Set labels on all attributes in the config object.

Make the cert subject base read-only. This is here only so replicated servers
know their base.

ticket 466

2 files changed, 36 insertions, 2 deletions

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 423922754..d725cd5c1 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -18,7 +18,7 @@ changetype: modify
 add: aci
 aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
 
-dn: cn=ipaConfig,cn=etc,$SUFFIX
+dn: cn=etc,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 9ac196a24..44e4eabb0 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -49,8 +49,19 @@ how many records may be returned on a given search.
 Server Configuration.
 
   --enable-migration=BOOL Enable migration mode
-  --subject=STR           Base for certificate subjects (OU=Test,O=Example)
+  --pwdexpnotify=INT      Password Expiration Notification (days)
 
+The password notification value is stored here so it will be replicated.
+It is not currently used to notify users in advance of an expiring
+password.
+
+Some attributes are read-only, provided for information purposes. These
+include:
+
+Certificate Subject base: the configured certificate subject base,
+  e.g. O=EXAMPLE.COM.  This is configurable only at install time.
+Password plugin features: currently defines additional hashes that the
+  password will generate (there may be other conditions).
 """
 
 from ipalib import api
@@ -130,6 +141,29 @@ class config(LDAPObject):
             cli_name='subject',
             label=_('Certificate Subject base'),
             doc=_('Base for certificate subjects (OU=Test,O=Example)'),
+            flags=['no_update'],
+        ),
+        List('ipagroupobjectclasses?',
+            cli_name='groupobjectclasses',
+            label=_('Default group objectclasses'),
+            doc=_('Default group objectclassses (comma-separated list)'),
+        ),
+        List('ipauserobjectclasses?',
+            cli_name='userobjectclasses',
+            label=_('Default user objectclasses'),
+            doc=_('Default user objectclassses (comma-separated list)'),
+        ),
+        Int('ipapwdexpadvnotify?',
+            cli_name='pwdexpnotify',
+            label=_('Password Expiration Notification'),
+            doc=_('Password Expiration Notification (days)'),
+            minvalue=0,
+        ),
+        Str('ipaconfigstring?',
+            cli_name='ipaconfigstring',
+            label=_('Password plugin features'),
+            doc=_('Extra hashes to generate in password plugin'),
+            flags=['no_update'],
         ),
     )