author    Sumit Bose <sbose@nb.localdomain>  2008-12-09 13:14:22 +0100
committer Sumit Bose <sbose@nb.localdomain>  2008-12-09 13:14:22 +0100
commit    f3a9fb68633d3c77225607bb45be7cd97e0217c5 (patch)
tree      8e8a3cd542aef60ca951bb9353970e04f6bbbc74 /policy_dit.txt
parent    73635bb1b32450a86c78866ed8c485cc1ce3a1de (diff)
added example of the DS tree
Diffstat (limited to 'policy_dit.txt')
-rw-r--r--  policy_dit.txt  255
1 files changed, 255 insertions, 0 deletions
diff --git a/policy_dit.txt b/policy_dit.txt
new file mode 100644
index 0000000..39e19c0
--- /dev/null
+++ b/policy_dit.txt
@@ -0,0 +1,255 @@
+dn: cn=policies_and_roles,...
+| objectclass:
+| cn: policies_and_roles,
+|
+\--- dn: cn=applications,...
+| | objectclass:
+| | cn: applications
+| | # The "applications" object is just a container to store the
+| | # containers for the policy templates of a specific application.
+| |
+| |
+| |
+| \--- dn: cn=sudo,...
+| | | objectclass:
+| | | cn: sudo
+| | | description: sudo gives root priviledges for certain applications
+| | | # This is an example of an application specific container for
+| | | # policy templates, i.e. a schema file with corresponding
+| | | # transformation file. In addition to the URLs of the files the
+| | | # type of the policy is stored, too. This is important for the
+| | | # UI/CLI. While config and action policies are explicitly linked
+| | | # to hosts or group of hosts, role policies will be linked
+| | | # implicitly by defining a relation between roles, users and
+| | | # hosts.
+| | |
+| | \--- dn: nsuniqueid=9123751325,...
+| | | objectclass: IPAPolicyTemplate
+| | | nsuniqueid: 9123751325
+| | | cn: sudo_config_1
+| | | description: blahblah
+| | | policytype: config
+| | | schema: file:///var/lib/ipa/policy/sudo_config_1.rng
+| | | transformation: file:///var/lib/ipa/policy/sudo_config_1.xslt
+| | |
+| | \--- dn: nsuniqueid=3124324214,...
+| | objectclass: IPAPolicyTemplate
+| | nsuniqueid: 3124324214
+| | description: yadayada
+| | cn: sudo_config_2
+| | policytype: config
+| | schema: file:///var/lib/ipa/policy/sudo_config_2.rng
+| | transformation: file:///var/lib/ipa/policy/sudo_config_2.xslt
+| |
+| \--- dn: cn=IPAAction,...
+| | | objectclass:
+| | | cn: IPAAction
+| | | description: Location of the generic policy template for action policies
+| | |
+| | \--- dn: nsuniqueid=0432412,...
+| | objectclass: IPAPolicyTemplate
+| | nsuniqueid: 0432412
+| | cn: IPAAction
+| | description: Template for action policies
+| | policytype: action
+| | schema: file:///var/lib/ipa/policy/ipaaction.rng
+| | transformation: file:///var/lib/ipa/policy/empty.xslt
+| |
+| \--- dn: cn=Application1,...
+| | objectclass:
+| | cn: Application1
+| | description: an application
+| |
+| \--- dn: nsuniqueid=324624365,...
+| objectclass: IPAPolicyTemplate
+| nsuniqueid: 324624365
+| description: An example of a role policy template
+| cn: role_example_1
+| policytype: role
+| schema: file:///var/lib/ipa/policy/role_example_1.rng
+| transformation: file:///var/lib/ipa/policy/role_example_1.xslt
+|
+\--- dn: cn=policies,...
+| | objectclass:
+| | cn: policies
+| | # The container "policies" is used to store the policy objects.
+| | # These object mainly define a connection between the policy templates
+| | # and the blobs containing the actual, user defined policies. But
+| | # because of the importance of these objects and the necessity of
+| | # some specific attributes we will not use the generic association
+| | # object here, but the objectclass IPAPolicy.
+| |
+| \--- dn: nsuniqueid=943943594351,...
+| | objectclass: IPAPolicy
+| | nsuniqueid=943943594351
+| | description: A Sudo Policy
+| | policytemplate: ldap://.../nsuniqueid=9123751325,...
+| | # policytemplate links the policy to its template, this can be
+| | # used to access the type of the policy for the UI or the schema
+| | # file to validate the policy.
+| | priority: 1
+| | # priority defines the priority of the policy with respect to
+| | # the other policies from the same template. I would suggest to
+| | # define 1 or 0 as the highest priority. This way you can easy
+| | # add new policies to the end, i.e. with the lowest priority.
+| | enabledPolicy: true
+| | appliedPolicy: ldap://.../nsuniqueid=1324242,...
+| | # this is the blob of the currently applied policy, single-value
+| | # attribute
+| | editedPolicy: ldap://.../nsuniqueid=6454235,...
+| | # multi-value attribute with pointers to other versions of the
+| | # blob. The idea is to store a lastChangeType with the blob to
+| | # reflect the state of the blob:
+| | #
+| | # edited: last action was a change of the blob
+| | # rolledback: blob was applied, but replaced by the latest
+| | # 'superseded' one
+| | # applied: the currently active blob
+| | # superseded: blob was applied, but replaye by a newer version
+| | #
+| | # With this classification the following action are allowed:
+| | #
+| | # edit: edit a 'edited', 'rolledback' or 'superseded' policy.
+| | # New state: edited.
+| | # copy: create a new blob from any existing. New state: edited.
+| | # apply: make an 'edited' blob 'applied'. Old 'applied' is now
+| | # 'superseded'.
+| | # rollback: make the lastest 'supersede' active. Old 'applied'
+| | # is now 'rolledback'.
+| | #
+| | policyVersion: 11
+| | # version of the policy, updated every time appliedPolicy or
+| | # priority change
+| |
+| \--- dn: nsuniqueid=3565435,...
+| | objectclass: IPAPolicy
+| | nsuniqueid=3565435
+| | description: Another Sudo Policy
+| | policytemplate: ldap://....
+| | priority: 2
+| | enabledPolicy: true
+| | appliedPolicy: ldap://.....
+| | editedPolicy: ldap://.............
+| | policyVersion: 16
+| |
+| \--- dn: nsuniqueid=4555555,...
+| | objectclass: IPAPolicy
+| | nsuniqueid=4555555
+| | description: An example of a role policy
+| | policytemplate: ldap://.../nsuniqueid=324624365,...
+| | priority: 1
+| | enabledPolicy: true
+| | appliedPolicy: ldap://.../nsuniqueid=3213122312,...
+| | editedPolicy: ldap://.../nsuniqueid=,...
+| | policyVersion: 12
+| |
+| \--- dn: nsuniqueid=87887888,...
+| objectclass: IPAPolicy
+| nsuniqueid=87887888,...
+| description: An example of an action policy
+| policytemplate: ldap://.../nsuniqueid=0432412,...
+| priority: 1
+| enabledPolicy: true
+| appliedPolicy: ldap://.../nsuniqueid=2121332432,...
+| editedPolicy: ldap://.../nsuniqueid=,...
+| policyVersion: 16
+|
+\--- dn: cn=policydata,...
+| | objectclass:
+| | cn: policydata
+| | # policydata is a container for the compressed XML policy blobs
+| | # together with some metadata. If the blob should not be stored in
+| | # the DS an attribute like policyBlobUri can be used.
+| |
+| \--- dn: nsuniqueid=1324242,...
+| | objectlass: IPAPolicyData
+| | nsuniqueid: 1324242
+| | policyBlob: <base64>
+| | lastChageBy: sbose
+| | lastChanged: 4214425532
+| | lastChangeType: activated
+| | policy: ldap://.../nsuniqueid=943943594351,...
+| |
+| \--- dn: nsuniqueid=6454235,...
+| | objectlass: IPAPolicyData
+| | nsuniqueid: 6454235
+| | policyBlob: <base64>
+| | lastChageBy: sbose
+| | lastChanged: 4214425532
+| | lastChangeType: superseded
+| | policy: ldap://.../nsuniqueid=943943594351,...
+| |
+| \--- dn: nsuniqueid=3213122312,...
+| | objectlass: IPAPolicyData
+| | nsuniqueid: 3213122312
+| | policyBlob: <base64>
+| | lastChageBy: sbose
+| | lastChanged: 4214425532
+| | lastChangeType: activated
+| | policy: ldap://.../nsuniqueid=4555555,...
+| |
+| \--- dn: nsuniqueid=2121332432,...
+| objectlass: IPAPolicyData
+| nsuniqueid: 2121332432
+| policyBlob: <base64>
+| lastChageBy: sbose
+| lastChanged: 4214425532
+| lastChangeType: activated
+| policy: ldap://.../nsuniqueid=943943594351,...
+|
+\--- dn: cn=policy_and_role_links,...
+| | objectclass:
+| | cn: policy_and_role_links
+| | # policy_and_role_links contains the policy links, i.e. the
+| | # connection between policies and hosts. This example tries to use
+| | # the generic ipaAssociation objectclass to make the connection. Here
+| | # we have the attributes memberWho, memberWhat, memberWhere,
+| | # memberContext, memberFrom and memberWhen.
+| | # With respect to the mapping of policies to host the attribute
+| | # memberWhere clearly will hold the hosts the policies should be
+| | # applied to. For the policies I think memberWhat might be the best
+| | # choice (What? apply this policy).
+| | # When coming to role policies we have to include a list of users and
+| | # groups, clearly memberWho, and the name of a role. While memberFrom
+| | # and memberWhen does not seem to fit we still have memberContext for
+| | # the name of the role.
+| | # It would still be possible not to use ipaAssociation for this
+| | # purpose, but a special IPAPolicyLink class together with an
+| | # auxilary class to hold the additional attributes for role policies.
+| |
+| \--- dn: nsuniqueid=58958437,...
+| | objectclass: ipaAssociation
+| | nsuniqueid: 58958437
+| | memberWhere: ldap://..... # hosts and hostsgroups
+| | memberWhat: ldap://.../nsuniqueid=943943594351,... # corresponding config or action policy
+| | enabledFlag: true
+| | description: Link a sudo policy and other policies to a number of hosts
+| |
+| \--- dn: nsuniqueid=435143511,...
+| | objectclass: ipaAssociation
+| | nsuniqueid: 435143511
+| | memberWhere: ldap://.....
+| | memberWhat: ldap://....
+| | enabledFlag: true
+| | description: Another policy link
+| |
+| \--- dn: nsuniqueid=59435949843,...
+| | objectclass: ipaAssociation
+| | nsuniqueid: 59435949843
+| | memberWhere: ldap://.... # hosts and hostsgroups
+| | memberWhat: ldap://.../nsuniqueid=4555555,... # corresponding role policy
+| | memberWho: ldap://.... # users and group
+| | memberContext: ipa://rolenames/guest # name of the role
+| | enabledFlag: true
+| | description: A role relation
+| |
+| \--- dn: nsuniqueid=45324324,...
+| objectclass: ipaAssociation
+| nsuniqueid: 45324324
+| memberWhere: ldap://....
+| memberWhat: ldap://.../nsuniqueid=4555555,...
+| memberWho: ldap://....
+| memberContext: ipa://rolename/author
+| enabledFlag: false
+| description: Another role relation
+|
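Review bot: the lastChangeType values in the IPAPolicyData entries do not match the state machine documented on the first IPAPolicy entry: the comment there defines the states edited, rolledback, applied and superseded, and the apply/rollback actions are described in terms of an 'applied' blob, but three of the four example blobs (nsuniqueid=1324242, 3213122312 and 2121332432) carry `lastChangeType: activated`, so code implementing the documented rollback would find no 'applied' blob to demote; either use `applied` in the example data or add 'activated' to the state list. Smaller consistency problems in the same hunk, which matter because this file is meant as the reference DIT for implementers: the four IPAPolicy entries write the RDN attribute as `nsuniqueid=943943594351` (likewise 3565435, 4555555 and `nsuniqueid=87887888,...`) instead of `nsuniqueid: 943943594351`, which is the form used by every other entry and the only one that is valid LDIF; all IPAPolicyData entries spell `objectlass:` and `lastChageBy:`; the back-reference `policy: ldap://.../nsuniqueid=943943594351,...` on the nsuniqueid=2121332432 blob points at the sudo policy although that blob is the appliedPolicy of the action policy nsuniqueid=87887888; and the role links use `ipa://rolenames/guest` in one entry and `ipa://rolename/author` in the other, so the namespace should be settled on one spelling. Typos worth fixing in the comments: 'priviledges', 'replaye', 'lastest', 'supersede' (for 'superseded') and 'auxilary'.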