freeipa/install
Alexander Bokovoy 34d06b2be7 Allow anonymous access to parentID attribute
Due to optimizations in 389-ds performed as a result of
https://pagure.io/389-ds-base/issue/49372, the LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now, but the FreeIPA DS instance does not allow it.

As a result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.

While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading the parentID attribute at the suffix level.

Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-28 15:29:00 +02:00
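An update-file entry of the kind the commit message describes, added here as an illustration and not the commit's own diff. It assumes the syntax of FreeIPA's updates directory (`dn:` followed by `add:aci:`, with `$SUFFIX` substituted by the updater); the file name and the ACI name are made up.

```ldif
# Constructed illustration: an entry in a file under the updates directory
# (file name is a placeholder, e.g. NN-parentid-aci.update). $SUFFIX is
# replaced by the updater with the directory suffix, e.g. dc=example,dc=com.
# The rule grants only read, search and compare on the single attribute the
# rewritten filter needs, to any bound identity (userdn "anyone" also covers
# anonymous binds), instead of widening an existing broad ACI.
dn: $SUFFIX
add:aci:'(targetattr = "parentID")(version 3.0; acl "Anonymous read access to parentID"; allow (read, search, compare) userdn = "ldap:///anyone";)'
```

After the update is applied, a one-level search such as `ldapsearch -LLL -x -s one -b <container dn> '(objectClass=*)' dn` should return the same entries that a sub-scope search matched before; an empty result with a non-empty sub-scope result indicates the ACI is not in effect.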
Name              Last commit                                           Date
certmonger        Have all the scripts run in python 3 by default       2018-02-15 18:43:12 +01:00
html              Address more 'to login'                               2017-12-12 12:53:21 +01:00
migration         logging: do not log into the root logger              2017-07-14 15:55:59 +02:00
oddjob            Have all the scripts run in python 3 by default       2018-02-15 18:43:12 +01:00
restart_scripts   Have all the scripts run in python 3 by default       2018-02-15 18:43:12 +01:00
share             Move ETag disabling to /ipa virtual server            2018-03-16 08:01:53 +01:00
tools             Encrypt httpd key stored on disk                      2018-03-23 12:48:46 +01:00
ui                Make WebUI unit tests to generate results as JUnit    2018-03-16 14:26:48 +01:00
updates           Allow anonymous access to parentID attribute          2018-03-28 15:29:00 +02:00
wsgi              logging: do not log into the root logger              2017-07-14 15:55:59 +02:00
Makefile.am       Encrypt httpd key stored on disk                      2018-03-23 12:48:46 +01:00
README.schema     Add some basic rules for adding new schema            2010-08-27 13:40:37 -04:00

Ground rules on adding new schema

Brand-new schema, particularly schema written specifically for IPA, should be
added as a file in share/*.ldif. Any new file needs to be explicitly loaded in
ipaserver/install/dsinstance.py. These files are simply copied directly into
the new instance's schema directory.

Existing schema (e.g. from an LDAP draft) may be added either as a separate
ldif in share or as an update in the updates directory. The advantage of
adding the schema as an update is that, if 389-ds ever ships the schema itself,
the installation will not fail because the already-present schema fails to
load during bootstrap.

If the new schema requires a new container, the container should be added
to install/bootstrap-template.ldif.