[Freeipa-devel] [PATCH] ldif and acis for config
Simo Sorce
ssorce at redhat.com
Mon Oct 22 22:13:28 UTC 2007
On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
> This is a proposal for config entries. I've created a global and local
> entry. The idea (which will be coded next) is to read the global entry
> first, then overwrite with values in local (if any). So each ipa "node"
> could tweak independently.
but cn=etc is replicated globally in all its contents now ...
maybe you can have a container with the server's own name to do non-global
conf, but just using "local" on all nodes is not going to help you :)
> Also, I've currently created anonymous access to the config entries.
> I'd ideally like to cache the config at startup, or maybe first hit.
Is there a reason why? Who is going to be the consumer?
> Feedback welcome (and expected) as I haven't touched our schema
> before.
See below
> (plain text attachment: freeipa-372-ldap_config_ldif.patch)
> # HG changeset patch
> # User Kevin McCarthy <kmccarth at redhat.com>
> # Date 1193088002 25200
> # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
> # Parent 934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
> Add entries to store the config in LDAP.
> Add anonymous ACIs so we can cache on startup.
>
> diff -r 934aee640cf9 -r 6b6364a5a292
> ipa-server/ipa-install/share/bootstrap-template.ldif
> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif Mon
> Oct 22 08:57:29 2007 -0700
> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif Mon
> Oct 22 14:20:02 2007 -0700
> @@ -32,6 +32,30 @@ objectClass: nsContainer
> objectClass: nsContainer
> objectClass: top
> cn: etc
> +
> +dn: cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: nsContainer
> +objectClass: top
> +cn: config
> +
> +dn: cn=global,cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: nsContainer
> +objectClass: extensibleObject
----------------^^^^^^^^^^^^^^^
/me raises an eyebrow, are you *sure*? :)
> +cn: global
> +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> +searchTimeLimit: 2
> +maxUidLength: 8
> +passwordExpireNotifyDays: 7
should we keep security policies and GUI configuration in different
entries?
> +dn: cn=local,cn=config,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: nsContainer
> +objectClass: extensibleObject
> +cn: local
As stated above "local" is not going to be unique per server :)
> dn: cn=sysaccounts,cn=etc,$SUFFIX
> changetype: add
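Review bot: both cn=global and cn=local carry objectClass: extensibleObject, which switches schema checking off for exactly the entries that are meant to hold security policy (passwordExpireNotifyDays sits next to GUI settings here). A misspelled attribute such as searchTimelimit or maxUIDLength is stored without complaint and silently ignored by whatever reads the config, and nothing in the file says what unit "searchTimeLimit: 2" is in. Define the settings in a dedicated objectClass with these attributes as MAY and drop extensibleObject; the schema then doubles as the documentation of allowed names and syntaxes. Also, cn=local holds nothing that ties it to a server, so with cn=etc replicated every replica reads the same entry; if per-node overrides are wanted, name the override entry after the server rather than "local".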
> diff -r 934aee640cf9 -r 6b6364a5a292
> ipa-server/ipa-install/share/default-aci.ldif
> --- a/ipa-server/ipa-install/share/default-aci.ldif Mon Oct 22
> 08:57:29 2007 -0700
> +++ b/ipa-server/ipa-install/share/default-aci.ldif Mon Oct 22
> 14:20:02 2007 -0700
> @@ -8,3 +8,4 @@ aci: (targetattr="krbLastSuccessfulAuth
> aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow
> (read, search, compare, write)
> userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
> aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword
> || sambaNTPassword || krbPasswordExpiration || krbPwdHistory ||
> krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes
> for passowrd changes"; allow (read, write)
> userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=
> $REALM,cn=kerberos,$SUFFIX";)
> aci:
> (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> acl "Enable anonymous access to config"; allow (read, search, compare)
> userdn="ldap:///anyone";)
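Review bot: the new ACI on the last three lines has no targetattr clause, so which attributes are handed to userdn="ldap:///anyone" depends on the server's default for a missing targetattr, not on anything in this file; combined with extensibleObject entries, every attribute anyone later writes under cn=config becomes world-readable, password-policy values included. Spell out the attributes the GUI actually needs, e.g. (targetattr="userSearchFields || searchTimeLimit || maxUidLength"), or grant to authenticated binds (userdn="ldap:///all") if anonymous access is not really required for the startup cache. Also, target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX" matches the child entries only, not cn=config,cn=etc itself; check that the consumer's search base still works with the container unreadable, or widen the target to include it.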
Is this not readable right now already?
/me can't remember if we are denying anonymous access right now.
Simo.
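Added example, not part of Simo's or Kevin's message and not FreeIPA code: a small Python audit of the ACI strings quoted in the patch above. It parses the 389-DS ACI shapes that appear in default-aci.ldif (target, targetattr and targetfilter clauses followed by one allow/deny body), reports every rule an anonymous bind can use, and flags a rule whose attribute scope is not written down. The four ACI strings are the patch's own, re-joined onto single lines with the $SUFFIX and $REALM placeholders kept; HARDENED_CONFIG_ACI is a hypothetical rewrite with an explicit targetattr list, my suggestion rather than anything in the thread. The parser is regex-based and handles only the clause shapes shown; it does not claim what the server does when targetattr is absent, it only reports that the grant's scope is not stated in the file.

```python
"""Audit 389-DS style ACI strings for what an anonymous bind can reach.

Added example for this thread, not FreeIPA code. Covers only the ACI shapes in the
quoted default-aci.ldif hunk: optional (target...)/(targetattr...)/(targetfilter...)
clauses followed by a single (version 3.0; acl "..."; allow|deny (rights) bindrule;) body.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The four ACIs from the patch, re-joined onto single lines (the mail archive wrapped
# them); $SUFFIX / $REALM are left as the template placeholders the patch uses.
PATCH_ACIS = [
    '(targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")'
    '(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) '
    'userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)',
    '(targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword '
    '|| krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; '
    'acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) '
    'userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)',
    '(targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)'
    '(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; '
    'acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) '
    'groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)',
    '(target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0; '
    'acl "Enable anonymous access to config"; allow (read, search, compare) '
    'userdn="ldap:///anyone";)',
]

# Hypothetical hardened variant (my suggestion, not from the patch): same grant, but the
# attribute scope is spelled out so only the GUI settings are world-readable.
HARDENED_CONFIG_ACI = (
    '(target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")'
    '(targetattr="cn || userSearchFields || searchTimeLimit || maxUidLength")'
    '(version 3.0; acl "Enable anonymous access to config"; allow (read, search, compare) '
    'userdn="ldap:///anyone";)'
)

TARGET_RE = re.compile(r'\((target(?:attr|filter)?)\s*(!?=)\s*"([^"]*)"\)')
BODY_RE = re.compile(
    r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$')
ANONYMOUS_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)
MODIFY_RIGHTS = frozenset({"write", "add", "delete", "selfwrite", "proxy", "all"})


@dataclass
class Aci:
    name: str
    effect: str                          # "allow" or "deny"
    rights: FrozenSet[str]               # lower-cased right names
    bind_rule: str                       # text between the rights and the closing ';)'
    targets: Dict[str, Tuple[str, str]]  # keyword -> (operator, value)


def parse_aci(text: str) -> Aci:
    """Split one ACI string into its target clauses and its allow/deny body."""
    targets = {kw: (op, val) for kw, op, val in TARGET_RE.findall(text)}
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError("unrecognised ACI body: %r" % text)
    name, effect, rights, bind_rule = body.groups()
    return Aci(name=name, effect=effect,
               rights=frozenset(r.strip().lower() for r in rights.split(",")),
               bind_rule=bind_rule.strip(), targets=targets)


def attribute_scope(aci: Aci) -> str:
    """Describe the attributes an ACI names; 'unspecified' means the file does not say
    (the effective scope is then whatever the server does for a missing targetattr)."""
    if "targetattr" not in aci.targets:
        return "unspecified"
    op, value = aci.targets["targetattr"]
    if op == "!=":
        return "all except " + value.strip()
    return value.strip()


def audit_anonymous(acis: List[str]) -> List[Tuple[str, str]]:
    """Return (acl name, finding) for every allow rule usable by an anonymous bind."""
    findings = []
    for text in acis:
        aci = parse_aci(text)
        if aci.effect != "allow" or not ANONYMOUS_RE.search(aci.bind_rule):
            continue
        modifying = aci.rights & MODIFY_RIGHTS
        if modifying:
            findings.append((aci.name, "anonymous bind may modify: " + ", ".join(sorted(modifying))))
        scope = attribute_scope(aci)
        if scope == "unspecified":
            findings.append((aci.name, "no targetattr: anonymous attribute scope is left to the server default"))
        elif scope == "*" or scope.startswith("all except"):
            findings.append((aci.name, "anonymous read of %s attributes" % scope))
    return findings


if __name__ == "__main__":
    for name, finding in audit_anonymous(PATCH_ACIS):
        print("%s: %s" % (name, finding))
    print("hardened variant findings:", audit_anonymous([HARDENED_CONFIG_ACI]))
```

Run as a script it prints the single finding against the "Enable anonymous access to config" rule and an empty list for the hardened variant. For a real deployment you would feed it the aci values read back from the directory rather than the LDIF template, since the template's placeholders and any ACIs added by hand after install are only visible there.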