freeipa/install/updates
Martin Kosek c0630950a1 Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked object is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.

Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:27 -04:00
10-60basev2.update Disallow direct modifications to enrolledBy. 2011-07-14 19:11:49 -04:00
10-60basev3.update Amend memberAllowCmd and memberDenyCmd attribute types 2012-09-16 17:59:12 -04:00
10-bind-schema.update Add safe updates for objectClasses 2012-09-04 22:45:27 -04:00
10-config.update Support the new Winsync POSIX API. 2012-09-06 14:29:14 +02:00
10-RFC2307bis.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
10-RFC4876.update Fix quoting to work with new csv handler in ldapupdate 2009-05-19 11:50:39 -06:00
10-schema_compat.update - create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes 2012-04-26 09:00:17 +02:00
10-selinuxusermap.update Add per-service option to store the types of PAC it supports 2012-08-01 16:15:51 +02:00
10-ssh.update Add LDAP schema for SSH public keys. 2012-02-13 22:20:18 -05:00
10-sudo.update Add support for sudoOrder 2012-03-01 21:02:33 -05:00
19-managed-entries.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-aci.update Add LDAP ACIs for SSH public key schema. 2012-02-13 22:20:23 -05:00
20-dna.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-host_nis_groups.update Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
20-indices.update Expand Referential Integrity checks 2012-09-16 17:59:27 -04:00
20-nss_ldap.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-replication.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
20-user_private_groups.update Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
20-winsync_index.update Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00
21-ca_renewal_container.update Use certmonger to renew CA subsystem certificates 2012-07-30 13:39:08 +02:00
21-replicas_container.update Store list of non-master replicas in DIT and provide way to list them 2011-03-02 09:46:46 -05:00
25-referint.update Expand Referential Integrity checks 2012-09-16 17:59:27 -04:00
30-policy.update Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
30-s4u2proxy.update Add S4U2Proxy delegation permissions on upgrades 2012-02-15 18:00:46 +01:00
40-automember.update Enable automember for upgraded servers 2011-11-29 09:02:06 +01:00
40-delegation.update Use certmonger to renew CA subsystem certificates 2012-07-30 13:39:08 +02:00
40-dns.update Per-domain DNS record permissions 2012-06-28 15:21:21 +02:00
45-roles.update Reorder privileges so that memberof for permissions are generated properly. 2011-12-08 10:08:10 +01:00
50-groupuuid.update The default groups we create should have ipaUniqueId set 2011-04-15 13:02:17 +02:00
50-hbacservice.update Add additional pam ftp services to HBAC, and a ftp HBAC service group 2011-08-24 15:21:41 -04:00
50-ipaconfig.update Set SELinux default context to unconfined_u:s0-s0:c0.c1023 2012-09-13 12:35:43 +02:00
50-lockout-policy.update Disallow direct modifications to enrolledBy. 2011-07-14 19:11:49 -04:00
50-nis.update - add a pair of ethers maps for computers with hardware addresses on file 2012-04-26 09:00:22 +02:00
55-pbacmemberof.update Reorder privileges so that memberof for permissions are generated properly. 2011-12-08 10:08:10 +01:00
60-trusts.update Add ACI to allow regenerating ipaNTHash from ipasam 2012-08-22 17:21:27 +03:00
61-trusts-s4u2proxy.update Add separate attribute to store trusted domain SID 2012-06-07 09:39:09 +02:00
62-ranges.update Create default range entry after upgrade 2012-07-02 16:27:33 +02:00
Makefile.am Expand Referential Integrity checks 2012-09-16 17:59:27 -04:00
README Name update files so they can be easily sorted. 2009-03-25 11:03:07 -04:00

The update files are sorted before being processed because there are
cases where order matters (such as getting schema added first, creating
parent entries, etc.).

10 - 20: Schema
20 - 30: FDS Configuration, new indices
30 - 40: Structural elements of the DIT
40 - 50: Pre-loaded data