2606f5aecd
This patch makes --setup-ca work to set up a clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
# Add the IPA CA managed suffix to this server's master entry.
# $FQDN and $SUFFIX are placeholders; presumably the updater substitutes the
# local host name and the IPA base DN before the entry is applied -- confirm.
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
# Auxiliary class that allows the ipaReplTopoManagedSuffix attribute below
# (inferred from the names; verify against the topology schema).
add: objectclass: ipaReplTopoManagedServer
# Record o=ipaca (the CA suffix) as a suffix managed on this server.
add: ipaReplTopoManagedSuffix: o=ipaca
# Add the IPA CA topology configuration area.
# Every attribute below uses "default:", which in IPA update files is applied
# only when this update creates the entry; an entry that already exists is
# left as it is, so local changes to it are not overwritten.
dn: cn=ipaca,cn=topology,cn=ipa,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: iparepltopoconf
# Root of the replicated tree this topology configuration describes.
default: ipaReplTopoConfRoot: o=ipaca
default: cn: ipaca
# Update CA replication settings.
# The three ACIs below are attached to the mapping-tree entry of the o=ipaca
# suffix ("\3D" is the escaped "=" inside the RDN value). Each one delegates a
# single operation on replication configuration to the members of one PBAC
# permission group under cn=permissions,cn=pbac,$SUFFIX.
# NOTE(review): all three use targetattr=*, so membership of these groups
# is effectively control over CA replication and should be reviewed and
# audited like any other high-privilege role.
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
# "Add Replication Agreements": grants (add) only. There is no targetfilter,
# so the right is not limited to agreement object classes.
add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
# "Modify Replication Agreements": grants (read, write, search) on every
# attribute of replica, replication-agreement, Windows-agreement and
# mapping-tree entries.
# NOTE(review): with targetattr=* this includes any bind DN, bind-DN group or
# stored credential attribute such entries may carry -- confirm this breadth
# is intended rather than an explicit attribute list.
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
# "Remove Replication Agreements": grants (delete), limited by the
# targetfilter to replication-agreement and Windows-agreement entries.
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
# Replica configuration entry of the o=ipaca suffix.
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
# "onlyifexist:" adds the value only when the entry is already present; the
# update does not create cn=replica itself.
# NOTE(review): nsds5replicabinddngroup presumably makes every member of the
# named group an accepted replication bind identity for the CA suffix, so
# membership of cn=replication managers is security-relevant -- confirm and
# monitor changes to that group.
onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX