freeipa/install/share/bootstrap-template.ldif
Stanislav Levin b2acd65013 Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00

501 lines
11 KiB
Plaintext

dn: cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: accounts
dn: cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: users
dn: cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: groups
dn: cn=services,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: services
dn: cn=computers,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: computers
dn: cn=hostgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hostgroups
dn: cn=ipservices,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: ipservices
dn: cn=alt,$SUFFIX
changetype: add
objectClass: nsContainer
cn: alt
dn: cn=ng,cn=alt,$SUFFIX
changetype: add
objectClass: nsContainer
cn: ng
dn: cn=automount,$SUFFIX
changetype: add
objectClass: nsContainer
cn: automount
dn: cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: nsContainer
cn: default
dn: automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: automountMap
automountMapName: auto.master
dn: automountmapname=auto.direct,cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: automountMap
automountMapName: auto.direct
dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: automount
automountKey: /-
automountInformation: auto.direct
description: /- auto.direct
dn: cn=hbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hbac
dn: cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hbacservices
dn: cn=hbacservicegroups,cn=hbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hbacservicegroups
dn: cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudo
dn: cn=sudocmds,cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudocmds
dn: cn=sudocmdgroups,cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudocmdgroups
dn: cn=sudorules,cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudorules
dn: cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: etc
dn: cn=locations,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: locations
dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: sysaccounts
dn: cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ipa
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: masters
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: replicas
dn: cn=dna,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: dna
dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: posix-ids
dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ca_renewal
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: certificates
dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: custodia
dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: dogtag
dn: cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: s4u2proxy
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/$HOST@$REALM
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/$HOST@$REALM
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets
dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
uid: admin
krbPrincipalName: admin@$REALM
cn: Administrator
sn: Administrator
uidNumber: $IDSTART
gidNumber: $IDSTART
homeDirectory: /home/admin
loginShell: $DEFAULT_ADMIN_SHELL
gecos: Administrator
nsAccountLock: FALSE
ipaUniqueID: autogenerate
dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: admins
description: Account administrators group
gidNumber: $IDSTART
member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: FALSE
ipaUniqueID: autogenerate
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: autogenerate
dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
gidNumber: eval($IDSTART+2)
description: Limited admins who can edit other users
cn: editors
ipaUniqueID: autogenerate
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: ipaobject
objectClass: ipahostgroup
description: IPA server hosts
cn: ipaservers
ipaUniqueID: autogenerate
dn: cn=sshd,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: sshd
description: sshd
ipauniqueid:autogenerate
dn: cn=ftp,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: ftp
description: ftp
ipauniqueid:autogenerate
dn: cn=su,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: su
description: su
ipauniqueid:autogenerate
dn: cn=login,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: login
description: login
ipauniqueid:autogenerate
dn: cn=su-l,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: su-l
description: su with login shell
ipauniqueid:autogenerate
dn: cn=sudo,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: sudo
description: sudo
ipauniqueid:autogenerate
dn: cn=sudo-i,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: sudo-i
description: sudo-i
ipauniqueid:autogenerate
dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: systemd-user
description: pam_systemd and systemd user@.service
ipauniqueid:autogenerate
dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: gdm
description: gdm
ipauniqueid:autogenerate
dn: cn=gdm-password,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: gdm-password
description: gdm-password
ipauniqueid:autogenerate
dn: cn=kdm,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: kdm
description: kdm
ipauniqueid:autogenerate
dn: cn=Sudo,cn=hbacservicegroups,cn=hbac,$SUFFIX
changetype: add
objectClass: ipaobject
objectClass: ipahbacservicegroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
cn: Sudo
ipauniqueid:autogenerate
description: Default group of Sudo related services
member: cn=sudo,cn=hbacservices,cn=hbac,$SUFFIX
member: cn=sudo-i,cn=hbacservices,cn=hbac,$SUFFIX
dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
objectClass: ipaGuiConfig
objectClass: ipaConfigObject
ipaUserSearchFields: uid,givenname,sn,telephonenumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 100
ipaHomesRootDir: /home
ipaDefaultLoginShell: $DEFAULT_SHELL
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 32
ipaMaxHostnameLength: 64
ipaPwdExpAdvNotify: 4
ipaGroupObjectClasses: top
ipaGroupObjectClasses: groupofnames
ipaGroupObjectClasses: nestedgroup
ipaGroupObjectClasses: ipausergroup
ipaGroupObjectClasses: ipaobject
ipaUserObjectClasses: top
ipaUserObjectClasses: person
ipaUserObjectClasses: organizationalperson
ipaUserObjectClasses: inetorgperson
ipaUserObjectClasses: inetuser
ipaUserObjectClasses: posixaccount
ipaUserObjectClasses: krbprincipalaux
ipaUserObjectClasses: krbticketpolicyaux
ipaUserObjectClasses: ipaobject
ipaUserObjectClasses: ipasshuser
ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
ipaConfigString: KDC:Disable Last Success
ipaSELinuxUserMapOrder: $SELINUX_USERMAP_ORDER
ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: nsContainer
cn: cosTemplates
# templates for this cos definition are managed by the pwpolicy plugin
dn: cn=Password Policy,cn=accounts,$SUFFIX
changetype: add
description: Password Policy based on group membership
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
cosAttribute: krbPwdPolicyReference override
cosSpecifier: memberOf
dn: cn=selinux,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: selinux
dn: cn=usermap,cn=selinux,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: usermap
dn: cn=ranges,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: ranges
dn: cn=${REALM}_id_range,cn=ranges,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: ipaIDrange
objectClass: ipaDomainIDRange
cn: ${REALM}_id_range
ipaBaseID: $IDSTART
ipaIDRangeSize: $IDRANGE_SIZE
ipaRangeType: ipa-local
dn: cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ca
dn: cn=certprofiles,cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: certprofiles
dn: cn=caacls,cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: caacls
dn: cn=cas,cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: cas