From 2945bc1f725648e5dc76effb50903ef9beb168db Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Jun 27 2013 15:09:02 +0000
Subject: Enable SASL mapping fallback.

Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
---
diff --git a/freeipa.spec.in b/freeipa.spec.in
index d564f2a..1f9242e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0: freeipa-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.0
+BuildRequires: 389-ds-base-devel >= 1.3.1.1
 BuildRequires: svrcore-devel
 BuildRequires: /usr/share/selinux/devel/Makefile
 BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -91,7 +91,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.0.5
+Requires: 389-ds-base >= 1.3.1.1
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -844,6 +844,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Jun 26 2013 Jan Cholasta - 3.2.1-1
+- Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
+  support.
+
 * Fri May 10 2013 Martin Kosek - 3.1.99-13
 - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior
   for socket based connections (#960222)
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 8823723..1e56d2c 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -63,6 +63,7 @@ app_DATA = \
 	replica-s4u2proxy.ldif \
 	copy-schema-to-ca.py \
 	upload-cacert.ldif \
+	sasl-mapping-fallback.ldif \
 	$(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/sasl-mapping-fallback.ldif b/install/share/sasl-mapping-fallback.ldif
new file mode 100644
index 0000000..ef7f1cc
--- /dev/null
+++ b/install/share/sasl-mapping-fallback.ldif
@@ -0,0 +1,4 @@
+dn: cn=config
+changetype: modify
+replace: nsslapd-sasl-mapping-fallback
+nsslapd-sasl-mapping-fallback: on
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index e377689..c631b2c 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -47,3 +47,13 @@ only:nsslapd-minssf-exclude-rootdse:on
 # POSIX winsync plugin
 dn: cn=ipa-winsync,cn=plugins,cn=config
 only: nsslapd-pluginPrecedence: 60
+
+# Enable SASL mapping fallback
+dn: cn=config
+only:nsslapd-sasl-mapping-fallback: on
+
+dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
+addifnew:nsSaslMapPriority: 10
+
+dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
+addifnew:nsSaslMapPriority: 10
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index d6c1c6a..18d7507 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -215,6 +215,7 @@ class DsInstance(service.Service):
         self.step("configure autobind for root", self.__root_autobind)
         self.step("configure new location for managed entries", self.__repoint_managed_entries)
         self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
+        self.step("enable SASL mapping fallback", self.__enable_sasl_mapping_fallback)
         self.step("restarting directory server", self.__restart_instance)
 
     def __common_post_setup(self):
@@ -657,6 +658,9 @@ class DsInstance(service.Service):
     def __enable_ldapi(self):
         self._ldap_mod("ldapi.ldif", self.sub_dict)
 
+    def __enable_sasl_mapping_fallback(self):
+        self._ldap_mod("sasl-mapping-fallback.ldif", self.sub_dict)
+
     def add_hbac(self):
         self._ldap_mod("default-hbac.ldif", self.sub_dict)
 
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 33cd348..a16e4d5 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
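Review bot: The new `__enable_sasl_mapping_fallback` in the second dsinstance.py hunk has no docstring, and since it is the only place in the Python code that records why fallback is switched on it should carry one, e.g. `"""Turn on nsslapd-sasl-mapping-fallback in cn=config via sasl-mapping-fallback.ldif (requires the 389-ds-base >= 1.3.1.1 bumped in the spec)."""`. The first hunk appends the step to a step list whose enclosing method starts outside the hunk, so I cannot see from here whether that list is the one run on every server install or only on some paths; worth confirming that fallback ends up enabled wherever the priority-bearing mappings from krbinstance.py are created, since the two settings only make sense together. The body itself follows the existing `__enable_ldapi` pattern, which is fine.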
@@ -277,6 +277,7 @@ class KrbInstance(service.Service):
             nsSaslMapRegexString=['\(.*\)@\(.*\)'],
             nsSaslMapBaseDNTemplate=[self.suffix],
             nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
+            nsSaslMapPriority=['10'],
         )
         self.admin_conn.add_entry(entry)
 
@@ -288,8 +289,8 @@ class KrbInstance(service.Service):
             cn=["Name Only"],
             nsSaslMapRegexString=['^[^:@]+$'],
             nsSaslMapBaseDNTemplate=[self.suffix],
-            nsSaslMapFilterTemplate=[
-                '(krbPrincipalName=&@%s)' % self.realm],
+            nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
+            nsSaslMapPriority=['10'],
         )
         self.admin_conn.add_entry(entry)
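Review bot: The priority is a bare `'10'` literal in both mapping entries here (this hunk and the Name Only hunk below it) and a third time in install/updates/10-config.update; a named module-level constant such as `SASL_MAP_DEFAULT_PRIORITY = '10'` with a one-line comment would keep the fresh-install and upgrade paths from drifting apart. A comment on the first entry would also help the next reader: with both mappings at the same priority, whatever order 389-ds uses between equal priorities never matters for a given identity, because the Full Principal regex `\(.*\)@\(.*\)` requires an `@` while the Name Only regex `^[^:@]+$` rejects one, so at most one of the two can match. The methods enclosing both hunks start outside the hunk.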