[Freeipa-devel] [PATCH] ldif and acis for config
Kevin McCarthy
kmccarth at redhat.com
Mon Oct 22 21:08:24 UTC 2007
This is a proposal for config entries. I've created a global and local
entry. The idea (which will be coded next) is to read the global entry
first, then overwrite with values in local (if any). So each ipa "node"
could tweak independently.

Also, I've currently created anonymous access to the config entries.
I'd ideally like to cache the config at startup, or maybe first hit.

Feedback welcome (and expected) as I haven't touched our schema before.

Thanks,
-Kevin
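The global-then-local merge described in the message, as an added example that is not part of the original post or of the patch. It parses the cn=global and cn=local entries in the same LDIF form the attached patch uses (the $SUFFIX placeholder substituted the way the bootstrap template is), applies cn=local on top of cn=global, and reports any attribute name that is not one of the four settings on cn=global, since extensibleObject will not catch a typo on cn=local. The searchTimeLimit override on cn=local and the suffix values are constructed for illustration.

```python
"""Compute the effective IPA config from cn=global and cn=local (added example)."""
from string import Template

# Constructed sample LDIF, modelled on the cn=global / cn=local entries in the
# patch. The searchTimeLimit value on cn=local is invented to show an override.
SAMPLE_LDIF = Template("""\
dn: cn=global,cn=config,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: global
userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
searchTimeLimit: 2
maxUidLength: 8
passwordExpireNotifyDays: 7

dn: cn=local,cn=config,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: local
searchTimeLimit: 5
""")

# The settings the patch puts on cn=global; anything else found on either
# entry is reported, because extensibleObject accepts any known attribute.
KNOWN_CONFIG_ATTRS = {"userSearchFields", "searchTimeLimit",
                      "maxUidLength", "passwordExpireNotifyDays"}
STRUCTURAL_ATTRS = {"dn", "changetype", "objectClass", "cn"}


def parse_ldif(text):
    """Minimal LDIF reader for simple entries: returns {dn(lower): {attr: [values]}}.

    Records are separated by blank lines; lines starting with a space continue
    the previous line; comment lines starting with '#' are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                entries[current["dn"][0].lower()] = current
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            if attr != "dn":
                raise ValueError("LDIF record must start with dn:")
            current = {}
        current.setdefault(attr, []).append(value.strip())
    return entries


def effective_config(ldif_text, suffix):
    """Read cn=global first, then overwrite with any values set on cn=local.

    Returns (config, unknown_attrs). cn=local may be absent or carry no
    settings at all, in which case the global values stand.
    """
    entries = parse_ldif(ldif_text)
    base = f"cn=config,cn=etc,{suffix}".lower()
    config, unknown = {}, set()
    for name in ("global", "local"):      # order matters: local wins
        entry = entries.get(f"cn={name},{base}")
        if entry is None:
            continue
        for attr, values in entry.items():
            if attr in STRUCTURAL_ATTRS:
                continue
            if attr not in KNOWN_CONFIG_ATTRS:
                unknown.add(attr)
            config[attr] = values[0] if len(values) == 1 else values
    return config, sorted(unknown)


if __name__ == "__main__":
    suffix = "dc=example,dc=com"          # constructed suffix
    cfg, bad = effective_config(SAMPLE_LDIF.substitute(SUFFIX=suffix), suffix)
    for k, v in sorted(cfg.items()):
        print(f"{k}: {v}")
    if bad:
        print("unrecognised config attributes:", ", ".join(bad))
```

The unknown-attribute report is the check worth keeping once the real loader exists: with extensibleObject, a misspelt setting on cn=local is stored happily by the directory server and simply never overrides anything.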
-------------- next part --------------
# HG changeset patch
# User Kevin McCarthy <kmccarth at redhat.com>
# Date 1193088002 25200
# Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
# Parent 934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
Add entries to store the config in LDAP.
Add anonymous ACIs so we can cache on startup.
diff -r 934aee640cf9 -r 6b6364a5a292 ipa-server/ipa-install/share/bootstrap-template.ldif
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif Mon Oct 22 08:57:29 2007 -0700
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif Mon Oct 22 14:20:02 2007 -0700
@@ -32,6 +32,30 @@ objectClass: nsContainer
objectClass: nsContainer
objectClass: top
cn: etc
+
+dn: cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: config
+
+dn: cn=global,cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: extensibleObject
+cn: global
+userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
+searchTimeLimit: 2
+maxUidLength: 8
+passwordExpireNotifyDays: 7
+
+dn: cn=local,cn=config,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: extensibleObject
+cn: local
dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
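Review bot: the four settings placed on cn=global (userSearchFields, searchTimeLimit, maxUidLength, passwordExpireNotifyDays) are not defined by any schema change in this patch. extensibleObject only relaxes which attributes an entry may carry; the directory server still rejects attribute types it does not know, so the bootstrap add will fail unless these are already in the schema or a schema file is added alongside this ldif. Since cn=local is meant to override cn=global attribute by attribute, consider a dedicated auxiliary objectClass listing these attributes instead of extensibleObject, so that a mistyped attribute name on cn=local is rejected at add time rather than stored and silently ignored by the merge.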
diff -r 934aee640cf9 -r 6b6364a5a292 ipa-server/ipa-install/share/default-aci.ldif
--- a/ipa-server/ipa-install/share/default-aci.ldif Mon Oct 22 08:57:29 2007 -0700
+++ b/ipa-server/ipa-install/share/default-aci.ldif Mon Oct 22 14:20:02 2007 -0700
@@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth
aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0; acl "Enable anonymous access to config"; allow (read, search, compare) userdn="ldap:///anyone";)
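Review bot: this ACI carries no targetattr, so anonymous read, search and compare apply to every attribute of every entry under cn=config, and because cn=global and cn=local are extensibleObject that covers anything anyone later stores there. Limit the grant to the attributes the loader reads, e.g. add (targetattr="userSearchFields || searchTimeLimit || maxUidLength || passwordExpireNotifyDays") before the version clause, or have the server bind with a system account under cn=sysaccounts (as the "KDC System Account" ACI above does) rather than opening the subtree to ldap:///anyone, given that the stated need is only for the server itself to cache the config at startup.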