freeipa/install/updates
Alexander Bokovoy e6f8d8bc9b ipasam: implement PASSDB getgrnam call
ipasam already implemented retrieval of groups for MS-SAMR calls.
However, it did not have implementation of a group retrieval for the
path of lookup_name() function in Samba. The lookup_name() is used in
many places in smbd and winbindd.

With this change it will be possible to resolve IPA groups in Windows UI
(Security tab) and console (net localgroup ...). When Global Catalog
service is enabled, it will be possible to search for those groups as
well.

In Active Directory, security groups can be domain, domain local, local
and so on. In IPA, only domain groups exposed through ipasam because
SID generation plugin only supports adding SIDs to POSIX groups and
users. Thus, non-POSIX groups are not going to have SIDs associated and
will not be visible in both UNIX and Windows environments.

Group retrieval in Samba is implemented as a mapping between NT and
POSIX groups. IPA doesn't have explicit mapping tables. Instead, any
POSIX group in IPA that has a SID associated with it is considered a
domain group for Samba.

Finally, additional ACI is required to ensure attributes looked up by
ipasam are always readable by the trust agents.

Fixes: https://pagure.io/freeipa/issue/8660
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
..
05-pre_upgrade_plugins.update Issue 8407 - Support changelog integration into main database 2020-08-04 10:54:57 +03:00
10-config.update Disable password schema update on LDAP bind 2020-05-11 14:36:39 +02:00
10-db-locks.update Fix nsslapd-db-lock tuning of BDB backend 2020-09-24 17:03:00 +02:00
10-enable-betxn.update Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
10-ipapwd.update Make sure ipapwd_extop takes precedence over passwd_modify_extop 2016-06-20 19:09:45 +02:00
10-rootdse.update Set the default attributes for RootDSE 2014-09-24 10:02:44 +02:00
10-selinuxusermap.update Remove schema modifications from update files 2013-11-18 16:54:21 +01:00
10-uniqueness.update Add uniqueness constraint on CA ACL name 2017-12-12 14:36:44 +01:00
19-managed-entries.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
20-aci.update Accept 389-ds JSON replication status messages 2020-12-01 08:45:07 +01:00
20-autobind.update Remove root-autobind configuration 2020-10-05 15:02:14 +02:00
20-default_password_policy.update Define default password policy for sysaccounts 2020-04-28 11:28:29 +02:00
20-dna.update Moved update of DNA plugin among update plugins 2016-11-11 12:13:56 +01:00
20-enable_dirsrv_plugins.update ensuring 389-ds plugins are enabled after install 2017-12-14 16:41:01 +01:00
20-host_nis_groups.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-indices.update Add more indices 2020-09-29 12:05:20 +02:00
20-ipaservers_hostgroup.update aci: add IPA servers host group 'ipaservers' 2015-12-07 08:13:23 +01:00
20-nss_ldap.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-replication.update Issue 8407 - Support changelog integration into main database 2020-08-04 10:54:57 +03:00
20-sslciphers.update Configure 389ds with "default" cipher suite 2016-03-09 10:04:58 +01:00
20-syncrepl.update ldap: limit the retro changelog to dns subtree 2017-10-26 12:40:28 +02:00
20-user_private_groups.update Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
20-uuid.update DNSSEC: DNS key synchronization daemon 2014-10-21 12:23:03 +02:00
20-whoami.update Adds whoami DS plugin in case that plugin is missing 2017-09-05 14:07:02 +02:00
21-ca_renewal_container.update Use certmonger to renew CA subsystem certificates 2012-07-30 13:39:08 +02:00
21-certstore_container.update Add container for certificate store. 2014-07-30 16:04:21 +02:00
21-replicas_container.update Store list of non-master replicas in DIT and provide way to list them 2011-03-02 09:46:46 -05:00
25-referint.update Add group membership management 2019-11-11 09:31:14 +01:00
30-ipservices.update Add index and container for RFC 2307 IP services 2018-12-11 12:16:00 +01:00
30-provisioning.update ACI: grant access to admins group instead of admin user 2018-02-19 15:51:44 +01:00
30-s4u2proxy.update Add S4U2Proxy delegation permissions on upgrades 2012-02-15 18:00:46 +01:00
37-locations.update DNS Locations: location-* commands 2016-06-03 15:58:21 +02:00
40-automember.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-certprofile.update Add certprofile plugin 2015-06-04 08:27:33 +00:00
40-delegation.update Issue 8456 - Add new aci's for the new replication changelog entries 2020-08-17 10:44:03 +02:00
40-dns.update Allow hosts to read DNS records for IP SAN 2020-03-16 13:04:17 +01:00
40-otp.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
40-realm_domains.update Add list of domains associated to our realm to cn=etc 2013-02-19 14:15:46 +02:00
40-replication.update Update ACIs with the correct syntax 2020-05-04 20:49:23 +02:00
40-vault.update vault: fix private service vault creation 2015-10-13 14:34:00 +02:00
41-caacl.update Add CA ACL plugin 2015-06-11 10:50:31 +00:00
41-lightweight-cas.update Add 'ca' plugin 2016-06-15 07:13:38 +02:00
45-roles.update Add Role 'Enrollment Administrator' 2017-06-09 16:37:40 +02:00
50-7_bit_check.update Do not check userPassword with 7-bit plugin 2013-06-06 18:12:50 +02:00
50-dogtag10-migration.update Add profiles and default CA ACL on migration 2015-11-24 10:12:24 +01:00
50-groupuuid.update The default groups we create should have ipaUniqueId set 2011-04-15 13:02:17 +02:00
50-hbacservice.update Add crond as a default HBAC service 2013-01-17 09:50:48 -05:00
50-ipaconfig.update Fix test_webui.test_selinuxusermap 2019-07-15 14:41:23 +03:00
50-krbenctypes.update Block camellia in krbenctypes update in FIPS 2019-11-05 11:48:28 -05:00
50-nis.update Upgrade: Fix upgrade of NIS Server configuration 2016-01-11 09:45:54 +01:00
55-pbacmemberof.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
59-trusts-sysacount.update Upgrade: fix trusts objectclass violationi 2014-11-13 13:31:17 +01:00
60-trusts.update ipasam: implement PASSDB getgrnam call 2021-01-22 12:21:33 -05:00
61-trusts-s4u2proxy.update Server Upgrade: remove CSV from upgrade files 2015-05-11 16:08:01 +00:00
62-ranges.update Remove changetype attribute from update plugin 2014-10-17 12:02:25 +02:00
71-idviews-sasl-mapping.update adtrust: support GSSAPI authentication to LDAP as Active Directory user 2016-06-10 13:39:02 +02:00
71-idviews.update idviews: Create container for ID views under cn=accounts 2014-09-30 10:42:06 +02:00
72-domainlevels.update Add Domain Level feature 2015-05-26 11:59:47 +00:00
73-certmap.update Support for Certificate Identity Mapping 2017-03-02 15:09:42 +01:00
73-custodia.update Setup lightweight CA key retrieval on install/upgrade 2016-06-09 09:04:27 +02:00
73-winsync.update winsync: Add inetUser objectclass to the passsync sysaccount 2015-09-16 17:13:42 +02:00
75-user-trust-attributes.update Add SMB attributes for users 2019-07-01 13:21:21 +02:00
80-schema_compat.update compat plugin: Update link to slapi-nis project 2017-04-24 17:11:51 +02:00
81-externalmembers.update install/updates: move external members past schema compat update 2020-02-12 11:45:39 +01:00
90-post_upgrade_plugins.update Add ipwpwdpolicy objectclass to all policies on upgrade 2020-11-06 16:29:41 -05:00
Makefile.am Remove root-autobind configuration 2020-10-05 15:02:14 +02:00
README Remove schema modifications from update files 2013-11-18 16:54:21 +01:00

The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc).

Updates are applied in blocks of ten so that any entries that are dependant
on another can be added successfully without having to rely on the length
of the DN to get the sorting correct.

The file names should use the format #-<description>.update where # conforms
to this:

10 - 19: Configuration
20 - 29: 389-ds configuration, new indices
30 - 39: Structual elements of the DIT
40 - 49: Pre-loaded data
50 - 59: Cleanup existing data
60 - 69: AD Trust
70 - 79: Reserved
80 - 89: Reserved

These numbers aren't absolute, there may be reasons to put an update
into one place or another, but by adhereing to the scheme it will be
easier to find existing updates and know where to put new ones.