f1f1b4e7f2
The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add a small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need to do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046
#
# Enable the Schema Compatibility plugin provided by slapi-nis.
#
# http://slapi-nis.fedorahosted.org/
#
# Registers the slapi-nis Schema Compatibility plugin with the directory server.
# nsslapd-pluginpath names a shared object that the server loads, so that file
# and its directory should be writable only by root.
# nsslapd-pluginbetxn: on asks for the plugin to run as a backend-transaction
# plugin.
# NOTE(review): every attribute here uses default:, which the IPA updater
# applies only when it creates the entry -- presumably a server that already
# has this entry keeps its old nsslapd-pluginbetxn value; confirm that upgrades
# are handled elsewhere.
dn: cn=Schema Compatibility, cn=plugins, cn=config
default:objectclass: top
default:objectclass: nsSlapdPlugin
default:objectclass: extensibleObject
default:cn: Schema Compatibility
default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
default:nsslapd-plugininitfunc: schema_compat_plugin_init
default:nsslapd-plugintype: object
default:nsslapd-pluginenabled: on
default:nsslapd-pluginid: schema-compat-plugin
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginbetxn: on
default:nsslapd-pluginvendor: redhat.com
default:nsslapd-plugindescription: Schema Compatibility Plugin
# Compat view of users: posixAccount entries under cn=users,cn=accounts are
# republished as uid=<uid>,cn=users,cn=compat,$SUFFIX with only the attributes
# listed below. No userPassword or other credential attribute is in that list.
# NOTE(review): this set does not set schema-compat-check-access (only cn=ng
# does) -- confirm how read access to the generated entries is restricted.
dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: users
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=users
default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixAccount
default:schema-compat-entry-rdn: uid=%{uid}
default:schema-compat-entry-attribute: objectclass=posixAccount
default:schema-compat-entry-attribute: gecos=%{cn}
default:schema-compat-entry-attribute: cn=%{cn}
default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: loginShell=%{loginShell}
default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
# Compat view of groups: posixGroup entries under cn=groups,cn=accounts are
# republished as cn=<cn>,cn=groups,cn=compat,$SUFFIX.
# memberUid combines the entry's own memberUid values with the uid of entries
# reached by following member recursively (%deref_r), so nested group
# membership appears flattened in this view.
# NOTE(review): schema-compat-check-access is not set for this set -- confirm
# how read access to the generated entries is restricted.
dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: groups
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=groups
default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixGroup
default:schema-compat-entry-rdn: cn=%{cn}
default:schema-compat-entry-attribute: objectclass=posixGroup
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: memberUid=%{memberUid}
default:schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
# Compat view of netgroups: ipaNisNetgroup entries under cn=ng,cn=alt are
# republished as nisNetgroup entries under cn=ng,cn=compat,$SUFFIX.
# This is the only set in the file that sets schema-compat-check-access: yes.
# In nisNetgroupTriple, hostCategory=all or userCategory=all makes the
# expression substitute an empty string for the host or user field; in a
# netgroup triple an empty field is a wildcard, so a category of "all" widens
# the triple to every host or every user. "-" is the padding value handed to
# %link for the shorter of the two lists.
# The attributes use add: rather than default:, so the updater adds these
# values to an existing entry as well as to a new one.
dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: ng
add:schema-compat-container-group: 'cn=compat, $SUFFIX'
add:schema-compat-container-rdn: cn=ng
add:schema-compat-check-access: yes
add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX'
add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-attribute: objectclass=nisNetgroup
add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'
add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})'
# Compat view of sudo rules: ipaSudoRule entries under cn=sudorules,cn=sudo are
# republished as sudoRole entries under ou=SUDOers,$SUFFIX.
# The search filter skips rules with ipaEnabledFlag=FALSE or
# compatVisible=FALSE, so a disabled rule is not published.
# userCategory, hostCategory and cmdCategory of "all" become the sudoers
# keyword ALL; memberDenyCmd values are emitted with a leading "!".
# "%%" is presumably the escape for a literal "%", giving sudo's %group form;
# the "+" prefix gives the netgroup form.
# NOTE(review): sudoRunAsGroup dereferences ipaSudoRunAs, the same attribute
# used for sudoRunAsUser, and no line maps a run-as-group category of "all" to
# ALL -- confirm both are intended.
# NOTE(review): schema-compat-check-access is not set for this set. The
# generated tree describes who may run which commands as whom, so confirm that
# read access to ou=SUDOers is limited to the identities sudo clients bind as.
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: sudoers
add:schema-compat-container-group: 'ou=SUDOers, $SUFFIX'
add:schema-compat-search-base: 'cn=sudorules, cn=sudo, $SUFFIX'
add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-attribute: objectclass=sudoRole
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'
add:schema-compat-entry-attribute: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'
# Compat view of hosts: only ipaHost entries under cn=computers,cn=accounts
# that have both macAddress and fqdn are republished, as device/ieee802Device
# entries under cn=computers,cn=compat,$SUFFIX carrying cn and macAddress.
# The RDN is built from the first fqdn value.
# NOTE(review): schema-compat-check-access is not set for this set -- confirm
# who is meant to be able to read host names and MAC addresses from it.
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: computers
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=computers
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
default:schema-compat-entry-attribute: objectclass=device
default:schema-compat-entry-attribute: objectclass=ieee802Device
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: macAddress=%{macAddress}
# Enable anonymous VLV browsing for Solaris
# The OID is the VLV (virtual list view) request control. The ACI on this
# entry uses userdn = "ldap:///anyone", which matches unauthenticated clients
# as well as authenticated ones, so anonymous clients may send the control.
# The ACI governs use of the control only; which entries and attributes a
# client can read is still decided by the ACIs on the data itself.
# only: makes the updater replace any aci values already on this entry.
# NOTE(review): the grant is server-wide and includes the proxy right --
# confirm the Solaris use case needs anonymous access rather than a dedicated
# bind identity.
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'