Diffstat (limited to 'ipa-server/ipa-install/updates')
-rw-r--r-- | ipa-server/ipa-install/updates/Makefile.am | 17 | ||||
-rw-r--r-- | ipa-server/ipa-install/updates/RFC2307bis.update | 65 | ||||
-rw-r--r-- | ipa-server/ipa-install/updates/RFC4876.update | 146 | ||||
-rw-r--r-- | ipa-server/ipa-install/updates/nss_ldap.update | 33 | ||||
-rw-r--r-- | ipa-server/ipa-install/updates/schema_compatibility.update | 50 |
5 files changed, 311 insertions, 0 deletions
diff --git a/ipa-server/ipa-install/updates/Makefile.am b/ipa-server/ipa-install/updates/Makefile.am
new file mode 100644
index 000000000..56ec3b25f
--- /dev/null
+++ b/ipa-server/ipa-install/updates/Makefile.am
@@ -0,0 +1,17 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/updates
+app_DATA = \
+ RFC4876.update \
+ RFC2307bis.update \
+ schema_compatibility.update \
+ nss_ldap.update \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/ipa-server/ipa-install/updates/RFC2307bis.update b/ipa-server/ipa-install/updates/RFC2307bis.update
new file mode 100644
index 000000000..6d08d5786
--- /dev/null
+++ b/ipa-server/ipa-install/updates/RFC2307bis.update
@@ -0,0 +1,65 @@
+#
+# Schema derived from RFC 2307bis:
+# "An Approach for Using LDAP as a Network Information Service"
+#
+dn: cn=schema
+add: attributeTypes:
+ ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey'
+ DESC 'nisPublickey'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey'
+ DESC 'nisSecretkey'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain'
+ DESC 'NIS domain'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember'
+ DESC 'mgrpRFC822MailMember'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser'
+ DESC 'nisNetIdUser'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup'
+ DESC 'nisNetIdGroup'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost'
+ DESC 'nisNetIdHost'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:objectClasses:
+ ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
+ DESC 'nisKeyObject' SUP top
+ MUST ( cn $ nisPublickey $ nisSecretkey )
+ MAY ( uidNumber $ description ) )
+add:objectClasses:
+ ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'
+ DESC 'nisDomainObject' SUP top AUXILIARY
+ MUST ( nisDomain ) )
+add:objectClasses:
+ ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup'
+ DESC 'mailGroup' SUP top
+ MUST ( mail )
+ MAY ( cn $ mgrpRFC822MailMember ) )
+add:objectClasses:
+ ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId'
+ DESC 'nisNetId' SUP top
+ MUST ( cn )
+ MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
diff --git a/ipa-server/ipa-install/updates/RFC4876.update b/ipa-server/ipa-install/updates/RFC4876.update
new file mode 100644
index 000000000..5a372c201
--- /dev/null
+++ b/ipa-server/ipa-install/updates/RFC4876.update
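Review bot: The OID given for `nisDomainObject`, `1.3.1.6.1.1.1.2.15`, looks transposed: every other definition in this file sits under the `1.3.6.1.1.1` arc (the preceding object class `nisKeyObject` is `1.3.6.1.1.1.2.14`), and the RFC 2307bis draft assigns object classes from `1.3.6.1.1.1.2.x`, so the line should presumably read `( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'`. This is worth confirming against the draft before the file ships, because a schema OID that has been loaded into a replicated directory is painful to correct afterwards. A smaller point of style: the first attribute is introduced with `add: attributeTypes:` (space after the colon) while every other definition uses `add:attributeTypes:`; if the update parser matches on the literal `add:` prefix both spellings work, but the file should use one form consistently.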
@@ -0,0 +1,146 @@
+#
+# Schema more or less verbatim from RFC 4876:
+# "A Configuration Profile Schema for Lightweight Directory Access
+# Protocol (LDAP)-Based Agents"
+#
+dn: cn=schema
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList'
+ DESC 'List of default servers'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase'
+ DESC 'Default base for searches'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList'
+ DESC 'List of preferred servers'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit'
+ DESC 'Maximum time an agent or service allows for a
+ search to complete'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit'
+ DESC 'Maximum time an agent or service allows for a
+ bind operation to complete'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals'
+ DESC 'An agent or service does or should follow referrals'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod'
+ DESC 'Identifies the types of authentication methods either
+ used, required, or provided by a service or peer'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL'
+ DESC 'Time to live, in seconds, before a profile is
+ considered stale'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap'
+ DESC 'Attribute mappings used, required, or supported by an
+ agent or service'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel'
+ DESC 'Identifies type of credentials either used, required,
+ or supported by an agent or service'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap'
+ DESC 'Object class mappings used, required, or supported by
+ an agent or service'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope'
+ DESC 'Default scope used when performing a search'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel'
+ DESC 'Specifies the type of credentials either used, required,
+ or supported by a specific service'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor'
+ DESC 'Specifies search descriptors required, used, or
+ supported by a particular service or agent'
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod'
+ DESC 'Specifies types authentication methods either
+ used, required, or supported by a particular service'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases'
+ DESC 'Specifies if a service or agent either requires,
+ supports, or uses dereferencing of aliases.'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:objectClasses:
+ ( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile'
+ SUP top STRUCTURAL
+ DESC 'Abstraction of a base configuration for a DUA'
+ MUST ( cn )
+ MAY ( defaultServerList $ preferredServerList $
+ defaultSearchBase $ defaultSearchScope $
+ searchTimeLimit $ bindTimeLimit $
+ credentialLevel $ authenticationMethod $
+ followReferrals $ dereferenceAliases $
+ serviceSearchDescriptor $ serviceCredentialLevel $
+ serviceAuthenticationMethod $ objectclassMap $
+ attributeMap $ profileTTL )
+ X-ORIGIN 'RFC4876' )
diff --git a/ipa-server/ipa-install/updates/nss_ldap.update b/ipa-server/ipa-install/updates/nss_ldap.update
new file mode 100644
index 000000000..e8c1e00f7
--- /dev/null
+++ b/ipa-server/ipa-install/updates/nss_ldap.update
@@ -0,0 +1,33 @@
+#
+# Add profile for RFC 4876 agents (Solaris and HP/ux)
+#
+
+# Update the top-level entry
+dn: $SUFFIX
+add:objectClass: domain
+add:objectClass: domainRelatedObject
+add:objectClass: nisDomainObject
+add:associatedDomain: $DOMAIN
+add:nisDomain: $DOMAIN
+
+# Add a place to store the nss_ldap default profile
+dn: ou=profile,$SUFFIX
+add: objectClass: top
+add: objectClass: organizationalUnit
+add: ou: profiles
+
+# The DUA profile. On Solaris one can run:
+# ldap_client init ipa.example.com
+dn: cn=default,ou=profile,$SUFFIX
+default:ObjectClass: top
+default:ObjectClass: DUAConfigProfile
+default:defaultServerList: $FQDN
+default:defaultSearchBase: $SUFFIX
+default:authenticationMethod: none
+default:searchTimeLimit: 15
+default:cn: default
+default:serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
+default:serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
+default:bindTimeLimit: 5
+default:objectClassMap: shadow:shadowAccount=posixAccount
+default:followReferrals:TRUE
diff --git a/ipa-server/ipa-install/updates/schema_compatibility.update b/ipa-server/ipa-install/updates/schema_compatibility.update
new file mode 100644
index 000000000..71732c995
--- /dev/null
+++ b/ipa-server/ipa-install/updates/schema_compatibility.update
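Review bot: The `ou=profile,$SUFFIX` entry is given `add: ou: profiles`, which does not match the RDN value `profile` in its own DN; LDAP requires the RDN attribute value to be present in the entry, so depending on how the server treats this the add is either rejected as a naming violation or the entry ends up carrying both `profile` and `profiles`, and the line should read `add: ou: profile`. The last line of the profile, `default:followReferrals:TRUE`, is the only attribute written without a space after the attribute name; it probably parses, but `default:followReferrals: TRUE` matches the rest of the entry. Since the profile sets `authenticationMethod: none` and no `credentialLevel`, agents that consume it read the directory with anonymous binds, so what they can resolve is bounded by the anonymous-read access on `cn=accounts` and `cn=compat`; a comment above `dn: cn=default,ou=profile,$SUFFIX` stating `# Clients using this profile bind anonymously; passwd/group lookups depend on anonymous read access to the trees named below` would keep that dependency visible to whoever later tightens the ACIs.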
@@ -0,0 +1,50 @@
+#
+# Enable the Schema Compatibility plugin provided by slapi-nis.
+#
+# http://slapi-nis.fedorahosted.org/
+#
+dn: cn=Schema Compatibility, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: nsSlapdPlugin
+default:objectclass: extensibleObject
+default:cn: Schema Compatibility
+default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
+default:nsslapd-plugininitfunc: schema_compat_plugin_init
+default:nsslapd-plugintype: object
+default:nsslapd-pluginenabled: on
+default:nsslapd-pluginid: schema-compat-plugin
+default:nsslapd-pluginversion: 0.8
+default:nsslapd-pluginvendor: redhat.com
+default:nsslapd-plugindescription: Schema Compatibility Plugin
+
+dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
+default:objectClass: top
+default:objectClass: extensibleObject
+default:cn: users
+default:schema-compat-container-group: cn=compat, $SUFFIX
+default:schema-compat-container-rdn: cn=users
+default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
+default:schema-compat-search-filter: objectclass=posixAccount
+default:schema-compat-entry-rdn: uid=%{uid}
+default:schema-compat-entry-attribute: objectclass=posixAccount
+default:schema-compat-entry-attribute: gecos=%{cn}
+default:schema-compat-entry-attribute: cn=%{cn}
+default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
+default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
+default:schema-compat-entry-attribute: loginShell=%{loginShell}
+default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
+
+dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
+default:objectClass: top
+default:objectClass: extensibleObject
+default:cn: groups
+default:schema-compat-container-group: cn=compat, $SUFFIX
+default:schema-compat-container-rdn: cn=groups
+default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
+default:schema-compat-search-filter: objectclass=posixGroup
+default:schema-compat-entry-rdn: cn=%{cn}
+default:schema-compat-entry-attribute: objectclass=posixGroup
+default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
+default:schema-compat-entry-attribute: memberUid=%{memberUid}
+default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
+default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid")
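Review bot: The `cn=users` and `cn=groups` plugin entries carry no comment saying what they produce, so a reader has to know slapi-nis to see that they materialise flattened posixAccount/posixGroup views under `cn=compat, $SUFFIX`, the tree that `nss_ldap.update` points its group serviceSearchDescriptor at. I would put above `dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config` a comment such as `# Each container below publishes a (presumably read-only) RFC 2307 view of the matching cn=accounts entries under cn=compat,$SUFFIX, for clients that cannot read the native tree`. The three `memberUid` lines on the groups entry also deserve a line of explanation, since they merge direct `memberUid` values, uids dereferenced from `member` DNs, and uids found through `memberOf` on `cn=users`; that composition is what lets compat groups list members for clients that only understand memberUid, and it is the first thing someone debugging a missing group member will need to know. Only the `nss_ldap.update` hunk above relies on this tree, so the comment could also name that file as the consumer.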