authorRob Crittenden <rcritten@redhat.com>2009-03-23 15:20:43 -0400
committerRob Crittenden <rcritten@redhat.com>2009-03-25 11:03:07 -0400
commitc00281a9f9c3f79fb88ff8537d941394fee09ca2 (patch)
tree019c8f72200e78b58699afe327f8f212898d659a
parentd6814f3aae1e3af371eaf9d10ae37bfee464015a (diff)
Name update files so they can be easily sorted.
We want to process some updates in a particular order (schema, structural), so this uses an init-inspired ordering mechanism.
-rw-r--r--install/updates/10-RFC2307bis.update (renamed from install/updates/RFC2307bis.update)8
-rw-r--r--install/updates/10-RFC4876.update (renamed from install/updates/RFC4876.update)16
-rw-r--r--install/updates/20-dna.update3
-rw-r--r--install/updates/20-indices.update (renamed from install/updates/indices.update)0
-rw-r--r--install/updates/20-nss_ldap.update (renamed from install/updates/nss_ldap.update)0
-rw-r--r--install/updates/20-replication.update (renamed from install/updates/replication.update)0
-rw-r--r--install/updates/20-winsync_index.update (renamed from install/updates/winsync_index.update)0
-rw-r--r--install/updates/30-automount.update (renamed from install/updates/automount.update)0
-rw-r--r--install/updates/30-groupofhosts.update (renamed from install/updates/groupofhosts.update)0
-rw-r--r--install/updates/30-netgroups.update (renamed from install/updates/netgroups.update)0
-rw-r--r--install/updates/30-policy.update (renamed from install/updates/policy.update)0
-rw-r--r--install/updates/30-rolegroup.update (renamed from install/updates/rolegroup.update)1
-rw-r--r--install/updates/30-taskgroup.update (renamed from install/updates/taskgroup.update)0
-rw-r--r--install/updates/40-delegation.update124
-rw-r--r--install/updates/Makefile.am26
-rw-r--r--install/updates/README8
16 files changed, 162 insertions, 24 deletions
diff --git a/install/updates/RFC2307bis.update b/install/updates/10-RFC2307bis.update
index 1ddebc1a2..afb17bbfb 100644
--- a/install/updates/RFC2307bis.update
+++ b/install/updates/10-RFC2307bis.update
@@ -47,8 +47,8 @@ add:attributeTypes:
add:objectClasses:
( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
DESC 'nisKeyObject' SUP top
- MUST ( cn $ nisPublickey $ nisSecretkey )
- MAY ( uidNumber $ description ) )
+ MUST ( cn $$ nisPublickey $$ nisSecretkey )
+ MAY ( uidNumber $$ description ) )
add:objectClasses:
( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'
DESC 'nisDomainObject' SUP top AUXILIARY
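Review bot: Nothing in this file or in the new README says why the `$` separators in the MUST/MAY lists are now written `$$`; presumably the updater runs each file through `$NAME` substitution (other update files use `$SUFFIX`), so a bare `$` has to be escaped. A short comment at the top of the file, for example `# A literal $ must be written as $$ because this file is processed as a template`, would keep the next schema addition from being pasted with single `$` separators. The same applies to the second hunk of this file and to the MAY list in 10-RFC4876.update. Separately, the unchanged context line `( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'` (its definition continues past the hunk) has an OID prefix that differs from the `1.3.6.1.1.1.2.14` just above and looks transposed; worth confirming against the schema source while the file is being touched.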
@@ -57,9 +57,9 @@ add:objectClasses:
( 2.16.840.1.113730.3.2.4 NAME 'mailGroup'
DESC 'mailGroup' SUP top
MUST ( mail )
- MAY ( cn $ mgrpRFC822MailMember ) )
+ MAY ( cn $$ mgrpRFC822MailMember ) )
add:objectClasses:
( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId'
DESC 'nisNetId' SUP top
MUST ( cn )
- MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
+ MAY ( nisNetIdUser $$ nisNetIdGroup $$ nisNetIdHost ) )
diff --git a/install/updates/RFC4876.update b/install/updates/10-RFC4876.update
index 5a372c201..c743b4bc6 100644
--- a/install/updates/RFC4876.update
+++ b/install/updates/10-RFC4876.update
@@ -135,12 +135,12 @@ add:objectClasses:
SUP top STRUCTURAL
DESC 'Abstraction of a base configuration for a DUA'
MUST ( cn )
- MAY ( defaultServerList $ preferredServerList $
- defaultSearchBase $ defaultSearchScope $
- searchTimeLimit $ bindTimeLimit $
- credentialLevel $ authenticationMethod $
- followReferrals $ dereferenceAliases $
- serviceSearchDescriptor $ serviceCredentialLevel $
- serviceAuthenticationMethod $ objectclassMap $
- attributeMap $ profileTTL )
+ MAY ( defaultServerList $$ preferredServerList $$
+ defaultSearchBase $$ defaultSearchScope $$
+ searchTimeLimit $$ bindTimeLimit $$
+ credentialLevel $$ authenticationMethod $$
+ followReferrals $$ dereferenceAliases $$
+ serviceSearchDescriptor $$ serviceCredentialLevel $$
+ serviceAuthenticationMethod $$ objectclassMap $$
+ attributeMap $$ profileTTL )
X-ORIGIN 'RFC4876' )
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
new file mode 100644
index 000000000..b83a3703d
--- /dev/null
+++ b/install/updates/20-dna.update
@@ -0,0 +1,3 @@
+# Enable the DNA plugin
+dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
diff --git a/install/updates/indices.update b/install/updates/20-indices.update
index 3d0e42af6..3d0e42af6 100644
--- a/install/updates/indices.update
+++ b/install/updates/20-indices.update
diff --git a/install/updates/nss_ldap.update b/install/updates/20-nss_ldap.update
index e8c1e00f7..e8c1e00f7 100644
--- a/install/updates/nss_ldap.update
+++ b/install/updates/20-nss_ldap.update
diff --git a/install/updates/replication.update b/install/updates/20-replication.update
index 29823a6fa..29823a6fa 100644
--- a/install/updates/replication.update
+++ b/install/updates/20-replication.update
diff --git a/install/updates/winsync_index.update b/install/updates/20-winsync_index.update
index f24bdf8bd..f24bdf8bd 100644
--- a/install/updates/winsync_index.update
+++ b/install/updates/20-winsync_index.update
diff --git a/install/updates/automount.update b/install/updates/30-automount.update
index c89d583ae..c89d583ae 100644
--- a/install/updates/automount.update
+++ b/install/updates/30-automount.update
diff --git a/install/updates/groupofhosts.update b/install/updates/30-groupofhosts.update
index fb39c5e25..fb39c5e25 100644
--- a/install/updates/groupofhosts.update
+++ b/install/updates/30-groupofhosts.update
diff --git a/install/updates/netgroups.update b/install/updates/30-netgroups.update
index 0a8609e3e..0a8609e3e 100644
--- a/install/updates/netgroups.update
+++ b/install/updates/30-netgroups.update
diff --git a/install/updates/policy.update b/install/updates/30-policy.update
index c3615d281..c3615d281 100644
--- a/install/updates/policy.update
+++ b/install/updates/30-policy.update
diff --git a/install/updates/rolegroup.update b/install/updates/30-rolegroup.update
index ef8cd7890..1417167de 100644
--- a/install/updates/rolegroup.update
+++ b/install/updates/30-rolegroup.update
@@ -3,3 +3,4 @@
dn: cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: nsContainer
add:cn: rolegroups
+
diff --git a/install/updates/taskgroup.update b/install/updates/30-taskgroup.update
index a98960657..a98960657 100644
--- a/install/updates/taskgroup.update
+++ b/install/updates/30-taskgroup.update
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
new file mode 100644
index 000000000..307fb8cd9
--- /dev/null
+++ b/install/updates/40-delegation.update
@@ -0,0 +1,124 @@
+# Add the default roles
+
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: helpdesk
+add:description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: useradmin
+add:description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: groupadmin
+add:description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: hostadmin
+add:description: Host Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: delegationadmin
+add:description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: serviceadmin
+add:description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: automountadmin
+add:description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: netgroupadmin
+add:description: Netgroups Administrators
+
+dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:objectClass: nestedgroup
+add:cn: useradmins
+add:description: User Administrators
+
+# Add the taskgroups referenced by the ACIs for user administration
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:objectClass: top
+add:cn: taskgroups
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: addusers
+add:description: Add Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: change_password
+add:description: Change a user password
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: add_user_to_default_group
+add:description: Add user to default group
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: removeusers
+add:description: Remove Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: modifyusers
+add:description: Modify Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACIs that grant these permissions for user administration
+
+dn: $SUFFIX
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
+ ,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
+ te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+ ";)
+add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
+ te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
+ ,$SUFFIX";)
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
+ askgroups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials
+ || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
+ umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
+ manager || secretary || description || carLicense || labeledURI || inetUserHT
+ TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
+ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
+ s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX";)
+
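Review bot: The "Modify Users" ACI binds to `groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX"`, but the group is created earlier in this file as `cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX`, so as written the rule appears to name a DN that does not exist and would grant nothing; the bind rule should read `groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX"`. The "change_password" ACI is the only one placed on `$SUFFIX` with a `targetattr` and no `target`, so it looks like it allows writes to `userPassword` and `krbPrincipalKey` on every entry under the suffix rather than only on user entries; adding `(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")`, as the neighbouring rules do, would narrow it, and it is worth deciding whether administrator accounts under cn=users should be excluded as well. Both `cn=useradmin` and `cn=useradmins` are created with the description "User Administrators" but only `useradmins` is made a member of the task groups, so a comment stating which one is meant for delegation would help.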
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 68e93b4f6..4b49cb1b0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -2,18 +2,20 @@ NULL =
appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
- automount.update \
- groupofhosts.update \
- indices.update \
- nss_ldap.update \
- replication.update \
- RFC2307bis.update \
- RFC4876.update \
- netgroups.update \
- policy.update \
- rolegroup.update \
- taskgroup.update \
- winsync_index.update \
+ 10-RFC2307bis.update \
+ 10-RFC4876.update \
+ 20-dna.update \
+ 20-indices.update \
+ 20-nss_ldap.update \
+ 20-replication.update \
+ 20-winsync_index.update \
+ 30-automount.update \
+ 30-groupofhosts.update \
+ 30-netgroups.update \
+ 30-policy.update \
+ 30-rolegroup.update \
+ 30-taskgroup.update \
+ 40-delegation.update \
$(NULL)
EXTRA_DIST = \
diff --git a/install/updates/README b/install/updates/README
new file mode 100644
index 000000000..064c6159f
--- /dev/null
+++ b/install/updates/README
@@ -0,0 +1,8 @@
+The update files are sorted before being processed because there are
+cases where order matters (such as getting schema added first, creating
+parent entries, etc).
+
+10 - 20: Schema
+20 - 30: FDS Configuration, new indices
+30 - 40: Structual elements of the DIT
+40 - 50: Pre-loaded data