Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[slapd] Add support for 'AutoGroup' overlay
Showing 9 changed files with 278 additions and 32 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
The OpenLDAP Public License | ||
|
||
Version 2.8, 17 August 2003 | ||
|
||
Redistribution and use of this software and associated documentation ("Software"), | ||
with or without modification, are permitted provided that the following conditions | ||
are met: | ||
|
||
1. Redistributions in source form must retain copyright statements and notices, | ||
|
||
2. Redistributions in binary form must reproduce applicable copyright statements | ||
and notices, this list of conditions, and the following disclaimer in the | ||
documentation and/or other materials provided with the distribution, and | ||
|
||
3. Redistributions must contain a verbatim copy of this document. | ||
|
||
The OpenLDAP Foundation may revise this license from time to time. Each revision | ||
is distinguished by a version number. You may use this Software under terms | ||
of this license revision or under the terms of any subsequent revision of | ||
the license. | ||
|
||
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS | ||
``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | ||
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, | ||
OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, | ||
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE | ||
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF | ||
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
|
||
The names of the authors and copyright holders must not be used in advertising | ||
or otherwise to promote the sale, use or other dealing in this Software without | ||
specific, written prior permission. Title to copyright in this Software shall | ||
at all times remain with copyright holders. | ||
|
||
OpenLDAP is a registered trademark of the OpenLDAP Foundation. | ||
|
||
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. | ||
All Rights Reserved. Permission to copy and distribute verbatim copies of | ||
this document is granted. |
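Review bot: Missing documentation of where this copy of the license lives: the page does not show the new file's path, and the schema header added in the same commit points readers to "the file LICENSE in the top-level directory of the distribution", which is not where a file placed beside ansible/roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema would be found; either keep this copy next to the schema and update that header comment to match, or state the path here. The text itself is the verbatim OpenLDAP Public License 2.8, which condition 3 of the license requires to accompany the redistributed schema.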
ansible/roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema
96 changes: 96 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
# dyngroup.schema -- Dynamic Group schema | ||
# $OpenLDAP$ | ||
## This work is part of OpenLDAP Software <http://www.openldap.org/>. | ||
## | ||
## Copyright (C) 1998-2018 The OpenLDAP Foundation. | ||
## Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com> | ||
## Copyright (C) 2020 DebOps <https://debops.org/> | ||
## SPDX-License-Identifier: OLDAP-2.8 | ||
## | ||
## All rights reserved. | ||
## | ||
## Redistribution and use in source and binary forms, with or without | ||
## modification, are permitted only as authorized by the OpenLDAP | ||
## Public License. | ||
## | ||
## A copy of this license is available in the file LICENSE in the | ||
## top-level directory of the distribution or, alternatively, at | ||
## <http://www.OpenLDAP.org/license.html>. | ||
# | ||
# Dynamic Group schema (experimental), as defined by Netscape. See | ||
# http://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf | ||
# page 70 for details on how these groups were used. | ||
# | ||
# A description of the objectclass definition is available here: | ||
# http://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745 | ||
# | ||
# depends upon: | ||
# core.schema | ||
# | ||
# These definitions are considered experimental due to the lack of | ||
# a formal specification (e.g., RFC). | ||
# | ||
# NOT RECOMMENDED FOR PRODUCTION USE! USE WITH CAUTION! | ||
# | ||
# The Netscape documentation describes this as an auxiliary objectclass | ||
# but their implementations have always defined it as a structural class. | ||
# The sloppiness here is because Netscape-derived servers don't actually | ||
# implement the X.500 data model, and they don't honor the distinction | ||
# between structural and auxiliary classes. This fact is noted here: | ||
# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636 | ||
# | ||
# In accordance with other existing implementations, we define it as a | ||
# structural class. | ||
# | ||
# Our definition of memberURL also does not match theirs but again | ||
# their published definition and what works in practice do not agree. | ||
# In other words, the Netscape definitions are broken and interoperability | ||
# is not guaranteed. | ||
# | ||
# Also see the new DynGroup proposed spec at | ||
# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02 | ||
# | ||
# This schema is modified to support the 'autogroup' overlay by adding a MAY | ||
# 'member' attribute to the 'groupOfURLs' LDAP object. | ||
|
||
objectIdentifier NetscapeRoot 2.16.840.1.113730 | ||
|
||
objectIdentifier NetscapeLDAP NetscapeRoot:3 | ||
objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1 | ||
objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2 | ||
|
||
objectIdentifier OpenLDAPExp11 1.3.6.1.4.1.4203.666.11 | ||
objectIdentifier DynGroupBase OpenLDAPExp11:8 | ||
objectIdentifier DynGroupAttr DynGroupBase:1 | ||
objectIdentifier DynGroupOC DynGroupBase:2 | ||
|
||
attributetype ( NetscapeLDAPattributeType:198 | ||
NAME 'memberURL' | ||
DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.' | ||
SUP labeledURI ) | ||
|
||
attributetype ( DynGroupAttr:1 | ||
NAME 'dgIdentity' | ||
DESC 'Identity to use when processing the memberURL' | ||
SUP distinguishedName SINGLE-VALUE ) | ||
|
||
attributeType ( DynGroupAttr:2 | ||
NAME 'dgAuthz' | ||
DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity' | ||
EQUALITY authzMatch | ||
SYNTAX 1.3.6.1.4.1.4203.666.2.7 | ||
X-ORDERED 'VALUES' ) | ||
|
||
objectClass ( NetscapeLDAPobjectClass:33 | ||
NAME 'groupOfURLs' | ||
SUP top STRUCTURAL | ||
MUST cn | ||
MAY ( memberURL $ businessCategory $ description $ o $ ou $ | ||
member $ owner $ seeAlso ) ) | ||
|
||
# The Haripriya dyngroup schema still needs a lot of work. | ||
# We're just adding support for the dgIdentity attribute for now... | ||
objectClass ( DynGroupOC:1 | ||
NAME 'dgIdentityAux' | ||
SUP top AUXILIARY | ||
MAY ( dgIdentity $ dgAuthz ) ) |
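Review bot: This file redefines `groupOfURLs` under the same OID (NetscapeLDAPobjectClass:33) as the `dyngroup.schema` that ships with OpenLDAP, so slapd will reject the configuration if both the stock schema and this `debops/dyngroup.schema` copy are loaded; make sure the role's schema list replaces rather than adds to the stock file, and note that in the header next to the line "This schema is modified to support the 'autogroup' overlay by adding a MAY 'member' attribute". The same header should also spell out the consequence of that change: because the autogroup overlay fills `member` from `memberURL`, write access to `memberURL` on a `groupOfURLs` entry is equivalent to write access to the group's membership, so the role's ACLs need to protect `memberURL` at least as strictly as `member`, and the upstream "NOT RECOMMENDED FOR PRODUCTION USE" warning kept above should be reconciled with the role now shipping it by default.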