On 06/07/2013 03:41 PM, Alexander Bokovoy wrote:
Hi,
in patch 0061:
On Fri, 07 Jun 2013, Tomas Babej wrote:
+ range_types = {
+ u'ipa-local': unicode(_(u'local domain range')),
+ u'ipa-ad-winsync': unicode(_('Active Directory winsync
range')),
+ u'ipa-ad-trust': unicode(_('Active Directory domain range')),
+ u'ipa-ad-trust-posix': unicode(_('Active Directory trust
range with '
+ 'POSIX attributes')),
+ u'ipa-ipa-trust': unicode(_('IPA trust range')),
+ }
Why there is _(u'local domain range') and then others without Unicode
strings? Either way is fine but there should be consistency.
Sure, fixed.
The rest of this patch would be much shorter if there wouldn't
additional whitespace. Could you please git rid of that?
Whitespaces are intentional, these are fixes for PEP8 E302 errors.
Sending the whole patchset updated.
Tomas
From 5502e0817aace0b1aa7ae4bd5cd62a3463164ff5 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:12:52 +0200
Subject: [PATCH] Extend idrange commands to support new range origin types
Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:
'ipa-local': 'local domain range'
'ipa-ad-winsync': 'Active Directory winsync range'
'ipa-ad-trust': 'Active Directory domain range'
'ipa-ad-trust-posix': 'Active Directory trust range with
POSIX attributes'
'ipa-ipa-trust': 'IPA trust range'
Part of https://fedorahosted.org/freeipa/ticket/3647
---
API.txt | 7 ++---
ipalib/plugins/idrange.py | 75 +++++++++++++++++++++++++++++++++++++----------
2 files changed, 63 insertions(+), 19 deletions(-)
diff --git a/API.txt b/API.txt
index 0a4b356e6f8a66d785e222f5941ff65a3cb484b7..1313460de66d8e12fc7a068cda0cf30658bcdd1b 100644
--- a/API.txt
+++ b/API.txt
@@ -1969,7 +1969,7 @@ option: Int('ipabaserid', attribute=True, cli_name='rid_base', multivalue=False,
option: Int('ipaidrangesize', attribute=True, cli_name='range_size', multivalue=False, required=True)
option: Str('ipanttrusteddomainname', attribute=False, cli_name='dom_name', multivalue=False, required=False)
option: Str('ipanttrusteddomainsid', attribute=True, cli_name='dom_sid', multivalue=False, required=False)
-option: Str('iparangetype', attribute=True, cli_name='iparangetype', multivalue=False, required=False)
+option: StrEnum('iparangetype', attribute=True, cli_name='type', multivalue=False, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
option: Int('ipasecondarybaserid', attribute=True, cli_name='secondary_rid_base', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -1994,7 +1994,7 @@ option: Int('ipabaseid', attribute=True, autofill=False, cli_name='base_id', mul
option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', multivalue=False, query=True, required=False)
option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, query=True, required=False)
option: Str('ipanttrusteddomainsid', attribute=True, autofill=False, cli_name='dom_sid', multivalue=False, query=True, required=False)
-option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, query=True, required=False)
+option: StrEnum('iparangetype', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local', u'ipa-ad-winsync', u'ipa-ipa-trust'))
option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, query=True, required=False)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -2006,7 +2006,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: idrange_mod
-args: 1,14,3
+args: 1,13,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -2016,7 +2016,6 @@ option: Int('ipabaserid', attribute=True, autofill=False, cli_name='rid_base', m
option: Int('ipaidrangesize', attribute=True, autofill=False, cli_name='range_size', multivalue=False, required=False)
option: DeprecatedParam('ipanttrusteddomainname?')
option: DeprecatedParam('ipanttrusteddomainsid?')
-option: Str('iparangetype', attribute=True, autofill=False, cli_name='iparangetype', multivalue=False, required=False)
option: Int('ipasecondarybaserid', attribute=True, autofill=False, cli_name='secondary_rid_base', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 73628795aaa069b436371be3d9c989e97916f1f6..1e7b17fb8f733699269878767f1bd6901c439142 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -19,7 +19,7 @@
from ipalib.plugins.baseldap import (LDAPObject, LDAPCreate, LDAPDelete,
LDAPRetrieve, LDAPSearch, LDAPUpdate)
-from ipalib import api, Int, Str, DeprecatedParam, _, ngettext
+from ipalib import api, Int, Str, DeprecatedParam, StrEnum, _, ngettext
from ipalib import errors
from ipapython.dn import DN
@@ -168,6 +168,15 @@ class idrange(LDAPObject):
label = _('ID Ranges')
label_singular = _('ID Range')
+ range_types = {
+ u'ipa-local': unicode(_('local domain range')),
+ u'ipa-ad-winsync': unicode(_('Active Directory winsync range')),
+ u'ipa-ad-trust': unicode(_('Active Directory domain range')),
+ u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
+ 'POSIX attributes')),
+ u'ipa-ipa-trust': unicode(_('IPA trust range')),
+ }
+
takes_params = (
Str('cn',
cli_name='name',
@@ -200,18 +209,23 @@ class idrange(LDAPObject):
flags=('no_search', 'virtual_attribute', 'no_update'),
label=_('Name of the trusted domain'),
),
- Str('iparangetype?',
+ StrEnum('iparangetype?',
label=_('Range type'),
- flags=['no_option'],
+ cli_name='type',
+ doc=(_('ID range type, one of {vals}'
+ .format(vals=', '.join(range_types.keys())))),
+ values=tuple(range_types.keys()),
+ flags=['no_update'],
)
)
def handle_iparangetype(self, entry_attrs, options, keep_objectclass=False):
- if not options.get('pkey_only', False):
- if 'ipatrustedaddomainrange' in entry_attrs.get('objectclass', []):
- entry_attrs['iparangetype'] = [unicode(_('Active Directory domain range'))]
- else:
- entry_attrs['iparangetype'] = [unicode(_(u'local domain range'))]
+ if not any((options.get('pkey_only', False),
+ options.get('raw', False))):
+ range_type = entry_attrs['iparangetype'][0]
+ entry_attrs['iparangetype'] = self.range_types.get(range_type, None)
+
+ # Remove the objectclass
if not keep_objectclass:
if not options.get('all', False) or options.get('pkey_only', False):
entry_attrs.pop('objectclass', None)
@@ -418,7 +432,21 @@ class idrange_add(LDAPCreate):
'not be found. Please specify the SID directly '
'using dom-sid option.'))
+ # ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range
if is_set('ipanttrusteddomainsid'):
+ entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+
+ # Default to ipa-ad-trust if no type set
+ if 'iparangetype' not in entry_attrs:
+ entry_attrs['iparangetype'] = u'ipa-ad-trust'
+
+ if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
+ u'ipa-ad-trust-posix'):
+ raise errors.ValidationError('ID Range setup',
+ error=_('IPA Range type must be one of ipa-ad-trust '
+ 'or ipa-ad-trust-posix when SID of the trusted '
+ 'domain is specified.'))
+
if is_set('ipasecondarybaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid/dom-name and secondary-rid-base '
@@ -431,11 +459,24 @@ class idrange_add(LDAPCreate):
# Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
- # Finally, add trusted AD domain range object class
- entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+ # ipaNTTrustedDomainSID attribute not set, this is local domain range
else:
- # secondary base rid must be set if and only if base rid is set
+ entry_attrs['objectclass'].append('ipadomainidrange')
+
+ # Default to ipa-local if no type set
+ if 'iparangetype' not in entry_attrs:
+ entry_attrs['iparangetype'] = 'ipa-local'
+
+ # TODO: can also be ipa-ad-winsync here?
+ if entry_attrs['iparangetype'] in (u'ipa-ad-trust',
+ u'ipa-ad-trust-posix'):
+ raise errors.ValidationError('ID Range setup',
+ error=_('IPA Range type must not be one of ipa-ad-trust '
+ 'or ipa-ad-trust-posix when SID of the trusted '
+ 'domain is not specified.'))
+
+ # secondary base rid must be set if and only if base rid is set
if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary-rid-base and rid-base must '
@@ -451,15 +492,15 @@ class idrange_add(LDAPCreate):
error=_("Primary RID range and secondary RID range"
" cannot overlap"))
- entry_attrs['objectclass'].append('ipadomainidrange')
-
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
- self.obj.handle_iparangetype(entry_attrs, options, keep_objectclass=True)
+ self.obj.handle_iparangetype(entry_attrs, options,
+ keep_objectclass=True)
return dn
+
class idrange_del(LDAPDelete):
__doc__ = _('Delete an ID range.')
@@ -494,6 +535,7 @@ class idrange_del(LDAPDelete):
return dn
+
class idrange_find(LDAPSearch):
__doc__ = _('Search for ranges.')
@@ -513,6 +555,7 @@ class idrange_find(LDAPSearch):
self.obj.handle_iparangetype(entry, options)
return truncated
+
class idrange_show(LDAPRetrieve):
__doc__ = _('Display information about a range.')
@@ -526,6 +569,7 @@ class idrange_show(LDAPRetrieve):
self.obj.handle_iparangetype(entry_attrs, options)
return dn
+
class idrange_mod(LDAPUpdate):
__doc__ = _('Modify ID range.')
@@ -589,7 +633,7 @@ class idrange_mod(LDAPUpdate):
self.obj.validate_trusted_domain_sid(
entry_attrs['ipanttrusteddomainsid'])
- # Add trusted AD domain range object class, if it wasn't there
+ # Add trusted AD domain range object class, if it wasn't there
if not 'ipatrustedaddomainrange' in old_attrs['objectclass']:
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
@@ -647,6 +691,7 @@ class idrange_mod(LDAPUpdate):
self.obj.handle_iparangetype(entry_attrs, options)
return dn
+
api.register(idrange)
api.register(idrange_add)
api.register(idrange_mod)
--
1.8.1.4
From e3b073011518f37497f08b0b4f4e34881b671a0a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:07:09 +0200
Subject: [PATCH 62/63] Add update plugin to fill in ipaRangeType attribute
Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.
Having a ipaRangeType attributeType in schema, we need to fill
the attribute values to ranges created in previous IPA versions.
The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.
Part of https://fedorahosted.org/freeipa/ticket/3647
---
ipaserver/install/plugins/adtrust.py | 1 +
ipaserver/install/plugins/update_idranges.py | 116 +++++++++++++++++++++++++++
2 files changed, 117 insertions(+)
create mode 100644 ipaserver/install/plugins/update_idranges.py
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 555a28b8f5333cae08e5f53d23b01f1093046eff..28358588b5693a8bb451f52a52bb8ef73747353b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -62,6 +62,7 @@ class update_default_range(PostUpdate):
'cn:%s' % id_range_name,
'ipabaseid:%s' % id_range_base_id,
'ipaidrangesize:%s' % id_range_size,
+ 'iparangetype:ipa-local',
]
updates = {}
diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
new file mode 100644
index 0000000000000000000000000000000000000000..c3df98af9f0f2c5ceae3360858f8c6de069646ce
--- /dev/null
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -0,0 +1,116 @@
+# Authors:
+# Tomas Babej <tba...@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import *
+
+
+class update_idrange_type(PostUpdate):
+ """
+ Update all ID ranges that do not have ipaRangeType attribute filled.
+ This applies to all ID ranges prior to IPA 3.3.
+ """
+
+ order = MIDDLE
+
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ base_dn = DN(api.env.container_ranges, api.env.basedn)
+ search_filter = ("(&(objectClass=ipaIDrange)(!(ipaRangeType=*)))")
+ root_logger.debug("update_idrange_type: search for ID ranges with no "
+ "type set")
+
+ while True:
+ # Run the search in loop to avoid issues when LDAP limits are hit
+ # during update
+
+ try:
+ (entries, truncated) = ldap.find_entries(search_filter,
+ ['objectclass'], base_dn, time_limit=0, size_limit=0)
+
+ except errors.NotFound:
+ root_logger.debug("update_idrange_type: no ID range without "
+ "type set found")
+ return (False, False, [])
+
+ except errors.ExecutionError, e:
+ root_logger.error("update_idrange_type: cannot retrieve list "
+ "of ranges with no type set: %s", e)
+ return (False, False, [])
+
+ if not entries:
+ # No entry was returned, rather break than continue cycling
+ root_logger.debug("update_idrange_type: no ID range was "
+ "returned")
+ return (False, False, [])
+
+ root_logger.debug("update_idrange_type: found %d "
+ "idranges to update, truncated: %s",
+ len(entries), truncated)
+
+ error = False
+
+ # Set the range type
+ for dn, entry in entries:
+ update = {}
+
+ objectclasses = [o.lower() for o
+ in entry.get('objectclass', [])]
+
+ if 'ipatrustedaddomainrange' in objectclasses:
+ # NOTICE: assumes every AD range does not use POSIX
+ # attributes
+ update['ipaRangeType'] = 'ipa-ad-trust'
+ elif 'ipadomainidrange' in objectclasses:
+ update['ipaRangeType'] = 'ipa-local'
+ else:
+ update['ipaRangeType'] = 'unknown'
+ root_logger.error("update_idrange_type: could not detect "
+ "range type for entry: %s" % str(dn))
+ root_logger.error("update_idrange_type: ID range type set "
+ "to 'unknown' for entry: %s" % str(dn))
+
+ try:
+ ldap.update_entry(dn, update)
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError, e:
+ root_logger.debug("update_idrange_type: cannot "
+ "update idrange type: %s", e)
+ error = True
+
+ if error:
+ # Exit loop to avoid infinite cycles
+ root_logger.error("update_idrange_type: error(s) "
+ "detected during idrange type update")
+ return (False, False, [])
+
+ elif not truncated:
+ # All affected entries updated, exit the loop
+ root_logger.debug("update_idrange_type: all affected idranges "
+ "were assigned types")
+ return (False, False, [])
+
+ return (False, False, [])
+
+api.register(update_idrange_type)
--
1.8.1.4
From 85ec5eca8a4dac379902b535b17995c0bfacb428 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 30 May 2013 14:02:44 +0200
Subject: [PATCH 61/63] Add ipaRangeType attribute to LDAP Schema
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.
ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
---
install/share/60basev3.ldif | 3 ++-
install/share/bootstrap-template.ldif | 1 +
install/updates/62-ranges.update | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 435948faefb66870aba20248ef88fae90505609c..b84789e25d75033f18fa5b70f69d852ddf35b7ca 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -37,6 +37,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi
attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@@ -49,7 +50,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT
objectClasses: (2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index bf7de348933433c82617f4acf33b7093e76ac959..014f7a55b2f55014b8e76ba6b9c1f74715b78841 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -428,3 +428,4 @@ objectClass: ipaDomainIDRange
cn: ${REALM}_id_range
ipaBaseID: $IDSTART
ipaIDRangeSize: $IDRANGE_SIZE
+ipaRangeType: ipa-local
diff --git a/install/updates/62-ranges.update b/install/updates/62-ranges.update
index 79d5326d6000d038923b2a92dcdec98370fa90f4..c2eb6dca7077aebf56b06b39710b3c46db799aed 100644
--- a/install/updates/62-ranges.update
+++ b/install/updates/62-ranges.update
@@ -3,10 +3,12 @@ add:attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First va
add:attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+add:attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $$ gidNumber $$ ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $$ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $$ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
+replace:objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )::(2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $$ ipaBaseID $$ ipaIDRangeSize $$ ipaRangeType ) X-ORIGIN 'IPA v3' )
dn: cn=ranges,cn=etc,$SUFFIX
default: objectClass: top
--
1.8.1.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
