On 06/05/2013 02:53 PM, Tomas Babej wrote:
On 06/03/2013 05:00 PM, Tomas Babej wrote:
Hi,
Sending rebased versions on top of current master.
Tomas
Hi,
A rebase was needed again.
I also fixed a bug in the update plugin, since it used case-sensitive
comparison of objectclasses.
Updated patcheset attached.
Tomas
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Patcheset updated with the changes required for the patch 67.
Tomas
From de961306fc4582c0e63d28f42ad60df6e956443b Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:12:52 +0200
Subject: [PATCH] Extend idrange commands to support new range origin types
Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:
'ipa-local': 'local domain range'
'ipa-ad-winsync': 'Active Directory winsync range'
'ipa-ad-trust': 'Active Directory domain range'
'ipa-ad-trust-posix': 'Active Directory trust range with
POSIX attributes'
'ipa-ipa-trust': 'IPA trust range'
Part of https://fedorahosted.org/freeipa/ticket/3647
---
API.txt | 7 ++---
ipalib/plugins/idrange.py | 74 ++++++++++++++++++++++++++++++++++++++---------
2 files changed, 63 insertions(+), 18 deletions(-)
diff --git a/API.txt b/API.txt
index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..1313460de66d8e12fc7a068cda0cf30658bcdd1b 100644
--- a/API.txt
+++ b/API.txt
@@ -1969,7 +1969,7 @@ option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False,
option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True)
option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False)
option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False)
-option: Str('iparangetype', attribute=True, cli_name='iparangetype', multivalue=False, required=False)
+option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -1994,7 +1994,7 @@ option: Int('ipabaseid', attribute=True, autofill=False, cli_name='base_id', mul
option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False)
option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False)
option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False)
-option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, query=True, required=False)
+option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -2006,7 +2006,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: idrange_mod
-args: 1,14,3
+args: 1,13,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -2016,7 +2016,6 @@ option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', m
option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, required=False)
option: DeprecatedParam('ipanttrusteddomainname?')
option: DeprecatedParam('ipanttrusteddomainsid?')
-option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, required=False)
option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 73628795aaa069b436371be3d9c989e97916f1f6..ad15ec73872ef2894b48d7f618c4ef7f3d5a840a 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -19,7 +19,7 @@
from ipalib.plugins.baseldap import (LDAPObject, LDAPCreate, LDAPDelete,
LDAPRetrieve, LDAPSearch, LDAPUpdate)
-from ipalib import api, Int, Str, DeprecatedParam, _, ngettext
+from ipalib import api, Int, Str, DeprecatedParam, StrEnum, _, ngettext
from ipalib import errors
from ipapython.dn import DN
@@ -168,6 +168,15 @@ class idrange(LDAPObject):
label = _('ID Ranges')
label_singular = _('ID Range')
+ range_types = {
+ u'ipa-local': unicode(_(u'local domain range')),
+ u'ipa-ad-winsync': unicode(_('Active Directory winsync range')),
+ u'ipa-ad-trust': unicode(_('Active Directory domain range')),
+ u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
+ 'POSIX attributes')),
+ u'ipa-ipa-trust': unicode(_('IPA trust range')),
+ }
+
takes_params = (
Str('cn',
cli_name='name',
@@ -200,18 +209,23 @@ class idrange(LDAPObject):
flags=('no_search', 'virtual_attribute', 'no_update'),
label=_('Name of the trusted domain'),
),
- Str('iparangetype?',
+ StrEnum('iparangetype?',
label=_('Range type'),
- flags=['no_option'],
+ cli_name='type',
+ doc=(_('ID range type, one of {vals}'
+ .format(vals=', '.join(range_types.keys())))),
+ values=tuple(range_types.keys()),
+ flags=['no_update'],
)
)
def handle_iparangetype(self, entry_attrs, options, keep_objectclass=False):
- if not options.get('pkey_only', False):
- if 'ipatrustedaddomainrange' in entry_attrs.get('objectclass', []):
- entry_attrs['iparangetype'] = [unicode(_('Active Directory domain range'))]
- else:
- entry_attrs['iparangetype'] = [unicode(_(u'local domain range'))]
+ if not any((options.get('pkey_only', False),
+ options.get('raw', False))):
+ range_type = entry_attrs['iparangetype'][0]
+ entry_attrs['iparangetype'] = self.range_types.get(range_type, None)
+
+ # Remove the objectclass
if not keep_objectclass:
if not options.get('all', False) or options.get('pkey_only', False):
entry_attrs.pop('objectclass', None)
@@ -418,7 +432,21 @@ class idrange_add(LDAPCreate):
'not be found. Please specify the SID directly '
'using dom-sid option.'))
+ # ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range
if is_set('ipanttrusteddomainsid'):
+ entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+
+ # Default to ipa-ad-trust if no type set
+ if 'iparangetype' not in entry_attrs:
+ entry_attrs['iparangetype'] = 'ipa-ad-trust'
+
+ if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
+ u'ipa-ad-trust-posix'):
+ raise errors.ValidationError('ID Range setup',
+ error=_('IPA Range type must be one of ipa-ad-trust '
+ 'or ipa-ad-trust-posix when SID of the trusted '
+ 'domain is specified.'))
+
if is_set('ipasecondarybaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid/dom-name and secondary-rid-base '
@@ -431,11 +459,24 @@ class idrange_add(LDAPCreate):
# Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
- # Finally, add trusted AD domain range object class
- entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+ # ipaNTTrustedDomainSID attribute not set, this is local domain range
else:
- # secondary base rid must be set if and only if base rid is set
+ entry_attrs['objectclass'].append('ipadomainidrange')
+
+ # Default to ipa-local if no type set
+ if 'iparangetype' not in entry_attrs:
+ entry_attrs['iparangetype'] = 'ipa-local'
+
+ # TODO: can also be ipa-ad-winsync here?
+ if entry_attrs['iparangetype'] in (u'ipa-ad-trust',
+ u'ipa-ad-trust-posix'):
+ raise errors.ValidationError('ID Range setup',
+ error=_('IPA Range type must not be one of ipa-ad-trust '
+ 'or ipa-ad-trust-posix when SID of the trusted '
+ 'domain is not specified.'))
+
+ # secondary base rid must be set if and only if base rid is set
if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary-rid-base and rid-base must '
@@ -451,15 +492,15 @@ class idrange_add(LDAPCreate):
error=_("Primary RID range and secondary RID range"
" cannot overlap"))
- entry_attrs['objectclass'].append('ipadomainidrange')
-
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
- self.obj.handle_iparangetype(entry_attrs, options, keep_objectclass=True)
+ self.obj.handle_iparangetype(entry_attrs, options,
+ keep_objectclass=True)
return dn
+
class idrange_del(LDAPDelete):
__doc__ = _('Delete an ID range.')
@@ -494,6 +535,7 @@ class idrange_del(LDAPDelete):
return dn
+
class idrange_find(LDAPSearch):
__doc__ = _('Search for ranges.')
@@ -513,6 +555,7 @@ class idrange_find(LDAPSearch):
self.obj.handle_iparangetype(entry, options)
return truncated
+
class idrange_show(LDAPRetrieve):
__doc__ = _('Display information about a range.')
@@ -526,6 +569,7 @@ class idrange_show(LDAPRetrieve):
self.obj.handle_iparangetype(entry_attrs, options)
return dn
+
class idrange_mod(LDAPUpdate):
__doc__ = _('Modify ID range.')
@@ -592,6 +636,7 @@ class idrange_mod(LDAPUpdate):
# Add trusted AD domain range object class, if it wasn't there
if not 'ipatrustedaddomainrange' in old_attrs['objectclass']:
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+ entry_attrs['iparangetype'] = 'ipa-ad-trust'
else:
# secondary base rid must be set if and only if base rid is set
@@ -647,6 +692,7 @@ class idrange_mod(LDAPUpdate):
self.obj.handle_iparangetype(entry_attrs, options)
return dn
+
api.register(idrange)
api.register(idrange_add)
api.register(idrange_mod)
--
1.8.1.4
From 0580d3c03319c72d731d0598b19e633fc536b866 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:07:09 +0200
Subject: [PATCH 62/63] Add update plugin to fill in ipaRangeType attribute
Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.
Having a ipaRangeType attributeType in schema, we need to fill
the attribute values to ranges created in previous IPA versions.
The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.
Part of https://fedorahosted.org/freeipa/ticket/3647
---
ipaserver/install/plugins/adtrust.py | 1 +
ipaserver/install/plugins/update_idranges.py | 116 +++++++++++++++++++++++++++
2 files changed, 117 insertions(+)
create mode 100644 ipaserver/install/plugins/update_idranges.py
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 555a28b8f5333cae08e5f53d23b01f1093046eff..28358588b5693a8bb451f52a52bb8ef73747353b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -62,6 +62,7 @@ class update_default_range(PostUpdate):
'cn:%s' % id_range_name,
'ipabaseid:%s' % id_range_base_id,
'ipaidrangesize:%s' % id_range_size,
+ 'iparangetype:ipa-local',
]
updates = {}
diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
new file mode 100644
index 0000000000000000000000000000000000000000..c3df98af9f0f2c5ceae3360858f8c6de069646ce
--- /dev/null
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -0,0 +1,116 @@
+# Authors:
+# Tomas Babej <tba...@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import *
+
+
+class update_idrange_type(PostUpdate):
+ """
+ Update all ID ranges that do not have ipaRangeType attribute filled.
+ This applies to all ID ranges prior to IPA 3.3.
+ """
+
+ order = MIDDLE
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ base_dn = DN(api.env.container_ranges, api.env.basedn)
+ search_filter = ("(&(objectClass=ipaIDrange)(!(ipaRangeType=*)))")
+ root_logger.debug("update_idrange_type: search for ID ranges with no "
+ "type set")
+
+ while True:
+ # Run the search in loop to avoid issues when LDAP limits are hit
+ # during update
+
+ try:
+ (entries, truncated) = ldap.find_entries(search_filter,
+ ['objectclass'], base_dn, time_limit=0, size_limit=0)
+
+ except errors.NotFound:
+ root_logger.debug("update_idrange_type: no ID range without "
+ "type set found")
+ return (False, False, [])
+
+ except errors.ExecutionError, e:
+ root_logger.error("update_idrange_type: cannot retrieve list "
+ "of ranges with no type set: %s", e)
+ return (False, False, [])
+
+ if not entries:
+ # No entry was returned, rather break than continue cycling
+ root_logger.debug("update_idrange_type: no ID range was "
+ "returned")
+ return (False, False, [])
+
+ root_logger.debug("update_idrange_type: found %d "
+ "idranges to update, truncated: %s",
+ len(entries), truncated)
+
+ error = False
+
+ # Set the range type
+ for dn, entry in entries:
+ update = {}
+
+ objectclasses = [o.lower() for o
+ in entry.get('objectclass', [])]
+
+ if 'ipatrustedaddomainrange' in objectclasses:
+ # NOTICE: assumes every AD range does not use POSIX
+ # attributes
+ update['ipaRangeType'] = 'ipa-ad-trust'
+ elif 'ipadomainidrange' in objectclasses:
+ update['ipaRangeType'] = 'ipa-local'
+ else:
+ update['ipaRangeType'] = 'unknown'
+ root_logger.error("update_idrange_type: could not detect "
+ "range type for entry: %s" % str(dn))
+ root_logger.error("update_idrange_type: ID range type set "
+ "to 'unknown' for entry: %s" % str(dn))
+
+ try:
+ ldap.update_entry(dn, update)
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError, e:
+ root_logger.debug("update_idrange_type: cannot "
+ "update idrange type: %s", e)
+ error = True
+
+ if error:
+ # Exit loop to avoid infinite cycles
+ root_logger.error("update_idrange_type: error(s) "
+ "detected during idrange type update")
+ return (False, False, [])
+
+ elif not truncated:
+ # All affected entries updated, exit the loop
+ root_logger.debug("update_idrange_type: all affected idranges "
+ "were assigned types")
+ return (False, False, [])
+
+ return (False, False, [])
+
+api.register(update_idrange_type)
--
1.8.1.4
From 0159e5d896e2ae0c3da348cbee1152f923074196 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:02:44 +0200
Subject: [PATCH 61/63] Add ipaRangeType attribute to LDAP Schema
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.
ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
---
install/share/60basev3.ldif | 3 ++-
install/updates/62-ranges.update | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 435948faefb66870aba20248ef88fae90505609c..b84789e25d75033f18fa5b70f69d852ddf35b7ca 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -37,6 +37,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi
attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -49,7 +50,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT
objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update
index 79d5326d6000d038923b2a92dcdec98370fa90f4..c2eb6dca7077aebf56b06b39710b3c46db799aed 100644
--- a/install/updates/62-ranges.update
+++ b/install/updates/62-ranges.update
@@ -3,10 +3,12 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va
add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $$ gidNumber $$ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )::(2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize $$ ipaRangeType ) X-ORIGIN 'IPA v3' )
dn: cn=ranges,cn=etc,$SUFFIX
default: objectClass: top
--
1.8.1.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
