freeipa/install/updates/73-subid.update

# subordinate ids

# create memberOf attributes for ipaOwner
dn: cn=MemberOf Plugin,cn=plugins,cn=config
add: memberofgroupattr: ipaOwner

# container
dn: cn=subids,cn=accounts,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: subids

# self-service RBAC
dn: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:objectClass: top
default:cn: Subordinate ID Selfservice User
default:description: User that can self-request subordinate ids
replace:description: User that can self-request subordiante ids::User that can self-request subordinate ids
# default: member: cn=ipausers,cn=groups,cn=accounts,$SUFFIX

dn: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Subordinate ID Selfservice Users
default:description: Subordinate ID Selfservice User
default:member: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX

dn: cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Self-service subordinate ID
default:ipapermissiontype: SYSTEM
default:member: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,$SUFFIX

# Administrator RBAC
dn: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: nestedgroup
default:cn: Subordinate ID Administrators
default:description: Subordinate ID Administrators
default:member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX

dn: cn=Manage subordinate ID,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Manage subordinate ID
default:ipapermissiontype: SYSTEM
default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX

# ACIs (in domain database root so they also apply to staging area)
#
# - allow users to request new subid with DNA_MAGIC value, subid count=65536,
#   and subgid == subuid.
# - allow user admins to set subids. count=65536 and subgid == subuid
#   properties are enforced as wel.
#
# The delete-when-empty check is required because IPA uses MOD_REPLACE to
# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
#
dn: cn=subids,cn=accounts,$SUFFIX
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)

# DNA plugin and idrange configuration
dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: subordinate-ids

dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
default: objectclass: top
default: objectclass: extensibleObject
default: cn: Subordinate IDs
default: dnaType: ipasubuidnumber
default: dnaType: ipasubgidnumber
default: dnaNextValue: eval($SUBID_RANGE_START)
default: dnaMaxValue: eval($SUBID_RANGE_MAX)
default: dnaMagicRegen: -1
default: dnaFilter: (objectClass=ipaSubordinateId)
default: dnaScope: $SUFFIX
default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
default: dnaExcludeScope: cn=provisioning,$SUFFIX
default: dnaInterval: eval($SUBID_COUNT)
add: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)

dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: ipaIDrange
default: objectClass: ipaTrustedADDomainRange
default: cn: ${REALM}_subid_range
default: ipaBaseID: $SUBID_RANGE_START
default: ipaIDRangeSize: $SUBID_RANGE_SIZE
# HACK: RIDs to work around adtrust sidgen issue
default: ipaBaseRID: eval($SUBID_BASE_RID)
default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
# see https://github.com/SSSD/sssd/issues/5571
default: ipaRangeType: ipa-ad-trust