author | Tomas Babej <tbabej@redhat.com> | 2015-05-14 10:49:55 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-05-26 11:59:47 +0000 |
commit | f3010498af2a4b98512d219b8e09101176c172fe (patch) | |
tree | d62ef1b1e718abb0c8565ca84371c2d488686761 /ipaserver/install | |
parent | 9eedffdfa62b4fa64244f048969b45b27a995c7a (diff) | |
Add Domain Level feature
https://fedorahosted.org/freeipa/ticket/5018
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/dsinstance.py | 16 | ||||
-rw-r--r-- | ipaserver/install/ldapupdate.py | 5 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_managed_permissions.py | 11 |
3 files changed, 29 insertions, 3 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 09139405d..064a2ab1d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -40,6 +40,7 @@ from ipaserver.install import upgradeinstance
 from ipalib import api
 from ipalib import certstore
 from ipalib import errors
+from ipalib import constants
 from ipaplatform.tasks import tasks
 from ipalib.constants import CACERT
 from ipapython.dn import DN
@@ -62,6 +63,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
 "70ipaotp.ldif",
 "70topology.ldif",
 "71idviews.ldif",
+ "72domainlevels.ldif",
 "15rfc2307bis.ldif",
 "15rfc4876.ldif")
@@ -186,7 +188,7 @@ info: IPA V2.0
 class DsInstance(service.Service):
 def __init__(self, realm_name=None, domain_name=None, dm_password=None,
- fstore=None):
+ fstore=None, domainlevel=None):
 service.Service.__init__(self, "dirsrv", service_desc="directory server", dm_password=dm_password,
@@ -209,6 +211,7 @@ class DsInstance(service.Service):
 self.subject_base = None
 self.open_ports = []
 self.run_init_memberof = True
+ self.domainlevel = domainlevel
 if realm_name:
 self.suffix = ipautil.realm_to_suffix(self.realm)
 self.__setup_sub_dict()
@@ -254,6 +257,7 @@ class DsInstance(service.Service):
 def __common_post_setup(self):
 self.step("initializing group membership", self.init_memberof)
 self.step("adding master entry", self.__add_master_entry)
+ self.step("initializing domain level", self.__set_domain_level)
 self.step("configuring Posix uid/gid generation", self.__config_uidgid_gen)
 self.step("adding replication acis", self.__add_replication_acis)
@@ -395,7 +399,10 @@ class DsInstance(service.Service):
 IDMAX=self.idmax, HOST=self.fqdn, ESCAPED_SUFFIX=str(self.suffix), GROUP=DS_GROUP,
- IDRANGE_SIZE=idrange_size
+ IDRANGE_SIZE=idrange_size,
+ DOMAIN_LEVEL=self.domainlevel,
+ MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
+ MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
 )
 def __create_instance(self):
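Review bot: The new `domainlevel` parameter of `DsInstance.__init__` is undocumented, and its None semantics are only discoverable by reading `__set_domain_level` further down the file; a comment on the signature such as `# domainlevel: level to write into the global entry at install time; None skips creating it` would save the next maintainer that hunt. In the `__setup_sub_dict` hunk, `DOMAIN_LEVEL`, `MAX_DOMAIN_LEVEL` and `MIN_DOMAIN_LEVEL` are passed raw, whereas the same keys in ldapupdate.py are wrapped in `str()`, so the two substitution dictionaries carry different types for the same template variables; worth aligning unless `_ldap_mod`'s template expansion (not visible here) accepts both. With `domainlevel=None` the sub_dict carries `DOMAIN_LEVEL=None`, which presumably expands to the literal text `None` in any template that references it — the None guard in `__set_domain_level` protects only domainlevel.ldif. Both `__init__` and `__setup_sub_dict` extend beyond these hunks.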
@@ -1011,3 +1018,8 @@ class DsInstance(service.Service):
 root_logger.debug('Unable to find certificate subject base in '
 'certmap.conf')
 return None
+
+ def __set_domain_level(self):
+ # Create global domain level entry and set the domain level
+ if self.domainlevel is not None:
+ self._ldap_mod("domainlevel.ldif", self.sub_dict)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 5fca37695..f30659fe9 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -39,6 +39,7 @@ from ipaserver.install import installutils
 from ipapython import ipautil, ipaldap
 from ipalib import errors
 from ipalib import api, create_api
+from ipalib import constants
 from ipaplatform.paths import paths
 from ipaplatform import services
 from ipapython.dn import DN
@@ -305,6 +306,10 @@ class LDAPUpdate:
 self.sub_dict["TIME"] = int(time.time())
 if not self.sub_dict.get("DOMAIN") and domain is not None:
 self.sub_dict["DOMAIN"] = domain
+ if not self.sub_dict.get("MIN_DOMAIN_LEVEL"):
+ self.sub_dict["MIN_DOMAIN_LEVEL"] = str(constants.MIN_DOMAIN_LEVEL)
+ if not self.sub_dict.get("MAX_DOMAIN_LEVEL"):
+ self.sub_dict["MAX_DOMAIN_LEVEL"] = str(constants.MAX_DOMAIN_LEVEL)
 self.api = create_api(mode=None)
 self.api.bootstrap(in_server=True, context='updates')
 self.api.finalize()
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 1fbfd9993..11765fba3 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
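Review bot: `__set_domain_level` writes `self.domainlevel` into the directory without checking it against `constants.MIN_DOMAIN_LEVEL` and `constants.MAX_DOMAIN_LEVEL`, even though this commit imports `constants` into dsinstance.py and already puts both bounds into `sub_dict`; unless the installer's option parsing (not in this diff) rejects out-of-range values, an invalid level lands in the global entry at install time and every later consumer of that entry inherits it. A guard directly before the write keeps the check next to the effect: `if not constants.MIN_DOMAIN_LEVEL <= self.domainlevel <= constants.MAX_DOMAIN_LEVEL: raise ValueError("domain level %s outside supported range" % self.domainlevel)`. The comment `# Create global domain level entry and set the domain level` should also state that `None` intentionally skips creating the entry, since that is the only documentation of the parameter's None case.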
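Review bot: The two new guards in `LDAPUpdate` test `if not self.sub_dict.get("MIN_DOMAIN_LEVEL")`, so a caller that pre-seeds the key with a falsy value (an int 0, if the minimum level is 0) is silently overwritten with the constant's string form rather than preserved. `self.sub_dict.setdefault("MIN_DOMAIN_LEVEL", str(constants.MIN_DOMAIN_LEVEL))` and the matching `setdefault` for `MAX_DOMAIN_LEVEL` express "fill only when absent" in one line each and avoid the truthiness test. The existing `DOMAIN` guard above uses the same `not ...get()` pattern, so this is a style choice rather than a regression; the enclosing method starts outside the hunk.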
@@ -338,7 +338,16 @@ NONOBJECT_PERMISSIONS = {
 'serviceAuthenticationMethod', 'objectclassMap', 'attributeMap', 'profileTTL' },
- }
+ },
+ 'System: Read Domain Level': {
+ 'ipapermlocation': DN('cn=Domain Level,cn=ipa,cn=etc', api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=ipadomainlevelconfig)'},
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'ipadomainlevel', 'objectclass',
+ },
+ },
 } |
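Review bot: `'System: Read Domain Level'` grants read, search and compare on the domain level entry with `'ipapermbindruletype': 'all'`, i.e. to every authenticated principal, and nothing in the dictionary records why that breadth is required; a one-line comment above the entry naming the consumers that must read `ipadomainlevel` would let a later privilege audit confirm the bind rule is still the minimum needed rather than guess. The entry at `cn=Domain Level,cn=ipa,cn=etc` and its `ipadomainlevelconfig` objectclass are created by domainlevel.ldif (referenced from the dsinstance.py hunk) and the new schema file, neither of which is in this diff, so the target filter cannot be cross-checked here. `NONOBJECT_PERMISSIONS` begins outside the hunk.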