From c6ef39b2c04c7b09848226d7454c983924cbdfed Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 1 Feb 2011 11:57:18 -0500
Subject: Add new schema to store information about permissions.
There are some permissions we can't display because they are stored outside of the basedn (such as the replication permissions). We are adding a new attribute to store extra information to make this clear, in this case SYSTEM.
ticket 853
---
install/share/60basev2.ldif | 2 ++
install/share/delegation.ldif | 49 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
(limited to 'install')
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 7eb346b0..f5f7a656 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -13,6 +13,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY case
 attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
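Review bot: `DESC 'IPA Permission objectclass'` on the new ipaPermission objectClass records nothing about what the class is for, and because its only attribute is in MAY, an entry that carries the class but no ipaPermissionType is indistinguishable from one that was never tagged; the commit message is currently the only place the meaning of the flag is written down. Consider `DESC 'IPA permission entry; ipaPermissionType flags such as SYSTEM mark permissions whose ACI is stored outside the IPA suffix and cannot be displayed'` so the intent survives in the schema itself. The diffstat lists only the two LDIF files, so whatever creates permission entries at runtime is not touched here; entries created after install would lack the class and could not carry ipaPermissionType until that code also adds ipaPermission — presumably a follow-up, but worth confirming.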
@@ -23,6 +24,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to
 attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index e154f6b0..18d045d8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
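Review bot: The new ipaPermissionType attribute declares `SUBSTR caseIgnoreMatch`, which is an equality matching rule rather than a substring rule; the hostCategory and serviceCategory definitions two lines above in the same hunk use `SUBSTR caseIgnoreSubstringsMatch`. Depending on how strictly the directory server validates matching rules, substring filters on this attribute may be rejected or evaluated inconsistently, and the definition diverges from every other caseIgnore string attribute in this file. Change the added line to `attributeTypes: (2.16.840.1.113730.3.8.3.25 NAME 'ipaPermissionType' DESC 'IPA permission flags' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )`.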
@@ -147,6 +147,7 @@ dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -154,6 +155,7 @@ dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Change a user password
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -161,6 +163,7 @@ dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add user to default group
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -168,6 +171,7 @@ dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectclass: top
 objectclass: groupofnames
+objectClass: ipapermission
 cn: Unlock user accounts
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -176,6 +180,7 @@ dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -183,6 +188,7 @@ dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Users
 member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -192,6 +198,7 @@ dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -199,6 +206,7 @@ dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
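Review bot: Every delegation.ldif hunk, here and in all the following ones through the Certificate Remove Hold entry, adds `objectClass: ipapermission` to entries written with `changetype: add`, so the new class only reaches servers installed from this file; the diffstat names only the two share files, so nothing in this commit appears to add the class or the SYSTEM tag to permission entries on servers that are already deployed. If an upgrade path is intended it needs a separate `changetype: modify` with `add: objectClass` per permission (and `add: ipapermissiontype` for the replication ones), otherwise upgraded and freshly installed servers will disagree on which permissions are marked as system. Minor: the Unlock user accounts entry spells its existing attributes `objectclass:` while the inserted line uses `objectClass:`; LDAP does not care, but matching the entry's casing avoids the visual inconsistency.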
@@ -206,6 +214,7 @@ dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Groups
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -213,6 +222,7 @@ dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Group membership
 member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -222,6 +232,7 @@ dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -229,6 +240,7 @@ dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -236,6 +248,7 @@ dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hosts
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -245,6 +258,7 @@ dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -252,6 +266,7 @@ dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -259,6 +274,7 @@ dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroups
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -266,6 +282,7 @@ dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Hostgroup membership
 member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -275,6 +292,7 @@ dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -282,6 +300,7 @@ dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -289,6 +308,7 @@ dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Services
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -298,6 +318,7 @@ dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -305,6 +326,7 @@ dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -312,6 +334,7 @@ dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Roles
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -319,6 +342,7 @@ dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Role membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -326,6 +350,7 @@ dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify privilege membership
 member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 
@@ -335,6 +360,7 @@ dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -342,6 +368,7 @@ dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount maps
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -349,6 +376,7 @@ dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -356,6 +384,7 @@ dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Automount keys
 member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -365,6 +394,7 @@ dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -372,6 +402,7 @@ dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -379,6 +410,7 @@ dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroups
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -386,6 +418,7 @@ dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify netgroup membership
 member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -395,6 +428,7 @@ dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage host keytab
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -403,6 +437,7 @@ dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Manage service keytab
 member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
@@ -415,6 +450,7 @@ dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Enroll a host
 member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
@@ -425,21 +461,27 @@ dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Add Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Modify Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Remove Replication Agreements
+ipapermissiontype: SYSTEM
 member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 # Entitlement management
@@ -448,6 +490,7 @@ dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: addentitlements
 description: Add Entitlements
 member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
@@ -619,6 +662,7 @@ dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Retrieve Certificates from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -638,6 +682,7 @@ dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
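Review bot: `ipapermissiontype: SYSTEM` is added only to the three Replication Agreements entries in the first hunk, and nothing in delegation.ldif says why these three are special or what SYSTEM means to a consumer; under the new schema the value is free-form caseIgnore text, so a misspelled tag elsewhere would silently produce an ordinary, untagged permission rather than an error. A comment above the first entry, e.g. `# SYSTEM: the ACI for this permission is stored outside $SUFFIX, so the permission cannot be displayed; this entry only records the privilege link`, would keep the meaning next to the data. The `member:` lines are kept on all three entries, so as far as this diff shows SYSTEM changes how the permission is presented, not what the Replication Administrators privilege is granted.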
@@ -657,6 +702,7 @@ dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Request Certificates from a different host
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -676,6 +722,7 @@ dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Get Certificates status from the CA
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -695,6 +742,7 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Revoke Certificate
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
@@ -714,6 +762,7 @@ dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
+objectClass: ipapermission
 cn: Certificate Remove Hold
 member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 
-- cgit