install/updates/30-ipservices.update from 39eaf2fa as it is not part of the release tarball of 4.8.0 but needed for 27586cb7: commit 39eaf2fab5e27bd12edfb2a24c439a8ea5fb26f0 Author: Christian Heimes Date: Fri Dec 7 13:08:49 2018 +0100 Add index and container for RFC 2307 IP services IPA doesn't officially support RFC 2307 IP services. However SSSD has a nsswitch plugin to provide service lookups. The subtree search for (&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in cn=accounts,$SUFFIX has caused performance issues on large installations. This patch introduced a dedicated container cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd party extensions. SSSD will change its search base in an upcoming release, too. A new ipServicePort index is added to optimize searches for an IP service by port. There is no index on ipServiceProtocol because the index would have poor selectivity. An ipService entry has either 'tcp' or 'udp' as protocol. Fixes: https://pagure.io/freeipa/issue/7797 See: https://pagure.io/freeipa/issue/7786 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy diff --git a/install/updates/30-ipservices.update b/install/updates/30-ipservices.update new file mode 100644 index 000000000..01a6d52f8 --- /dev/null +++ b/install/updates/30-ipservices.update 
@@ -0,0 +1,6 @@ +# container for RFC 2307 IP services + +dn: cn=ipservices,cn=accounts,$SUFFIX +default: objectClass: top +default: objectClass: nsContainer +default: cn: ipservices install/updates/75-user-trust-attributes.update from c18ee9b6 as it is not part of the release tarball of 4.8.0 but needed for 27586cb7: commit c18ee9b641ddc1e6b52d0413caa1fb98ac13785d Author: Tibor Dudlák Date: Tue Apr 2 16:23:09 2019 +0200 Add SMB attributes for users SMB attributes are used by Samba domain controller when reporting details about IPA users via LSA DCE RPC calls. Based on the initial work from the external plugin: https://github.com/abbra/freeipa-user-trust-attributes Related: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy Signed-off-by: Tibor Dudlák Reviewed-By: Alexander Bokovoy Reviewed-By: Tibor Dudlak diff --git a/install/updates/75-user-trust-attributes.update b/install/updates/75-user-trust-attributes.update new file mode 100644 index 000000000..43bb40c7d --- /dev/null +++ b/install/updates/75-user-trust-attributes.update @@ -0,0 +1,5 @@ +# Add an explicit self-service ACI to allow writing to manage trust attributes +# for the owner of the object +dn: cn=users,cn=accounts,$SUFFIX +add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";) +add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";) commit 27586cb7ae32af191cb8a3c36fc8856957300f08 Author: Timo Aaltonen Date: Fri Aug 9 23:03:25 2019 +0300 install: Add missing scripts to app_DATA. Signed-off-by: Timo Aaltonen Reviewed-By: Alexander Bokovoy 
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index bce8a56b1..68facbaf2 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -30,6 +30,7 @@ app_DATA = \ 21-ca_renewal_container.update \ 21-certstore_container.update \ 25-referint.update \ + 30-ipservices.update \ 30-provisioning.update \ 30-s4u2proxy.update \ 37-locations.update \ @@ -63,6 +64,7 @@ app_DATA = \ 73-custodia.update \ 73-winsync.update \ 73-certmap.update \ + 75-user-trust-attributes.update \ 80-schema_compat.update \ 90-post_upgrade_plugins.update \ $(NULL)
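Review bot: In install/updates/30-ipservices.update, the six added lines create only the cn=ipservices,cn=accounts,$SUFFIX container, while the commit message carried with the file also describes a new ipServicePort index; nothing in this file defines that index. Since the file is pulled in on its own, confirm that the index definition ships by another route, or state in the carry description that only the container is included. Without the index, searches filtering on ipserviceport would not get the optimisation the message describes.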
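Review bot: In install/updates/75-user-trust-attributes.update, the second add:aci line grants every user write access (userdn = "ldap:///self") to their own ipantlogonscript, ipantprofilepath, ipanthomedirectory and ipanthomedirectorydrive, which the commit message says the Samba domain controller reports via LSA DCE RPC calls. Confirm that self-service write is intended for all four attributes, in particular the logon script and profile path, or narrow the targetattr list on that ACI and leave the remaining attributes to administrators. The leading comment also describes only the self-service ACI; it should mention the first ACI, which grants read to cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX.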
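Review bot: In install/updates/Makefile.am, both added app_DATA entries (30-ipservices.update and 75-user-trust-attributes.update) name files that the notes above say are not part of the 4.8.0 release tarball, so this change depends on the two new-file patches being applied with it. The commit message should say so, and "missing scripts" would read more accurately as "missing update files", since both entries are .update files.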