[Freeipa-devel] [PATCH] ldif and acis for config

Kevin McCarthy kmccarth at redhat.com
Mon Oct 22 21:08:24 UTC 2007


This is a proposal for config entries.  I've created a global and local
entry.  The idea (which will be coded next) is to read the global entry
first, then overwrite with values in local (if any).  So each ipa "node"
could tweak independently.

Also, I've currently created anonymous access to the config entries.
I'd ideally like to cache the config at startup, or maybe first hit.

Feedback welcome (and expected) as I haven't touched our schema before.

Thanks,

-Kevin

-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193088002 25200
# Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
# Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
Add entries to store the config in LDAP.
Add anonymous ACIs so we can cache on startup.

diff -r 934aee640cf9 -r 6b6364a5a292 ipa-server/ipa-install/share/bootstrap-template.ldif
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif	Mon Oct 22 08:57:29 2007 -0700
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif	Mon Oct 22 14:20:02 2007 -0700
@@ -32,6 +32,30 @@ objectClass: nsContainer
 objectClass: nsContainer
 objectClass: top
 cn: etc
+
+dn: cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: config
+
+dn: cn=global,cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: extensibleObject
+cn: global
+userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
+searchTimeLimit: 2
+maxUidLength: 8
+passwordExpireNotifyDays: 7
+
+dn: cn=local,cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: extensibleObject
+cn: local
 
 dn: cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
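Review bot: the four attributes set on cn=global (userSearchFields, searchTimeLimit, maxUidLength, passwordExpireNotifyDays) have no attribute type definitions anywhere in this patch; objectClass: extensibleObject only relaxes the objectClass check, the server still has to know the attribute types, and once they are defined their syntax (integer vs. directory string) is the only validation a badly typed or mistyped local override will ever get. Please add the attribute definitions (and an auxiliary objectClass carrying them) to the IPA schema files in the same change, with integer syntax for searchTimeLimit, maxUidLength and passwordExpireNotifyDays, and state the unit next to `searchTimeLimit: 2` (seconds?). The global-then-local precedence described in the cover letter is not visible from the template itself; a one-line comment above `dn: cn=local,cn=config,cn=etc,$SUFFIX` saying that attributes here override cn=global would spare the next editor a trip to the code.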
diff -r 934aee640cf9 -r 6b6364a5a292 ipa-server/ipa-install/share/default-aci.ldif
--- a/ipa-server/ipa-install/share/default-aci.ldif	Mon Oct 22 08:57:29 2007 -0700
+++ b/ipa-server/ipa-install/share/default-aci.ldif	Mon Oct 22 14:20:02 2007 -0700
@@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth 
 aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
 aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0; acl "Enable anonymous access to config"; allow (read, search, compare) userdn="ldap:///anyone";)
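Review bot: this ACI grants anonymous read, search and compare on every entry one level below cn=config without a targetattr clause, so any attribute later placed in cn=global or cn=local (password policy values, limits, anything a future change adds) is exposed to unauthenticated clients by default, and `cn=*` means the grant silently extends to new child entries too. Since the stated purpose is letting the server cache the config at startup, either restrict the grant to the known attributes, e.g. `(targetattr="userSearchFields || searchTimeLimit || maxUidLength || passwordExpireNotifyDays")`, or have the server bind as an entry under cn=sysaccounts the way the "KDC System Account" ACI above does, rather than opening the subtree to `ldap:///anyone`. Also, the acl name uses straight quotes consistently with the other entries, but the two neighbouring ACIs spell "passowrd"; worth fixing while touching this file.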
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071022/4532b43f/attachment.bin>
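The cover letter describes the loader that will follow this patch: read cn=global, then let any attribute present in cn=local overwrite it. The following is an added example of that merge, not FreeIPA's own code; it assumes the four attribute names from the patched bootstrap-template.ldif, a suffix of dc=example,dc=com, a constructed LDIF sample, and an assumed per-attribute type table (the patch defines no schema for these attributes, so the loader validates them itself and rejects unknown names instead of silently ignoring a typo in a local override). The parser handles only the LDIF subset the template uses (no base64 `::` values).

```python
"""Merge IPA config entries: read cn=global first, then cn=local overrides.

Added example, not FreeIPA code.  Attribute names come from the patched
bootstrap-template.ldif; everything else (suffix, sample LDIF, type table) is
assumed for the example.
"""
import re

SUFFIX = "dc=example,dc=com"  # assumed suffix standing in for $SUFFIX

# Expected type of each known config attribute.  Assumed table: the patch adds
# no schema for these, so nothing server-side enforces integer vs. string.
CONFIG_TYPES = {
    "userSearchFields": lambda v: [f.strip() for f in v.split(",")],
    "searchTimeLimit": int,           # unit not stated in the patch
    "maxUidLength": int,
    "passwordExpireNotifyDays": int,
}
# LDAP attribute names are case-insensitive; match them that way.
_CANONICAL = {name.lower(): name for name in CONFIG_TYPES}

# Constructed sample mirroring the patched template, with one local override.
SAMPLE_LDIF = """\
dn: cn=global,cn=config,cn=etc,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: global
userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
searchTimeLimit: 2
maxUidLength: 8
passwordExpireNotifyDays: 7

dn: cn=local,cn=config,cn=etc,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: local
searchTimeLimit: 10
"""

# Same, but the local override misspells the attribute (constructed).
TYPO_LDIF = SAMPLE_LDIF.replace("searchTimeLimit: 10", "searchTimeLimt: 10")


def parse_ldif(text):
    """Parse a minimal LDIF subset into {dn: {attr: [values]}}.

    Supports 'attr: value' lines, blank-line separated entries, '#' comments
    and folded continuation lines (leading space).  'changetype' is dropped.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # LDIF line folding
            else:
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = value
            elif name.lower() != "changetype":
                attrs.setdefault(name, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def load_config(entries, suffix):
    """Read cn=global, then overwrite with cn=local; reject unknown or
    multi-valued config attributes rather than ignoring them."""
    base = "cn=config,cn=etc," + suffix
    merged = {}
    for cn in ("global", "local"):  # order is the precedence rule
        attrs = entries.get("cn=%s,%s" % (cn, base), {})
        for name, values in attrs.items():
            if name.lower() in ("objectclass", "cn"):
                continue
            canonical = _CANONICAL.get(name.lower())
            if canonical is None:
                raise ValueError("unknown config attribute %r in cn=%s" % (name, cn))
            if len(values) != 1:
                raise ValueError("%s in cn=%s must be single-valued" % (name, cn))
            merged[canonical] = CONFIG_TYPES[canonical](values[0])
    return merged


def loads_ok(ldif_text, suffix):
    """True if the LDIF text yields a valid merged config, False if rejected."""
    try:
        load_config(parse_ldif(ldif_text), suffix)
        return True
    except ValueError:
        return False


CONFIG = load_config(parse_ldif(SAMPLE_LDIF), SUFFIX)

if __name__ == "__main__":
    print(CONFIG)                       # searchTimeLimit is 10, from cn=local
    print(loads_ok(TYPO_LDIF, SUFFIX))  # False: the misspelt override is rejected
```

With the sample above the merged result takes searchTimeLimit from cn=local and the other three values from cn=global; the misspelt variant is rejected outright, which is the behaviour you want from a loader sitting on top of extensibleObject entries, where the directory itself will not catch the mistake.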


More information about the Freeipa-devel mailing list