[Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 6 10:38:55 UTC 2016


Hi,

In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.

This allows users to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.

Part of https://fedorahosted.org/freeipa/ticket/2149

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 96bd9f454f3080f71d96a01779882f0b1b19e67c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 6 Jun 2016 11:51:05 +0300
Subject: [PATCH 4/4] adtrust: support GSSAPI authentication to LDAP as Active
 Directory user

In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.

This allows users to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.

Part of https://fedorahosted.org/freeipa/ticket/2149
---
 install/updates/20-idoverride_index.update     | 20 ++++++++++++++++++++
 install/updates/71-idviews-sasl-mapping.update |  9 +++++++++
 install/updates/Makefile.am                    |  2 ++
 3 files changed, 31 insertions(+)
 create mode 100644 install/updates/20-idoverride_index.update
 create mode 100644 install/updates/71-idviews-sasl-mapping.update

diff --git a/install/updates/20-idoverride_index.update b/install/updates/20-idoverride_index.update
new file mode 100644
index 0000000..a8b9681
--- /dev/null
+++ b/install/updates/20-idoverride_index.update
@@ -0,0 +1,20 @@
+#
+# Make sure ID override attributes have the correct indexing
+#
+
+dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
+
+dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaOriginalUid
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: pres
+
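Review bot: the second entry is `dn: cn=ipaAnchorUUID,...` but its `default:cn: ipaOriginalUid` line repeats the first entry's value; an nsIndex entry's cn must name the attribute it indexes, so this should read `default:cn: ipaAnchorUUID` or the ipaAnchorUUID index is never created. The header comment "Make sure ID override attributes have the correct indexing" would also be more useful if it said why: the eq index on ipaOriginalUid is what the new SASL mapping filter `(ipaoriginaluid=\1@\2)` relies on, so every GSSAPI bind matching that mapping turns into a search on this attribute.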
diff --git a/install/updates/71-idviews-sasl-mapping.update b/install/updates/71-idviews-sasl-mapping.update
new file mode 100644
index 0000000..bd49223
--- /dev/null
+++ b/install/updates/71-idviews-sasl-mapping.update
@@ -0,0 +1,9 @@
+dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config
+default:cn: ID Overridden Principal
+default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX
+default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))
+default:nsSaslMapPriority: 20
+default:nsSaslMapRegexString: \(.*\)@\(.*\)
+default:objectClass: top
+default:objectClass: nsSaslMapping
+
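Review bot: the regex `\(.*\)@\(.*\)` matches any principal containing an "@", not only principals from trusted AD realms, and both groups are substituted verbatim into `(&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))`, so the only things confining the mapping are the base DN `cn=default trust view,...` and the objectclass term, plus its position (priority 20) relative to the other entries under cn=mapping,cn=sasl,cn=config. Please add a header comment, as 20-idoverride_index.update has, stating that, which existing mapping is expected to win for IPA-native principals and why priority 20 was chosen; otherwise the ordering and fallback assumptions stay implicit. Also worth confirming before merge: `\2` is the realm as it appears in the authenticated principal, so the lookup only succeeds if ipaOriginalUid's equality matching rule is case-insensitive with respect to the stored value.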
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 737a8bb..fde6917 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -21,6 +21,7 @@ app_DATA =				\
 	20-syncrepl.update		\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
+	20-idoverride_index.update	\
 	20-uuid.update  \
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
@@ -53,6 +54,7 @@ app_DATA =				\
 	61-trusts-s4u2proxy.update	\
 	62-ranges.update		\
 	71-idviews.update		\
+	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
 	73-winsync.update		\
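Review bot: the added `71-idviews-sasl-mapping.update  \` line ends in two spaces before the backslash, while the surrounding entries (71-idviews.update, 72-domainlevels.update) use a tab; a style nit, but easy to fix while the file is open.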
-- 
2.7.4
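
The following is an added example, not FreeIPA or 389-ds code, that simulates what the mapping above does at bind time: the regex splits the authenticated principal into `\1` and `\2`, those groups are substituted into the base DN and filter templates, and the directory server binds as the single entry the resulting search returns. The suffix, the directory snapshot, the anchor SIDs and the view names are constructed for illustration, the filter evaluator understands only the AND-of-equalities shape this mapping uses, and case-insensitive equality matching on ipaOriginalUid is assumed.

```python
"""Simulate the nsSaslMapping added in 71-idviews-sasl-mapping.update.

Constructed example, not FreeIPA or 389-ds code: the suffix, the directory
snapshot and the anchor SIDs are made up for illustration, and the filter
evaluator understands only the AND-of-equalities shape the mapping uses.
"""
import re

SUFFIX = "dc=example,dc=test"            # assumed value of $SUFFIX
VIEWS = "cn=views,cn=accounts," + SUFFIX
DEFAULT_VIEW = "cn=default trust view," + VIEWS

# 389-ds writes regex groups as \( \); the equivalent Python pattern is
# anchored so the whole principal must have the user@realm shape.
MAPPING = {
    "regex": re.compile(r"^(.*)@(.*)$"),
    "base_dn_template": "cn=default trust view,cn=views,cn=accounts,$SUFFIX",
    "filter_template": r"(&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))",
}

USER_OVERRIDE = ["top", "ipaOverrideAnchor", "ipaUserOverride"]

# Constructed directory snapshot: DN -> attributes, attribute names lowercased.
DIRECTORY = {
    "ipaanchoruuid=:SID:S-1-5-21-1-2-3-1104," + DEFAULT_VIEW: {
        "objectclass": USER_OVERRIDE,
        "ipaoriginaluid": ["aduser@ad.example.test"],
    },
    # Same AD user overridden in another view: outside the mapping's base DN.
    "ipaanchoruuid=:SID:S-1-5-21-1-2-3-1104,cn=webservers view," + VIEWS: {
        "objectclass": USER_OVERRIDE,
        "ipaoriginaluid": ["aduser@ad.example.test"],
    },
    "ipaanchoruuid=:SID:S-1-5-21-1-2-3-1105," + DEFAULT_VIEW: {
        "objectclass": USER_OVERRIDE,
        "ipaoriginaluid": ["bob@ad.example.test"],
    },
}

# A broken snapshot with two overrides claiming the same original uid.
DUPLICATED = dict(DIRECTORY)
DUPLICATED["ipaanchoruuid=:SID:S-1-5-21-7-7-7-2000," + DEFAULT_VIEW] = {
    "objectclass": USER_OVERRIDE,
    "ipaoriginaluid": ["aduser@ad.example.test"],
}


def parse_and_filter(flt):
    """Split '(&(attr=value)(attr=value))' into (attr, value) pairs."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("unsupported filter shape: " + flt)
    return re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))


def entry_matches(attrs, terms):
    """Equality matching; assumes case-insensitive rules on both attributes."""
    for attr, value in terms:
        stored = [v.lower() for v in attrs.get(attr.lower(), [])]
        if value.lower() not in stored:
            return False
    return True


def in_subtree(dn, base):
    """Subtree scope check on normalised DN strings."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def resolve_bind_dn(principal, directory=DIRECTORY):
    """Return the DN this mapping selects for an authenticated principal.

    None means the mapping does not apply or finds no entry; LookupError
    mirrors the server refusing the bind when the search is not unique.
    """
    m = MAPPING["regex"].match(principal)
    if m is None:
        return None
    base_dn = MAPPING["base_dn_template"].replace("$SUFFIX", SUFFIX)
    flt = (MAPPING["filter_template"]
           .replace(r"\1", m.group(1))
           .replace(r"\2", m.group(2)))
    terms = parse_and_filter(flt)
    hits = [dn for dn, attrs in directory.items()
            if in_subtree(dn, base_dn) and entry_matches(attrs, terms)]
    if len(hits) > 1:
        raise LookupError(f"{principal}: {len(hits)} entries matched {flt}")
    return hits[0] if hits else None


def describe(principal, directory=DIRECTORY):
    """One-line outcome, convenient for comparing several principals."""
    try:
        dn = resolve_bind_dn(principal, directory)
    except LookupError:
        return "ambiguous"
    return "bind as " + dn if dn else "no match"


if __name__ == "__main__":
    for p in ("aduser@AD.EXAMPLE.TEST", "bob@AD.EXAMPLE.TEST",
              "carol@AD.EXAMPLE.TEST", "admin"):
        print(f"{p:28} -> {describe(p)}")
    print(f"{'aduser (duplicated)':28} -> "
          f"{describe('aduser@AD.EXAMPLE.TEST', DUPLICATED)}")
```

The webservers-view entry shows why the base DN matters: the same AD user has an override there, but only the default trust view copy can become a bind identity. The DUPLICATED snapshot shows the other failure mode: two candidate entries and the bind is refused rather than guessed.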