Re: [Freeipa-devel] Host groups and netgroups

2010-11-30 Thread Dmitri Pal
JR Aquino wrote:
 On 11/24/10 11:19 AM, Dmitri Pal d...@redhat.com wrote:

   
 Hello,

 It is well known that with IPA we want to try to move people from the
 netgroups to host groups but many companies currently use netgroups as
 hostgroups.  To simplify migration I suggest that we by default always
 create a managed nisnetgroup entry that would map 1-1 to the host
 group using managed entry plugin. The logic would work the following way:

 1) When the host group is created the netgroup also will be created with
 the same name and memberHost attribute pointing to the DN of the newly
 created host group
 2) The deletion of the host group will automatically remove managed
 netgroup
 3) The rename of the host group (if allowed) should cause the managed
 group to be renamed too.

 In the UI/CLI we will filter out managed netgroups in all cases related
 to identity part of the server (list of netgroups, users members of the
 netgroup, hosts members of netgroup, etc.). The netgroups will be
 available only in the special cases like SUDO plugin.

 The work will consist of:
 1) Defining the managed entry plugin config for this case
 2) Adding this configuration to the installation sequence
 3) Updating netgroup searches to filter out managed entries
 4) Allow all netgroups in SUDO plugin (I think this is already the case).

 If this proposal looks reasonable I will open a ticket.
 JR will you be able to provide a patch that does all of this since this
 is not exactly what we originally planned?
 

 This proposal looks reasonable.

 I will be working this week to explore handling this in either the
 'Managed Entries' or 'Plugin' Route to see which is the most appropriate.

   
I opened a ticket https://fedorahosted.org/freeipa/ticket/543
JR do you have a Fedora account?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
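The one-to-one mapping Dmitri proposes (a managed nisnetgroup per host group, created and removed with it, hidden from identity searches but visible to SUDO) can be modelled in a few lines. The following is an added illustration, not code from FreeIPA, from the 389-ds Managed Entries plugin or from anyone in this thread: it expands a definition/template pair the way the plugin does ($attr and $dn substitution, static attributes, RDN attribute), tags the result as managed, and applies the filter that would keep managed netgroups out of the identity views. The attribute names mepRDNAttr, mepStaticAttr, mepMappedAttr, originScope, originFilter, managedBase, mepManagedEntry and mepManagedBy are the plugin's own; the template content, the DNs, the hostgroup sample and SUFFIX are assumptions constructed for the example.

```python
"""Model of the proposed host group -> managed netgroup mapping.

Added illustration, not FreeIPA code.  DNs, template content, the sample
host group and SUFFIX are constructed for this example.
"""
import re

SUFFIX = "dc=example,dc=test"  # constructed suffix

# Managed Entries definition (assumed values; attribute names are the plugin's).
DEFINITION = {
    "originScope": "cn=hostgroups,cn=accounts," + SUFFIX,
    "originFilter": ("objectclass", "ipahostgroup"),
    "managedBase": "cn=ng,cn=alt," + SUFFIX,
}

# Managed Entries template (assumed content).  $cn and $dn refer to the origin.
TEMPLATE = {
    "mepRDNAttr": "cn",
    "mepStaticAttr": ["objectclass: nisNetgroup", "objectclass: ipaNisNetgroup"],
    "mepMappedAttr": ["cn: $cn", "memberHost: $dn",
                      "description: managed netgroup for host group $cn"],
}


def _attr(entry, name):
    """Case-insensitive attribute lookup returning a list of values."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def in_origin(origin_dn, origin_entry, definition):
    """True if originScope/originFilter of the definition select this entry."""
    scope = definition["originScope"].lower()
    if not origin_dn.lower().endswith("," + scope):
        return False
    attr, value = definition["originFilter"]
    return value.lower() in (v.lower() for v in _attr(origin_entry, attr))


def expand_template(origin_dn, origin_entry, definition, template):
    """Return (managed_dn, managed_entry), or None if the entry is out of scope."""
    if not in_origin(origin_dn, origin_entry, definition):
        return None

    def substitute(text):
        # $dn -> origin DN; $name -> first value of attribute 'name' on the origin.
        def repl(match):
            name = match.group(1)
            if name == "dn":
                return origin_dn
            values = _attr(origin_entry, name)
            return values[0] if values else ""
        return re.sub(r"\$(\w+)", repl, text)

    managed = {}
    for line in template["mepStaticAttr"] + template["mepMappedAttr"]:
        name, value = line.split(":", 1)
        managed.setdefault(name.strip(), []).append(substitute(value.strip()))
    # The plugin links both entries so deletes and renames can be propagated
    # (steps 2 and 3 of the proposal).
    managed.setdefault("objectclass", []).append("mepManagedEntry")
    managed["mepManagedBy"] = [origin_dn]
    rdn_attr = template["mepRDNAttr"]
    managed_dn = "%s=%s,%s" % (rdn_attr, managed[rdn_attr][0], definition["managedBase"])
    return managed_dn, managed


def is_managed(entry):
    """Equivalent of matching (objectclass=mepManagedEntry)."""
    return "mepmanagedentry" in (v.lower() for v in _attr(entry, "objectclass"))


def identity_netgroups(store):
    """Identity-side view: search filter (!(objectclass=mepManagedEntry))."""
    return sorted(dn for dn, entry in store.items() if not is_managed(entry))


def sudo_netgroups(store):
    """SUDO view: every netgroup, managed ones included."""
    return sorted(store)


def delete_origin(store, origin_dn):
    """Step 2 of the proposal: deleting the host group removes its managed netgroup."""
    for dn in [d for d, e in store.items() if origin_dn in _attr(e, "mepManagedBy")]:
        del store[dn]


if __name__ == "__main__":
    hg_dn = "cn=webservers,cn=hostgroups,cn=accounts," + SUFFIX  # constructed
    hg = {"objectclass": ["top", "ipahostgroup", "groupofnames"], "cn": ["webservers"]}
    ng_dn, ng = expand_template(hg_dn, hg, DEFINITION, TEMPLATE)
    store = {ng_dn: ng,
             "cn=legacy,cn=ng,cn=alt," + SUFFIX: {"objectclass": ["nisNetgroup"], "cn": ["legacy"]}}
    print(identity_netgroups(store))
    print(sudo_netgroups(store))
```

The filter in `identity_netgroups` is the piece step 3 of the work list ("updating netgroup searches to filter out managed entries") would add; a search that forgets it shows the managed copies alongside real netgroups, which is the exact confusion the proposal wants to avoid.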


Re: [Freeipa-devel] [PATCH] 620 add ipaUniqueId to UPGs

2010-11-30 Thread Simo Sorce
On Mon, 29 Nov 2010 17:12:41 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 Add ipaUniqueId to user private groups. If we didn't then when the
 group is detached we need to add it and this makes the acis more
 problematic.
 
 I had to move where we load the UPG ldif until after the restart so
 the schema is available.
 
 rob

ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 620 add ipaUniqueId to UPGs

2010-11-30 Thread Rob Crittenden

Simo Sorce wrote:

On Mon, 29 Nov 2010 17:12:41 -0500
Rob Crittenden rcrit...@redhat.com wrote:


Add ipaUniqueId to user private groups. If we didn't then when the
group is detached we need to add it and this makes the acis more
problematic.

I had to move where we load the UPG ldif until after the restart so
the schema is available.

rob


ACK.

Simo.



pushed to master



Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

2010-11-30 Thread Rob Crittenden

Simo Sorce wrote:

On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden rcrit...@redhat.com wrote:


+aci: (targetattr != userPassword || krbPrincipalKey ||
sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
krbTicketPolicyReference || krbPrincipalExpiration ||
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
serverHostName || enrolledBy)(version 3.0; acl Admin can manage any
entry; allow (all) groupdn =
ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)


Ah also forgot to say that I am not sure we want admin to be able to
change krbPwdHistory and krbLastPwdChange.
Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth, while
we might let admin write krbLoginFailedCount in order to unlock an
automatically locked account that failed preauth too many times.

We also probably do not want admin to be able to change ipaUniqueId.

Simo.



These are already attributes that the admin cannot write. Can I just 
remove the duplicate krbMKey?


rob



Re: [Freeipa-devel] [PATCH] 614 Display user and host membership in netgroups.

2010-11-30 Thread Rob Crittenden

Simo Sorce wrote:

On Wed, 24 Nov 2010 09:00:24 +0100
Jan Zelený jzel...@redhat.com wrote:


Rob Crittenden rcrit...@redhat.com wrote:

This uses an enhanced memberof plugin that allows multiple
attributes to be configured to create memberOf attributes.

This patch requires a new 389-ds-base, 1.2.7. This is currently only
available in updates-testing.

tickets 109 and 110

To validate:

# ipa user-add --first=Jim --last=User juser
# ipa netgroup-add --desc=netgroup net1
# ipa netgroup-add-member --users=juser --hosts=`hostname` net1
# ipa netgroup-show net1 (should have the host and user as members)
# ipa user-show juser (should have Member of netgroups)
# ipa host-show `hostname` (should have Member of netgroups)

rob


ACK



Ok pushed to master after rebasing the patch.
Rob please check as one chunk had to be removed. I believe the change
is correct but I prefer you to double-check.

Simo.




Just to close the loop on this, yes your rebase is fine. Thanks.

rob


Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.

2010-11-30 Thread Simo Sorce
On Tue, 30 Nov 2010 10:28:41 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 Simo Sorce wrote:
  On Wed, 17 Nov 2010 15:07:03 -0500
  Rob Crittenden rcrit...@redhat.com wrote:
 
  +aci: (targetattr != userPassword || krbPrincipalKey ||
  sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
  krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
  krbTicketPolicyReference || krbPrincipalExpiration ||
  krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType
  || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
  krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
  krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
  serverHostName || enrolledBy)(version 3.0; acl Admin can manage
  any entry; allow (all) groupdn =
  ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 
  Ah also forgot to say that I am not sure we want admin to be able to
  change krbPwdHistory and krbLastPwdChange.
  Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
  while we might let admin write krbLoginFailedCount in order to
  unlock an automatically locked account that failed preauth too many
  times.
 
  We also probably do not want admin to be able to change ipaUniqueId.
 
  Simo.
 
 
 These are already attributes that the admin cannot write. Can I just 
 remove the duplicate krbMKey?

I guess so.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH] 621 drop install/tools/README

2010-11-30 Thread Rob Crittenden
The README in install/tools is really for v1 and contains almost nothing 
useful for v2 so I'm proposing to drop it altogether.


I'm also adding a link to the QuickStart guide on the trac wiki. The 
guide itself needs a lot of work but it's a start.


rob
From d72412ed1af20fa0ddf743a8e23b13bea05ae5c9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 30 Nov 2010 14:00:01 -0500
Subject: [PATCH] Drop outdated install/tools/README and add QuickStart link to top README

ticket 420
---
 README   |6 
 install/tools/README |   67 --
 2 files changed, 6 insertions(+), 67 deletions(-)
 delete mode 100644 install/tools/README

diff --git a/README b/README
index 86c01f1..aa80301 100644
--- a/README
+++ b/README
@@ -38,6 +38,12 @@
   The most up-to-date documentation can be found at
   http://freeipa.org/page/Documentation/.
 
+  Quick Start
+  ---
+
+  To get started quickly, start here:
+  https://fedorahosted.org/freeipa/wiki/QuickStartGuide
+
   Licensing
   -
 
diff --git a/install/tools/README b/install/tools/README
deleted file mode 100644
index 219e74c..000
--- a/install/tools/README
+++ /dev/null
@@ -1,67 +0,0 @@
-
-Required packages:
-
-krb5-server
-fedora-ds-base
-fedora-ds-base-devel
-openldap-clients
-openldap-devel
-krb5-server-ldap
-cyrus-sasl-gssapi
-httpd
-mod_auth_kerb
-ntp
-openssl-devel
-nspr-devel
-nss-devel
-mozldap-devel
-mod_wsgi
-gcc
-python-ldap
-TurboGears
-python-kerberos
-python-krbV
-python-tgexpandingformwidget
-python-pyasn1
-
-Installation example:
-
-TEMPORARY: until bug https://bugzilla.redhat.com/show_bug.cgi?id=248169 is
-   fixed.
-
-Please apply the fedora-ds.init.patch in freeipa/ipa-server/ipa-install/share/
-to patch your init scripts before running ipa-server-install. This tells
-FDS where to find its kerberos keytab.
-
-Things done as root are denoted by #. Things done as a unix user are denoted
-by %.
-
-# cd freeipa
-# patch -p0  ipa-server/ipa-install/share/fedora-ds.init.patch
-
-Now to do the installation.
-
-# cd freeipa
-# make install
-
-To start an interactive installation use:
-# /usr/sbin/ipa-server-install 
-
-For more verbose output add the -d flag run the command with -h to see all options
-
-You have a basic working system with one super administrator (named admin).
-
-To create another administrative user:
-
-% kinit ad...@freeipa.org
-% /usr/sbin/ipa-adduser -f Test -l User test
-% ldappasswd -Y GSSAPI -h localhost -s password uid=test,cn=users,cn=accounts,dc=freeipa,dc=org
-% /usr/sbin/ipa-groupmod -a test admins
-
-An admin user is just a regular user in the group admin.
-
-Now you can destroy the old ticket and log in as test:
-
-% kdestroy
-% kinit t...@freeipa.org
-% /usr/sbin/ipa-finduser test
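Review bot: before the file is dropped outright, confirm that the package list it carried (krb5-server, fedora-ds-base, mod_auth_kerb, python-krbV and the rest of the `Required packages:` block) is recorded somewhere the v2 build and install documentation is derived from; this file is the only place in the patch that enumerates them. The cover letter says the README "contains almost nothing useful for v2", so a one-line pointer in the commit message to where the v2 requirements now live (the spec file or the QuickStart page) would settle that for the next reader.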
-- 
1.7.2.1


[Freeipa-devel] [PATCH] 622 fix passwd output

2010-11-30 Thread Rob Crittenden

A couple of Password attributes had no label so prompting looked bad.

When printing exceptions we need to convert the label and error to 
unicode so translations work.


Use standard output routines instead of output_for_cli() in passwd plugin.

ticket 352

rob
From 0fce432d1f94382cb5257955db0027263c17e45a Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 30 Nov 2010 15:07:26 -0500
Subject: [PATCH] Add labels for passwords, fix output of exceptions, fix passwd output.

Passwords didn't have internationalizable labels.

Exceptions that occurred during required input weren't printed as unicode
so weren't being translated properly.

Don't use output_for_cli() directly in the passwd plugin, use output.Output.

ticket 352
---
 ipalib/cli.py   |4 ++--
 ipalib/plugins/migration.py |3 ++-
 ipalib/plugins/passwd.py|   18 +++---
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 3120e01..57a041e 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -887,7 +887,7 @@ class cli(backend.Executioner):
 ``self.env.prompt_all`` is ``True``, this method will prompt for any
 params that have a missing values, even if the param is optional.
 
-for param in cmd.params(): 
+for param in cmd.params():
 if (param.required and param.name not in kw) or self.env.prompt_all:
 if param.password:
 kw[param.name] = self.Backend.textui.prompt_password(
@@ -900,7 +900,7 @@ class cli(backend.Executioner):
 error = None
 while True:
 if error is not None:
-print ' %s: %s' % (param.label, error)
+print ' %s: %s' % (unicode(param.label), unicode(error))
 raw = self.Backend.textui.prompt(param.label, default)
 try:
 value = param(raw, **kw)
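Review bot: `unicode(error)` on the `print ' %s: %s'` line only yields the translated text if the exception object implements `__unicode__`; for a plain exception whose arguments are byte strings with non-ASCII characters, Python 2's `unicode()` raises UnicodeDecodeError at exactly the point where the prompt is trying to report the validation failure. `error` is set in the `except` around `value = param(raw, **kw)`, which is outside the hunk, so please confirm it is always one of the ipalib error classes (which carry a unicode message) rather than an arbitrary exception before relying on `unicode()` here.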
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 6dc9934..9f31191 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -124,7 +124,7 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx):
 def validate_ldapuri(ugettext, ldapuri):
 m = re.match('^ldaps?://[-\w\.]+(:\d+)?$', ldapuri)
 if not m:
-err_msg = 'Invalid LDAP URI.'
+err_msg = _('Invalid LDAP URI.')
 raise errors.ValidationError(name='ldap_uri', error=err_msg)
 
 
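Review bot: wrapping the message in `_()` is right; while touching this function, the pattern on the line above, `'^ldaps?://[-\w\.]+(:\d+)?$'`, is not a raw string. `\w`, `\.` and `\d` survive as literal backslashes in Python 2 only because they are not recognised escapes, so `r'^ldaps?://[-\w\.]+(:\d+)?$'` makes the intent explicit. Note also that the pattern accepts underscores in the host part (`\w`) and rejects bracketed IPv6 literals; if both are intended, a short comment would save the next reader the question.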
@@ -171,6 +171,7 @@ class migrate_ds(Command):
 ),
 Password('bindpw',
 cli_name='password',
+label=_('Password'),
 doc=_('bind password'),
 ),
 )
diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py
index ef51560..3d65f01 100644
--- a/ipalib/plugins/passwd.py
+++ b/ipalib/plugins/passwd.py
@@ -39,6 +39,7 @@ from ipalib import api, errors, util
 from ipalib import Command
 from ipalib import Str, Password
 from ipalib import _
+from ipalib import output
 
 
 class passwd(Command):
@@ -54,9 +55,14 @@ class passwd(Command):
 autofill=True,
 create_default=lambda **kw: util.get_current_principal(),
 ),
-Password('password'),
+Password('password',
+ label=_('Password'),
+),
 )
 
+has_output = output.standard_value
+msg_summary = _('Changed password for %(value)s')
+
 def execute(self, principal, password):
 
 Execute the passwd operation.
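Review bot: `msg_summary = _('Changed password for %(value)s')` depends on the dict returned by `execute` carrying a `value` key, which this hunk does not show; a sentence in the `execute` docstring ("returns the principal as `value` for the summary message") would make the coupling visible. Style point: the continuation line `+ label=_('Password'),` is indented by a single space; align it with the other keyword arguments as in the `Password('bindpw', ...)` block in migration.py.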
@@ -84,11 +90,9 @@ class passwd(Command):
 
 ldap.modify_password(dn, password)
 
-return dict(result=True)
-
-def output_for_cli(self, textui, result, principal, password):
-assert password is None
-textui.print_name(self.name)
-textui.print_dashed('Changed password for %s.' % principal)
+return dict(
+result=True,
+value=principal,
+)
 
 api.register(passwd)
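Review bot: `value=principal` is passed straight through. If `output.standard_value` declares `value` as unicode, a `principal` that arrives as a byte `str` (for example when it is autofilled from `util.get_current_principal()`, shown as a context line in the earlier hunk) would fail output validation, so either confirm the `Str` param already normalises it or return `value=unicode(principal)`. Minor: the removed `output_for_cli` printed `'Changed password for %s.'` with a trailing period and the new `msg_summary` does not, which is fine but worth mentioning for anyone with tests that match the old output.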
-- 
1.7.2.1


Re: [Freeipa-devel] [PATCH] Prompt correctly for required Password params.

2010-11-30 Thread Rob Crittenden

Pavel Zuna wrote:

Required Password params were prompted for like any other non-Password
params, resulting in the password being displayed on the command line
and there was no confirmation.

Ticket #361

Pavel


Ack, pushed to master

rob



Re: [Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

2010-11-30 Thread Pavel Zůna

On 2010-11-30 04:06, Rob Crittenden wrote:

Pavel Zůna wrote:

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Any class that extends LDAPSearch can benefit from this functionality.
This patch enables it for the following objects:
group, netgroup, rolegroup, hostgroup, taskgroup

Example:
ipa group-find --no-users=admin

Only direct members are taken into account, but if we need indirect
members as well - it's not a problem.

Ticket #288

Pavel


This works as advertised but I wonder what would happen if a huge list
of members was passed in to ignore. Is there a limit on the search
filter size (remember that the member will be translated into a full dn
so will quickly grow in size).

Should we impose a configurable limit on the # of members to be excluded?

Is there a max search filter size and should we check that we haven't
exceeded that before doing a search?

rob


I tried it out with more than a 1000 users and was getting an unwilling 
to perform error (search filter nested too deep).


After a little bit of investigation, I figured the filter was being 
generated like this:


(((!(a=v))(!(a2=v2

We were going deeper with each additional DN!

I updated the patch to generate the filter like this instead:

(!(|(a=v)(a2=v2)))

Tried it again with more than 1000 users (~55Kb) - it worked and wasn't 
even slow.


Updated patch attached.

I also had to fix a bug in ldap2 filter generator, as a result this 
patch depends on my patch number 43.


Pavel
From b8c6fa683715d0221b1be33dde6b8065283125d3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Mon, 29 Nov 2010 06:44:09 -0500
Subject: [PATCH 2/2] Enable filtering search results by member attributes.

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288
---
 ipalib/plugins/baseldap.py  |   34 +-
 ipalib/plugins/group.py |2 ++
 ipalib/plugins/hostgroup.py |2 +-
 ipalib/plugins/netgroup.py  |1 +
 ipalib/plugins/rolegroup.py |2 +-
 ipalib/plugins/taskgroup.py |2 +-
 6 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index a67b84d..ea5454b 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1091,6 +1091,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
 
 Retrieve all LDAP entries matching the given criteria.
 
+member_attributes = []
+member_param_doc = 'exclude %s with member %s (comma-separated list)'
+
 takes_options = (
 Int('timelimit?',
 label=_('Time Limit'),
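Review bot: `member_param_doc = 'exclude %s with member %s (comma-separated list)'` is a plain string, so the `doc=` text built from it for every generated `no_*` option is not translatable, while the neighbouring option docs in this class go through `_()` (see `label=_('Time Limit')` in the context lines). Wrap it as `_('exclude %s with member %s (comma-separated list)')` and apply the `%` substitution to the translated string.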
@@ -1118,6 +1121,33 @@ class LDAPSearch(CallbackInterface, crud.Search):
 def get_options(self):
 for option in super(LDAPSearch, self).get_options():
 yield option
+for attr in self.member_attributes:
+for ldap_obj_name in self.obj.attribute_members[attr]:
+ldap_obj = self.api.Object[ldap_obj_name]
+name = to_cli(ldap_obj_name)
+doc = self.member_param_doc % (
+self.obj.object_name_plural, ldap_obj.object_name_plural
+)
+yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
+   label=ldap_obj.object_name)
+
+def get_member_filter(self, ldap, **options):
+filter = ''
+for attr in self.member_attributes:
+for ldap_obj_name in self.obj.attribute_members[attr]:
+param_name = 'no_%s' % to_cli(ldap_obj_name)
+if param_name in options:
+dns = []
+ldap_obj = self.api.Object[ldap_obj_name]
+for pkey in options[param_name]:
+dns.append(ldap_obj.get_dn(pkey))
+flt = ldap.make_filter_from_attr(
+attr, dns, ldap.MATCH_NONE
+)
+filter = ldap.combine_filters(
+(filter, flt), ldap.MATCH_ALL
+)
+return filter
 
 has_output_params = global_output_params
 
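Review bot: in `get_member_filter`, `if param_name in options:` is also true when the option is present with the value `None` (a caller going through the API rather than the CLI can pass `no_users=None`), and `for pkey in options[param_name]` then raises TypeError; `if options.get(param_name):` covers absent, `None` and empty in one test. Since each `pkey` is user input that ends up inside the search filter via `ldap_obj.get_dn(pkey)`, please confirm that `ldap.make_filter_from_attr` escapes the DN values per RFC 4515 so a value cannot change the filter structure. Style: `filter` shadows the built-in; `member_filter` would also read better next to the caller.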
@@ -1159,8 +1189,10 @@ class LDAPSearch(CallbackInterface, crud.Search):
 search_kw[a] = term
 term_filter = ldap.make_filter(search_kw, exact=False)
 
+member_filter = self.get_member_filter(ldap, **options)
+
 filter = ldap.combine_filters(
-(term_filter, attr_filter), rules=ldap.MATCH_ALL
+(term_filter, attr_filter, member_filter), rules=ldap.MATCH_ALL
 )
 
 scope = ldap.SCOPE_ONELEVEL
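Review bot: `member_filter` is passed into `combine_filters` unconditionally, and when no `no_*` option was given it is the empty string that `get_member_filter` starts from, so this line relies on `ldap.combine_filters` dropping empty members (the ldap2 fix the cover mail describes as patch 43). Either state that dependency in the commit message or skip the empty filter here, e.g. build the tuple from `f for f in (term_filter, attr_filter, member_filter) if f`.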
diff --git 
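Pavel's two filter shapes, the nested form that hit "search filter nested too deep" at around 1000 users and the flat `(!(|(a=v)(a2=v2)))` form that replaced it, are easy to compare once the nesting depth is measured. The block below is an added illustration, not code from the patch or from ipalib's ldap2 backend: it builds both forms for a list of member DNs, escapes each value per RFC 4515 before it is placed in the filter (in the patch that escaping is the job of whatever `make_filter_from_attr` does with the DNs, which is not shown), and counts the maximum parenthesis depth to show why one form grows with the member count and the other does not. The attribute name and the DNs are constructed.

```python
"""Flat vs nested LDAP exclusion filters, with RFC 4515 value escaping.

Added illustration, not code from the patch or from ipalib.  Attribute names
and DNs are constructed for the example.
"""


def escape_filter_value(value):
    """RFC 4515 escaping so a value can never open or close a filter element."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def exclude_members_flat(attr, values):
    """(!(|(attr=v1)(attr=v2)...)): one NOT over one OR, depth 3 for any count."""
    if not values:
        return ""
    if len(values) == 1:
        return "(!(%s=%s))" % (attr, escape_filter_value(values[0]))
    inner = "".join("(%s=%s)" % (attr, escape_filter_value(v)) for v in values)
    return "(!(|%s))" % inner


def exclude_members_nested(attr, values):
    """Per-value (!(attr=v)) clauses AND-ed pairwise: depth grows by one per value."""
    filt = ""
    for v in values:
        clause = "(!(%s=%s))" % (attr, escape_filter_value(v))
        filt = clause if not filt else "(&%s%s)" % (filt, clause)
    return filt


def nesting_depth(filt):
    """Maximum parenthesis depth, the quantity a 'nested too deep' limit is about."""
    depth = best = 0
    for ch in filt:
        if ch == "(":
            depth += 1
            best = max(best, depth)
        elif ch == ")":
            depth -= 1
    return best


if __name__ == "__main__":
    # Constructed sample: many member DNs, as in the >1000 user test from the mail.
    members = ["uid=u%d,cn=users,cn=accounts,dc=example,dc=test" % i for i in range(1000)]
    print("flat depth:  ", nesting_depth(exclude_members_flat("member", members)))
    print("nested depth:", nesting_depth(exclude_members_nested("member", members)))
    # A pkey that tries to smuggle filter syntax stays a literal after escaping.
    print(exclude_members_flat("member", ["x)(objectclass=*"]))
```

The flat form is also the one to prefer from a size point of view: it adds one `(attr=value)` element per member and nothing else, so the ~55 KB Pavel measured is close to the minimum for that many full DNs, and the only remaining limit is the server's maximum request size rather than its nesting limit.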

[Freeipa-devel] [PATCH] admiyo-0105-action-panel-sibling

2010-11-30 Thread Adam Young
A note on this patch: I changed the labels on a couple of the entities 
for consistency's sake, including:


Added 'HBAC' to the label for HBAC services
Capitalized SUDO
Removed the word Rule from the SUDO label

Not sure if these will have any effect on the CLI.  I suspect not, and 
that the QW team isn't writing tests for SUDO yet that makes use of the 
Label field.



From 0ed90c1174c03db1cbe8301cff1f6ced435e240e Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com
Date: Mon, 29 Nov 2010 14:26:55 -0500
Subject: [PATCH] action panel sibling
 added function to get sibling entities from the tab set.
 remove explicit sibling code from entity pages
 Modified the Label fields on HBAC and SUDO to make them appear cleaner in the UI

---
 install/static/entity.js   |  143 
 install/static/hbac.js |   36 +
 install/static/hbacsvc.js  |   22 +-
 install/static/hbacsvcgroup.js |   23 +-
 install/static/sudocmd.js  |   17 +
 install/static/sudocmdgroup.js |   20 +
 install/static/sudorule.js |   37 +
 install/static/test/data/ipa_init.json |  109 ++--
 install/static/webui.js|2 +-
 ipalib/plugins/hbacsvc.py  |2 +-
 ipalib/plugins/sudocmd.py  |2 +-
 ipalib/plugins/sudocmdgroup.py |2 +-
 ipalib/plugins/sudorule.py |2 +-
 13 files changed, 166 insertions(+), 251 deletions(-)

diff --git a/install/static/entity.js b/install/static/entity.js
index 5d59b3c727287f062f96f7d6f279640359ca0407..9b62ce375f58909b27aba7910ce49bdf16f38443 100644
--- a/install/static/entity.js
+++ b/install/static/entity.js
@@ -367,40 +367,89 @@ function ipa_entity_setup(container) {
 facet.refresh();
 }
 
+
+
+/*Returns the entity requested, as well as:
+  any nested tabs underneath it or
+  its parent tab and the others nested at the same level*/
+
+IPA.nested_tabs = function(entity_name){
+
+var siblings = [];
+
+for (var top_tab_index = 0;
+ top_tab_index  IPA.tab_set.length;
+ top_tab_index += 1){
+var top_tab =  IPA.tab_set[top_tab_index];
+for (var subtab_index = 0;
+ subtab_index  top_tab.children.length;
+ subtab_index += 1){
+if(top_tab.children[subtab_index].name){
+if (top_tab.children[subtab_index].name === entity_name){
+siblings.push(entity_name);
+if (top_tab.children[subtab_index].children){
+var  nested_entities = top_tab.children[subtab_index].children;
+for (var nested_index = 0;
+ nested_index  nested_entities.length;
+ nested_index += 1){
+siblings.push (nested_entities[nested_index].name);
+}
+}
+}else{
+if (top_tab.children[subtab_index].children){
+var  nested_entities = top_tab.children[subtab_index].children;
+for (var nested_index = 0;
+ nested_index  nested_entities.length;
+ nested_index += 1){
+if (nested_entities[nested_index].name === entity_name){
+siblings.push(top_tab.children[subtab_index].name);
+for (var nested_index2 = 0;
+ nested_index2  nested_entities.length;
+ nested_index2 += 1){
+siblings.push(nested_entities[nested_index2].name);
+}
+}
+}
+}
+}
+}
+}
+}
+return siblings;
+}
+
+
+
 function ipa_facet_create_action_panel(container) {
 
 var that = this;
 var entity_name = that.entity_name;
-
 var action_panel = $('div/', {
 class: action-panel,
 html: $('h3',{
 text: IPA.metadata[entity_name].label
 })
 }).appendTo(container);
-
 function build_link(other_facet,label){
 var li = $('li/', {
 class : other_facet.display_class,
 title: other_facet.name,
 text: label,
 click: function(entity_name, other_facet_name) {
-return function() {
-if($(this).hasClass('entity-facet-disabled')){
-return false;
-}
-var this_pkey = $('input[id=pkey]', action_panel).val();
-IPA.switch_and_show_page(
-entity_name, other_facet_name,
-this_pkey);
-
+return function() {
+
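Review bot: `IPA.nested_tabs` keeps scanning after it has found `entity_name`; if the same entity name is registered under two top-level tabs, the returned `siblings` array accumulates both sets and the action panel shows duplicates. Returning as soon as the match is handled (or collecting into an object keyed by name) avoids that. Also `nested_entities` and `nested_index` are declared with `var` in both the `if` and the `else` branch; JavaScript hoists them to function scope, so declare them once at the top of the function, which is also what jslint will otherwise complain about.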

Re: [Freeipa-devel] [PATCH] 0022 Enable EntryUSN plugin by default

2010-11-30 Thread Rob Crittenden

Simo Sorce wrote:


This patch enables the entryUSN plugin by default at install time.

EntryUSN numbers are useful for clients that want to track newest
objects w/o having to care about timestamps dated in the past and
replicated by other masters.
EntryUSN numbers are valid only in the context of a single server, as
each master in the domain keeps its own entryUSN numbers.

Fixes 526

Simo.


ack



[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-11-30 Thread Nalin Dahyabhai
This is what I've got now; I think it's correct.

 - fix quoting in the netgroup compat configuration entry
 - don't bother looking for members of netgroups by looking for entries
   which list memberOf: $netgroup -- the netgroup should list them as
   member or memberUser or memberHost values
 - use newer slapi-nis functionality to produce cn=sudoers
 - drop the real cn=sudoers container to make room for the compat
   container

Feel free to adjust the schema-compat-container-group for the
cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config entry -- the
location of the compat sudo entries is of no concern to me.

Cheers,

Nalin
From 9baefea23f5b944d244eed4bef3f85df3203ae45 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai na...@redhat.com
Date: Tue, 30 Nov 2010 18:25:33 -0500
Subject: [PATCH] sudo and netgroup schema compat updates
 - fix quoting in the netgroup compat configuration entry
 - don't bother looking for members of netgroups by looking for entries
   which list memberOf: $netgroup -- the netgroup should list them as
   member or memberUser or memberHost values
 - use newer slapi-nis functionality to produce cn=sudoers
 - drop the real cn=sudoers container to make room for the compat
   container

---
 install/share/bootstrap-template.ldif |6 -
 install/share/schema_compat.uldif |   37 
 ipa.spec.in   |2 +-
 3 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/install/share/bootstrap-template.ldif 
b/install/share/bootstrap-template.ldif
index 7946526..283d226 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,12 +64,6 @@ objectClass: top
 objectClass: nsContainer
 cn: sudorules
 
-dn: cn=SUDOers,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: SUDOers
-
 dn: cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
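Review bot: removing `cn=SUDOers,$SUFFIX` from bootstrap-template.ldif only affects fresh installs. A server installed from the earlier template still has the real container, and the compat plugin entry added in the schema_compat.uldif hunk sets `schema-compat-container-group: 'cn=SUDOers, $SUFFIX'` on top of that existing entry. This hunk needs a matching update step that deletes the stale container on upgrade, or the commit message should say that upgrades are out of scope for this patch.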
diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif
index 22e3141..52c8d5a 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -47,7 +47,6 @@ default:schema-compat-entry-attribute: objectclass=posixGroup
 default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
 default:schema-compat-entry-attribute: memberUid=%{memberUid}
 default:schema-compat-entry-attribute: memberUid=%deref(member,uid)
-default:schema-compat-entry-attribute: 
memberUid=%referred(cn=users,memberOf,uid)
 
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 add:objectClass: top
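Review bot: dropping `memberUid=%referred(cn=users,memberOf,uid)` matches the second bullet of the commit message, but that bullet is phrased in terms of netgroups while this hunk is the posixGroup compat entry. The message should say that group membership in cn=compat is now derived only from `memberUid` and `%deref(member,uid)` as well, so the behaviour change for group lookups is documented too.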
@@ -56,14 +55,42 @@ add:cn: ng
 add:schema-compat-container-group: 'cn=compat, $SUFFIX'
 add:schema-compat-container-rdn: cn=ng
 add:schema-compat-check-access: yes
-add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX'
-add:schema-compat-search-filter: !(cn=ng)
+add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX'
+add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
 add:schema-compat-entry-rdn: cn=%{cn}
 add:schema-compat-entry-attribute: objectclass=nisNetgroup
 add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r(member,cn)'
-add:schema-compat-entry-attribute: 
'memberNisNetgroup=%referred_r(cn=ng,memberOf,cn)'
-add:schema-compat-entry-attribute: 
nisNetgroupTriple=(%link(%ifeq(\hostCategory\,\all\,\\,\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\),-,,,%ifeq(\userCategory\,\all\,\\,\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\),-),%{nisDomainName:-})
+add:schema-compat-entry-attribute: 
'nisNetgroupTriple=(%link(%ifeq(\hostCategory\,\all\,\\,\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\),-,,,%ifeq(\userCategory\,\all\,\\,\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\),-),%{nisDomainName:-})'
+
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add:objectClass: top
+add:objectClass: extensibleObject
+add:cn: sudoers
+add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX'
+add:schema-compat-search-base: 'cn=sudorules, $SUFFIX'
+add:schema-compat-search-filter: 
((objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
+add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-attribute: objectclass=sudoRole
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq(userCategory,all,ALL,%{externalUser})'
+add:schema-compat-entry-attribute:
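Review bot: the new cn=sudoers entry has no `schema-compat-check-access` line in the part of the hunk shown here, whereas the cn=ng entry above sets `add:schema-compat-check-access: yes`. If that omission is intended (compat sudo rules readable without consulting the ACIs on the underlying ipaSudoRule entries), the commit message should state it, because it decides who can enumerate rules through cn=SUDOers; if not, add the line. Separately, `(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))` treats a rule without those attributes as visible and enabled, which is reasonable but worth one comment next to the filter.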