external-idp: add LDAP schema, indices and other LDAP objects

Fixes: https://pagure.io/freeipa/issue/8803 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Sumit Bose <sbose@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-05-03 11:37:08 +03:00 · 2022-05-03 11:37:08 +03:00 · fd19bdfd54
commit fd19bdfd54
parent 0484949b80
7 changed files with 76 additions and 0 deletions
--- a/install/share/60basev4.ldif
+++ b/install/share/60basev4.ldif
@ -18,3 +18,17 @@ objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subord
 objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
 objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( ipaOwner $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
 objectClasses: (2.16.840.1.113730.3.8.24.5 NAME 'ipaSubordinateIdEntry' DESC 'Subordinate uid and gid entry' SUP top STRUCTURAL MUST ( ipaUniqueId ) MAY ( description ) X-ORIGIN 'IPA v4.9')
 # External IdP support
 attributeTypes: (2.16.840.1.113730.3.8.23.15 NAME 'ipaIdpDevAuthEndpoint' DESC 'Identity Provider Device Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.16 NAME 'ipaIdpAuthEndpoint' DESC 'Identity Provider Authorization Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.17 NAME 'ipaIdpTokenEndpoint' DESC 'Identity Provider Token Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.18 NAME 'ipaIdpClientId' DESC 'Identity Provider Client Identifier' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.19 NAME 'ipaIdpClientSecret' DESC 'Identity Provider Client Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.20 NAME 'ipaIdpScope' DESC 'Identity Provider Scope' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.21 NAME 'ipaIdpConfigLink' DESC 'Corresponding Identity Provider Configuration link' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
 attributeTypes: (2.16.840.1.113730.3.8.23.22 NAME 'ipaIdpSub' DESC 'Identity Provider User Subject' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.23 NAME 'ipaIdpIssuerURL' DESC 'Identity Provider OIDC URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.24 NAME 'ipaIdpUserInfoEndpoint' DESC 'Identity Provider UserInfo Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 attributeTypes: (2.16.840.1.113730.3.8.23.25 NAME 'ipaIdpKeysEndpoint' DESC 'Identity Provider JWKS Endpoint' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9' )
 objectClasses: (2.16.840.1.113730.3.8.24.6 NAME 'ipaIdP' SUP top STRUCTURAL DESC 'Identity Provider Configuration' MUST ( cn ) MAY ( ipaIdpDevAuthEndpoint $ ipaIdpAuthEndpoint $ ipaIdpTokenEndpoint $ ipaIdpUserInfoEndpoint $ ipaIdpKeysEndpoint $ ipaIdpClientId $ description $ ipaIdpClientSecret $ ipaIdpScope $ ipaIdpIssuerURL $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
 objectClasses: (2.16.840.1.113730.3.8.24.7 NAME 'ipaIdpUser' SUP top AUXILIARY DESC 'User from an external Identity Provider ' MAY ( ipaIdpConfigLink $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@ -307,3 +307,11 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
 dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
 cn: External IdP server Administrators
 description: External IdP server Administrators
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@ -199,6 +199,38 @@ default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 dn: cn=ipaIdpDevAuthEndpoint,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaIdpDevAuthEndpoint
 default:objectClass: nsIndex
 default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: sub
 dn: cn=ipaIdpAuthEndpoint,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaIdpAuthEndpoint
 default:objectClass: nsIndex
 default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: sub
 dn: cn=ipaIdpScope,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaIdpScope
 default:objectClass: nsIndex
 default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: sub
 dn: cn=ipaIdpTokenEndpoint,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaIdpTokenEndpoint
 default:objectClass: nsIndex
 default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: sub
 dn: cn=ipaKrbAuthzData,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaKrbAuthzData
 default:objectClass: nsIndex
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@ -22,3 +22,4 @@ add: referint-membership-attr: ipamembercertprofile
 add: referint-membership-attr: ipalocation
 add: referint-membership-attr: membermanager
 add: referint-membership-attr: ipaowner
 add: referint-membership-attr: ipaidpconfiglink
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@ -299,3 +299,10 @@ default:objectClass: groupofnames
 default:objectClass: nestedgroup
 default:cn: DNS Servers
 default:description: DNS Servers
 dn: cn=External IdP server Administrators,cn=privileges,cn=pbac,$SUFFIX
 default:objectClass: top
 default:objectClass: groupofnames
 default:objectClass: nestedgroup
 default:cn: External IdP server Administrators
 default:description: External IdP server Administrators
--- a/install/updates/40-idp.update
+++ b/install/updates/40-idp.update
@ -0,0 +1,13 @@
 dn: cn=idp,$SUFFIX
 default: objectClass: nsContainer
 default: objectClass: top
 default: cn: idp
 dn: cn=ipaidpconfiglink,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipaidpconfiglink
 default:objectClass: nsIndex
 default:objectClass: top
 default:nsSystemIndex: false
 add:nsIndexType: eq
 add:nsIndexType: pres
 add:nsIndexType: sub
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@ -40,6 +40,7 @@ app_DATA =				\
 	40-dns.update			\
 	40-automember.update		\
 	40-certprofile.update		\
 	40-idp.update			\
 	40-otp.update			\
 	40-vault.update			\
 	41-caacl.update			\