|
 |
e8574e |
install/updates/30-ipservices.update from 39eaf2fa as it is not part of the
|
|
|
e8574e |
release tarball of 4.8.0 but needed for 27586cb7:
|
|
|
e8574e |
|
|
|
e8574e |
commit 39eaf2fab5e27bd12edfb2a24c439a8ea5fb26f0
|
|
|
e8574e |
Author: Christian Heimes <cheimes@redhat.com>
|
|
|
e8574e |
Date: Fri Dec 7 13:08:49 2018 +0100
|
|
|
e8574e |
|
|
|
e8574e |
Add index and container for RFC 2307 IP services
|
|
|
e8574e |
|
|
|
e8574e |
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
|
|
|
e8574e |
nsswitch plugin to provide service lookups. The subtree search for
|
|
|
e8574e |
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
|
|
|
e8574e |
cn=accounts,$SUFFIX has caused performance issues on large
|
|
|
e8574e |
installations.
|
|
|
e8574e |
|
|
|
e8574e |
This patch introduced a dedicated container
|
|
|
e8574e |
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
|
|
|
e8574e |
party extensions. SSSD will be change its search base in an upcoming
|
|
|
e8574e |
release, too.
|
|
|
e8574e |
|
|
|
e8574e |
A new ipServicePort index is added to optimize searches for an IP
|
|
|
e8574e |
service by port. There is no index on ipServiceProtocol because the index
|
|
|
e8574e |
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
|
|
|
e8574e |
as protocol.
|
|
|
e8574e |
|
|
|
e8574e |
Fixes: https://pagure.io/freeipa/issue/7797
|
|
|
e8574e |
See: https://pagure.io/freeipa/issue/7786
|
|
|
e8574e |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
e8574e |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
e8574e |
|
|
|
e8574e |
diff --git a/install/updates/30-ipservices.update b/install/updates/30-ipservices.update
|
|
|
e8574e |
new file mode 100644
|
|
|
e8574e |
index 000000000..01a6d52f8
|
|
|
e8574e |
--- /dev/null
|
|
|
e8574e |
+++ b/install/updates/30-ipservices.update
|
|
|
e8574e |
@@ -0,0 +1,6 @@
|
|
|
e8574e |
+# container for RFC 2307 IP services
|
|
|
e8574e |
+
|
|
|
e8574e |
+dn: cn=ipservices,cn=accounts,$SUFFIX
|
|
|
e8574e |
+default: objectClass: top
|
|
|
e8574e |
+default: objectClass: nsContainer
|
|
|
e8574e |
+default: cn: ipservices
|
|
|
e8574e |
install/updates/75-user-trust-attributes.update from c18ee9b6 as it is not
|
|
|
e8574e |
part of the release tarball of 4.8.0 but needed for 27586cb7:
|
|
|
e8574e |
|
|
|
e8574e |
commit c18ee9b641ddc1e6b52d0413caa1fb98ac13785d
|
|
|
e8574e |
Author: Tibor Dudlák <tdudlak@redhat.com>
|
|
|
e8574e |
Date: Tue Apr 2 16:23:09 2019 +0200
|
|
|
e8574e |
|
|
|
e8574e |
Add SMB attributes for users
|
|
|
e8574e |
|
|
|
e8574e |
SMB attributes are used by Samba domain controller when reporting
|
|
|
e8574e |
details about IPA users via LSA DCE RPC calls.
|
|
|
e8574e |
|
|
|
e8574e |
Based on the initial work from the external plugin:
|
|
|
e8574e |
https://github.com/abbra/freeipa-user-trust-attributes
|
|
|
e8574e |
|
|
|
e8574e |
Related: https://pagure.io/freeipa/issue/3999
|
|
|
e8574e |
|
|
|
e8574e |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
e8574e |
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
|
|
|
e8574e |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
e8574e |
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
|
|
|
e8574e |
|
|
|
e8574e |
diff --git a/install/updates/75-user-trust-attributes.update b/install/updates/75-user-trust-attributes.update
|
|
|
e8574e |
new file mode 100644
|
|
|
e8574e |
index 000000000..43bb40c7d
|
|
|
e8574e |
--- /dev/null
|
|
|
e8574e |
+++ b/install/updates/75-user-trust-attributes.update
|
|
|
e8574e |
@@ -0,0 +1,5 @@
|
|
|
e8574e |
+# Add an explicit self-service ACI to allow writing to manage trust attributes
|
|
|
e8574e |
+# for the owner of the object
|
|
|
e8574e |
+dn: cn=users,cn=accounts,$SUFFIX
|
|
|
e8574e |
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
|
|
|
e8574e |
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)
|
|
|
e8574e |
commit 27586cb7ae32af191cb8a3c36fc8856957300f08
|
|
|
e8574e |
Author: Timo Aaltonen <tjaalton@debian.org>
|
|
|
e8574e |
Date: Fri Aug 9 23:03:25 2019 +0300
|
|
|
e8574e |
|
|
|
e8574e |
install: Add missing scripts to app_DATA.
|
|
|
e8574e |
|
|
|
e8574e |
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
|
|
|
e8574e |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
e8574e |
|
|
|
e8574e |
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
|
|
e8574e |
index bce8a56b1..68facbaf2 100644
|
|
|
e8574e |
--- a/install/updates/Makefile.am
|
|
|
e8574e |
+++ b/install/updates/Makefile.am
|
|
|
e8574e |
@@ -30,6 +30,7 @@ app_DATA = \
|
|
|
e8574e |
21-ca_renewal_container.update \
|
|
|
e8574e |
21-certstore_container.update \
|
|
|
e8574e |
25-referint.update \
|
|
|
e8574e |
+ 30-ipservices.update \
|
|
|
e8574e |
30-provisioning.update \
|
|
|
e8574e |
30-s4u2proxy.update \
|
|
|
e8574e |
37-locations.update \
|
|
|
e8574e |
@@ -63,6 +64,7 @@ app_DATA = \
|
|
|
e8574e |
73-custodia.update \
|
|
|
e8574e |
73-winsync.update \
|
|
|
e8574e |
73-certmap.update \
|
|
|
e8574e |
+ 75-user-trust-attributes.update \
|
|
|
e8574e |
80-schema_compat.update \
|
|
|
e8574e |
90-post_upgrade_plugins.update \
|
|
|
e8574e |
$(NULL)
|