[Freeipa-devel] [PATCH] ldif and acis for config

Simo Sorce ssorce at redhat.com
Mon Oct 22 22:13:28 UTC 2007


On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
> This is a proposal for config entries.  I've created a global and
> local entry.  The idea (which will be coded next) is to read the global
> entry first, then overwrite with values in local (if any).  So each ipa
> "node" could tweak independently.

but cn=etc is replicated globally in all its contents now ...
maybe you can have a container with the server's own name to do non-global
conf, but just using "local" on all nodes is not going to help you :)

> Also, I've currently created anonymous access to the config entries.
> I'd ideally like to cache the config at startup, or maybe first hit.

Is there a reason why? Who is going to be the consumer?

> Feedback welcome (and expected) as I haven't touched our schema before.

See below

> [attachment: freeipa-372-ldap_config_ldif.patch (text/plain)]
> # HG changeset patch
> # User Kevin McCarthy <kmccarth at redhat.com>
> # Date 1193088002 25200
> # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
> # Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
> Add entries to store the config in LDAP.
> Add anonymous ACIs so we can cache on startup.
> 
> diff -r 934aee640cf9 -r 6b6364a5a292
> ipa-server/ipa-install/share/bootstrap-template.ldif
> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> Oct 22 08:57:29 2007 -0700
> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
> Oct 22 14:20:02 2007 -0700
> @@ -32,6 +32,30 @@ objectClass: nsContainer
>  objectClass: nsContainer
>  objectClass: top
>  cn: etc
> +
> +dn: cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: nsContainer
> +objectClass: top
> +cn: config
> +
> +dn: cn=global,cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: nsContainer
> +objectClass: extensibleObject
----------------^^^^^^^^^^^^^^^

/me raise eyebrow, are you *sure* ? :)

> +cn: global
> +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> +searchTimeLimit: 2
> +maxUidLength: 8
> +passwordExpireNotifyDays: 7

should we keep security policies and GUI configuration in different
entries?

> +dn: cn=local,cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: nsContainer
> +objectClass: extensibleObject
> +cn: local

As stated above "local" is not going to be unique per server :)

>  dn: cn=sysaccounts,cn=etc,$SUFFIX
>  changetype: add
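
Review bot: both new config entries are extensibleObject, so the four attributes under cn=global (userSearchFields, searchTimeLimit, maxUidLength, passwordExpireNotifyDays) are accepted with no schema definition at all: a misspelled attribute name or a non-numeric searchTimeLimit is stored silently and only shows up when the code that reads the entry misbehaves. Consider defining an auxiliary objectClass that lists these attributes with their syntaxes, or at minimum validating each value in the reader. Separately, cn=local,cn=config,cn=etc,$SUFFIX is one entry with one fixed DN, and since cn=etc is replicated every node will read the same "local" entry, so the global-then-local merge described in the commit message cannot differ per node; keying the override entry on the server's own name (for example cn=<server-name>,cn=config,cn=etc,$SUFFIX) would be needed for that. Also, putting a security policy value (passwordExpireNotifyDays) in the same entry as UI settings (userSearchFields) means any ACI on this entry exposes both at once; splitting them into separate entries keeps the access control scoping simple.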
> diff -r 934aee640cf9 -r 6b6364a5a292
> ipa-server/ipa-install/share/default-aci.ldif
> --- a/ipa-server/ipa-install/share/default-aci.ldif     Mon Oct 22
> 08:57:29 2007 -0700
> +++ b/ipa-server/ipa-install/share/default-aci.ldif     Mon Oct 22
> 14:20:02 2007 -0700
> @@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth 
>  aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow
> (read, search, compare, write)
> userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
>  aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword
> || sambaNTPassword || krbPasswordExpiration || krbPwdHistory ||
> krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes
> for passowrd changes"; allow (read, write)
> userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=
> $REALM,cn=kerberos,$SUFFIX";)
>  aci:
> (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> acl "Enable anonymous access to config"; allow (read, search, compare)
> userdn="ldap:///anyone";)
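
Review bot: the new ACI has no targetattr clause, so it grants anonymous read, search and compare on every attribute of every entry directly under cn=config,cn=etc,$SUFFIX, including the policy values (passwordExpireNotifyDays, maxUidLength) added in the same patch and any attribute later dropped into these extensibleObject entries. Add a targetattr listing only the values an unauthenticated client actually needs, or drop anonymous access altogether and have the reader bind as a system account under cn=sysaccounts, the way the "KDC System Account" ACI above does. Note also that target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX" matches only the direct children, not the cn=config container itself; check that this is what the startup cache expects.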

Is this not readable right now already?
/me can't remember if we are denying anonymous access right now.

Simo.
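
Simo's question about whether cn=config is readable anonymously comes down to the bind rule and the missing targetattr clause in the new ACI. The following lint is an added example, not FreeIPA code: it parses ACI strings of the simple shape used in this patch (optional target/targetattr clauses, one allow/deny body, one userdn bind rule; negated targets, multiple permission clauses and compound bind rules are not modelled), flags any ACI that lets an anonymous bind read or search every attribute, and re-renders such an ACI with an explicit targetattr allow-list. The sample ACIs are constructed from the default-aci.ldif hunk with the $SUFFIX placeholder left in place, and the attribute names passed to restrict_attrs are an assumption about what a config reader would need.

```python
"""Lint 389-ds style ACIs for unrestricted anonymous read access (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the default-aci.ldif hunk; $SUFFIX is the
# template placeholder and is kept literally here.
SAMPLE_ACIS = [
    '(targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")'
    '(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) '
    'userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)',
    '(target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0; '
    'acl "Enable anonymous access to config"; allow (read, search, compare) '
    'userdn="ldap:///anyone";)',
]

# Only the simple ACI grammar used in this patch is handled (see lead-in).
_TARGET = re.compile(r'\((targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\)')
_ACL = re.compile(r'acl\s+"([^"]*)"\s*;')
_PERM = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
_USERDN = re.compile(r'userdn\s*=\s*"([^"]*)"')


@dataclass
class Aci:
    name: str
    permission: str                          # "allow" or "deny"
    rights: List[str]                        # e.g. ["read", "search", "compare"]
    userdn: Optional[str]                    # bind subject, e.g. "ldap:///anyone"
    target: Optional[str] = None             # (target=...) clause, None if absent
    targetattr: Optional[List[str]] = None   # None means every attribute


def parse_aci(text: str) -> Aci:
    """Parse one ACI string; raises ValueError on syntax this lint does not model."""
    name = _ACL.search(text)
    perm = _PERM.search(text)
    if not name or not perm:
        raise ValueError("unsupported ACI syntax: " + text)
    target = None
    targetattr = None
    for keyword, op, value in _TARGET.findall(text):
        if op != "=":
            continue  # "!=" targets are not modelled; treated as unrestricted
        if keyword == "target":
            target = value
        elif keyword == "targetattr":
            targetattr = [a.strip() for a in value.split("||")]
    userdn = _USERDN.search(text)
    return Aci(
        name=name.group(1),
        permission=perm.group(1),
        rights=[r.strip().lower() for r in perm.group(2).split(",")],
        userdn=userdn.group(1).strip() if userdn else None,
        target=target,
        targetattr=targetattr,
    )


def world_readable(aci: Aci) -> bool:
    """True if an anonymous bind may read or search every attribute under the target."""
    if aci.permission != "allow" or aci.userdn is None:
        return False
    if aci.userdn.lower() != "ldap:///anyone":
        return False
    if not ({"read", "search"} & set(aci.rights)):
        return False
    # No targetattr clause, or a wildcard, means all attributes are exposed.
    return aci.targetattr is None or "*" in aci.targetattr


def lint(acis: List[str]) -> List[str]:
    """Return the acl names of the ACIs that expose all attributes anonymously."""
    return [a.name for a in map(parse_aci, acis) if world_readable(a)]


def restrict_attrs(aci: Aci, attrs: List[str]) -> str:
    """Re-render the ACI with an explicit targetattr allow-list."""
    parts = []
    if aci.target is not None:
        parts.append(f'(target="{aci.target}")')
    parts.append('(targetattr="' + " || ".join(attrs) + '")')
    parts.append(
        f'(version 3.0; acl "{aci.name}"; {aci.permission} '
        f'({", ".join(aci.rights)}) userdn="{aci.userdn}";)'
    )
    return "".join(parts)


if __name__ == "__main__":
    for flagged in lint(SAMPLE_ACIS):
        print("anonymous read of all attributes:", flagged)
    weak = parse_aci(SAMPLE_ACIS[1])
    # Assumed attribute list for a config reader; narrow to what is really needed.
    print(restrict_attrs(weak, ["userSearchFields", "searchTimeLimit"]))
```

Running it flags "Enable anonymous access to config" and prints the same ACI with a targetattr clause, which the lint no longer flags; the KDC ACI passes because its bind rule names a system account rather than anyone. The narrowed form still leaves the UI attributes anonymous, so if the reader can bind as a system account that is the better fix.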
