Hi,

In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user.

This allows users to self-manage ID override parameters from the CLI, for example, SSH public keys or certificates. Admins can define what can be changed by the users via self-service permissions.

Part of https://fedorahosted.org/freeipa/ticket/2149

--
/ Alexander Bokovoy
From 96bd9f454f3080f71d96a01779882f0b1b19e67c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Mon, 6 Jun 2016 11:51:05 +0300 Subject: [PATCH 4/4] adtrust: support GSSAPI authentication to LDAP as Active Directory user In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user. This allows to self-manage ID override parameters from the CLI, for example, SSH public keys or certificates. Admins can define what can be changed by the users via self-service permissions. Part of https://fedorahosted.org/freeipa/ticket/2149 --- install/updates/20-idoverride_index.update | 20 ++++++++++++++++++++ install/updates/71-idviews-sasl-mapping.update | 9 +++++++++ install/updates/Makefile.am | 2 ++ 3 files changed, 31 insertions(+) create mode 100644 install/updates/20-idoverride_index.update create mode 100644 install/updates/71-idviews-sasl-mapping.update diff --git a/install/updates/20-idoverride_index.update b/install/updates/20-idoverride_index.update new file mode 100644 index 0000000..a8b9681 --- /dev/null +++ b/install/updates/20-idoverride_index.update @@ -0,0 +1,20 @@ +# +# Make sure ID override attributes have the correct indexing +# + +dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipaOriginalUid +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only: nsIndexType: eq +only: nsIndexType: pres + +dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipaOriginalUid +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only: nsIndexType: eq +only: nsIndexType: pres + diff --git a/install/updates/71-idviews-sasl-mapping.update b/install/updates/71-idviews-sasl-mapping.update new file mode 100644 index 0000000..bd49223 --- /dev/null 
+++ b/install/updates/71-idviews-sasl-mapping.update @@ -0,0 +1,9 @@ +dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config +default:cn: ID Overridden Principal +default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX +default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride)) +default:nsSaslMapPriority: 20 +default:nsSaslMapRegexString: \(.*\)@\(.*\) +default:objectClass: top +default:objectClass: nsSaslMapping + diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 737a8bb..fde6917 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -21,6 +21,7 @@ app_DATA = \ 20-syncrepl.update \ 20-user_private_groups.update \ 20-winsync_index.update \ + 20-idoverride_index.update \ 20-uuid.update \ 21-replicas_container.update \ 21-ca_renewal_container.update \ @@ -53,6 +54,7 @@ app_DATA = \ 61-trusts-s4u2proxy.update \ 62-ranges.update \ 71-idviews.update \ + 71-idviews-sasl-mapping.update \ 72-domainlevels.update \ 73-custodia.update \ 73-winsync.update \ -- 2.7.4
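Review bot: In 20-idoverride_index.update the second index entry has a copy-paste error: its dn is `cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config` but the next line reads `default:cn: ipaOriginalUid`, so the cn attribute of the ipaAnchorUUID index entry would not match its RDN. It should read `default:cn: ipaAnchorUUID`. The file header comment could also say why ipaAnchorUUID is indexed here, since the new SASL mapping filter only searches on ipaoriginaluid.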
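Review bot: In 71-idviews-sasl-mapping.update the regex `\(.*\)@\(.*\)` is unanchored and matches every Kerberos principal containing '@', including IPA's own user and service principals, so this mapping at priority 20 is tried for all GSSAPI binds and only the filter template `(&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride))` under `cn=default trust view,cn=views,cn=accounts,$SUFFIX` narrows it to ID override entries. Please confirm, and note in the file header, that a lookup returning no entry falls through to the existing mappings instead of failing the bind. Two more points to confirm: the `\1@\2` value built from the principal carries the realm exactly as it appears in the principal (normally uppercase), so the ipaoriginaluid equality match has to be case-insensitive if overrides store the domain in lowercase; and because the first `\(.*\)` is greedy, a principal with more than one '@' is split at the last one, which looks intended but deserves a comment.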