mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-28 09:06:44 -06:00
2f4b3972a0
There are two reasons for the plugin framework:

1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user.

Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
100 lines
4.5 KiB
Groff
.\" A man page for ipa-ldap-updater
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-ldap\-updater \- Update the IPA LDAP configuration
.SH "SYNOPSIS"
ipa\-ldap\-updater [options] input_file(s)
ipa\-ldap\-updater [options]
.SH "DESCRIPTION"
ipa\-ldap\-updater is used to apply updates to the IPA LDAP server when the IPA packages are being updated. It is not intended to be executed by end\-users.

When run with no file arguments, ipa\-ldap\-updater will process all files with the extension .update in /usr/share/ipa/updates.

An update file describes an LDAP entry and a set of operations to be performed on that entry. It can be used to add new entries or modify existing entries.

Blank lines and lines beginning with # are ignored.

There are 7 keywords:

* default: the starting value
* add: add a value (or values) to an attribute
* remove: remove a value (or values) from an attribute
* only: set an attribute to this
* deleteentry: remove the entry
* replace: replace an existing value, format is old: new
* addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single\-value attributes.
* addifexist: add a new attribute and value only if the entry exists. This is used to update optional entries.

The value is a comma\-separated field, so multiple values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.

The difference between the default and add keywords is that if the DN of the entry exists, default is ignored. So for updating something like the schema, which lives under cn=schema, you must always use add (because cn=schema is guaranteed to exist). add will not re\-add the same information again and again.

It also provides some values that can be templated, such as the architecture (for plugin paths), the realm and the domain name.

The available template variables are:

* $REALM \- the kerberos realm (EXAMPLE.COM)
* $FQDN \- the fully\-qualified domain name of the IPA server being updated (ipa.example.com)
* $DOMAIN \- the domain name (example.com)
* $SUFFIX \- the IPA LDAP suffix (dc=example,dc=com)
* $ESCAPED_SUFFIX \- the ldap\-escaped IPA LDAP suffix
* $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths
* $TIME \- an integer representation of the current time

A few rules:

1. Only one rule per line.
2. Each line stands alone (e.g. an only followed by an only results in the last only being used).
3. Adding a value that already exists is OK. The request is ignored; duplicate values are not added.
4. Removing a value that doesn't exist is OK. It is simply ignored.
5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied.
6. If a DN does exist the default values are skipped.
7. Only the first rule on a line is respected.

Adds and updates are applied from shortest to longest length of DN. Deletes are done from longest to shortest.
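The update-file semantics described in this section, modelled as an added example in Python (this is not code from the FreeIPA tree, whose real implementation is ldapupdate.py): it groups update lines by DN, substitutes template variables such as $SUFFIX, applies the keyword rules to an in-memory directory shortest-DN-first and performs deletes longest-DN-first. Assumptions: the directory is a plain dict of {dn: {attr: [values]}}, values are split on commas without the quote handling the page describes, and the replace field is split at its first colon into old and new; the sample entry, attribute names and update file are constructed for the example.

```python
from string import Template

KEYWORDS = {"default", "add", "remove", "only", "deleteentry", "replace", "addifnew", "addifexist"}

def apply_update(directory, text, variables):
    """Apply update-file text to {dn: {attr: [values]}} following the man page's rules."""
    blocks, ops = {}, []
    for line in Template(text).safe_substitute(variables).splitlines():   # $SUFFIX etc.
        kw, _, rest = line.strip().partition(":")         # rule 7: first keyword only
        if kw == "dn":
            ops = blocks.setdefault(rest.strip(), [])
        elif kw.strip() in KEYWORDS:                      # blank and # lines fall through
            ops.append((kw.strip(), *(s.strip() for s in rest.partition(":")[::2])))
    deletes = {dn for dn in blocks if any(o[0] == "deleteentry" for o in blocks[dn])}
    for dn in sorted(blocks, key=len):                    # adds/updates: shortest DN first
        existed, entry = dn in directory, directory.get(dn, {})
        for kw, attr, field in blocks[dn]:
            have, vals = entry.get(attr, []), [v.strip() for v in field.split(",") if v.strip()]
            if kw == "default" and existed or kw == "addifexist" and not existed:
                continue                                  # rules 5 and 6; optional entries
            if kw in ("default", "add", "addifexist"):
                entry[attr] = have + [v for v in vals if v not in have]   # rule 3: no duplicates
            elif kw == "addifnew" and not have:
                entry[attr] = vals                        # single-valued attribute, only if absent
            elif kw == "remove" and have:
                entry[attr] = [v for v in have if v not in vals]          # rule 4
            elif kw == "only":
                entry[attr] = vals                        # a later "only" overrides (rule 2)
            elif kw == "replace":
                old, _, new = (s.strip() for s in field.partition(":"))   # "old: new"
                entry[attr] = [new if v == old else v for v in have]
        if entry and dn not in deletes:
            directory[dn] = entry
    for dn in sorted(deletes, key=len, reverse=True):     # deletes: longest DN first
        directory.pop(dn, None)
    return directory

# Constructed sample directory state and update file (not taken from the FreeIPA tree).
DIRECTORY = {"cn=ipaConfig,cn=etc,dc=example,dc=com": {"objectClass": ["top"], "ipaDefaultLoginShell": ["/bin/sh"]}}
UPDATE = """\
dn: cn=ipaConfig,cn=etc,$SUFFIX
default: objectClass: top, ipaGuiConfig
add: ipaUserSearchFields: uid, cn
add: ipaUserSearchFields: uid
replace: ipaDefaultLoginShell: /bin/sh: /bin/bash
addifnew: ipaMaxUsernameLength: 32
only: ipaSearchRecordsLimit: 100, 200
"""
def demo():
    return apply_update({dn: dict(e) for dn, e in DIRECTORY.items()}, UPDATE, {"SUFFIX": "dc=example,dc=com"})
```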
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-t\fR, \fB\-\-test\fR
Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.
.TP
\fB\-y\fR
File containing the Directory Manager password
.TP
\fB\-l\fR, \fB\-\-ldapi\fR
Connect to the LDAP server using the ldapi socket
.TP
\fB\-p\fR, \fB\-\-plugins\fR
Execute update plugins as well as any update files. There is no way to execute only the plugins.
.TP
\fB\-u\fR, \fB\-\-upgrade\fR
Upgrade an installed server in offline mode (implies \-\-ldapi and \-\-plugins)
.TP
\fB\-W\fR, \fB\-\-password\fR
Prompt for the Directory Manager password
.SH "EXIT STATUS"
0 if the command was successful

1 if an error occurred

2 if run in test mode (\-t) and updates are available