author | Sumit Bose <sbose@nb.localdomain> | 2008-12-09 13:14:22 +0100 |
---|---|---|
committer | Sumit Bose <sbose@nb.localdomain> | 2008-12-09 13:14:22 +0100 |
commit | f3a9fb68633d3c77225607bb45be7cd97e0217c5 (patch) | |
tree | 8e8a3cd542aef60ca951bb9353970e04f6bbbc74 /policy_dit.txt | |
parent | 73635bb1b32450a86c78866ed8c485cc1ce3a1de (diff) | |
download | ipa_policy-f3a9fb68633d3c77225607bb45be7cd97e0217c5.tar.gz ipa_policy-f3a9fb68633d3c77225607bb45be7cd97e0217c5.tar.xz ipa_policy-f3a9fb68633d3c77225607bb45be7cd97e0217c5.zip |
added example of the DS tree
Diffstat (limited to 'policy_dit.txt')
-rw-r--r-- | policy_dit.txt | 255 |
1 files changed, 255 insertions, 0 deletions
diff --git a/policy_dit.txt b/policy_dit.txt new file mode 100644 index 0000000..39e19c0 --- /dev/null +++ b/policy_dit.txt 
@@ -0,0 +1,255 @@ +dn: cn=policies_and_roles,... +| objectclass: +| cn: policies_and_roles, +| +\--- dn: cn=applications,... +| | objectclass: +| | cn: applications +| | # The "applications" object is just a container to store the +| | # containers for the policy templates of a specific application. +| | +| | +| | +| \--- dn: cn=sudo,... +| | | objectclass: +| | | cn: sudo +| | | description: sudo gives root priviledges for certain applications +| | | # This is an example of an application specific container for +| | | # policy templates, i.e. a schema file with corresponding +| | | # transformation file. In addition to the URLs of the files the +| | | # type of the policy is stored, too. This is important for the +| | | # UI/CLI. While config and action policies are explicitly linked +| | | # to hosts or group of hosts, role policies will be linked +| | | # implicitly by defining a relation between roles, users and +| | | # hosts. +| | | +| | \--- dn: nsuniqueid=9123751325,... +| | | objectclass: IPAPolicyTemplate +| | | nsuniqueid: 9123751325 +| | | cn: sudo_config_1 +| | | description: blahblah +| | | policytype: config +| | | schema: file:///var/lib/ipa/policy/sudo_config_1.rng +| | | transformation: file:///var/lib/ipa/policy/sudo_config_1.xslt +| | | +| | \--- dn: nsuniqueid=3124324214,... +| | objectclass: IPAPolicyTemplate +| | nsuniqueid: 3124324214 +| | description: yadayada +| | cn: sudo_config_2 +| | policytype: config +| | schema: file:///var/lib/ipa/policy/sudo_config_2.rng +| | transformation: file:///var/lib/ipa/policy/sudo_config_2.xslt +| | +| \--- dn: cn=IPAAction,... +| | | objectclass: +| | | cn: IPAAction +| | | description: Location of the generic policy template for action policies +| | | +| | \--- dn: nsuniqueid=0432412,... 
+| | objectclass: IPAPolicyTemplate +| | nsuniqueid: 0432412 +| | cn: IPAAction +| | description: Template for action policies +| | policytype: action +| | schema: file:///var/lib/ipa/policy/ipaaction.rng +| | transformation: file:///var/lib/ipa/policy/empty.xslt +| | +| \--- dn: cn=Application1,... +| | objectclass: +| | cn: Application1 +| | description: an application +| | +| \--- dn: nsuniqueid=324624365,... +| objectclass: IPAPolicyTemplate +| nsuniqueid: 324624365 +| description: An example of a role policy template +| cn: role_example_1 +| policytype: role +| schema: file:///var/lib/ipa/policy/role_example_1.rng +| transformation: file:///var/lib/ipa/policy/role_example_1.xslt +| +\--- dn: cn=policies,... +| | objectclass: +| | cn: policies +| | # The container "policies" is used to store the policy objects. +| | # These object mainly define a connection between the policy templates +| | # and the blobs containing the actual, user defined policies. But +| | # because of the importance of these objects and the necessity of +| | # some specific attributes we will not use the generic association +| | # object here, but the objectclass IPAPolicy. +| | +| \--- dn: nsuniqueid=943943594351,... +| | objectclass: IPAPolicy +| | nsuniqueid=943943594351 +| | description: A Sudo Policy +| | policytemplate: ldap://.../nsuniqueid=9123751325,... +| | # policytemplate links the policy to its template, this can be +| | # used to access the type of the policy for the UI or the schema +| | # file to validate the policy. +| | priority: 1 +| | # priority defines the priority of the policy with respect to +| | # the other policies from the same template. I would suggest to +| | # define 1 or 0 as the highest priority. This way you can easy +| | # add new policies to the end, i.e. with the lowest priority. +| | enabledPolicy: true +| | appliedPolicy: ldap://.../nsuniqueid=1324242,... 
+| | # this is the blob of the currently applied policy, single-value +| | # attribute +| | editedPolicy: ldap://.../nsuniqueid=6454235,... +| | # multi-value attribute with pointers to other versions of the +| | # blob. The idea is to store a lastChangeType with the blob to +| | # reflect the state of the blob: +| | # +| | # edited: last action was a change of the blob +| | # rolledback: blob was applied, but replaced by the latest +| | # 'superseded' one +| | # applied: the currently active blob +| | # superseded: blob was applied, but replaye by a newer version +| | # +| | # With this classification the following action are allowed: +| | # +| | # edit: edit a 'edited', 'rolledback' or 'superseded' policy. +| | # New state: edited. +| | # copy: create a new blob from any existing. New state: edited. +| | # apply: make an 'edited' blob 'applied'. Old 'applied' is now +| | # 'superseded'. +| | # rollback: make the lastest 'supersede' active. Old 'applied' +| | # is now 'rolledback'. +| | # +| | policyVersion: 11 +| | # version of the policy, updated every time appliedPolicy or +| | # priority change +| | +| \--- dn: nsuniqueid=3565435,... +| | objectclass: IPAPolicy +| | nsuniqueid=3565435 +| | description: Another Sudo Policy +| | policytemplate: ldap://.... +| | priority: 2 +| | enabledPolicy: true +| | appliedPolicy: ldap://..... +| | editedPolicy: ldap://............. +| | policyVersion: 16 +| | +| \--- dn: nsuniqueid=4555555,... +| | objectclass: IPAPolicy +| | nsuniqueid=4555555 +| | description: An example of a role policy +| | policytemplate: ldap://.../nsuniqueid=324624365,... +| | priority: 1 +| | enabledPolicy: true +| | appliedPolicy: ldap://.../nsuniqueid=3213122312,... +| | editedPolicy: ldap://.../nsuniqueid=,... +| | policyVersion: 12 +| | +| \--- dn: nsuniqueid=87887888,... +| objectclass: IPAPolicy +| nsuniqueid=87887888,... +| description: An example of an action policy +| policytemplate: ldap://.../nsuniqueid=0432412,... 
+| priority: 1 +| enabledPolicy: true +| appliedPolicy: ldap://.../nsuniqueid=2121332432,... +| editedPolicy: ldap://.../nsuniqueid=,... +| policyVersion: 16 +| +\--- dn: cn=policydata,... +| | objectclass: +| | cn: policydata +| | # policydata is a container for the compressed XML policy blobs +| | # together with some metadata. If the blob should not be stored in +| | # the DS an attribute like policyBlobUri can be used. +| | +| \--- dn: nsuniqueid=1324242,... +| | objectlass: IPAPolicyData +| | nsuniqueid: 1324242 +| | policyBlob: <base64> +| | lastChageBy: sbose +| | lastChanged: 4214425532 +| | lastChangeType: activated +| | policy: ldap://.../nsuniqueid=943943594351,... +| | +| \--- dn: nsuniqueid=6454235,... +| | objectlass: IPAPolicyData +| | nsuniqueid: 6454235 +| | policyBlob: <base64> +| | lastChageBy: sbose +| | lastChanged: 4214425532 +| | lastChangeType: superseded +| | policy: ldap://.../nsuniqueid=943943594351,... +| | +| \--- dn: nsuniqueid=3213122312,... +| | objectlass: IPAPolicyData +| | nsuniqueid: 3213122312 +| | policyBlob: <base64> +| | lastChageBy: sbose +| | lastChanged: 4214425532 +| | lastChangeType: activated +| | policy: ldap://.../nsuniqueid=4555555,... +| | +| \--- dn: nsuniqueid=2121332432,... +| objectlass: IPAPolicyData +| nsuniqueid: 2121332432 +| policyBlob: <base64> +| lastChageBy: sbose +| lastChanged: 4214425532 +| lastChangeType: activated +| policy: ldap://.../nsuniqueid=943943594351,... +| +\--- dn: cn=policy_and_role_links,... +| | objectclass: +| | cn: policy_and_role_links +| | # policy_and_role_links contains the policy links, i.e. the +| | # connection between policies and hosts. This example tries to use +| | # the generic ipaAssociation objectclass to make the connection. Here +| | # we have the attributes memberWho, memberWhat, memberWhere, +| | # memberContext, memberFrom and memberWhen. 
+| | # With respect to the mapping of policies to host the attribute +| | # memberWhere clearly will hold the hosts the policies should be +| | # applied to. For the policies I think memberWhat might be the best +| | # choice (What? apply this policy). +| | # When coming to role policies we have to include a list of users and +| | # groups, clearly memberWho, and the name of a role. While memberFrom +| | # and memberWhen does not seem to fit we still have memberContext for +| | # the name of the role. +| | # It would still be possible not to use ipaAssociation for this +| | # purpose, but a special IPAPolicyLink class together with an +| | # auxilary class to hold the additional attributes for role policies. +| | +| \--- dn: nsuniqueid=58958437,... +| | objectclass: ipaAssociation +| | nsuniqueid: 58958437 +| | memberWhere: ldap://..... # hosts and hostsgroups +| | memberWhat: ldap://.../nsuniqueid=943943594351,... # corresponding config or action policy +| | enabledFlag: true +| | description: Link a sudo policy and other policies to a number of hosts +| | +| \--- dn: nsuniqueid=435143511,... +| | objectclass: ipaAssociation +| | nsuniqueid: 435143511 +| | memberWhere: ldap://..... +| | memberWhat: ldap://.... +| | enabledFlag: true +| | description: Another policy link +| | +| \--- dn: nsuniqueid=59435949843,... +| | objectclass: ipaAssociation +| | nsuniqueid: 59435949843 +| | memberWhere: ldap://.... # hosts and hostsgroups +| | memberWhat: ldap://.../nsuniqueid=4555555,... # corresponding role policy +| | memberWho: ldap://.... # users and group +| | memberContext: ipa://rolenames/guest # name of the role +| | enabledFlag: true +| | description: A role relation +| | +| \--- dn: nsuniqueid=45324324,... +| objectclass: ipaAssociation +| nsuniqueid: 45324324 +| memberWhere: ldap://.... +| memberWhat: ldap://.../nsuniqueid=4555555,... +| memberWho: ldap://.... +| memberContext: ipa://rolename/author +| enabledFlag: false +| description: Another role relation +| |
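Review bot: the lastChangeType values used on the IPAPolicyData entries (nsuniqueid=1324242, 3213122312 and 2121332432 carry `lastChangeType: activated`) do not appear in the state list the same file defines on the first IPAPolicy entry (`edited`, `rolledback`, `applied`, `superseded`); either rename the blob state to `applied` or add `activated` to the list and say how it differs, otherwise the edit/copy/apply/rollback rules cannot be checked against the example. Related inconsistency in the same region: the blob nsuniqueid=2121332432 is the `appliedPolicy` of the action policy nsuniqueid=87887888 but its back-pointer reads `policy: ldap://.../nsuniqueid=943943594351,...`, i.e. the sudo policy; one of the two links is wrong. The attribute lines also need an LDIF pass: all four IPAPolicy entries write `nsuniqueid=943943594351` (RDN syntax, and `nsuniqueid=87887888,...` even keeps the trailing comma) where every other entry uses `nsuniqueid: ...`; every IPAPolicyData entry spells `objectlass` and `lastChageBy`; `memberContext` uses `ipa://rolenames/guest` in one link and `ipa://rolename/author` in the other. Since nsuniqueid is assigned by the directory server rather than chosen by the writer, it would also help the reader if the comment said these values are placeholders for server-generated ids. On the priority comment, "I would suggest to define 1 or 0 as the highest priority" should settle on one value so consumers can compare across templates. Finally, the `schema:` and `transformation:` attributes are `file:///var/lib/ipa/policy/...` URLs stored in the DS but consumed by UI/CLI and clients; a sentence on who is expected to resolve them and from which host would make the trust boundary of the validation step clear. Spelling while you are in there: `priviledges`, `replaye`, `lastest`, `supersede` (for superseded), `auxilary`.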