From c00281a9f9c3f79fb88ff8537d941394fee09ca2 Mon Sep 17 00:00:00 2001 
From: Rob Crittenden Date: Mon, 23 Mar 2009 15:20:43 -0400 Subject: Name update files so they can be easily sorted. We want to process some updates in a particular order (schema, structural). Using an init-inspired ordering mechanism. --- install/updates/10-RFC2307bis.update | 65 ++++++++++++++ install/updates/10-RFC4876.update | 146 ++++++++++++++++++++++++++++++++ install/updates/20-dna.update | 3 + install/updates/20-indices.update | 18 ++++ install/updates/20-nss_ldap.update | 33 ++++++++ install/updates/20-replication.update | 9 ++ install/updates/20-winsync_index.update | 10 +++ install/updates/30-automount.update | 18 ++++ install/updates/30-groupofhosts.update | 5 ++ install/updates/30-netgroups.update | 9 ++ install/updates/30-policy.update | 44 ++++++++++ install/updates/30-rolegroup.update | 6 ++ install/updates/30-taskgroup.update | 5 ++ install/updates/40-delegation.update | 124 +++++++++++++++++++++++++++ install/updates/Makefile.am | 26 +++--- install/updates/README | 8 ++ install/updates/RFC2307bis.update | 65 -------------- install/updates/RFC4876.update | 146 -------------------------------- install/updates/automount.update | 18 ---- install/updates/groupofhosts.update | 5 -- install/updates/indices.update | 18 ---- install/updates/netgroups.update | 9 -- install/updates/nss_ldap.update | 33 -------- install/updates/policy.update | 44 ---------- install/updates/replication.update | 9 -- install/updates/rolegroup.update | 5 -- install/updates/taskgroup.update | 5 -- install/updates/winsync_index.update | 10 --- 28 files changed, 517 insertions(+), 379 deletions(-) create mode 100644 install/updates/10-RFC2307bis.update create mode 100644 install/updates/10-RFC4876.update create mode 100644 install/updates/20-dna.update create mode 100644 install/updates/20-indices.update create mode 100644 install/updates/20-nss_ldap.update create mode 100644 install/updates/20-replication.update create mode 100644 install/updates/20-winsync_index.update create 
mode 100644 install/updates/30-automount.update create mode 100644 install/updates/30-groupofhosts.update create mode 100644 install/updates/30-netgroups.update create mode 100644 install/updates/30-policy.update create mode 100644 install/updates/30-rolegroup.update create mode 100644 install/updates/30-taskgroup.update create mode 100644 install/updates/40-delegation.update create mode 100644 install/updates/README delete mode 100644 install/updates/RFC2307bis.update delete mode 100644 install/updates/RFC4876.update delete mode 100644 install/updates/automount.update delete mode 100644 install/updates/groupofhosts.update delete mode 100644 install/updates/indices.update delete mode 100644 install/updates/netgroups.update delete mode 100644 install/updates/nss_ldap.update delete mode 100644 install/updates/policy.update delete mode 100644 install/updates/replication.update delete mode 100644 install/updates/rolegroup.update delete mode 100644 install/updates/taskgroup.update delete mode 100644 install/updates/winsync_index.update (limited to 'install/updates') diff --git a/install/updates/10-RFC2307bis.update b/install/updates/10-RFC2307bis.update new file mode 100644 index 000000000..afb17bbfb --- /dev/null +++ b/install/updates/10-RFC2307bis.update 
@@ -0,0 +1,65 @@
+#
+# Schema derived from RFC 2307bis:
+# "An Approach for Using LDAP as a Network Information Service"
+#
+dn: cn=schema
+add: attributeTypes:
+ ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey'
+ DESC 'nisPublickey'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey'
+ DESC 'nisSecretkey'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain'
+ DESC 'NIS domain'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember'
+ DESC 'mgrpRFC822MailMember'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser'
+ DESC 'nisNetIdUser'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup'
+ DESC 'nisNetIdGroup'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost'
+ DESC 'nisNetIdHost'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC2307bis' )
+add:objectClasses:
+ ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
+ DESC 'nisKeyObject' SUP top
+ MUST ( cn $$ nisPublickey $$ nisSecretkey )
+ MAY ( uidNumber $$ description ) )
+add:objectClasses:
+ ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'
+ DESC 'nisDomainObject' SUP top AUXILIARY
+ MUST ( nisDomain ) )
+add:objectClasses:
+ ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup'
+ DESC 'mailGroup' SUP top
+ MUST ( mail )
+ MAY ( cn $$ mgrpRFC822MailMember ) )
+add:objectClasses:
+ ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId'
+ DESC 'nisNetId' SUP top
+ MUST ( cn )
+ MAY ( nisNetIdUser $$ nisNetIdGroup $$ nisNetIdHost ) )
diff --git a/install/updates/10-RFC4876.update b/install/updates/10-RFC4876.update
new file mode 100644
index 000000000..c743b4bc6
--- /dev/null
+++ b/install/updates/10-RFC4876.update
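Review bot: The move also rewrites every `$` separator in the MUST/MAY lists as `$$` (e.g. `MUST ( cn $$ nisPublickey $$ nisSecretkey )`, where the deleted copy further down this patch has `cn $ nisPublickey $ nisSecretkey`), although the commit message describes a pure rename. That only produces a valid objectClass definition if the update loader collapses `$$` to a literal `$` before the value is sent to cn=schema, which nothing in this patch shows; if it does not, every objectClass in this file is rejected by the server. Please mention the escaping in the commit message and add a header comment such as `# '$$' is the update-file escape for a literal '$' (the $VAR substitution syntax)` so the next editor does not "fix" it back.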
@@ -0,0 +1,146 @@ +# +# Schema more or less verbatim from RFC 4876: +# "A Configuration Profile Schema for Lightweight Directory Access +# Protocol (LDAP)-Based Agents" +# +dn: cn=schema +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' + DESC 'List of default servers' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' + DESC 'Default base for searches' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' + DESC 'List of preferred servers' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' + DESC 'Maximum time an agent or service allows for a + search to complete' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' + DESC 'Maximum time an agent or service allows for a + bind operation to complete' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' + DESC 'An agent or service does or should follow referrals' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' + DESC 'Identifies the types of authentication methods either + used, required, or provided by a service or peer' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' + DESC 'Time to live, in seconds, before a profile is + considered stale' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' + DESC 'Attribute mappings used, required, or supported by an + agent or service' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' + DESC 'Identifies type of credentials either used, required, + or supported by an agent or service' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' + DESC 'Object class mappings used, required, or supported by + an agent or service' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' + DESC 'Default scope used when performing a search' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' + DESC 'Specifies the type of credentials either used, required, + or supported by a specific service' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' + DESC 'Specifies search descriptors required, used, or + supported by a particular service or agent' + EQUALITY caseExactMatch + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC4876' ) +add:attributeTypes: + ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 
'serviceAuthenticationMethod'
+ DESC 'Specifies types authentication methods either
+ used, required, or supported by a particular service'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN 'RFC4876' )
+add:attributeTypes:
+ ( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases'
+ DESC 'Specifies if a service or agent either requires,
+ supports, or uses dereferencing of aliases.'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE
+ X-ORIGIN 'RFC4876' )
+add:objectClasses:
+ ( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile'
+ SUP top STRUCTURAL
+ DESC 'Abstraction of a base configuration for a DUA'
+ MUST ( cn )
+ MAY ( defaultServerList $$ preferredServerList $$
+ defaultSearchBase $$ defaultSearchScope $$
+ searchTimeLimit $$ bindTimeLimit $$
+ credentialLevel $$ authenticationMethod $$
+ followReferrals $$ dereferenceAliases $$
+ serviceSearchDescriptor $$ serviceCredentialLevel $$
+ serviceAuthenticationMethod $$ objectclassMap $$
+ attributeMap $$ profileTTL )
+ X-ORIGIN 'RFC4876' )
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
new file mode 100644
index 000000000..b83a3703d
--- /dev/null
+++ b/install/updates/20-dna.update
@@ -0,0 +1,3 @@
+# Enable the DNA plugin
+dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
new file mode 100644
index 000000000..3d0e42af6
--- /dev/null
+++ b/install/updates/20-indices.update
@@ -0,0 +1,18 @@
+#
+# Some nss_ldap implementations will always ask for memberuid so we must
+# have an index for it.
+#
+dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberuid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq,pres
+
+dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: memberof
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+default:nsIndexType: eq
+
diff --git a/install/updates/20-nss_ldap.update b/install/updates/20-nss_ldap.update
new file mode 100644
index 000000000..e8c1e00f7
--- /dev/null
+++ b/install/updates/20-nss_ldap.update
@@ -0,0 +1,33 @@
+#
+# Add profile for RFC 4876 agents (Solaris and HP/ux)
+#
+
+# Update the top-level entry
+dn: $SUFFIX
+add:objectClass: domain
+add:objectClass: domainRelatedObject
+add:objectClass: nisDomainObject
+add:associatedDomain: $DOMAIN
+add:nisDomain: $DOMAIN
+
+# Add a place to store the nss_ldap default profile
+dn: ou=profile,$SUFFIX
+add: objectClass: top
+add: objectClass: organizationalUnit
+add: ou: profiles
+
+# The DUA profile. On Solaris one can run:
+# ldap_client init ipa.example.com
+dn: cn=default,ou=profile,$SUFFIX
+default:ObjectClass: top
+default:ObjectClass: DUAConfigProfile
+default:defaultServerList: $FQDN
+default:defaultSearchBase: $SUFFIX
+default:authenticationMethod: none
+default:searchTimeLimit: 15
+default:cn: default
+default:serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
+default:serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
+default:bindTimeLimit: 5
+default:objectClassMap: shadow:shadowAccount=posixAccount
+default:followReferrals:TRUE
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
new file mode 100644
index 000000000..29823a6fa
--- /dev/null
+++ b/install/updates/20-replication.update
@@ -0,0 +1,9 @@
+#
+# Counter used to store the next replica id
+#
+# Start at 3 to avoid conflicts with v1.0 replica ids. The value itself
+# isn't important but each replica needs a unique id.
+dn: cn=replication,cn=etc,$SUFFIX
+add: objectclass: nsDS5Replica
+add: nsDS5ReplicaId: 3
+add: nsDS5ReplicaRoot: '$SUFFIX'
diff --git a/install/updates/20-winsync_index.update b/install/updates/20-winsync_index.update
new file mode 100644
index 000000000..f24bdf8bd
--- /dev/null
+++ b/install/updates/20-winsync_index.update
@@ -0,0 +1,10 @@
+#
+# Make sure winsync attributes have the correct indexing
+#
+
+dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only: nsIndexType: eq,pres
+
+dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only: nsIndexType: eq,pres
+
diff --git a/install/updates/30-automount.update b/install/updates/30-automount.update
new file mode 100644
index 000000000..c89d583ae
--- /dev/null
+++ b/install/updates/30-automount.update
@@ -0,0 +1,18 @@
+# Add the default automount entries
+
+dn: cn=automount,$SUFFIX
+add:objectClass: nsContainer
+add:cn: automount
+
+dn: automountmapname=auto.master,cn=automount,$SUFFIX
+add:objectClass: automountMap
+add:automountMapName: auto.master
+
+dn: automountkey=/-,automountmapname=auto.master,cn=automount,$SUFFIX
+add:objectClass: automount
+add:automountKey: '/-'
+add:automountInformation: auto.direct
+
+dn: automountmapname=auto.direct,cn=automount,$SUFFIX
+add:objectClass: automountMap
+add:automountMapName: auto.direct
diff --git a/install/updates/30-groupofhosts.update b/install/updates/30-groupofhosts.update
new file mode 100644
index 000000000..fb39c5e25
--- /dev/null
+++ b/install/updates/30-groupofhosts.update
@@ -0,0 +1,5 @@
+dn: cn=hostgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: hostgroups
+
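Review bot: `only:nsslapd-pluginEnabled: on` switches the DNA plugin on but nothing in this file supplies the plugin's own configuration (the attributes it manages, the number ranges, a shared-config entry), and the one-line comment does not say where that is expected to come from. As far as I recall, a change to nsslapd-pluginEnabled under cn=plugins,cn=config on 389-DS of this era is only honoured after a server restart, so unless the updater restarts the directory server after applying this file the setting is inert until the next reboot; that is worth confirming and stating. Suggest expanding the comment to `# Enable the DNA plugin (presumably for uidNumber/gidNumber allocation). Range and managed-attribute config lives elsewhere; the server must be restarted for the enable to take effect`.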
diff --git a/install/updates/30-netgroups.update b/install/updates/30-netgroups.update
new file mode 100644
index 000000000..0a8609e3e
--- /dev/null
+++ b/install/updates/30-netgroups.update
@@ -0,0 +1,9 @@
+# Add the default netgroup entries
+
+dn: cn=alt,$SUFFIX
+add:objectClass: nsContainer
+add:cn: alt
+
+dn: cn=ng,cn=alt,$SUFFIX
+add:objectClass: nsContainer
+add:cn: ng
diff --git a/install/updates/30-policy.update b/install/updates/30-policy.update
new file mode 100644
index 000000000..c3615d281
--- /dev/null
+++ b/install/updates/30-policy.update
@@ -0,0 +1,44 @@
+# bootstrap the policy DIT structure
+
+dn: cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: policies
+add: description: Root of the policy related sub tree
+
+dn: cn=configs,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: configs
+add: description: Root of the sub tree that holds configuration policies for different applications
+
+dn: cn=applications,cn=configs,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: applications
+add: description: Root of the tree that hold all definitions of the supported applications
+
+dn: cn=Shell Applications,cn=applications,cn=configs,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: Shell Applications
+add: description: Shell Applications - special application that holds templates for actions
+
+dn: cn=roles,cn=policies,$SUFFIX
+add: objectclass: nsContainer
+add: objectclass: ipaContainer
+add: cn: roles
+add: description: Root of the sub tree that holds role management data
+
+dn: cn=policygroups,cn=configs,cn=policies,$SUFFIX
+add: objectclass: ipaContainer
+add: objectclass: ipaOrderedContainer
+add: cn: policygroups
+add: description: Sub tree to hold policy groups
+
+dn: cn=policylinks,cn=configs,cn=policies,$SUFFIX
+add: objectclass: ipaContainer
+add: objectclass: ipaOrderedContainer
+add: cn: policylinks
+add: description: Sub tree to hold policy links
+
diff --git a/install/updates/30-rolegroup.update b/install/updates/30-rolegroup.update
new file mode 100644
index 000000000..1417167de
--- /dev/null
+++ b/install/updates/30-rolegroup.update
@@ -0,0 +1,6 @@
+# Add the rolegroup container
+
+dn: cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:cn: rolegroups
+
diff --git a/install/updates/30-taskgroup.update b/install/updates/30-taskgroup.update
new file mode 100644
index 000000000..a98960657
--- /dev/null
+++ b/install/updates/30-taskgroup.update
@@ -0,0 +1,5 @@
+# Add the taskgroup container
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:cn: taskgroups
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
new file mode 100644
index 000000000..307fb8cd9
--- /dev/null
+++ b/install/updates/40-delegation.update
@@ -0,0 +1,124 @@
+# Add the default roles
+
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: helpdesk
+add:description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: useradmin
+add:description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: groupadmin
+add:description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: hostadmin
+add:description: Host Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: delegationadmin
+add:description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: serviceadmin
+add:description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: automountadmin
+add:description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: netgroupadmin
+add:description: Netgroups Administrators
+
+dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:objectClass: nestedgroup
+add:cn: useradmins
+add:description: User Administrators
+
+# Add the taskgroups referenced by the ACIs for user administration
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:objectClass: top
+add:cn: taskgroups
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: addusers
+add:description: Add Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: change_password
+add:description: Change a user password
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: add_user_to_default_group
+add:description: Add user to default group
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: removeusers
+add:description: Remove Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: modifyusers
+add:description: Modify Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACIs that grant these permissions for user administration
+
+dn: $SUFFIX
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
+ ,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
+ te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+ ";)
+add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
+ te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
+ ,$SUFFIX";)
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
+ askgroups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials
+ || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
+ umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
+ manager || secretary || description || carLicense || labeledURI || inetUserHT
+ TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
+ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
+ s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX";)
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 68e93b4f6..4b49cb1b0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -2,18 +2,20 @@ NULL =
 
 appdir = $(IPA_DATA_DIR)/updates
 app_DATA = \
- automount.update \
- groupofhosts.update \
- indices.update \
- nss_ldap.update \
- replication.update \
- RFC2307bis.update \
- RFC4876.update \
- netgroups.update \
- policy.update \
- rolegroup.update \
- taskgroup.update \
- winsync_index.update \
+ 10-RFC2307bis.update \
+ 10-RFC4876.update \
+ 20-dna.update \
+ 20-indices.update \
+ 20-nss_ldap.update \
+ 20-replication.update \
+ 20-winsync_index.update \
+ 30-automount.update \
+ 30-groupofhosts.update \
+ 30-netgroups.update \
+ 30-policy.update \
+ 30-rolegroup.update \
+ 30-taskgroup.update \
+ 40-delegation.update \
 $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/updates/README b/install/updates/README
new file mode 100644
index 000000000..064c6159f
--- /dev/null
+++ b/install/updates/README
@@ -0,0 +1,8 @@
+The update files are sorted before being processed because there are
+cases where order matters (such as getting schema added first, creating
+parent entries, etc).
+
+10 - 20: Schema
+20 - 30: FDS Configuration, new indices
+30 - 40: Structual elements of the DIT
+40 - 50: Pre-loaded data
diff --git a/install/updates/RFC2307bis.update b/install/updates/RFC2307bis.update
deleted file mode 100644
index 1ddebc1a2..000000000
--- a/install/updates/RFC2307bis.update
+++ /dev/null
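Review bot: The last ACI names a group this file never creates: `groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX"` is missing the `cn=accounts` component, while the taskgroup is added at `cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX`, so "Modify Users" will never match and useradmins cannot edit any user attribute; change it to `groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX"`. The `change_password` ACI has the opposite problem: it has a `targetattr` but no `target`, and because it is attached at `$SUFFIX` it grants write on `userPassword`, `krbPrincipalKey` and the Samba hashes for every entry under the suffix — admin users, hosts and service principals included — rather than ordinary users only; prefix it with `(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")` exactly as the "Add Users" and "Remove Users" ACIs do. The `cn=taskgroups,cn=accounts,$SUFFIX` container is also created by 30-taskgroup.update, so the duplicate `add:` here is presumably harmless but could be dropped.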
@@ -1,65 +0,0 @@ -# -# Schema derived from RFC 2307bis: -# "An Approach for Using LDAP as a Network Information Service" -# -dn: cn=schema -add: attributeTypes: - ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' - DESC 'nisPublickey' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:attributeTypes: - ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' - DESC 'nisSecretkey' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:attributeTypes: - ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain' - DESC 'NIS domain' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:attributeTypes: - ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' - DESC 'mgrpRFC822MailMember' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:attributeTypes: - ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' - DESC 'nisNetIdUser' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:attributeTypes: - ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' - DESC 'nisNetIdGroup' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:attributeTypes: - ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' - DESC 'nisNetIdHost' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC2307bis' ) -add:objectClasses: - ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' - DESC 'nisKeyObject' SUP top - MUST ( cn $ nisPublickey $ nisSecretkey ) - MAY ( uidNumber $ description ) ) -add:objectClasses: - ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' - DESC 'nisDomainObject' SUP top AUXILIARY - MUST ( nisDomain ) ) -add:objectClasses: - ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' - DESC 'mailGroup' SUP top - MUST ( mail ) - MAY ( cn $ mgrpRFC822MailMember ) ) -add:objectClasses: - ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' - DESC 'nisNetId' SUP top - MUST ( cn ) - MAY ( nisNetIdUser $ 
nisNetIdGroup $ nisNetIdHost ) ) diff --git a/install/updates/RFC4876.update b/install/updates/RFC4876.update deleted file mode 100644 index 5a372c201..000000000 --- a/install/updates/RFC4876.update +++ /dev/null 
@@ -1,146 +0,0 @@ -# -# Schema more or less verbatim from RFC 4876: -# "A Configuration Profile Schema for Lightweight Directory Access -# Protocol (LDAP)-Based Agents" -# -dn: cn=schema -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' - DESC 'List of default servers' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' - DESC 'Default base for searches' - EQUALITY distinguishedNameMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' - DESC 'List of preferred servers' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' - DESC 'Maximum time an agent or service allows for a - search to complete' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' - DESC 'Maximum time an agent or service allows for a - bind operation to complete' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' - DESC 'An agent or service does or should follow referrals' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' - DESC 'Identifies the types of authentication methods either - used, required, or provided by a service or peer' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' - DESC 'Time to live, in seconds, before a profile is - considered stale' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' - DESC 'Attribute mappings used, required, or supported by an - agent or service' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' - DESC 'Identifies type of credentials either used, required, - or supported by an agent or service' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' - DESC 'Object class mappings used, required, or supported by - an agent or service' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' - DESC 'Default scope used when performing a search' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' - DESC 'Specifies the type of credentials either used, required, - or supported by a specific service' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' - DESC 'Specifies search descriptors required, used, or - supported by a particular service or agent' - EQUALITY caseExactMatch - SUBSTR caseExactSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 
'serviceAuthenticationMethod' - DESC 'Specifies types authentication methods either - used, required, or supported by a particular service' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - X-ORIGIN 'RFC4876' ) -add:attributeTypes: - ( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases' - DESC 'Specifies if a service or agent either requires, - supports, or uses dereferencing of aliases.' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE - X-ORIGIN 'RFC4876' ) -add:objectClasses: - ( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile' - SUP top STRUCTURAL - DESC 'Abstraction of a base configuration for a DUA' - MUST ( cn ) - MAY ( defaultServerList $ preferredServerList $ - defaultSearchBase $ defaultSearchScope $ - searchTimeLimit $ bindTimeLimit $ - credentialLevel $ authenticationMethod $ - followReferrals $ dereferenceAliases $ - serviceSearchDescriptor $ serviceCredentialLevel $ - serviceAuthenticationMethod $ objectclassMap $ - attributeMap $ profileTTL ) - X-ORIGIN 'RFC4876' ) diff --git a/install/updates/automount.update b/install/updates/automount.update deleted file mode 100644 index c89d583ae..000000000 --- a/install/updates/automount.update +++ /dev/null @@ -1,18 +0,0 @@ -# Add the default automount entries - -dn: cn=automount,$SUFFIX -add:objectClass: nsContainer -add:cn: automount - -dn: automountmapname=auto.master,cn=automount,$SUFFIX -add:objectClass: automountMap -add:automountMapName: auto.master - -dn: automountkey=/-,automountmapname=auto.master,cn=automount,$SUFFIX -add:objectClass: automount -add:automountKey: '/-' -add:automountInformation: auto.direct - -dn: automountmapname=auto.direct,cn=automount,$SUFFIX -add:objectClass: automountMap -add:automountMapName: auto.direct diff --git a/install/updates/groupofhosts.update b/install/updates/groupofhosts.update deleted file mode 100644 index fb39c5e25..000000000 --- a/install/updates/groupofhosts.update +++ /dev/null 
@@ -1,5 +0,0 @@
-dn: cn=hostgroups,cn=accounts,$SUFFIX
-add:objectClass: top
-add:objectClass: nsContainer
-add:cn: hostgroups
-
diff --git a/install/updates/indices.update b/install/updates/indices.update
deleted file mode 100644
index 3d0e42af6..000000000
--- a/install/updates/indices.update
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Some nss_ldap implementations will always ask for memberuid so we must
-# have an index for it.
-#
-dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberuid
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-default:nsIndexType: eq,pres
-
-dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberof
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-default:nsIndexType: eq
-
diff --git a/install/updates/netgroups.update b/install/updates/netgroups.update
deleted file mode 100644
index 0a8609e3e..000000000
--- a/install/updates/netgroups.update
+++ /dev/null
@@ -1,9 +0,0 @@
-# Add the default netgroup entries
-
-dn: cn=alt,$SUFFIX
-add:objectClass: nsContainer
-add:cn: alt
-
-dn: cn=ng,cn=alt,$SUFFIX
-add:objectClass: nsContainer
-add:cn: ng
diff --git a/install/updates/nss_ldap.update b/install/updates/nss_ldap.update
deleted file mode 100644
index e8c1e00f7..000000000
--- a/install/updates/nss_ldap.update
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Add profile for RFC 4876 agents (Solaris and HP/ux)
-#
-
-# Update the top-level entry
-dn: $SUFFIX
-add:objectClass: domain
-add:objectClass: domainRelatedObject
-add:objectClass: nisDomainObject
-add:associatedDomain: $DOMAIN
-add:nisDomain: $DOMAIN
-
-# Add a place to store the nss_ldap default profile
-dn: ou=profile,$SUFFIX
-add: objectClass: top
-add: objectClass: organizationalUnit
-add: ou: profiles
-
-# The DUA profile. On Solaris one can run:
-# ldap_client init ipa.example.com
-dn: cn=default,ou=profile,$SUFFIX
-default:ObjectClass: top
-default:ObjectClass: DUAConfigProfile
-default:defaultServerList: $FQDN
-default:defaultSearchBase: $SUFFIX
-default:authenticationMethod: none
-default:searchTimeLimit: 15
-default:cn: default
-default:serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
-default:serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
-default:bindTimeLimit: 5
-default:objectClassMap: shadow:shadowAccount=posixAccount
-default:followReferrals:TRUE
diff --git a/install/updates/policy.update b/install/updates/policy.update
deleted file mode 100644
index c3615d281..000000000
--- a/install/updates/policy.update
+++ /dev/null
@@ -1,44 +0,0 @@
-# bootstrap the policy DIT structure
-
-dn: cn=policies,$SUFFIX
-add: objectclass: nsContainer
-add: objectclass: ipaContainer
-add: cn: policies
-add: description: Root of the policy related sub tree
-
-dn: cn=configs,cn=policies,$SUFFIX
-add: objectclass: nsContainer
-add: objectclass: ipaContainer
-add: cn: configs
-add: description: Root of the sub tree that holds configuration policies for different applications
-
-dn: cn=applications,cn=configs,cn=policies,$SUFFIX
-add: objectclass: nsContainer
-add: objectclass: ipaContainer
-add: cn: applications
-add: description: Root of the tree that hold all definitions of the supported applications
-
-dn: cn=Shell Applications,cn=applications,cn=configs,cn=policies,$SUFFIX
-add: objectclass: nsContainer
-add: objectclass: ipaContainer
-add: cn: Shell Applications
-add: description: Shell Applications - special application that holds templates for actions
-
-dn: cn=roles,cn=policies,$SUFFIX
-add: objectclass: nsContainer
-add: objectclass: ipaContainer
-add: cn: roles
-add: description: Root of the sub tree that holds role management data
-
-dn: cn=policygroups,cn=configs,cn=policies,$SUFFIX
-add: objectclass: ipaContainer
-add: objectclass: ipaOrderedContainer
-add: cn: policygroups
-add: description: Sub tree to hold policy groups
-
-dn: cn=policylinks,cn=configs,cn=policies,$SUFFIX
-add: objectclass: ipaContainer
-add: objectclass: ipaOrderedContainer
-add: cn: policylinks
-add: description: Sub tree to hold policy links
-
diff --git a/install/updates/replication.update b/install/updates/replication.update
deleted file mode 100644
index 29823a6fa..000000000
--- a/install/updates/replication.update
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Counter used to store the next replica id
-#
-# Start at 3 to avoid conflicts with v1.0 replica ids. The value itself
-# isn't important but each replica needs a unique id.
-dn: cn=replication,cn=etc,$SUFFIX
-add: objectclass: nsDS5Replica
-add: nsDS5ReplicaId: 3
-add: nsDS5ReplicaRoot: '$SUFFIX'
diff --git a/install/updates/rolegroup.update b/install/updates/rolegroup.update
deleted file mode 100644
index ef8cd7890..000000000
--- a/install/updates/rolegroup.update
+++ /dev/null
@@ -1,5 +0,0 @@
-# Add the rolegroup container
-
-dn: cn=rolegroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:cn: rolegroups
diff --git a/install/updates/taskgroup.update b/install/updates/taskgroup.update
deleted file mode 100644
index a98960657..000000000
--- a/install/updates/taskgroup.update
+++ /dev/null
@@ -1,5 +0,0 @@
-# Add the taskgroup container
-
-dn: cn=taskgroups,cn=accounts,$SUFFIX
-add:objectClass: nsContainer
-add:cn: taskgroups
diff --git a/install/updates/winsync_index.update b/install/updates/winsync_index.update
deleted file mode 100644
index f24bdf8bd..000000000
--- a/install/updates/winsync_index.update
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Make sure winsync attributes have the correct indexing
-#
-
-dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
-dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
-- cgit