author | Endi Sukma Dewata <edewata@redhat.com> | 2009-09-09 12:45:24 -0400 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-09-10 09:52:22 +1000 |
commit | b1dabb11333a715b0e23e91eecaf29933ea383a7 (patch) | |
tree | b93c72d4aa78a3de7df3001bcc7b322e3ac50810 /source4/setup | |
parent | a224392649ffb81dc1d67f41a01dd983b76d513b (diff) | |
download | samba-b1dabb11333a715b0e23e91eecaf29933ea383a7.tar.gz samba-b1dabb11333a715b0e23e91eecaf29933ea383a7.tar.bz2 samba-b1dabb11333a715b0e23e91eecaf29933ea383a7.zip |
s4: Use SASL authentication against Fedora DS.
1. During instance creation the provisioning script will import the SASL
mapping for samba-admin. It's done here due to missing config schema
preventing adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin user as
the target of SASL mapping.
3. Then it will start FDS and continue to do provisioning using the
Directory Manager with simple bind.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
6. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
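The SASL mapping that step 1 of the message imports resolves a SASL identity to a directory entry through three pieces: a regex on the identity, a base-DN template and a filter template. The Python below is added here as an illustration and is not part of the Samba commit or of Fedora DS. It parses a constructed copy of the `fedorads-sasl.ldif` entry (with a constructed value for `${SAMBADN}`), applies it to a few identities against a constructed in-memory directory, and shows why the fully anchored `^samba-admin$` accepts only the bare name, and why the leftover default mappings that step 5 deletes matter: the first mapping that yields exactly one entry decides the bind DN. The `\1`..`\9` template substitution and the first-unique-hit ordering are my reading of Fedora DS behaviour, stated here as assumptions, and case sensitivity follows Python's `re` rather than the server. The second, realm-stripping mapping is hypothetical and goes beyond the page to show a capture group being used in a filter template.

```python
import re

# Constructed value for ${SAMBADN}; the real one is chosen by the provisioning script.
SAMBADN = "CN=Samba,DC=example,DC=com"

# Constructed LDIF. The first entry mirrors fedorads-sasl.ldif from the commit; the
# second is a hypothetical realm-stripping mapping that demonstrates capture groups.
MAPPING_LDIF = r"""
# Map samba-admin to CN=samba-admin,${SAMBADN}
dn: cn=samba-admin mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: samba-admin mapping
nsSaslMapRegexString: ^samba-admin$
nsSaslMapBaseDNTemplate: CN=samba-admin,${SAMBADN}
nsSaslMapFilterTemplate: (objectclass=*)

dn: cn=realm users mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: realm users mapping
nsSaslMapRegexString: ^(.+)@EXAMPLE\.COM$
nsSaslMapBaseDNTemplate: DC=example,DC=com
nsSaslMapFilterTemplate: (uid=\1)
"""

# Constructed in-memory directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "CN=Samba,DC=example,DC=com": {"objectclass": ["top", "container"], "cn": ["Samba"]},
    "CN=samba-admin,CN=Samba,DC=example,DC=com": {"objectclass": ["top", "person"], "cn": ["samba-admin"]},
    "uid=alice,CN=Users,DC=example,DC=com": {"objectclass": ["top", "person"], "uid": ["alice"]},
}


def parse_ldif(text, subst):
    """Parse blank-line-separated LDIF entries into dicts, expanding ${VAR} from subst.

    Attribute names are lower-cased; base64 ('::') values and line folding are not handled,
    which is enough for the provisioning templates shown in the commit."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        for name, val in subst.items():
            value = value.replace("${" + name + "}", val)
        cur.setdefault(attr.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def _expand_template(template, match):
    # Assumption: the server replaces \1..\9 in the templates with regex capture groups.
    return re.sub(r"\\(\d)", lambda m: match.group(int(m.group(1))), template)


def _dn_norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def _filter_matches(flt, attrs):
    # Minimal evaluator: only "(attr=*)" presence and "(attr=value)" equality filters.
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1).lower(), m.group(2)
    vals = [v.lower() for v in attrs.get(attr, [])]
    return bool(vals) if value == "*" else value.lower() in vals


def map_sasl_identity(mapping, identity, directory):
    """Return the DN a single mapping resolves identity to, or None.

    None means the regex did not match, or the subtree search under the expanded base
    DN with the expanded filter did not return exactly one entry."""
    m = re.search(mapping["nssaslmapregexstring"][0], identity)
    if not m:
        return None
    base = _dn_norm(_expand_template(mapping["nssaslmapbasedntemplate"][0], m))
    flt = _expand_template(mapping["nssaslmapfiltertemplate"][0], m)
    hits = [dn for dn, attrs in directory.items()
            if (_dn_norm(dn) == base or _dn_norm(dn).endswith("," + base))
            and _filter_matches(flt, attrs)]
    return hits[0] if len(hits) == 1 else None


def resolve_bind_dn(identity, mappings, directory):
    """First mapping that yields a unique entry wins (assumed ordering); None if none do."""
    for mapping in mappings:
        dn = map_sasl_identity(mapping, identity, directory)
        if dn is not None:
            return dn
    return None


MAPPINGS = parse_ldif(MAPPING_LDIF, {"SAMBADN": SAMBADN})
SAMBA_MAPPING = MAPPINGS[0]

if __name__ == "__main__":
    for ident in ["samba-admin", "samba-admin@EXAMPLE.COM", "xsamba-admin", "alice@EXAMPLE.COM"]:
        print(ident, "->", resolve_bind_dn(ident, MAPPINGS, DIRECTORY))
```

Run stand-alone it prints, for each identity, the DN the mapping set resolves to or `None`. The point for provisioning is the ordering rule in `resolve_bind_dn`: any default mapping that matches an identity first, and finds a unique entry, decides the bind DN before the samba-admin mapping is consulted, which is what step 5's clean-up removes.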
Diffstat (limited to 'source4/setup')

mode | file | lines changed |
---|---|---|
-rw-r--r-- | source4/setup/fedorads-partitions.ldif | 15 |
-rw-r--r-- | source4/setup/fedorads-samba.ldif | 10 |
-rw-r--r-- | source4/setup/fedorads-sasl.ldif | 9 |
-rw-r--r-- | source4/setup/fedorads.inf | 1 |
-rw-r--r-- | source4/setup/schema_samba4.ldif | 18 |

5 files changed, 35 insertions, 18 deletions
diff --git a/source4/setup/fedorads-partitions.ldif b/source4/setup/fedorads-partitions.ldif index 571fb599b9..04528cb07e 100644 --- a/source4/setup/fedorads-partitions.ldif +++ b/source4/setup/fedorads-partitions.ldif @@ -28,3 +28,18 @@ objectclass: nsBackendInstance nsslapd-suffix: ${SCHEMADN} cn: schemaData +dn: cn="${SAMBADN}",cn=mapping tree,cn=config +objectclass: top +objectclass: extensibleObject +objectclass: nsMappingTree +nsslapd-state: backend +nsslapd-backend: sambaData +cn: ${SAMBADN} + +dn: cn=sambaData,cn=ldbm database,cn=plugins,cn=config +objectclass: top +objectclass: extensibleObject +objectclass: nsBackendInstance +nsslapd-suffix: ${SAMBADN} +cn: sambaData + diff --git a/source4/setup/fedorads-samba.ldif b/source4/setup/fedorads-samba.ldif new file mode 100644 index 0000000000..2d77adac09 --- /dev/null +++ b/source4/setup/fedorads-samba.ldif @@ -0,0 +1,10 @@ +dn: ${SAMBADN} +objectClass: top +objectClass: container +cn: Samba + +dn: CN=samba-admin,${SAMBADN} +objectClass: top +objectClass: person +cn: samba-admin +userPassword: {CLEAR}${LDAPADMINPASS} diff --git a/source4/setup/fedorads-sasl.ldif b/source4/setup/fedorads-sasl.ldif new file mode 100644 index 0000000000..99bb6a72cd --- /dev/null +++ b/source4/setup/fedorads-sasl.ldif @@ -0,0 +1,9 @@ +# Map samba-admin to CN=samba-admin,${SAMBADN} +dn: cn=samba-admin mapping,cn=mapping,cn=sasl,cn=config +objectClass: top +objectClass: nsSaslMapping +cn: samba-admin mapping +nsSaslMapRegexString: ^samba-admin$ +nsSaslMapBaseDNTemplate: CN=samba-admin,${SAMBADN} +nsSaslMapFilterTemplate: (objectclass=*) + diff --git a/source4/setup/fedorads.inf b/source4/setup/fedorads.inf index fe51d01db1..90ebe6a9a5 100644 --- a/source4/setup/fedorads.inf +++ b/source4/setup/fedorads.inf @@ -27,3 +27,4 @@ start_server= 0 install_full_schema= 0 SchemaFile=${LDAPDIR}/99_ad.ldif ConfigFile = ${LDAPDIR}/fedorads-partitions.ldif +ConfigFile = ${LDAPDIR}/fedorads-sasl.ldif 
diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif index d5d35af7d5..f447bf5617 100644 --- a/source4/setup/schema_samba4.ldif +++ b/source4/setup/schema_samba4.ldif @@ -194,24 +194,6 @@ oMSyntax: 20 #Allocated: (entryTTL) samba4EntryTTL: 1.3.6.1.4.1.7165.4.255.9 # -# Fedora DS uses this attribute, and we need to set it via our module stack -# -#dn: CN=aci,${SCHEMADN} -#cn: aci -#name: aci -#objectClass: top -#objectClass: attributeSchema -#lDAPDisplayName: aci -#isSingleValued: TRUE -#systemFlags: 16 -#systemOnly: FALSE -#schemaIDGUID: d8e6c1fa-db08-4f26-a53b-23c414aac92d -#adminDisplayName: aci -#attributeID: 1.3.6.1.4.1.7165.4.1.11 -#attributeSyntax: 2.5.5.4 -#oMSyntax: 20 - -# # Based on domainDNS, but without the DNS bits. # |
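Review bot: in the fedorads-partitions.ldif hunk, the new suffix created by `dn: cn="${SAMBADN}",cn=mapping tree,cn=config` and `dn: cn=sambaData,cn=ldbm database,cn=plugins,cn=config` is where `CN=samba-admin` and its `userPassword` will live, yet step 6 of the commit message lists only the user, configuration and schema partitions for the ACL setup; say which ACI covers this partition, or add it to the step-6 list, so the bind identity's entry is not left with whatever default access the server applies.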
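Review bot: in the fedorads-samba.ldif hunk, `userPassword: {CLEAR}${LDAPADMINPASS}` makes ldif2db store the samba-admin credential unhashed; if a SASL mechanism in use needs the cleartext on the server, record that in a comment in the file, and make sure the expanded LDIF (which will contain the literal password after substitution) is written with owner-only permissions and removed once the import is done. Separately, `objectClass: person` requires `sn` in the standard LDAP schema while the entry supplies only `cn`; if the 99_ad.ldif definition of person drops that requirement, a comment saying so would spare the next reader a schema-check surprise on import.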
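Review bot: in the fedorads-sasl.ldif hunk, `nsSaslMapRegexString: ^samba-admin$` matches only the bare name, so an identity that arrives with a realm suffix (as some SASL mechanisms produce) will not be mapped and the bind will fail; if the bare form is the only one Samba will ever send, state that in the comment at the top of the file rather than loosening the anchors, since the fully anchored regex is what keeps this mapping from matching any other identity. The `nsSaslMapFilterTemplate: (objectclass=*)` is the right choice given that the base DN template is the exact entry DN.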
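Review bot: in the fedorads.inf hunk, the added `ConfigFile = ${LDAPDIR}/fedorads-sasl.ldif` repeats a key that already appears on the line above it; this only works if the setup tool accumulates repeated `ConfigFile` values rather than keeping the last one, and in the latter case fedorads-partitions.ldif would silently stop being applied. A short comment noting that multiple ConfigFile lines are supported, or a check in the provisioning script that the sambaData backend exists after setup, would guard against that.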
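Review bot: the schema_samba4.ldif hunk deletes a block that was already commented out (the `aci` attributeSchema definition under "Fedora DS uses this attribute, and we need to set it via our module stack"), so there is no functional change, but the commit message does not mention it; one sentence explaining that the Fedora DS `aci` attribute is now handled by the partition ACLs set in step 6 rather than through Samba's own schema would tie the removal to the rest of the change.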