# Changelog: after the call 2008-12-04 I've made the following changes:
# - introduced a 'uniqueName' attribute for all objects with nsuniqueid as
#   RDN. So far this attribute does not exist in a common schema, maybe we
#   should call it ipaUniqueName if we define it ourselves.
# - introduced policygroups
# - renamed cn=IPAAction,cn=applications,... to cn=allApps,cn=applications,...

dn: cn=policies_and_roles,...
|   objectclass:
|   cn: policies_and_roles
|
|   \--- dn: cn=applications,...
|   |   objectclass:
|   |   cn: applications
|   |   # The "applications" object is just a container to store the
|   |   # containers for the policy templates of a specific application.
|   |
|   |   \--- dn: cn=sudo,...
|   |   |   objectclass:
|   |   |   cn: sudo
|   |   |   description: sudo gives root privileges for certain applications
|   |   |   # This is an example of an application specific container for
|   |   |   # policy templates, i.e. a schema file with corresponding
|   |   |   # transformation file. In addition to the URLs of the files the
|   |   |   # type of the policy is stored, too. This is important for the
|   |   |   # UI/CLI. While config and action policies are explicitly linked
|   |   |   # to hosts or groups of hosts, role policies will be linked
|   |   |   # implicitly by defining a relation between roles, users and
|   |   |   # hosts.
|   |   |
|   |   |   \--- dn: nsuniqueid=9123751325,...
|   |   |   |   objectclass: IPAPolicyTemplate
|   |   |   |   nsuniqueid: 9123751325
|   |   |   |   uniqueName: sudo_config_1
|   |   |   |   description: blahblah
|   |   |   |   policytype: config
|   |   |   |   schema: file:///var/lib/ipa/policy/sudo_config_1.rng
|   |   |   |   transformation: file:///var/lib/ipa/policy/sudo_config_1.xslt
|   |   |   |
|   |   |   \--- dn: nsuniqueid=3124324214,...
|   |   |   |   objectclass: IPAPolicyTemplate
|   |   |   |   nsuniqueid: 3124324214
|   |   |   |   uniqueName: sudo_config_2
|   |   |   |   description: yadayada
|   |   |   |   policytype: config
|   |   |   |   schema: file:///var/lib/ipa/policy/sudo_config_2.rng
|   |   |   |   transformation: file:///var/lib/ipa/policy/sudo_config_2.xslt
|   |   |
|   |   \--- dn: cn=allApps,...
|   |   |   objectclass:
|   |   |   cn: allApps
|   |   |   description: Location of the generic policy template for action policies and maybe other templates which are valid for all applications
|   |   |
|   |   |   \--- dn: nsuniqueid=0432412,...
|   |   |   |   objectclass: IPAPolicyTemplate
|   |   |   |   nsuniqueid: 0432412
|   |   |   |   uniqueName: IPAAction
|   |   |   |   description: Template for action policies
|   |   |   |   policytype: action
|   |   |   |   schema: file:///var/lib/ipa/policy/ipaaction.rng
|   |   |   |   transformation: file:///var/lib/ipa/policy/empty.xslt
|   |   |
|   |   \--- dn: cn=Application1,...
|   |   |   objectclass:
|   |   |   cn: Application1
|   |   |   description: an application
|   |   |
|   |   |   \--- dn: nsuniqueid=324624365,...
|   |   |   |   objectclass: IPAPolicyTemplate
|   |   |   |   nsuniqueid: 324624365
|   |   |   |   uniqueName: role_example_1
|   |   |   |   description: An example of a role policy template
|   |   |   |   policytype: role
|   |   |   |   schema: file:///var/lib/ipa/policy/role_example_1.rng
|   |   |   |   transformation: file:///var/lib/ipa/policy/role_example_1.xslt
|
|   \--- dn: cn=policygroups,...
|   |   objectclass:
|   |   cn: policygroups
|   |   # A policy group is a collection of one or more policies which can be
|   |   # associated as a whole with a host or a group of hosts. Besides this,
|   |   # another reason to introduce policy groups is delegation. With the
|   |   # proposed structure it is easy to set ACIs and delegate the
|   |   # administration.
|   |   # To define an order if more than one policy group is assigned to a
|   |   # host we use an order attribute holding the nsuniqueids of all policy
|   |   # groups.
|   |   order: nsuniqueid=..., nsuniqueid=..., nsuniqueid=...
|   |   # Each policy group will have an order attribute, too. This is used to
|   |   # give a priority to the policies in the policy group.
|   |
|   |   \--- dn: nsuniqueid=90093212,...
|   |   |   objectclass: ipaPolicyGroup
|   |   |   nsuniqueid: 90093212
|   |   |   uniqueName: Example_PolGrp
|   |   |   description: this is an example of a policy group
|   |   |   order: nsuniqueid=..., nsuniqueid=..., nsuniqueid=...
|   |   |   enabledPolicyGroup: true
|   |   |   allowedTemplate: nsuniqueid=
|   |   |   allowedTemplate: nsuniqueid=
|   |   |   allowedTemplate: nsuniqueid=
|   |   |   # allowedTemplate is a multi-value attribute where the
|   |   |   # administrator can list policy templates which are allowed to
|   |   |   # be added to the policy group. This restriction should be
|   |   |   # checked by the UI/CLI and by the client, too.
|   |   |   # The policies belonging to a policy group will be stored as
|   |   |   # children of the policy group object:
|   |   |
|   |   |   \--- dn: nsuniqueid=943943594351,...
|   |   |   |   objectclass: IPAPolicy
|   |   |   |   nsuniqueid: 943943594351
|   |   |   |   uniqueName: sudoPolicy_1
|   |   |   |   description: A Sudo Policy
|   |   |   |   policytemplate: ldap://.../nsuniqueid=9123751325,...
|   |   |   |   # policytemplate links the policy to its template; this can be
|   |   |   |   # used to access the type of the policy for the UI or the schema
|   |   |   |   # file to validate the policy.
|   |   |   |   priority: 1
|   |   |   |   # priority defines the priority of the policy with respect to
|   |   |   |   # the other policies from the same template. I would suggest to
|   |   |   |   # define 1 or 0 as the highest priority. This way you can easily
|   |   |   |   # add new policies to the end, i.e. with the lowest priority.
|   |   |   |   enabledPolicy: true
|   |   |   |   appliedPolicy: ldap://.../nsuniqueid=1324242,...
|   |   |   |   # this is the blob of the currently applied policy, single-value
|   |   |   |   # attribute
|   |   |   |   editedPolicy: ldap://.../nsuniqueid=6454235,...
|   |   |   |   # multi-value attribute with pointers to other versions of the
|   |   |   |   # blob. The idea is to store a lastChangeType with the blob to
|   |   |   |   # reflect the state of the blob:
|   |   |   |   #
|   |   |   |   # edited: last action was a change of the blob
|   |   |   |   # rolledback: blob was applied, but replaced by the latest
|   |   |   |   #   'superseded' one
|   |   |   |   # applied: the currently active blob
|   |   |   |   # superseded: blob was applied, but replaced by a newer version
|   |   |   |   #
|   |   |   |   # With this classification the following actions are allowed:
|   |   |   |   #
|   |   |   |   # edit: edit an 'edited', 'rolledback' or 'superseded' policy.
|   |   |   |   #   New state: edited.
|   |   |   |   # copy: create a new blob from any existing one. New state: edited.
|   |   |   |   # apply: make an 'edited' blob 'applied'. Old 'applied' is now
|   |   |   |   #   'superseded'.
|   |   |   |   # rollback: make the latest 'superseded' active. Old 'applied'
|   |   |   |   #   is now 'rolledback'.
|   |   |   |   #
|   |   |   |   policyVersion: 11
|   |   |   |   # version of the policy, updated every time appliedPolicy or
|   |   |   |   # priority change
|   |   |   |
|   |   |   |   \--- dn: nsuniqueid=1324242,...
|   |   |   |   |   # I still do not see the necessity for an extra blob object.
|   |   |   |   |   # What do you think about this: make policyBlob a MAY attribute
|   |   |   |   |   # and policyBlobUrl a MUST. If the blob is stored in the DS
|   |   |   |   |   # policyBlobUrl will point to itself?
|   |   |   |   |   #
|   |   |   |   |   objectclass: IPAPolicyData
|   |   |   |   |   nsuniqueid: 1324242
|   |   |   |   |   uniqueName: sudoPolicyData_1
|   |   |   |   |   policyBlobUrl: ldap://.../nsuniqueid=1324242,...
|   |   |   |   |   policyBlob:
|   |   |   |   |   lastChangeBy: sbose
|   |   |   |   |   lastChanged: 4214425532
|   |   |   |   |   lastChangeType: activated
|   |   |   |   |
|   |   |   |   \--- dn: nsuniqueid=6454235,...
|   |   |   |   |   objectclass: IPAPolicyData
|   |   |   |   |   nsuniqueid: 6454235
|   |   |   |   |   uniqueName: sudoPolicyData_2
|   |   |   |   |   policyBlobUrl: ldap://.../nsuniqueid=6454235,...
|   |   |   |   |   policyBlob:
|   |   |   |   |   lastChangeBy: sbose
|   |   |   |   |   lastChanged: 4214425532
|   |   |   |   |   lastChangeType: superseded
|   |   |   |
|   |   |   \--- dn: nsuniqueid=3565435,...
|   |   |   |   objectclass: IPAPolicy
|   |   |   |   nsuniqueid: 3565435
|   |   |   |   uniqueName: sudoPolicy_2
|   |   |   |   description: Another Sudo Policy
|   |   |   |   policytemplate: ldap://....
|   |   |   |   priority: 2
|   |   |   |   enabledPolicy: true
|   |   |   |   appliedPolicy: ldap://.....
|   |   |   |   editedPolicy: ldap://.............
|   |   |   |   policyVersion: 16
|   |   |   |
|   |   |   \--- dn: nsuniqueid=4555555,...
|   |   |   |   objectclass: IPAPolicy
|   |   |   |   nsuniqueid: 4555555
|   |   |   |   uniqueName: app1_role1
|   |   |   |   description: An example of a role policy
|   |   |   |   policytemplate: ldap://.../nsuniqueid=324624365,...
|   |   |   |   priority: 1
|   |   |   |   enabledPolicy: true
|   |   |   |   appliedPolicy: ldap://.../nsuniqueid=3213122312,...
|   |   |   |   editedPolicy: ldap://.../nsuniqueid=,...
|   |   |   |   policyVersion: 12
|   |   |   |
|   |   |   |   \--- dn: nsuniqueid=3213122312,...
|   |   |   |   |   objectclass: IPAPolicyData
|   |   |   |   |   nsuniqueid: 3213122312
|   |   |   |   |   uniqueName: role_data_4_app1
|   |   |   |   |   policyBlobUrl: ldap://.../nsuniqueid=3213122312,...
|   |   |   |   |   policyBlob:
|   |   |   |   |   lastChangeBy: sbose
|   |   |   |   |   lastChanged: 4214425532
|   |   |   |   |   lastChangeType: activated
|   |   |   |
|   |   |   \--- dn: nsuniqueid=87887888,...
|   |   |   |   objectclass: IPAPolicy
|   |   |   |   nsuniqueid: 87887888
|   |   |   |   uniqueName: app2_action1
|   |   |   |   description: An example of an action policy
|   |   |   |   policytemplate: ldap://.../nsuniqueid=0432412,...
|   |   |   |   priority: 1
|   |   |   |   enabledPolicy: true
|   |   |   |   appliedPolicy: ldap://.../nsuniqueid=2121332432,...
|   |   |   |   editedPolicy: ldap://.../nsuniqueid=,...
|   |   |   |   policyVersion: 16
|   |   |   |
|   |   |   |   \--- dn: nsuniqueid=2121332432,...
|   |   |   |   |   objectclass: IPAPolicyData
|   |   |   |   |   nsuniqueid: 2121332432
|   |   |   |   |   uniqueName: action1_app2
|   |   |   |   |   policyBlobUrl: ldap://.../nsuniqueid=2121332432,...
|   |   |   |   |   policyBlob:
|   |   |   |   |   lastChangeBy: sbose
|   |   |   |   |   lastChanged: 4214425532
|   |   |   |   |   lastChangeType: activated
|
|   \--- dn: cn=policylinks,...
|   |   objectclass:
|   |   cn: policylinks
|   |   # policylinks contains the policy links, i.e. the
|   |   # connection between policy groups and hosts. This example uses
|   |   # the objectclass ipaPolicyLink which is an extension of the generic
|   |   # ipaAssociation objectclass.
|   |
|   |   \--- dn: nsuniqueid=58958437,...
|   |   |   objectclass: ipaPolicyLink
|   |   |   nsuniqueid: 58958437
|   |   |   uniqueName: link_sudo_1
|   |   |   memberWhere: ldap://.....   # hosts and hostgroups
|   |   |   memberPolicyGroup: ldap://.../nsuniqueid=943943594351,...   # corresponding config or action policy
|   |   |   enabledFlag: true
|   |   |   description: Link a sudo policy and other policies to a number of hosts
|   |   |
|   |   \--- dn: nsuniqueid=435143511,...
|   |   |   objectclass: ipaPolicyLink
|   |   |   nsuniqueid: 435143511
|   |   |   uniqueName: link_sudo_2
|   |   |   memberWhere: ldap://.....
|   |   |   memberPolicyGroup: ldap://....
|   |   |   enabledFlag: true
|   |   |   description: Another policy link
|
|   \--- dn: cn=roleRelations,...
|   |   objectclass:
|   |   cn: roleRelations
|   |   # This container will store the individual role relations of a role
|   |   # policy. The role policies in the policy groups have to be accessed
|   |   # separately, because in general it might not be desirable to have a
|   |   # common relation for all role policies in a policy group.
|   |   # By role relation we mean the association between a user and its role,
|   |   # with respect to a role policy/an application on a specific host.
|   |   # The objectclass ipaRoleRelation is used here which is an extension of
|   |   # the generic ipaAssociation.
|   |
|   |   \--- dn: nsuniqueid=59435949843,...
|   |   |   objectclass: ipaRoleRelation
|   |   |   nsuniqueid: 59435949843
|   |   |   uniqueName: role_relation_4_app1
|   |   |   memberWhere: ldap://....   # hosts and hostgroups
|   |   |   memberRolePolicy: ldap://.../nsuniqueid=4555555,...   # corresponding role policy
|   |   |   memberWho: ldap://....   # users and groups
|   |   |   memberRole: ipa://rolenames/guest   # name of the role
|   |   |   enabledFlag: true
|   |   |   description: A role relation
|   |   |
|   |   \--- dn: nsuniqueid=45324324,...
|   |   |   objectclass: ipaRoleRelation
|   |   |   nsuniqueid: 45324324
|   |   |   uniqueName: role2_relation_4_app1
|   |   |   memberWhere: ldap://....
|   |   |   memberRolePolicy: ldap://.../nsuniqueid=4555555,...
|   |   |   memberWho: ldap://....
|   |   |   memberRole: ipa://rolename/author
|   |   |   enabledFlag: false
|   |   |   description: Another role relation
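The blob lifecycle described under editedPolicy (edit/copy/apply/rollback driving lastChangeType, with policyVersion bumped on every change of appliedPolicy), the allowedTemplate restriction on a policy group and the priority ordering of policies, worked through as an added example in Python. It is not part of this design note and not FreeIPA code: LDAP entries are modelled as plain Python objects whose field names mirror the attributes in the tree, the example nsuniqueids from the tree are reused as constructed ids, and the blobs ("sudo-config-v1") and the user "sbose" are constructed sample values. The four state names follow the comment block above, not the "activated" value written in the sample IPAPolicyData entries.

```python
"""Added example, not FreeIPA code: the blob lifecycle and policy-group checks of the DIT
above, with entries as Python objects; every id, blob and user name is a constructed sample."""
import itertools
from dataclasses import dataclass, field

# lastChangeType transitions listed in the tree: edit ('edited'|'rolledback'|'superseded'
# -> 'edited'), copy (any -> new 'edited'), apply ('edited' -> 'applied', old 'applied'
# -> 'superseded'), rollback (latest 'superseded' -> 'applied', old 'applied' -> 'rolledback')
_seq = itertools.count(1)                  # sequence number standing in for lastChanged
class PolicyError(Exception): pass         # action not allowed in the current state

@dataclass
class PolicyData:                          # one IPAPolicyData entry
    nsuniqueid: str
    policyBlob: str
    lastChangeType: str
    lastChanged: int
    lastChangeBy: str

@dataclass
class Policy:                              # one IPAPolicy entry
    nsuniqueid: str
    policytemplate: str                    # nsuniqueid of the IPAPolicyTemplate
    priority: int                          # 1 = highest; new policies go to the end
    appliedPolicy: "str | None" = None     # single-value: the active blob
    editedPolicy: list = field(default_factory=list)   # multi-value: other versions
    policyVersion: int = 0                 # bumped whenever appliedPolicy changes
    data: dict = field(default_factory=dict)           # nsuniqueid -> PolicyData

    def copy(self, src_uid: str, new_uid: str, who: str) -> None:
        self.data[new_uid] = PolicyData(new_uid, self.data[src_uid].policyBlob, "edited", next(_seq), who)
        self.editedPolicy.append(new_uid)

    def edit(self, uid: str, blob: str, who: str) -> None:
        d = self.data[uid]
        if d.lastChangeType not in ("edited", "rolledback", "superseded"):
            raise PolicyError(f"cannot edit a blob in state {d.lastChangeType!r}")
        d.policyBlob, d.lastChangeType = blob, "edited"
        d.lastChangeBy, d.lastChanged = who, next(_seq)

    def _activate(self, uid: str, old_state: str) -> None:
        # retire the active blob into old_state, make uid 'applied', bump the version
        if self.appliedPolicy is not None:
            old = self.data[self.appliedPolicy]
            old.lastChangeType, old.lastChanged = old_state, next(_seq)
            self.editedPolicy.append(self.appliedPolicy)
        self.editedPolicy.remove(uid)
        self.appliedPolicy = uid
        self.data[uid].lastChangeType, self.data[uid].lastChanged = "applied", next(_seq)
        self.policyVersion += 1

    def apply(self, uid: str) -> None:
        if self.data[uid].lastChangeType != "edited":
            raise PolicyError("only an 'edited' blob can be applied")
        self._activate(uid, "superseded")

    def rollback(self) -> None:
        superseded = [self.data[u] for u in self.editedPolicy
                      if self.data[u].lastChangeType == "superseded"]
        if not superseded:
            raise PolicyError("no superseded blob to roll back to")
        self._activate(max(superseded, key=lambda d: d.lastChanged).nsuniqueid, "rolledback")

@dataclass
class PolicyGroup:                         # one ipaPolicyGroup entry
    nsuniqueid: str
    allowedTemplate: set                   # template nsuniqueids admitted to this group
    policies: dict = field(default_factory=dict)

    def add_policy(self, p: Policy) -> None:
        # the allowedTemplate restriction the tree wants checked by UI/CLI and client
        if p.policytemplate not in self.allowedTemplate:
            raise PolicyError(f"template {p.policytemplate} not allowed in {self.nsuniqueid}")
        self.policies[p.nsuniqueid] = p

    def active_blobs(self) -> list:
        # (policy id, blob) of every policy with an applied blob, priority 1 first
        return [(p.nsuniqueid, p.data[p.appliedPolicy].policyBlob)
                for p in sorted(self.policies.values(), key=lambda p: p.priority)
                if p.appliedPolicy is not None]

def demo() -> dict:
    # one policy through apply, copy+edit, apply, rollback, then two refused actions
    p = Policy("943943594351", policytemplate="9123751325", priority=1)
    p.data["1324242"] = PolicyData("1324242", "sudo-config-v1", "edited", 0, "sbose")
    p.editedPolicy.append("1324242")
    p.apply("1324242")                     # version 1, 1324242 is 'applied'
    p.copy("1324242", "6454235", "sbose")  # a new 'edited' blob from the active one
    p.edit("6454235", "sudo-config-v2", "sbose")
    p.apply("6454235")                     # version 2, 1324242 is 'superseded'
    p.rollback()                           # version 3, 1324242 is active again
    grp = PolicyGroup("90093212", allowedTemplate={"9123751325"})
    grp.add_policy(p)
    refused = 0
    for bad in (lambda: p.edit("1324242", "x", "sbose"),             # the active blob
                lambda: grp.add_policy(Policy("1", "0432412", 2))):  # template not allowed
        try: bad()
        except PolicyError: refused += 1
    return {"applied": p.appliedPolicy, "version": p.policyVersion,
            "states": {u: d.lastChangeType for u, d in p.data.items()},
            "active": grp.active_blobs(), "refused": refused}
```

Running demo() walks sudoPolicy_1 through the allowed transitions: the first apply gives policyVersion 1, the copy-and-edit-then-apply gives version 2 and marks the first blob 'superseded', and rollback gives version 3 with the first blob 'applied' again and the second 'rolledback'. The two refused actions are the ones the tree forbids: editing the currently 'applied' blob, and adding a policy whose template (here the IPAAction template 0432412) is not in the group's allowedTemplate list. Both refusals are enforced in the model so that a client reading the group cannot rely on the UI/CLI alone, which is the double check the tree asks for.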