author | Rob Crittenden <rcritten@redhat.com> | 2009-03-23 15:20:43 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-03-25 11:03:07 -0400 |
commit | c00281a9f9c3f79fb88ff8537d941394fee09ca2 (patch) | |
tree | 019c8f72200e78b58699afe327f8f212898d659a /install | |
parent | d6814f3aae1e3af371eaf9d10ae37bfee464015a (diff) | |
Name update files so they can be easily sorted.
We want to process some updates in a particular order (schema, structural).
Using an init-inspired ordering mechanism.
Diffstat (limited to 'install')
-rw-r--r-- | install/updates/10-RFC2307bis.update (renamed from install/updates/RFC2307bis.update) | 8 | ||||
-rw-r--r-- | install/updates/10-RFC4876.update (renamed from install/updates/RFC4876.update) | 16 | ||||
-rw-r--r-- | install/updates/20-dna.update | 3 | ||||
-rw-r--r-- | install/updates/20-indices.update (renamed from install/updates/indices.update) | 0 | ||||
-rw-r--r-- | install/updates/20-nss_ldap.update (renamed from install/updates/nss_ldap.update) | 0 | ||||
-rw-r--r-- | install/updates/20-replication.update (renamed from install/updates/replication.update) | 0 | ||||
-rw-r--r-- | install/updates/20-winsync_index.update (renamed from install/updates/winsync_index.update) | 0 | ||||
-rw-r--r-- | install/updates/30-automount.update (renamed from install/updates/automount.update) | 0 | ||||
-rw-r--r-- | install/updates/30-groupofhosts.update (renamed from install/updates/groupofhosts.update) | 0 | ||||
-rw-r--r-- | install/updates/30-netgroups.update (renamed from install/updates/netgroups.update) | 0 | ||||
-rw-r--r-- | install/updates/30-policy.update (renamed from install/updates/policy.update) | 0 | ||||
-rw-r--r-- | install/updates/30-rolegroup.update (renamed from install/updates/rolegroup.update) | 1 | ||||
-rw-r--r-- | install/updates/30-taskgroup.update (renamed from install/updates/taskgroup.update) | 0 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 124 | ||||
-rw-r--r-- | install/updates/Makefile.am | 26 | ||||
-rw-r--r-- | install/updates/README | 8 |
16 files changed, 162 insertions, 24 deletions
diff --git a/install/updates/RFC2307bis.update b/install/updates/10-RFC2307bis.update
index 1ddebc1a..afb17bbf 100644
--- a/install/updates/RFC2307bis.update
+++ b/install/updates/10-RFC2307bis.update
@@ -47,8 +47,8 @@ add:attributeTypes: add:objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'nisKeyObject' SUP top - MUST ( cn $ nisPublickey $ nisSecretkey ) - MAY ( uidNumber $ description ) ) + MUST ( cn $$ nisPublickey $$ nisSecretkey ) + MAY ( uidNumber $$ description ) ) add:objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject' SUP top AUXILIARY
@@ -57,9 +57,9 @@ add:objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'mailGroup' SUP top MUST ( mail ) - MAY ( cn $ mgrpRFC822MailMember ) ) + MAY ( cn $$ mgrpRFC822MailMember ) ) add:objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC 'nisNetId' SUP top MUST ( cn ) - MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) ) + MAY ( nisNetIdUser $$ nisNetIdGroup $$ nisNetIdHost ) )
diff --git a/install/updates/RFC4876.update b/install/updates/10-RFC4876.update
index 5a372c20..c743b4bc 100644
--- a/install/updates/RFC4876.update
+++ b/install/updates/10-RFC4876.update
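Review bot: The trailing context line of the first RFC2307bis hunk defines `nisDomainObject` with OID `1.3.1.6.1.1.1.2.15`, which looks like a transposition of `1.3.6.1.1.1.2.15` (the neighbouring `nisKeyObject` is `1.3.6.1.1.1.2.14`). The line is not changed by this commit, so confirm it against the schema already deployed before correcting it. The switch from `$` to `$$` here and in the 10-RFC4876.update hunk is presumably there to stop the schema separators being read as template variables such as `$SUFFIX`, but nothing in the files says so. A header comment such as `# A literal $ must be written as $$ because update files go through variable substitution` would keep a later schema author from reintroducing a bare `$`. The object-class definitions begin and end outside the hunks.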
@@ -135,12 +135,12 @@ add:objectClasses: SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) - MAY ( defaultServerList $ preferredServerList $ - defaultSearchBase $ defaultSearchScope $ - searchTimeLimit $ bindTimeLimit $ - credentialLevel $ authenticationMethod $ - followReferrals $ dereferenceAliases $ - serviceSearchDescriptor $ serviceCredentialLevel $ - serviceAuthenticationMethod $ objectclassMap $ - attributeMap $ profileTTL ) + MAY ( defaultServerList $$ preferredServerList $$ + defaultSearchBase $$ defaultSearchScope $$ + searchTimeLimit $$ bindTimeLimit $$ + credentialLevel $$ authenticationMethod $$ + followReferrals $$ dereferenceAliases $$ + serviceSearchDescriptor $$ serviceCredentialLevel $$ + serviceAuthenticationMethod $$ objectclassMap $$ + attributeMap $$ profileTTL ) X-ORIGIN 'RFC4876' )
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
new file mode 100644
index 00000000..b83a3703
--- /dev/null
+++ b/install/updates/20-dna.update
@@ -0,0 +1,3 @@
+# Enable the DNA plugin
+dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:nsslapd-pluginEnabled: on
diff --git a/install/updates/indices.update b/install/updates/20-indices.update
index 3d0e42af..3d0e42af 100644
--- a/install/updates/indices.update
+++ b/install/updates/20-indices.update
diff --git a/install/updates/nss_ldap.update b/install/updates/20-nss_ldap.update
index e8c1e00f..e8c1e00f 100644
--- a/install/updates/nss_ldap.update
+++ b/install/updates/20-nss_ldap.update
diff --git a/install/updates/replication.update b/install/updates/20-replication.update
index 29823a6f..29823a6f 100644
--- a/install/updates/replication.update
+++ b/install/updates/20-replication.update
diff --git a/install/updates/winsync_index.update b/install/updates/20-winsync_index.update
index f24bdf8b..f24bdf8b 100644
--- a/install/updates/winsync_index.update
+++ b/install/updates/20-winsync_index.update
diff --git a/install/updates/automount.update b/install/updates/30-automount.update
index c89d583a..c89d583a 100644
--- a/install/updates/automount.update
+++ b/install/updates/30-automount.update
diff --git a/install/updates/groupofhosts.update b/install/updates/30-groupofhosts.update
index fb39c5e2..fb39c5e2 100644
--- a/install/updates/groupofhosts.update
+++ b/install/updates/30-groupofhosts.update
diff --git a/install/updates/netgroups.update b/install/updates/30-netgroups.update
index 0a8609e3..0a8609e3 100644
--- a/install/updates/netgroups.update
+++ b/install/updates/30-netgroups.update
diff --git a/install/updates/policy.update b/install/updates/30-policy.update
index c3615d28..c3615d28 100644
--- a/install/updates/policy.update
+++ b/install/updates/30-policy.update
diff --git a/install/updates/rolegroup.update b/install/updates/30-rolegroup.update
index ef8cd789..1417167d 100644
--- a/install/updates/rolegroup.update
+++ b/install/updates/30-rolegroup.update
@@ -3,3 +3,4 @@ dn: cn=rolegroups,cn=accounts,$SUFFIX add:objectClass: nsContainer add:cn: rolegroups +
diff --git a/install/updates/taskgroup.update b/install/updates/30-taskgroup.update
index a9896065..a9896065 100644
--- a/install/updates/taskgroup.update
+++ b/install/updates/30-taskgroup.update
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
new file mode 100644
index 00000000..307fb8cd
--- /dev/null
+++ b/install/updates/40-delegation.update
@@ -0,0 +1,124 @@
+# Add the default roles
+
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: helpdesk
+add:description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: useradmin
+add:description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: groupadmin
+add:description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: hostadmin
+add:description: Host Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: delegationadmin
+add:description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: serviceadmin
+add:description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: automountadmin
+add:description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: netgroupadmin
+add:description: Netgroups Administrators
+
+dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:objectClass: nestedgroup
+add:cn: useradmins
+add:description: User Administrators
+
+# Add the taskgroups referenced by the ACIs for user administration
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:objectClass: top
+add:cn: taskgroups
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: addusers
+add:description: Add Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: change_password
+add:description: Change a user password
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: add_user_to_default_group
+add:description: Add user to default group
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: removeusers
+add:description: Remove Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: modifyusers
+add:description: Modify Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACIs that grant these permissions for user administration
+
+dn: $SUFFIX
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
+ ,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
+ te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+ ";)
+add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
+ te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
+ ,$SUFFIX";)
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
+ askgroups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials
+ || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
+ umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
+ manager || secretary || description || carLicense || labeledURI || inetUserHT
+ TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
+ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
+ s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX";)
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 68e93b4f..4b49cb1b 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -2,18 +2,20 @@ NULL = appdir = $(IPA_DATA_DIR)/updates app_DATA = \ - automount.update \ - groupofhosts.update \ - indices.update \ - nss_ldap.update \ - replication.update \ - RFC2307bis.update \ - RFC4876.update \ - netgroups.update \ - policy.update \ - rolegroup.update \ - taskgroup.update \ - winsync_index.update \ + 10-RFC2307bis.update \ + 10-RFC4876.update \ + 20-dna.update \ + 20-indices.update \ + 20-nss_ldap.update \ + 20-replication.update \ + 20-winsync_index.update \ + 30-automount.update \ + 30-groupofhosts.update \ + 30-netgroups.update \ + 30-policy.update \ + 30-rolegroup.update \ + 30-taskgroup.update \ + 40-delegation.update \ $(NULL) EXTRA_DIST = \
diff --git a/install/updates/README b/install/updates/README
new file mode 100644
index 00000000..064c6159
--- /dev/null
+++ b/install/updates/README
@@ -0,0 +1,8 @@
+The update files are sorted before being processed because there are
+cases where order matters (such as getting schema added first, creating
+parent entries, etc).
+
+10 - 20: Schema
+20 - 30: FDS Configuration, new indices
+30 - 40: Structual elements of the DIT
+40 - 50: Pre-loaded data
|
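Review bot: The "change_password" ACI in 40-delegation.update has a `targetattr` list but no `target`, so, placed on `dn: $SUFFIX`, it appears to let members of `cn=change_password` write `userPassword` and `krbPrincipalKey` on every entry under the suffix rather than only on ordinary user entries. Unless that breadth is intended, scope it like the "Add Users" and "Remove Users" rules with `(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")`, and decide whether administrator accounts should be excluded, since a delegated role that can reset an administrator's password can take that account over. Separately, the "Modify Users" ACI names `groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX"` while the group is created at `cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX`; without `cn=accounts` the rule refers to a group this file never creates, so the permission would not be granted. The file also creates both `cn=useradmin` and `cn=useradmins` with the same description, and only the latter is a member of the task groups, so a comment saying which one to populate would prevent misassignment.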