install/updates/30-ipservices.update from 39eaf2fa as it is not part of the
release tarball of 4.8.0 but needed for 27586cb7:
commit 39eaf2fab5e27bd12edfb2a24c439a8ea5fb26f0
Author: Christian Heimes <cheimes@redhat.com>
Date: Fri Dec 7 13:08:49 2018 +0100
Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
diff --git a/install/updates/30-ipservices.update b/install/updates/30-ipservices.update
new file mode 100644
index 000000000..01a6d52f8
--- /dev/null
+++ b/install/updates/30-ipservices.update
@@ -0,0 +1,6 @@
+# container for RFC 2307 IP services
+
+dn: cn=ipservices,cn=accounts,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: ipservices
install/updates/75-user-trust-attributes.update from c18ee9b6 as it is not
part of the release tarball of 4.8.0 but needed for 27586cb7:
commit c18ee9b641ddc1e6b52d0413caa1fb98ac13785d
Author: Tibor Dudlák <tdudlak@redhat.com>
Date: Tue Apr 2 16:23:09 2019 +0200
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
diff --git a/install/updates/75-user-trust-attributes.update b/install/updates/75-user-trust-attributes.update
new file mode 100644
index 000000000..43bb40c7d
--- /dev/null
+++ b/install/updates/75-user-trust-attributes.update
@@ -0,0 +1,5 @@
+# Add an explicit self-service ACI to allow writing to manage trust attributes
+# for the owner of the object
+dn: cn=users,cn=accounts,$SUFFIX
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)
commit 27586cb7ae32af191cb8a3c36fc8856957300f08
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Aug 9 23:03:25 2019 +0300
install: Add missing scripts to app_DATA.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index bce8a56b1..68facbaf2 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -30,6 +30,7 @@ app_DATA = \
21-ca_renewal_container.update \
21-certstore_container.update \
25-referint.update \
+ 30-ipservices.update \
30-provisioning.update \
30-s4u2proxy.update \
37-locations.update \
@@ -63,6 +64,7 @@ app_DATA = \
73-custodia.update \
73-winsync.update \
73-certmap.update \
+ 75-user-trust-attributes.update \
80-schema_compat.update \
90-post_upgrade_plugins.update \
$(NULL)