diff --git a/install/share/60basev4.ldif b/install/share/60basev4.ldif
index c48b0c36a..ecfcf2d15 100644
--- a/install/share/60basev4.ldif
+++ b/install/share/60basev4.ldif
@@ -18,3 +18,17 @@ objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subord
 objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
 objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
 objectClasses: (2.16.840.1.113730.3.8.24.5 NAME 'ipaSubordinateIdEntry' DESC 'Subordinate uid and gid entry' SUP top STRUCTURAL MUST ( ipaUniqueId ) MAY ( description ) X-ORIGIN 'IPA v4.9')
+# External IdP support
+attributeTypes: (2.16.840.1.113730.3.8.23.15 NAME 'ipaIdpDevAuthEndpoint' DESC 'Identity Provider Device Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.16 NAME 'ipaIdpAuthEndpoint' DESC 'Identity Provider Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.17 NAME 'ipaIdpTokenEndpoint' DESC 'Identity Provider Token Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.18 NAME 'ipaIdpClientId' DESC 'Identity Provider Client Identifier' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.19 NAME 'ipaIdpClientSecret' DESC 'Identity Provider Client Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.20 NAME 'ipaIdpScope' DESC 'Identity Provider Scope' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.21 NAME 'ipaIdpConfigLink' DESC 'Corresponding Identity Provider Configuration link' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: (2.16.840.1.113730.3.8.23.22 NAME 'ipaIdpSub' DESC 'Identity Provider User Subject' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.23 NAME 'ipaIdpIssuerURL' DESC 'Identity Provider OIDC URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.24 NAME 'ipaIdpUserInfoEndpoint' DESC 'Identity Provider UserInfo Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+attributeTypes: (2.16.840.1.113730.3.8.23.25 NAME 'ipaIdpKeysEndpoint' DESC 'Identity Provider JWKS Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
+objectClasses: (2.16.840.1.113730.3.8.24.6 NAME 'ipaIdP' SUP top STRUCTURAL DESC 'Identity Provider Configuration' MUST ( cn ) MAY ( ipaIdpDevAuthEndpoint $ ipaIdpAuthEndpoint $ ipaIdpTokenEndpoint $ ipaIdpUserInfoEndpoint $ ipaIdpKeysEndpoint $ ipaIdpClientId $ description $ ipaIdpClientSecret $ ipaIdpScope $ ipaIdpIssuerURL $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
+objectClasses: (2.16.840.1.113730.3.8.24.7 NAME 'ipaIdpUser' SUP top AUXILIARY DESC 'User from an external Identity Provider ' MAY ( ipaIdpConfigLink $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 064078306..e35aeeef4 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
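Review bot: The IdP configuration attributes added here (the five endpoints, ipaIdpClientId, ipaIdpClientSecret, ipaIdpScope and ipaIdpIssuerURL) carry no SINGLE-VALUE flag, while ipaIdpConfigLink does, so a single ipaIdP entry can legally hold several token endpoints or client secrets with no defined precedence; if a consumer is meant to pick exactly one, mark them `SINGLE-VALUE` as on the ipaIdpConfigLink line. The ipaIdpUser description ends in a stray space (`'User from an external Identity Provider '`). Both new objectClasses also place SUP and the kind before DESC, the reverse of the ipaSubordinate* definitions above and of the RFC 4512 element order; if 389-ds accepts that order it still reads inconsistently next to the neighbouring lines. Note that ipaIdpClientSecret is a plain octet-string attribute on an ordinary entry and nothing in this hunk marks it as sensitive, so its read protection has to be provided by ACIs elsewhere.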
@@ -307,3 +307,11 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: External IdP server Administrators
+description: External IdP server Administrators
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 42c16bc3a..dfdb242b1 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -199,6 +199,38 @@ default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 
+dn: cn=ipaIdpDevAuthEndpoint,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaIdpDevAuthEndpoint
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: sub
+
+dn: cn=ipaIdpAuthEndpoint,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaIdpAuthEndpoint
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: sub
+
+dn: cn=ipaIdpScope,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaIdpScope
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: sub
+
+dn: cn=ipaIdpTokenEndpoint,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaIdpTokenEndpoint
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: sub
+
 dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaKrbAuthzData
 default:objectClass: nsIndex
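Review bot: The new `External IdP server Administrators` privilege is created empty: no permission or ACI in this commit grants it anything, and no ACI limits read access to the ipaIdpClientSecret attribute that the schema change in 60basev4.ldif introduces. If the permissions are meant to arrive as managed permissions from a later plugin commit, a comment on the privilege entry saying so (`# permissions for this privilege are attached by the idp plugin`) would spare the next reader the search; otherwise read access to ipaIdpClientSecret should be restricted before entries under cn=idp,$SUFFIX are populated. The same privilege entry is mirrored in 40-delegation.update, so any comment belongs in both places.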
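Review bot: The index set is uneven: ipaIdpDevAuthEndpoint, ipaIdpAuthEndpoint, ipaIdpScope and ipaIdpTokenEndpoint get `eq` and `sub` indexes, while ipaIdpIssuerURL, ipaIdpUserInfoEndpoint, ipaIdpKeysEndpoint, ipaIdpClientId and ipaIdpSub get none, even though ipaIdpSub is presumably the attribute a lookup of an external user by subject would filter on; if such searches are expected, an `eq` index on ipaIdpSub matters more than substring indexes on URL-valued attributes. Leaving ipaIdpClientSecret unindexed is the right call, since an index would store the secret values as keys in the index files. A short comment above the block stating the intended search patterns would make the choice of `sub` on endpoint URLs look deliberate rather than arbitrary.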
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index b29926a4e..759cf5b76 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -22,3 +22,4 @@ add: referint-membership-attr: ipamembercertprofile
 add: referint-membership-attr: ipalocation
 add: referint-membership-attr: membermanager
 add: referint-membership-attr: ipaowner
+add: referint-membership-attr: ipaidpconfiglink
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f12186053..2de5f10fe 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -299,3 +299,10 @@ default:objectClass: groupofnames
 default:objectClass: nestedgroup
 default:cn: DNS Servers
 default:description: DNS Servers
+
+dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: External IdP server Administrators
+default:description: External IdP server Administrators
diff --git a/install/updates/40-idp.update b/install/updates/40-idp.update
new file mode 100644
index 000000000..347aee5b2
--- /dev/null
+++ b/install/updates/40-idp.update
@@ -0,0 +1,13 @@
+dn: cn=idp,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: idp
+
+dn: cn=ipaidpconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaidpconfiglink
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: pres
+add:nsIndexType: sub
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 652b6ae38..43a3c11b6 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -40,6 +40,7 @@ app_DATA = \
 	40-dns.update \
 	40-automember.update \
 	40-certprofile.update \
+	40-idp.update \
 	40-otp.update \
 	40-vault.update \
 	41-caacl.update \
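Review bot: The container entry in 40-idp.update writes its attributes as `default: objectClass: nsContainer` with a space after the action, while the index entry a few lines below (and every entry in 20-indices.update) uses `default:objectClass:`; unless the updater is known to tolerate the space, the three container lines should read `default:objectClass: nsContainer`, `default:objectClass: top` and `default:cn: idp`. The ipaidpconfiglink index is also the only ipaIdp* index kept out of 20-indices.update, the only one with an all-lowercase cn, and the only one that adds a `pres` index type, which reads as an oversight rather than a decision. A one-line comment explaining why it is separate, or moving it next to the others, would settle that for the next reader.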