author | Rob Crittenden <rcritten@redhat.com> | 2007-11-20 22:45:29 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2007-11-20 22:45:29 -0500 |
commit | f42f1f44c81e15ac9ecbc6684cbc4dfc9395fd42 (patch) | |
tree | 5e3907c33efe15f9a7f04bc973a341d0851b6dd4 /ipa-server/ipa-install | |
parent | 56d67b86e18112c9f059e7bcd3ac51fc21f941af (diff) | |
Enable group inactivation by using the Class of Service plugin.
This adds 2 new groups: activated and inactivated.
If you, or a group you are a member of, is in inactivated then you are too.
If you, or a group you are a member of, is in the activated group, then you
are too.
In a fight between activated and inactivated, activated wins.
The DNs for doing this matching are case and white space sensitive.
The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.
We need to decide where in the CLI this will happen. Right now it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.
Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index f443b6cb9..257f865be 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -116,3 +116,42 @@ ipaDefaultLoginShell: /bin/sh ipaDefaultPrimaryGroup: ipausers ipaMaxUsernameLength: 8 ipaPwdExpAdvNotify: 4 + +dn: cn=account inactivation,cn=accounts,$SUFFIX +description: Lock accounts based on group membership +objectClass: top +objectClass: ldapsubentry +objectClass: cosSuperDefinition +objectClass: cosClassicDefinition +cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX +cosAttribute: nsAccountLock operational +cosAttribute: pager +cosSpecifier: memberOf +cn: Account Inactivation + +dn: cn=cosTemplates,cn=accounts,$SUFFIX +objectclass: top +objectclass: nsContainer +cn: cosTemplates + +dn: cn="cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX +objectClass: top +objectClass: cosTemplate +objectClass: extensibleobject +nsAccountLock: true +cosPriority: 1 + +dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX +objectclass: top +objectclass: groupofuniquenames + +dn: cn="cn=activated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX +objectClass: top +objectClass: cosTemplate +objectClass: extensibleobject +nsAccountLock: false +cosPriority: 0 + +dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX +objectclass: top +objectclass: groupofuniquenames |
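Review bot: The activated template and the activated group disagree in case, which the commit message itself says is significant for this matching: the template is keyed on `cn="cn=activated,cn=account inactivation,cn=accounts,$SUFFIX"` while the group is created as `cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX`. If memberOf values carry the group's DN as written, the activated template (cosPriority 0) will never be selected and the "activated wins" rule cannot take effect; use one spelling for both entries (the inactivated pair is consistent, so `cn=activated,cn=account inactivation,...` for the group is the least surprising fix). Two smaller points: `cosAttribute: pager` on the definition entry is not set in either template and is not mentioned in the commit message, so either drop it or note why it is there; and the two `groupofuniquenames` entries carry no `cn` attribute (only the RDN), so add `cn: inactivated` / `cn: activated` to the entries rather than relying on the server to derive it from the DN.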