author | Alexander Bokovoy <abokovoy@redhat.com> | 2016-06-06 11:51:05 +0300 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2016-06-10 13:39:02 +0200 |
commit | b506fd178edbf1553ca581c44ac6697f88ead125 (patch) | |
tree | 54c63c4644cd83468e736623ed9a7563337037b9 /install/updates | |
parent | a0f953e0ff89900d9767df3e6ed868ae662616b4 (diff) | |
adtrust: support GSSAPI authentication to LDAP as Active Directory user
In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.
This allows users to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.
Part of https://fedorahosted.org/freeipa/ticket/2149
Part of https://fedorahosted.org/freeipa/ticket/3242
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/20-idoverride_index.update | 19 | ||||
-rw-r--r-- | install/updates/71-idviews-sasl-mapping.update | 8 | ||||
-rw-r--r-- | install/updates/Makefile.am | 2 |
3 files changed, 29 insertions, 0 deletions
diff --git a/install/updates/20-idoverride_index.update b/install/updates/20-idoverride_index.update
new file mode 100644
index 000000000..bfc9c6e23
--- /dev/null
+++ b/install/updates/20-idoverride_index.update
@@ -0,0 +1,19 @@
+#
+# Make sure ID override attributes have the correct indexing
+#
+
+dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
+
+dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
diff --git a/install/updates/71-idviews-sasl-mapping.update b/install/updates/71-idviews-sasl-mapping.update
new file mode 100644
index 000000000..cc19c43f4
--- /dev/null
+++ b/install/updates/71-idviews-sasl-mapping.update
@@ -0,0 +1,8 @@
+dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
+default:cn: ID Overridden Principal
+default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
+default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
+default:nsSaslMapPriority: 20
+default:nsSaslMapRegexString: \(.*\)@\(.*\)
+default:objectClass: top
+default:objectClass: nsSaslMapping
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 737a8bbbd..fde69175c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -21,6 +21,7 @@ app_DATA = \
 20-syncrepl.update \
 20-user_private_groups.update \
 20-winsync_index.update \
+ 20-idoverride_index.update \
 20-uuid.update \
 21-replicas_container.update \
 21-ca_renewal_container.update \
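Review bot: The second entry in 20-idoverride_index.update, `dn: cn=ipaAnchorUUID,cn=index,...`, carries `default:cn: ipaOriginalUid`, which looks copied from the first entry and leaves its cn out of step with its own RDN. It should read `default:cn: ipaAnchorUUID`. As written the anchor index may end up mis-defined or with a stray second cn value, depending on how the server reconciles the RDN with the supplied attribute; either way lookups by `ipaAnchorUUID` are what this entry is meant to serve.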
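Review bot: In 71-idviews-sasl-mapping.update the filter template `(&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))` makes `ipaOriginalUid` the attribute that decides which override entry a GSSAPI bind is mapped to, and the new file has no comment recording that. Since the commit message expects admins to delegate override attributes through self-service permissions, anyone granted write access to `ipaOriginalUid` under `cn=default trust view` could presumably redirect which entry a principal binds as; the ACIs are not part of this diff, so that should be confirmed. I would add a header comment such as `# ipaOriginalUid selects the bind identity for this mapping; never include it in a self-service permission`. Separately, `\(.*\)@\(.*\)` matches every principal containing `@`, so how `nsSaslMapPriority: 20` orders this entry against the existing mappings (not shown here) deserves a check.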
@@ -53,6 +54,7 @@ app_DATA = \
 61-trusts-s4u2proxy.update \
 62-ranges.update \
 71-idviews.update \
+ 71-idviews-sasl-mapping.update \
 72-domainlevels.update \
 73-custodia.update \
 73-winsync.update \ |