallback: on
 dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
 addifnew:nsSaslMapPriority: 10
 dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
 addifnew:nsSaslMapPriority: 10
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -215,6 +215,7 @@ class DsInstance(service.Service):
        self.step("configure autobind for root", self.__root_autobind)
        self.step("configure new location for managed entries", self.__repoint_managed_entries)
        self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
        self.step("enable SASL mapping fallback", self.__enable_sasl_mapping_fallback)
        self.step("restarting directory server", self.__restart_instance)
    def __common_post_setup(self):
@@ -657,6 +658,9 @@ class DsInstance(service.Service):
    def __enable_ldapi(self):
        self._ldap_mod("ldapi.ldif", self.sub_dict)
    def __enable_sasl_mapping_fallback(self):
        self._ldap_mod("sasl-mapping-fallback.ldif", self.sub_dict)
    def add_hbac(self):
        self._ldap_mod("default-hbac.ldif", self.sub_dict)
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -277,6 +277,7 @@ class KrbInstance(service.Service):
            nsSaslMapRegexString=['\(.*\)@\(.*\)'],
            nsSaslMapBaseDNTemplate=[self.suffix],
            nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
            nsSaslMapPriority=['10'],
        )
        self.admin_conn.add_entry(entry)
@@ -288,8 +289,8 @@ class KrbInstance(service.Service):
            cn=["Name Only"],
            nsSaslMapRegexString=['^[^:@]+$'],
            nsSaslMapBaseDNTemplate=[self.suffix],
-            nsSaslMapFilterTemplate=[
+            nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
-                '(krbPrincipalName=&@%s)' % self.realm],
+            nsSaslMapPriority=['10'],
        )
        self.admin_conn.add_entry(entry)