On Mon, Nov 22, 2010 at 07:18:42PM +0000, JR Aquino wrote: > On 11/18/10 3:11 PM, "Dmitri Pal" <d...@redhat.com> wrote: > >JR Aquino wrote: > >> The IPA SudoRule Structure has largely been based off of what we are > >>doing > >> today with HBAC. > >> > >> HBAC does not distinguish between memberGroup or memberNetgroup... Its > >> simply, memberHost and memberUser for both HBAC and IPASudoRules. > >> > >> Also, when HBAC or IPASudoRules add a member, there is no resulting > >> 'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup, > >> hostgroup, command group, etc... Whereas, if you add a host to a > >> hostgroup, the host ends up with a pointer referring back to the > >> hostgroup. I believe this was done to provide referential integrity.
No problem. References to memberOf were there before mainly to try to cover unusual cases, but they can be dropped so long as people aren't going to go around adding memberOf values just for kicks. > >Nalin is working on a solution to this. We do not need to modify schema. > >Instead he is adding code to make checks on the object type and have a > >way to transform the value in different ways based on this check. > > Excellent! > > I'll retest as soon as the new patch is available! Attached. You'll need the current snapshot of slapi-nis in order to get functionality that the new configuration patch depends on. Cheers, Nalin
>From 96e6467b20c69051147ed1dc9d7023169cce7c7e Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai <na...@redhat.com> Date: Tue, 23 Nov 2010 15:38:40 -0500 Subject: [PATCH] - fix quoting of netgroup entries - use newer slapi-nis functionality to produce cn=sudoers - drop the real cn=sudoers container --- install/share/bootstrap-template.ldif | 6 ----- install/share/schema_compat.uldif | 35 ++++++++++++++++++++++++++++++-- ipa.spec.in | 2 +- 3 files changed, 33 insertions(+), 10 deletions(-) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 7946526..283d226 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -64,12 +64,6 @@ objectClass: top objectClass: nsContainer cn: sudorules -dn: cn=SUDOers,$SUFFIX -changetype: add -objectClass: nsContainer -objectClass: top -cn: SUDOers - dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif index 22e3141..d74a9c0 100644 --- a/install/share/schema_compat.uldif +++ b/install/share/schema_compat.uldif @@ -56,14 +56,43 @@ add:cn: ng add:schema-compat-container-group: 'cn=compat, $SUFFIX' add:schema-compat-container-rdn: cn=ng add:schema-compat-check-access: yes -add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX' -add:schema-compat-search-filter: !(cn=ng) +add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX' +add:schema-compat-search-filter: (objectclass=ipaNisNetgroup) add:schema-compat-entry-rdn: cn=%{cn} add:schema-compat-entry-attribute: objectclass=nisNetgroup add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")' add:schema-compat-entry-attribute: 'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")' -add:schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-}) +add:schema-compat-entry-attribute: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' + +dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config +add:objectClass: top +add:objectClass: extensibleObject +add:cn: sudoers +add:schema-compat-container-group: 'cn=sudoers, $SUFFIX' +add:schema-compat-search-base: 'cn=sudorules, $SUFFIX' +add:schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) +add:schema-compat-entry-rdn: cn=%{cn} +add:schema-compat-entry-attribute: objectclass=sudoRole +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_rf(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' +add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}' +add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}' +add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' +add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}' # Enable anonymous VLV browsing for Solaris dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )' + diff --git a/ipa.spec.in b/ipa.spec.in index 5a3ea2b..ab47535 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -91,7 +91,7 @@ Requires: libcap Requires: selinux-policy %endif Requires(post): selinux-policy-base -Requires: slapi-nis >= 0.15 +Requires: slapi-nis >= 0.21 Requires: pki-ca >= 1.3.6 Requires: pki-silent >= 1.3.4 -- 1.7.3.2
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel