Hi,

this patch enables SASL mapping fallback in the IPA DS instance, see <https://fedorahosted.org/freeipa/ticket/3330>. Automated replication recovery and external user mapping are not part of the patch.

In order to test this, you need 389-ds-base 1.3.1 packages with patches from <https://fedorahosted.org/389/ticket/534> including the last patch, which is not yet in git.

Honza

--
Jan Cholasta
>From 2e16ca6a5c8c60f59bd8cb4e5eb75bb51ca0fa03 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 22 Mar 2013 11:15:51 +0100
Subject: [PATCH] Enable SASL mapping fallback.

Assign a priority of 10 to the SASL mappings IPA creates.

https://fedorahosted.org/freeipa/ticket/3330
---
 freeipa.spec.in                          |  8 ++++++--
 install/share/Makefile.am                |  1 +
 install/share/sasl-mapping-fallback.ldif |  4 ++++
 install/updates/10-config.update         | 10 ++++++++++
 ipaserver/install/dsinstance.py          |  4 ++++
 ipaserver/install/krbinstance.py         |  5 +++--
 6 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 install/share/sasl-mapping-fallback.ldif

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1a39064..11f1abc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -19,7 +19,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.0
+BuildRequires:  389-ds-base-devel >= 1.3.1
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
@@ -86,7 +86,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.0
+Requires: 389-ds-base >= 1.3.1
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
@@ -769,6 +769,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Fri Mar 22 2013 Jan Cholasta <jchol...@redhat.com> - 3.0.99-15
+- Bump minimum version of 389-ds-base to 1.3.1 for SASL mapping priority
+  support.
+
 * Tue Jan 29 2013 Petr Viktorin <pvikt...@redhat.com> - 3.0.99-14
 - Use ipa-ldap-updater --quiet instead of redirecting to /dev/null
 
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index f8f9b74..20bf99f 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -62,6 +62,7 @@ app_DATA =				\
 	replica-s4u2proxy.ldif		\
 	copy-schema-to-ca.py		\
 	upload-cacert.ldif		\
+	sasl-mapping-fallback.ldif	\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/sasl-mapping-fallback.ldif b/install/share/sasl-mapping-fallback.ldif
new file mode 100644
index 0000000..ef7f1cc
--- /dev/null
+++ b/install/share/sasl-mapping-fallback.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-sasl-mapping-fallback
+nsslapd-sasl-mapping-fallback: on
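Review bot: The new LDIF flips a server-wide bind-policy switch without any comment saying what it changes or why it is safe for IPA, so the next reader has to dig up ticket 3330 and 389 ticket 534 to learn that, with fallback on, a mapping whose search finds no entry no longer fails the bind but lets lower-priority mappings be tried. That also means any mapping an administrator adds later presumably joins that chain, ordered by nsSaslMapPriority, which is worth stating at the point where fallback is turned on. A header comment such as `# With fallback on, a SASL mapping that matches but finds no entry lets the next mapping (by nsSaslMapPriority) be tried instead of failing the bind. See https://fedorahosted.org/freeipa/ticket/3330` would cover it; the exact semantics should be confirmed against the 389-ds-base 1.3.1 behaviour before wording it as fact.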
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index e377689..c631b2c 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -47,3 +47,13 @@ only:nsslapd-minssf-exclude-rootdse:on
 # POSIX winsync plugin
 dn: cn=ipa-winsync,cn=plugins,cn=config
 only: nsslapd-pluginPrecedence: 60
+
+# Enable SASL mapping fallback
+dn: cn=config
+only:nsslapd-sasl-mapping-fallback: on
+
+dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
+addifnew:nsSaslMapPriority: 10
+
+dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
+addifnew:nsSaslMapPriority: 10
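Review bot: The literal priority 10 appears here twice and again in krbinstance.py with nothing tying them together, so a later change to one place can silently leave fresh installs and upgraded servers with different mapping orders; a comment such as `# Must match the nsSaslMapPriority set in ipaserver/install/krbinstance.py` above the two addifnew entries would at least make the coupling visible. Note also that `only:` on nsslapd-sasl-mapping-fallback re-asserts `on` at every update run, so an administrator who deliberately turned fallback off has it re-enabled without notice; if that is intended it deserves a comment, and if not `addifnew:` would respect the local value. Finally, the existing line at L91 writes `only: nsslapd-pluginPrecedence: 60` with a space after the keyword while the new line omits it; both styles already exist in this file, but matching the neighbouring entry keeps the block consistent.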
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c744c9c..02c1e02 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -211,6 +211,7 @@ class DsInstance(service.Service):
         self.step("configuring certmap.conf", self.__certmap_conf)
         self.step("configure autobind for root", self.__root_autobind)
         self.step("configure new location for managed entries", self.__repoint_managed_entries)
+        self.step("enable SASL mapping fallback", self.__enable_sasl_mapping_fallback)
         self.step("restarting directory server", self.__restart_instance)
 
     def __common_post_setup(self):
@@ -617,6 +618,9 @@ class DsInstance(service.Service):
     def __enable_ldapi(self):
         self._ldap_mod("ldapi.ldif", self.sub_dict)
 
+    def __enable_sasl_mapping_fallback(self):
+        self._ldap_mod("sasl-mapping-fallback.ldif", self.sub_dict)
+
     def add_hbac(self):
         self._ldap_mod("default-hbac.ldif", self.sub_dict)
 
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 51c5427..9a73a5c 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -280,6 +280,7 @@ class KrbInstance(service.Service):
             nsSaslMapRegexString=['\(.*\)@\(.*\)'],
             nsSaslMapBaseDNTemplate=[self.suffix],
             nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
+            nsSaslMapPriority=['10'],
         )
         self.admin_conn.add_entry(entry)
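Review bot: `nsSaslMapPriority=['10']` is a bare literal that is repeated for the second mapping below and again in install/updates/10-config.update, so the three places that must agree on the priority have no shared definition. A module-level constant, e.g. `SASL_MAP_PRIORITY = '10'` with a one-line comment that the update file must use the same value, and `nsSaslMapPriority=[SASL_MAP_PRIORITY]` here, makes the coupling explicit and gives the value a name that explains why it is not the server default. The enclosing method begins before this hunk, so the constant would go at module scope outside the visible lines.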
 
@@ -291,8 +292,8 @@ class KrbInstance(service.Service):
             cn=["Name Only"],
             nsSaslMapRegexString=['^[^:@]+$'],
             nsSaslMapBaseDNTemplate=[self.suffix],
-            nsSaslMapFilterTemplate=[
-                '(krbPrincipalName=&@%s)' % self.realm],
+            nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
+            nsSaslMapPriority=['10'],
         )
         self.admin_conn.add_entry(entry)
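Review bot: Both IPA mappings now get the same priority, and nothing in this hunk says whether the server defines an order between equal-priority mappings once fallback is on. It is safe here only because the regexes cannot both match one authid: the Name Only pattern `^[^:@]+$` rejects any string containing '@', which the Full Principal pattern at L129 requires, so the tie never has to be broken. That reasoning should live next to the value, for instance `# Same priority as Full Principal is fine: that regex needs an '@' and this one forbids it, so the two never both match.` above `nsSaslMapPriority=['10'],`. The method this belongs to starts before the hunk, and the reflow of `nsSaslMapFilterTemplate` onto one line is cosmetic.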
 
-- 
1.8.1.4
