On Mon, Nov 22, 2010 at 07:18:42PM +0000, JR Aquino wrote:
> On 11/18/10 3:11 PM, "Dmitri Pal" <d...@redhat.com> wrote:
> >JR Aquino wrote:
> >> The IPA SudoRule Structure has largely been based off of what we are
> >> doing today with HBAC.
> >>
> >> HBAC does not distinguish between memberGroup or memberNetgroup... It's
> >> simply, memberHost and memberUser for both HBAC and IPASudoRules.
> >>
> >> Also, when HBAC or IPASudoRules add a member, there is no resulting
> >> 'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup,
> >> hostgroup, command group, etc...  Whereas, if you add a host to a
> >> hostgroup, the host ends up with a pointer referring back to the
> >> hostgroup.  I believe this was done to provide referential integrity.

No problem.  References to memberOf were there before mainly to try to
cover unusual cases, but they can be dropped so long as people aren't
going to go around adding memberOf values just for kicks.

> >Nalin is working on a solution to this. We do not need to modify schema.
> >Instead he is adding code to make checks on the object type and have a
> >way to transform the value in different ways based on this check.
> 
> Excellent!
> 
> I'll retest as soon as the new patch is available!

Attached.  You'll need the current snapshot of slapi-nis in order to get
functionality that the new configuration patch depends on.

Cheers,

Nalin
From 96e6467b20c69051147ed1dc9d7023169cce7c7e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <na...@redhat.com>
Date: Tue, 23 Nov 2010 15:38:40 -0500
Subject: [PATCH] - fix quoting of netgroup entries
 - use newer slapi-nis functionality to produce cn=sudoers
 - drop the real cn=sudoers container

---
 install/share/bootstrap-template.ldif |    6 -----
 install/share/schema_compat.uldif     |   35 ++++++++++++++++++++++++++++++--
 ipa.spec.in                           |    2 +-
 3 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/install/share/bootstrap-template.ldif 
b/install/share/bootstrap-template.ldif
index 7946526..283d226 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,12 +64,6 @@ objectClass: top
 objectClass: nsContainer
 cn: sudorules
 
-dn: cn=SUDOers,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: SUDOers
-
 dn: cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
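Review bot: removing `dn: cn=SUDOers,$SUFFIX` from bootstrap-template.ldif only keeps the real container off fresh installs; a server that was set up before this change still has that entry, while the new Schema Compatibility configuration wants to present a virtual tree at the same DN (`schema-compat-container-group: 'cn=sudoers, $SUFFIX'`), so this hunk should be paired with an upgrade step that deletes the existing real container, or the commit message should state that upgraded servers have to remove it by hand. The DN itself is unchanged for clients (cn matching is case-insensitive), only the backing store moves from a static entry to the plugin.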
diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif
index 22e3141..d74a9c0 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -56,14 +56,43 @@ add:cn: ng
 add:schema-compat-container-group: 'cn=compat, $SUFFIX'
 add:schema-compat-container-rdn: cn=ng
 add:schema-compat-check-access: yes
-add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX'
-add:schema-compat-search-filter: !(cn=ng)
+add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX'
+add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
 add:schema-compat-entry-rdn: cn=%{cn}
 add:schema-compat-entry-attribute: objectclass=nisNetgroup
 add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'
 add:schema-compat-entry-attribute: 
'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")'
-add:schema-compat-entry-attribute: 
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
+add:schema-compat-entry-attribute: 
'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})'
+
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add:objectClass: top
+add:objectClass: extensibleObject
+add:cn: sudoers
+add:schema-compat-container-group: 'cn=sudoers, $SUFFIX'
+add:schema-compat-search-base: 'cn=sudorules, $SUFFIX'
+add:schema-compat-search-filter: 
(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
+add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-attribute: objectclass=sudoRole
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_rf(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
+add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
+add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
+add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
+add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'
 
 # Enable anonymous VLV browsing for Solaris
 dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
 only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow 
(read, search, compare, proxy) userdn = "ldap:///anyone";; )'
+
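Review bot: the two sudoRunAs lines at the end of the new cn=sudoers entry dereference the same ipaSudoRunAs attribute with no object-class filter, `'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'` and `'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'`. A user entry also carries a cn, so when ipaSudoRunAs points at a user the second line emits that user's cn as a sudoRunAsGroup and the generated sudoRole gets a group that was never configured; the group case only works because group entries have no uid. Use the filtered form this hunk already uses for sudoUser, for example `%deref_f("ipaSudoRunAs","(objectclass=posixAccount)","uid")` and `%deref_f("ipaSudoRunAs","(objectclass=posixGroup)","cn")`. Second point: the cn=ng entry above keeps `schema-compat-check-access: yes`, but the cn=sudoers entry has no such line, so the virtual sudoRole entries are returned without the plugin checking the bound client's access to the underlying ipaSudoRule entries; if unauthenticated sudo lookups are the intent, say so in the commit message, otherwise add the same setting. Minor: the hunk also appends a trailing blank line at the end of the file.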
diff --git a/ipa.spec.in b/ipa.spec.in
index 5a3ea2b..ab47535 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -91,7 +91,7 @@ Requires: libcap
 Requires: selinux-policy
 %endif
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.15
+Requires: slapi-nis >= 0.21
 Requires: pki-ca >= 1.3.6
 Requires: pki-silent >= 1.3.4
 
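Review bot: the floor `Requires: slapi-nis >= 0.21` has to be the first slapi-nis release that actually ships the %deref_f, %deref_rf, %ifeq and %% functions the new schema_compat.uldif relies on; the cover mail says a current snapshot is needed, so if 0.21 is not released yet the dependency cannot be satisfied from packages, and the commit message should name which slapi-nis feature set the bump corresponds to so the floor can be checked when it is.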
-- 
1.7.3.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel