forked from freeipa/freeipa
ipatests: collect log file for GC sync daemon #62
Open
wladich wants to merge 62 commits into abbra:gc-wip from wladich:gc-wip-ipatests-gcsyncd-logs
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
The schema for Active Directory is imported from [MSFT-ADSCHEMA] https://www.microsoft.com/en-us/download/details.aspx?id=23782 in LDIF format, as referenced in [MS-ADSC] specification. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
convert-schema is a tool to convert Microsoft Active Directory schema format to the format understood by 389-ds. The converter is based on a similar tool from Samba AD. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
Add Active Directory schema translated to 389-ds format Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
In Active Directory schema, attributes marked with isMemberOfPartialAttributeSet: TRUE attribute are replicated to Global Catalog. Other attributes aren't visible in Global Catalog. Remove non-replicated attributes from the classes. This dramatically reduces schema and possible conflicts with 389-ds core schema.
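The filtering described in this commit, as an added example that is not FreeIPA's convert-schema tool: a tiny LDIF reader collects the lDAPDisplayName of every attributeSchema entry carrying isMemberOfPartialAttributeSet: TRUE, then prunes the (system)mustContain/(system)mayContain lists of each classSchema entry down to that set. The LDIF below is a constructed miniature of an AD schema export; only the attribute names used by the filter are real AD schema names.

```python
"""Strip attributes outside the Global Catalog partial attribute set from
classSchema definitions.  Added example, not FreeIPA code; SAMPLE_LDIF is
constructed."""
from collections import defaultdict

CLASS_ATTR_LISTS = ("mustContain", "mayContain",
                    "systemMustContain", "systemMayContain")

# Constructed sample: one classSchema and five attributeSchema entries.
SAMPLE_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=X
objectClass: classSchema
lDAPDisplayName: user
systemMustContain: cn
systemMayContain: sAMAccountName
systemMayContain: userAccountControl
systemMayContain: lockoutTime
mayContain: homePhone

dn: CN=Common-Name,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: cn
isMemberOfPartialAttributeSet: TRUE

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
isMemberOfPartialAttributeSet: TRUE

dn: CN=User-Account-Control,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: userAccountControl
isMemberOfPartialAttributeSet: TRUE

dn: CN=Lockout-Time,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: lockoutTime

dn: CN=Phone-Home-Primary,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: homePhone
isMemberOfPartialAttributeSet: FALSE
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts.  Handles only the
    'attr: value' form (no base64 values, no continuation lines)."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def partial_attribute_set(entries):
    """lDAPDisplayName of every attributeSchema replicated to the GC.
    A missing isMemberOfPartialAttributeSet counts as FALSE, as in AD."""
    return {
        e["lDAPDisplayName"][0]
        for e in entries
        if "attributeSchema" in e.get("objectClass", [])
        and e.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE"
    }


def strip_non_gc_attributes(entries):
    """Return (classes, removed): classSchema entries whose attribute lists are
    reduced to the partial attribute set, plus the attribute names dropped."""
    pas = partial_attribute_set(entries)
    removed, classes = set(), []
    for e in entries:
        if "classSchema" not in e.get("objectClass", []):
            continue
        cls = {k: list(v) for k, v in e.items()}
        for key in CLASS_ATTR_LISTS:
            if key not in cls:
                continue
            keep = [a for a in cls[key] if a in pas]
            removed.update(a for a in cls[key] if a not in pas)
            if keep:
                cls[key] = keep
            else:
                del cls[key]  # an emptied list is dropped, not left as ''
        classes.append(cls)
    return classes, removed


def filtered_user_class():
    classes, removed = strip_non_gc_attributes(parse_ldif(SAMPLE_LDIF))
    return classes[0], removed


if __name__ == "__main__":
    cls, removed = filtered_user_class()
    print("kept:", {k: cls[k] for k in CLASS_ATTR_LISTS if k in cls})
    print("removed:", sorted(removed))
```

Note that lockoutTime is dropped because it has no isMemberOfPartialAttributeSet at all, while homePhone is dropped because the flag is explicitly FALSE; both cases must be treated as "not in the GC", which is why the default in partial_attribute_set is FALSE.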
…ificates Certmonger allows specifying multiple Kerberos principals when requesting certificates. However, ipalib/install/certmonger.py:request_cert() assumes we pass only a single principal and implicitly inserts it into a list. Support passing a list or tuple of principals. This is needed for Global Catalog support where a three-component Kerberos principal (ldap/host/domain@REALM) is used and the certificate has to have both. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
Add installer/uninstaller for Global Catalog
In order to install: /usr/libexec/ipa/gc/ipa-gc-install --gc-password 'pwd' -U
- installs the global catalog as a dirsrv instance in /etc/dirsrv/slapd-GLOBAL-CATALOG
- the instance has a cn=Directory Manager user with 'pwd'
- the instance is listening on ports 3268 and 3269
- for CA-less installs, specify --gc-cert-file 'pkcs12' --gc-pin 'pin'
In order to uninstall: /usr/libexec/ipa/ipa-gc-install --uninstall -U
- removes the instance
The installation creates an entry cn=GLOBAL-CATALOG,cn=$hostname,cn=masters,cn=ipa,cn=etc,$BASEDN which means that ipactl start/ipactl stop also starts/stops the GC.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Fixes: https://pagure.io/freeipa/issue/3125
Prepare ipaserver.install.upgradeinstance code to operate on different directory server instance.
Active Directory LDAP schema includes objectGUID attribute which is encoded as an octet string. For containers in Global Catalog we need to specify objectGUID value in each object. For those objects that describe a structure of Global Catalog, it is easier to autogenerate them directly. Add support to produce base64-encoded autogenerated uuid to ipa-uuid plugin. If configuration has 'ipaUuidEncode: TRUE' attribute value, it will be created as base64-encoded one. This is incompatible with prefixed UUIDs and should only be used for octet strings.
Global Catalog is read-only. As a result, we map any successfully authenticated SASL user to a DN of an object assigned read-only rights. Both fully-qualified and name-only SASL mappings are required.
Global Catalog is read-only. We grant read-only access to a majority of objects in the GC tree to ldap:///all but the only object that will be allowed to access it is controlled by the SASL mapping to uid=read-only-principal,cn=configuration,$SUFFIX.
Remove (objectclass=*) target filter.
Two SASL mappings for fully qualified and non-fully qualified names can be combined into the one that works for both IPA and trusted AD users.
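The mapping these commits describe, as an added example that is not FreeIPA's or 389-ds's own code: a Python check that one regex accepts both the fully qualified (user@REALM) and the bare (user) SASL identity, and a rendering of the corresponding nsSaslMapping entry. The regex patterns, the sample suffix, the mapping cn and the priority are assumptions; the read-only DN shape follows the commit message. 389-ds evaluates nsSaslMapRegexString with its own regex engine, so a pattern that passes here should still be verified against a real instance.

```python
"""Combined SASL identity mapping for a read-only Global Catalog instance.
Added example, not project code.  Patterns, suffix and priority are assumed."""
import re

# Assumed sample suffix; the read-only principal DN follows the commit message.
SUFFIX = "dc=ipa,dc=test"
READ_ONLY_DN = "uid=read-only-principal,cn=configuration," + SUFFIX

# Assumed shapes of the two mappings being replaced, and the single combined one.
FULLY_QUALIFIED = r"^[^@]+@.+$"      # alice@IPA.TEST, bob@AD.TEST
NAME_ONLY = r"^[^@]+$"               # alice
COMBINED = r"^[^@]+(@.+)?$"          # both of the above


def map_sasl_identity(authid, pattern=COMBINED):
    """Return the DN the identity is mapped to, or None if the regex rejects it.
    Every matched identity lands on the same read-only object: the GC does not
    look up the user, it only needs 'authenticated' versus 'anonymous'."""
    if re.match(pattern, authid):
        return READ_ONLY_DN
    return None


def sasl_mapping_ldif(pattern=COMBINED, priority=10):
    """Render the 389-ds nsSaslMapping entry for the pattern.  The attribute
    names are the real 389-ds ones; cn and priority are example values."""
    return "\n".join([
        "dn: cn=Global Catalog read-only,cn=mapping,cn=sasl,cn=config",
        "objectClass: top",
        "objectClass: nsSaslMapping",
        "cn: Global Catalog read-only",
        "nsSaslMapRegexString: " + pattern,
        "nsSaslMapBaseDNTemplate: " + READ_ONLY_DN,
        "nsSaslMapFilterTemplate: (objectClass=*)",
        "nsSaslMapPriority: %d" % priority,
    ])


if __name__ == "__main__":
    for authid in ("alice@IPA.TEST", "bob@AD.TEST", "alice", ""):
        print("%-16r -> %s" % (authid, map_sasl_identity(authid)))
    print(sasl_mapping_ldif())
```

The empty identity is deliberately rejected by `[^@]+`: an anonymous or failed SASL bind must not be mapped onto the read-only principal, which is the one object granted access in the ACI.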
- make ipa-server-install work even if samba-client is not installed: currently ipa-server-install calls gc code to check if it needs to be uninstalled, and it creates a dependency on samba. Move the import so that there is no dependency on installation.
- make ipa-gc-install check that ad trust is installed
At the end of the global catalog install, update the DNS records with SRV records for the global catalog:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs
_ldap._tcp.gc._msdcs
_gc._tcp.Default-First-Site-Name._sites
_gc._tcp
At the end of the global catalog install, the --populate option allows copying the users and groups from IdM to the GC.
AD is performing a search using showInAdvancedViewOnly attribute when looking for users/groups over the trust. This attribute is needed in the schema in order to add an ACI allowing its use.
The foreign security principals will be stored in this container in the GC.
When a group is copied from 389-ds instance to the global catalog, its groupType attribute depends on its type:
- posix groups are mapped to a security group/global
- external groups are mapped to a security group/domain-local
- non posix groups are mapped to a distribution group/global
The transformation library builds a SID for each user/group from the value of ipantsecurityidentifier, but some entries don't contain this attribute (for instance the non-posix groups). For these entries, the SID is created from the ipauniqueid and a special SID prefix S-1-738065- (ASCII codes of IPA concatenated).
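The group transformation described in the two preceding commit messages, together with the base64 octet-string form of objectGUID from the ipa-uuid commit above, as an added example that is not FreeIPA's transformation library. The groupType bit values are the documented AD ones and the S-1-738065 authority is taken from the commit message; how the real code packs ipauniqueid into SID sub-authorities is not stated there, so the four-32-bit-word packing in sid_from_uniqueid is an assumption. The three group entries are constructed.

```python
"""IdM group -> Global Catalog attributes: groupType, objectSid, objectGUID.
Added example, not FreeIPA code.  Sub-authority packing is assumed;
sample entries are constructed."""
import base64
import uuid

# AD groupType bits (ADS_GROUP_TYPE_ENUM); the LDAP value is a signed int32.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Identifier authority from the commit message: ASCII "I","P","A" = 73,80,65.
IPA_SID_PREFIX = "S-1-738065"


def to_signed32(value):
    """groupType is stored as a signed 32-bit integer in LDAP."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type(objectclasses):
    """Map the IPA group kind (by objectClass) to the AD groupType value."""
    oc = {c.lower() for c in objectclasses}
    if "posixgroup" in oc:                 # security group / global
        flags = GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_GLOBAL
    elif "ipaexternalgroup" in oc:         # security group / domain-local
        flags = GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_DOMAIN_LOCAL
    else:                                  # non-POSIX: distribution / global
        flags = GROUP_TYPE_GLOBAL
    return to_signed32(flags)


def sid_from_uniqueid(ipauniqueid):
    """ASSUMED packing: the 128-bit ipauniqueid as four 32-bit sub-authorities
    under the IPA identifier authority (well within the 15 sub-authority limit)."""
    u = uuid.UUID(ipauniqueid)
    words = [(u.int >> shift) & 0xFFFFFFFF for shift in (96, 64, 32, 0)]
    return "-".join([IPA_SID_PREFIX] + [str(w) for w in words])


def object_sid(entry):
    """Use the real SID when the entry has one; synthesize only as a fallback."""
    if entry.get("ipantsecurityidentifier"):
        return entry["ipantsecurityidentifier"][0]
    return sid_from_uniqueid(entry["ipauniqueid"][0])


def guid_as_ldif_base64(ipauniqueid):
    """objectGUID is an octet string, so LDIF carries it base64 (objectGUID:: ...).
    .bytes is used here; AD tools print GUIDs in mixed-endian order, so use
    .bytes_le if the textual GUID seen from Windows must equal the ipauniqueid."""
    return base64.b64encode(uuid.UUID(ipauniqueid).bytes).decode("ascii")


def transform_group(entry):
    """Return the GC attributes for one IdM group entry (dict of value lists)."""
    return {
        "groupType": group_type(entry["objectClass"]),
        "objectSid": object_sid(entry),
        "objectGUID": guid_as_ldif_base64(entry["ipauniqueid"][0]),
    }


# Constructed sample entries (objectClass sets follow IPA's group schema).
POSIX_GROUP = {
    "cn": ["admins"],
    "objectClass": ["top", "groupofnames", "ipausergroup", "posixgroup",
                    "ipaobject", "ipantgroupattrs"],
    "ipauniqueid": ["6ba7b810-9dad-11d1-80b4-00c04fd430c8"],
    "ipantsecurityidentifier": ["S-1-5-21-1234567890-1234567890-1234567890-512"],
}
EXTERNAL_GROUP = {
    "cn": ["ad_admins_external"],
    "objectClass": ["top", "groupofnames", "ipausergroup", "ipaexternalgroup",
                    "ipaobject"],
    "ipauniqueid": ["00000000-0000-0000-0000-000000000001"],
}
NONPOSIX_GROUP = {
    "cn": ["editors"],
    "objectClass": ["top", "groupofnames", "ipausergroup", "ipaobject"],
    "ipauniqueid": ["ffffffff-0000-0000-0000-000000000002"],
}

if __name__ == "__main__":
    for g in (POSIX_GROUP, EXTERNAL_GROUP, NONPOSIX_GROUP):
        print(g["cn"][0], transform_group(g))
```

Because the synthetic SIDs live under an authority no Windows domain issues, they cannot collide with real domain SIDs, but they also cannot be resolved by AD; they exist only so every GC entry has an objectSid.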
In order to avoid a later circular dependency.