New LDAP object class "ipaUserSubordinate" with four new fields: - ipasubuidnumber / ipasubuidcount - ipasubgidnumber / ipasubgidcount New self-service permission to add subids. New command user-auto-subid to auto-assign subid. The code hard-codes counts to 65536, sets subgid equal to subuid, and does not allow removal of subids. There is also a hack that emulates a DNA plugin with step interval 65536 for testing. Work around problem with older SSSD clients that fail with unknown idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571 Related: https://pagure.io/freeipa/issue/8361 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
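# Distributed Numeric Assignment (DNA) plugin configuration.
# $SUFFIX, $IDSTART, $IDMAX and the $SUBID_* names are template variables;
# they and the eval(...) expressions are presumably expanded before this LDIF
# is applied (the expansion is not shown in this file).

# Range for POSIX IDs. uidNumber and gidNumber are both drawn from the single
# range dnaNextValue..dnaMaxValue. These numbers decide file ownership on
# enrolled hosts, so the range must not overlap IDs handed out by any other
# source.
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: eval($IDSTART)
dnaMaxValue: eval($IDMAX)
# Magic value: an entry written with -1 in a managed attribute asks the
# plugin to generate the number.
dnaMagicRegen: -1
# Only entries matching this filter, below dnaScope, get values assigned.
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaScope: $SUFFIX
# Remaining-values threshold at which the server asks for more range.
dnaThreshold: 500
# Shared entry through which servers publish their ranges.
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
# Entries under the provisioning subtree are excluded from assignment.
dnaExcludeScope: cn=provisioning,$SUFFIX

# Range for subordinate IDs. ipasubuidnumber and ipasubgidnumber share one
# range and are assigned only to entries with objectClass ipaSubordinateId.
dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: Subordinate IDs
dnaType: ipasubuidnumber
dnaType: ipasubgidnumber
dnaNextValue: eval($SUBID_RANGE_START)
dnaMaxValue: eval($SUBID_RANGE_MAX)
dnaMagicRegen: -1
dnaFilter: (objectClass=ipaSubordinateId)
dnaScope: $SUFFIX
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
# NOTE(review): while the step attributes below stay disabled, nothing in this
# entry reserves a block of $SUBID_COUNT IDs per assignment. Whatever keeps the
# per-entry subordinate ranges from overlapping lives outside this file;
# confirm it before changing counts or range bounds.
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# dnaStepAttr: ipaSubUidCount
# dnaStepAttr: ipaSubGidCount
# dnaStepAllowedValues: eval($SUBID_COUNT)
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX

# Enable the DNA plugin
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on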