mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
0e9ce73a52
It is possible to add caacl entries with the same "name" (cn). The command is supposed to prevent this, but direct LDAP operations allow it, and doing so causes subsequent errors. Enable the DS uniqueness constraint plugin for the cn attribute in CA ACL entries.

Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
# Attribute-uniqueness plugin instance for sudo rule names: no two entries under
# cn=sudorules,cn=sudo,$SUFFIX may carry the same cn value.
# Every value below is a "default:" directive, i.e. it is meant for creating the
# plugin entry; an entry that already exists is not rewritten by these lines.
# NOTE(review): the check is made by the server that receives the write. Confirm
# whether updates arriving through replication are re-checked on the deployed
# directory server version; if not, conflicting writes on two replicas can still
# leave duplicate rule names behind.
dn: cn=sudorule name uniqueness,cn=plugins,cn=config
# --- entry identity ---
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: sudorule name uniqueness
# --- plugin loading: shared library, init symbol, pre-operation hook ---
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginEnabled: on
# --- constraint: which attribute must be unique, and inside which subtree ---
default:uniqueness-attribute-name: cn
default:uniqueness-subtrees: cn=sudorules,cn=sudo,$SUFFIX
# --- descriptive metadata ---
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
default:nsslapd-pluginDescription: Enforce unique attribute values
# Attribute-uniqueness plugin instance for the certificate store: no two entries
# under cn=certificates,cn=ipa,cn=etc,$SUFFIX may share an ipaCertSubject value.
# Presumably this keeps the store from holding two entries that claim the same
# subject; verify how consumers of the store rely on it.
# Every value below is a "default:" directive, i.e. it is meant for creating the
# plugin entry; an entry that already exists is not rewritten by these lines.
dn: cn=certificate store subject uniqueness,cn=plugins,cn=config
# --- entry identity ---
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: certificate store subject uniqueness
# --- plugin loading: shared library, init symbol, pre-operation hook ---
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginEnabled: on
# --- constraint: which attribute must be unique, and inside which subtree ---
default:uniqueness-attribute-name: ipaCertSubject
default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
# --- descriptive metadata ---
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
default:nsslapd-pluginDescription: Enforce unique attribute values
# Attribute-uniqueness plugin instance for the certificate store: no two entries
# under cn=certificates,cn=ipa,cn=etc,$SUFFIX may share an ipaCertIssuerSerial
# value. It covers the same subtree as the ipaCertSubject constraint but is a
# separate plugin entry, so each attribute is checked on its own.
# Every value below is a "default:" directive, i.e. it is meant for creating the
# plugin entry; an entry that already exists is not rewritten by these lines.
dn: cn=certificate store issuer/serial uniqueness,cn=plugins,cn=config
# --- entry identity ---
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: certificate store issuer/serial uniqueness
# --- plugin loading: shared library, init symbol, pre-operation hook ---
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginEnabled: on
# --- constraint: which attribute must be unique, and inside which subtree ---
default:uniqueness-attribute-name: ipaCertIssuerSerial
default:uniqueness-subtrees: cn=certificates,cn=ipa,cn=etc,$SUFFIX
# --- descriptive metadata ---
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
default:nsslapd-pluginDescription: Enforce unique attribute values
# Attribute-uniqueness plugin instance for login names: uid is checked across the
# whole $SUFFIX, with two subtrees excluded and the check tied to posixAccount.
# Every value below is a "default:" directive, i.e. it is meant for creating the
# plugin entry; an entry that already exists is not rewritten by these lines.
# NOTE(review): entries under the excluded subtrees are not covered, so a staged
# user can carry a uid that an active account already uses. Confirm that the
# collision is caught when the staged entry is moved into the checked area.
# NOTE(review): the check is made by the server that receives the write. Confirm
# whether updates arriving through replication are re-checked on the deployed
# directory server version.
dn: cn=uid uniqueness,cn=plugins,cn=config
# --- entry identity ---
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: uid uniqueness
# --- plugin loading: shared library, init symbol, pre-operation hook ---
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginEnabled: on
# --- constraint: attribute and the subtree it is enforced in ---
default:uniqueness-attribute-name: uid
default:uniqueness-subtrees: $SUFFIX
# Subtrees left out of the check (compat tree and staged users).
default:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
default:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
# Treat the configured scope as one namespace rather than checking per subtree.
default:uniqueness-across-all-subtrees: on
# Limit the check to entries of this object class -- TODO confirm exact matching
# rules against the plugin documentation.
default:uniqueness-subtree-entries-oc: posixAccount
# --- descriptive metadata ---
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
default:nsslapd-pluginDescription: Enforce unique attribute values
# uid uniqueness scopes Active/Delete containers
# These add/remove directives carry the same values as the "default:" lines of the
# uid uniqueness entry. Their apparent purpose is to bring a plugin entry that
# already exists to the same scope, since defaults are only used at creation.
dn: cn=uid uniqueness,cn=plugins,cn=config
# Leave the compat tree and staged users out of the uid check.
add:uniqueness-exclude-subtrees: cn=compat,$SUFFIX
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
# Replace "off" with "on"; the remove comes first so the two values never coexist.
remove:uniqueness-across-all-subtrees: off
add:uniqueness-across-all-subtrees: on
# Restrict the check to posixAccount entries.
add:uniqueness-subtree-entries-oc: posixAccount
# krbPrincipalName uniqueness scopes Active/Delete containers
# Adjusts an existing plugin entry: staged users are excluded from the principal
# name check, and the remaining scope is treated as one namespace.
# NOTE(review): unlike the uid entry, no "remove:uniqueness-across-all-subtrees: off"
# precedes the add. Confirm that an existing entry cannot already hold "off", which
# would leave both values present.
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# krbCanonicalName uniqueness scopes Active/Delete containers
# Adjusts an existing plugin entry: staged users are excluded from the canonical
# name check, and the remaining scope is treated as one namespace.
# NOTE(review): unlike the uid entry, no "remove:uniqueness-across-all-subtrees: off"
# precedes the add. Confirm that an existing entry cannot already hold "off", which
# would leave both values present.
dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# ipaUniqueID uniqueness scopes Active/Delete containers
# Adjusts an existing plugin entry: staged users are excluded from the ipaUniqueID
# check, and the remaining scope is treated as one namespace.
# NOTE(review): unlike the uid entry, no "remove:uniqueness-across-all-subtrees: off"
# precedes the add. Confirm that an existing entry cannot already hold "off", which
# would leave both values present.
dn: cn=ipaUniqueID uniqueness,cn=plugins,cn=config
add:uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:uniqueness-across-all-subtrees: on
# Attribute-uniqueness plugin instance for CA ACL names: no two entries under
# cn=caacls,cn=ca,$SUFFIX may carry the same cn value.
# The caacl command is supposed to reject duplicate names, but a direct LDAP
# write bypasses it, so the constraint is enforced in the directory server.
# Every value below is a "default:" directive, i.e. it is meant for creating the
# plugin entry; an entry that already exists is not rewritten by these lines.
# NOTE(review): the plugin rejects new conflicting writes. Duplicates created
# before it was enabled are presumably left in place, so audit the existing cn
# values under this subtree after upgrading.
# NOTE(review): the check is made by the server that receives the write. Confirm
# whether updates arriving through replication are re-checked on the deployed
# directory server version.
dn: cn=caacl name uniqueness,cn=plugins,cn=config
# --- entry identity ---
default:objectClass: top
default:objectClass: nsSlapdPlugin
default:objectClass: extensibleObject
default:cn: caacl name uniqueness
# --- plugin loading: shared library, init symbol, pre-operation hook ---
default:nsslapd-pluginPath: libattr-unique-plugin
default:nsslapd-pluginInitfunc: NSUniqueAttr_Init
default:nsslapd-pluginType: preoperation
default:nsslapd-plugin-depends-on-type: database
default:nsslapd-pluginEnabled: on
# --- constraint: which attribute must be unique, and inside which subtree ---
default:uniqueness-attribute-name: cn
default:uniqueness-subtrees: cn=caacls,cn=ca,$SUFFIX
# --- descriptive metadata ---
default:nsslapd-pluginId: NSUniqueAttr
default:nsslapd-pluginVersion: 1.1.0
default:nsslapd-pluginVendor: Fedora Project
default:nsslapd-pluginDescription: Enforce unique attribute values