Merge branch 'release/v2.19.0'

Dockerfile

@@ -14,7 +14,7 @@ LABEL DAASI International GmbH
 EXPOSE 389
 
 RUN apk update --no-cache && \
-    apk add --no-cache gettext openldap openldap-clients openldap-dev openldap-back-mdb openldap-overlay-all python3 python3-dev cyrus-sasl libsasl libldap build-base && \
+    apk add --no-cache coreutils gettext openldap openldap-clients openldap-dev openldap-back-mdb openldap-overlay-all python3 python3-dev cyrus-sasl libsasl libldap build-base && \
     python3.8 -m ensurepip && \
     pip3 install --upgrade pip
 
@@ -26,11 +26,16 @@ RUN mkdir -p /var/lib/ldap/accesslog && \
     mkdir -p /migrations && \
     chown -R ldap:ldap /var/lib/ldap /etc/openldap/
 
+
+COPY examples /examples
 COPY entrypoint.sh /entrypoint.sh
 COPY createBackup.sh /createBackup.sh
 COPY migrations.sh /migrations.sh
 COPY migration.py /migration.py
 COPY default.ldif /default.ldif
+COPY eventlog.ldif /eventlog.ldif
+COPY didmos-config.ldif /didmos-config.ldif
+COPY conf/include_didmos-config.conf /include_didmos-config.conf
 COPY conf/slapd.conf /slapd.conf
 COPY conf/sasl2/slapd.conf /usr/lib64/sasl2/slapd.conf
 COPY conf/sasl2/slapd.conf /usr/lib/sasl2/slapd.conf
@@ -42,8 +47,8 @@ COPY migrations /migrations
 
 RUN ln -s /usr/lib/openldap/noopsrch.so.2.10.10 /usr/lib/openldap/noopsrch-2.4.so.2
 RUN ln -s /usr/lib/openldap/noopsrch.so.2.10.10 /usr/lib/openldap/noopsrch.so
-RUN mkdir -p /BACKUP/data && mkdir -p /BACKUP/accesslog
-RUN mkdir -p /RESTORE/data && mkdir -p /RESTORE/accesslog
+RUN mkdir -p /BACKUP/data && mkdir -p /BACKUP/accesslog && mkdir -p /BACKUP/eventlog
+RUN mkdir -p /RESTORE/data && mkdir -p /RESTORE/accesslog && mkdir -p /RESTORE/eventlog
 RUN mkdir -p /MIGRATIONS/files && mkdir -p /MIGRATIONS/log
 RUN touch /MIGRATIONS/log/executed.log && echo "INIT" >> /MIGRATIONS/log/executed.log
 RUN rm /etc/openldap/slapd.conf

conf/include_didmos-config.conf

+#######################################################################
+# MDB database definitions for etl
+#######################################################################
+database        mdb
+suffix          "cn=didmos-config"
+rootdn          "cn=manager,cn=didmos-config"
+rootpw          @DIDMOSCONFIG_PW@
+directory       /var/lib/ldap/etl
+maxsize         50000000
+
+
+checkpoint      4096    5
+envflags        nordahead nosync
+
+@REPL_CONFIGURE_OVERLAY_DIDMOSCONFIG@
+
+index entryUUID eq
+index objectClass eq
+
+@REPL_ACLS_DIDMOSCONFIG@
+
+access to dn.sub="cn=didmos-config"
+  by dn.exact="cn=manager,dc=didmos,dc=de" write

conf/slapd.conf

@@ -19,6 +19,7 @@ include         /etc/openldap/schema/didmos.schema
 include         /etc/openldap/schema/didmosconfig.schema
 include         /etc/openldap/schema_extensions.txt
 include	        /etc/openldap/schema/ppolicy.schema
+include		/etc/openldap/schema/didmosevent.schema
 
 # Default values for PID and ARGS files
 pidfile         /run/openldap/slapd.pid
@@ -181,3 +182,65 @@ access to dn.sub="dc=didmos,dc=de"
 
 @REPL_CONFIGURE_CONSUMER@
 
+
+#######################################################################
+# MDB database definitions for didmos logging
+#######################################################################
+database        mdb
+suffix          "cn=eventlog"
+rootdn          "cn=manager,cn=eventlog"
+rootpw          @EVENTLOG_PW@
+directory       /var/lib/ldap/eventlog
+maxsize         5000000000
+
+
+checkpoint      4096    15
+envflags        nordahead nosync
+
+limits		dn.exact="cn=manager,dc=didmos,dc=de"	size=unlimited
+limits		dn.exact="uid=eventloglogreader,ou=accounts,ou=DSA,dc=didmos,dc=de"	size=unlimited
+limits		dn.exact="uid=didmos-backend,ou=accounts,ou=DSA,dc=didmos,dc=de"	size=unlimited
+
+
+index entryUUID eq
+index objectClass eq
+index didmosEventStart eq
+index didmosEventEnd eq
+index didmosEventId eq
+index didmosEventResult eq,sub
+index didmosEventReferenceUuid eq
+index didmosEventReferenceDn eq
+index didmosEventReferenceGeneralId eq
+index didmosEventProcessId eq
+index didmosEventCategory eq
+
+
+authz-regexp "^cn=([^,]+).*,ou=accounts,ou=DSA,dc=didmos,dc=de" "ldap:///ou=accounts,ou=DSA,dc=didmos,dc=de??sub?(cn=$1)"
+authz-policy to
+
+
+overlay         sssvlv
+sssvlv-max      20
+
+@REPL_CONFIGURE_OVERLAY_EVENTLOG@
+
+## BEGIN ACL ###################################################################
+
+access to dn.base=""
+  by * read
+
+@REPL_ACLS_EVENTLOG@
+
+access to dn.sub="cn=eventlog"
+  by dn="cn=manager,dc=didmos,dc=de" manage
+  by dn="uid=eventloglogreader,ou=accounts,ou=DSA,dc=didmos,dc=de" read
+  by dn="uid=didmos-backend,ou=accounts,ou=DSA,dc=didmos,dc=de" write
+  by * None
+
+access to dn="cn=eventlog"
+  by users read
+
+## END ACL #####################################################################
+
+@REPL_CONFIGURE_CONSUMER_EVENTLOG@
+

createBackup.sh

@@ -16,10 +16,15 @@ if [ ! -d "/BACKUP/accesslog/" ]; then
   mkdir -p /BACKUP/accesslog
 fi
 
+if [ ! -d "/BACKUP/eventlog/" ]; then
+  mkdir -p /BACKUP/eventlog
+fi
+
 if [ ! -d "/BACKUP/config/" ]; then
   mkdir -p /BACKUP/config
 fi
 
 /usr/sbin/slapcat -F "/etc/openldap/slapd.d" -b "dc=didmos,dc=de" -l "/BACKUP/data/DATA-`date +%Y-%m-%d_%H%M%S`.ldif"
 /usr/sbin/slapcat -F "/etc/openldap/slapd.d" -b "cn=accesslog" -l "/BACKUP/accesslog/ACCESSLOG-`date +%Y-%m-%d_%H%M%S`.ldif"
+/usr/sbin/slapcat -F "/etc/openldap/slapd.d" -b "cn=eventlog" -l "/BACKUP/eventlog/EVENTLOG-`date +%Y-%m-%d_%H%M%S`.ldif"
 /usr/sbin/slapcat -F "/etc/openldap/slapd.d" -b "cn=config" -l "/BACKUP/config/CONFIG-`date +%Y-%m-%d_%H%M%S`.ldif"

didmos-config.ldif

+#######################################################################
+# Copyright: DAASI International GmbH 2017-2023. All rights reserved.
+#
+# This is Open Source Software
+# License: Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0)
+#
+# Author: Markus Widmer, DAASI International GmbH, www.daasi.de
+# For questions please mail to info@daasi.de
+#######################################################################
+dn: cn=didmos-config
+objectClass: top
+objectClass: person
+cn: didmos-config
+sn: didmos-config
+
+
+dn: ou=etl,cn=didmos-config
+objectClass: top
+objectClass: organizationalUnit
+ou: etl
+
+

entrypoint.sh

 #!/bin/sh
 #######################################################################
-# Copyright: DAASI International GmbH 2017-2020. All rights reserved.
+# Copyright: DAASI International GmbH 2017-2023. All rights reserved.
 #
 # This is Open Source Software
 # License: Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0)
 #
-# Author: <Vorname> <Nachname>, DAASI International GmbH, www.daasi.de
+# Author: Markus Widmer, DAASI International GmbH, www.daasi.de
 # For questions please mail to info@daasi.de
 #######################################################################
 
 #basic variables if not set via parameter
 ACCESSLOG_PW="${ACCESSLOG_PW}"
+EVENTLOG_PW="${EVENTLOG_PW}"
+DIDMOSCONFIG_PW="${DIDMOSCONFIG_PW}"
 MANAGER_PW="${MANAGER_PW}"
 LISTEN_HOSTNAME="${LISTEN_HOSTNAME}"
 REPLICA_1="${REPLICA_1}"
@@ -62,11 +64,17 @@ then
     docker_subst "@REPL_MODUL_LOAD@" "" /etc/openldap/slapd.conf
     docker_subst "@REPL_CONFIGURE_OVERLAY@" "" /etc/openldap/slapd.conf
     docker_subst "@REPL_CONFIGURE_OVERLAY_CONFIG@" "" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_OVERLAY_EVENTLOG@" "" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_OVERLAY_DIDMOSCONFIG@" "" include_didmos-config.conf
     docker_subst "@REPL_CONFIGURE_CONSUMER@" "" /etc/openldap/slapd.conf
     docker_subst "@REPL_CONFIGURE_CONSUMER_CONFIG@" "" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_CONSUMER_EVENTLOG@" "" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_CONSUMER_DIDMOSCONFIG@" "" include_didmos-config.conf
     docker_subst "@REPL_ACLS@" "" /etc/openldap/slapd.conf
     docker_subst "@REPL_ACLS_ACCESSLOG@" "" /etc/openldap/slapd.conf
     docker_subst "@REPL_ACLS_CONFIG@" "" /etc/openldap/slapd.conf
+    docker_subst "@REPL_ACLS_EVENTLOG@" "" /etc/openldap/slapd.conf
+    docker_subst "@REPL_ACLS_DIDMOSCONFIG@" "" include_didmos-config.conf
 else
     echo "Setting up replication configuration..."
     echo "-> Replica 1 URL: ldap://${REPLICA_1}"
@@ -75,11 +83,17 @@ else
     docker_subst "@REPL_MODUL_LOAD@" "moduleload\tsyncprov.so\n" /etc/openldap/slapd.conf
     docker_subst "@REPL_CONFIGURE_OVERLAY@" "overlay\tsyncprov\nsyncprov-checkpoint\t100 10\nsyncprov-sessionlog\t10000\nsyncprov-reloadhint\tTRUE\n" /etc/openldap/slapd.conf
     docker_subst "@REPL_CONFIGURE_OVERLAY_CONFIG@" "overlay\tsyncprov\nsyncprov-checkpoint\t100 10\nsyncprov-sessionlog\t10000\nsyncprov-reloadhint\tTRUE\n" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_OVERLAY_EVENTLOG@" "overlay\tsyncprov\nsyncprov-checkpoint\t100 10\nsyncprov-sessionlog\t10000\nsyncprov-reloadhint\tTRUE\n" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_OVERLAY_DIDMOSCONFIG@" "overlay\tsyncprov\nsyncprov-checkpoint\t100 10\nsyncprov-sessionlog\t100\nsyncprov-reloadhint\tTRUE\n" include_didmos-config.conf
     docker_subst "@REPL_CONFIGURE_CONSUMER@" "# First provider server\nsyncrepl rid=101\n  provider=ldap://${REPLICA_1}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"dc=didmos,dc=de\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  syncdata=accesslog\n  logbase=\"cn=accesslog\"\n  logfilter=\"(\\\\&(objectClass=auditWriteObject)(reqResult=0))\"\n  keepalive=20:200:2\n\n# Second provider server\nsyncrepl rid=102\n  provider=ldap://${REPLICA_2}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"dc=didmos,dc=de\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n syncdata=accesslog\n logbase=\"cn=accesslog\"\n  logfilter=\"(\\\\&(objectClass=auditWriteObject)(reqResult=0))\"\n  keepalive=20:200:2\n\n# Enable the multi provider functionality\nmirrormode true" /etc/openldap/slapd.conf
     docker_subst "@REPL_CONFIGURE_CONSUMER_CONFIG@" "# First provider server\nsyncrepl rid=201\n  provider=ldap://${REPLICA_1}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"cn=config\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  keepalive=20:200:2\n\n# Second provider server\nsyncrepl rid=202\n  provider=ldap://${REPLICA_2}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"cn=config\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  keepalive=20:200:2\n\n# Enable the multi provider functionality\nmirrormode true" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_CONSUMER_EVENTLOG@" "# First provider server\nsyncrepl rid=301\n  provider=ldap://${REPLICA_1}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"cn=eventlog\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  keepalive=20:200:2\n\n# Second provider server\nsyncrepl rid=302\n  provider=ldap://${REPLICA_2}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"cn=eventlog\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  keepalive=20:200:2\n\n# Enable the multi provider functionality\nmirrormode true" /etc/openldap/slapd.conf
+    docker_subst "@REPL_CONFIGURE_CONSUMER_DIDMOSCONFIG@" "# First provider server\nsyncrepl rid=401\n  provider=ldap://${REPLICA_1}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"cn=didmos-config\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  keepalive=20:200:2\n\n# Second provider server\nsyncrepl rid=402\n  provider=ldap://${REPLICA_2}\n  type=refreshAndPersist\n  interval=00:00:01:00\n  searchbase=\"cn=didmos-config\"\n  scope=sub\n  bindmethod=simple\n  binddn=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\"\n  credentials=${REPLICA_PW}\n  retry=\"5 +\"\n  schemachecking=off\n  keepalive=20:200:2\n\n# Enable the multi provider functionality\nmirrormode true" include_didmos-config.conf
     docker_subst "@REPL_ACLS@" "access to dn.sub=\"dc=didmos,dc=de\"\n  by dn.exact=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\" read\  by * break\n\n" /etc/openldap/slapd.conf
     docker_subst "@REPL_ACLS_ACCESSLOG@" "access to dn.sub=\"cn=accesslog\"\n  by dn.exact=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\" read\  by * break\n\n" /etc/openldap/slapd.conf
     docker_subst "@REPL_ACLS_CONFIG@" "access to dn.sub=\"cn=config\"\n  by dn.exact=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\" read\  by * break\n\n" /etc/openldap/slapd.conf
+    docker_subst "@REPL_ACLS_EVENTLOG@" "access to dn.sub=\"cn=eventlog\"\n  by dn.exact=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\" read\  by * break\n\n" /etc/openldap/slapd.conf
+    docker_subst "@REPL_ACLS_DIDMOSCONFIG@" "access to dn.sub=\"cn=didmos-config\"\n  by dn.exact=\"uid=replication,ou=accounts,ou=DSA,dc=didmos,dc=de\" read\  by * break\n\n" include_didmos-config.conf
 fi
 
 
@@ -89,18 +103,30 @@ then
     echo "ERROR: Environment variable ACCESSLOG_PW needs to be set! Aborting..."
     exit
 else
-    echo "Setting attribute resolver with ${ACCESSLOG_PW} as accesslog pw"
+    echo "Setting password for accesslog with value ${ACCESSLOG_PW}"
     docker_subst "@ACCESSLOG_PW@" "${ACCESSLOG_PW}" /etc/openldap/slapd.conf
 fi
 
-
+if [ -z "${EVENTLOG_PW}" ]
+then
+    echo "WARNING: Environment variable EVENTLOG_PW is not set!"
+    echo "A random password will be generated."
+    echo "You can still access cn=eventlog as user cn=manager,dc=didmos,dc=de"
+    RANDOM_PASSWD=`LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32`
+    RANDOM_PASSWD_HASH=`slappasswd -s ${RANDOM_PASSWD} -h {SSHA}`
+    echo "Setting password for eventlog with value ${RANDOM_PASSWD}"
+    docker_subst "@EVENTLOG_PW@" "${RANDOM_PASSWD_HASH}" /etc/openldap/slapd.conf
+else
+    echo "Setting password for eventlog with value ${RANDOM_PASSWD}"
+    docker_subst "@EVENTLOG_PW@" "${RANDOM_PASSWD_HASH}" /etc/openldap/slapd.conf
+fi
 
 if [ -z "${MANAGER_PW}" ]
 then
     echo "ERROR: Environment variable MANAGER_PW needs to be set! Aborting..."
     exit
 else
-    echo "Setting attribute resolver with ${MANAGER_PW} as manager pw"
+    echo "Setting password for manager account with value ${MANAGER_PW}"
     docker_subst "@MANAGER_PW@" "${MANAGER_PW}" /etc/openldap/slapd.conf
 fi
 
@@ -122,11 +148,32 @@ if [[ ! -f /extension/conf/custom_config_done ]]; then
 fi
 
 
-# Load ldif into ldap server
+# Create required directories if they do not exist.
 if [ ! -f /var/lib/ldap/data/data.mdb ]; then
+   echo "Creating directories for data MDB"
+   mkdir -p /var/lib/ldap/data
+fi
+
+if [ ! -f /var/lib/ldap/accesslog/data.mdb ]; then
+   echo "Creating directories for accesslog MDB"
+   mkdir -p /var/lib/ldap/accesslog
+fi
+
+if [ ! -f /var/lib/ldap/eventlog/data.mdb ]; then
+   echo "Creating directory for eventlog MDB"
+   mkdir -p /var/lib/ldap/eventlog
+fi
+
+if [ ! -f /var/lib/ldap/etl/data.mdb ]; then
+   echo "Creating directory for configuration MDB"
+   mkdir -p /var/lib/ldap/etl
+fi
+
+
 
-   mkdir -p /var/lib/ldap/accesslog && \
-   mkdir -p /var/lib/ldap/data && \
+# Load ldif into ldap server
+if [ ! -f /var/lib/ldap/data/data.mdb ]; then
+   echo "Load basic entries into the data backend..."
    envsubst < /default.ldif | slapadd -b dc=didmos,dc=de -f /etc/openldap/slapd.conf -S ${REPLICA_ID} -w
    # Add custom ldif to server if provided
    if [[ -f /extension/ldif/* ]]; then
@@ -136,8 +183,52 @@ if [ ! -f /var/lib/ldap/data/data.mdb ]; then
            slapadd -b dc=didmos,dc=de -f /etc/openldap/slapd.conf -l $file -S ${REPLICA_ID} -w
        done
    fi
+   echo "... Done"
 fi
 
+
+# Configure backend for eventlog
+if [ ! -f /var/lib/ldap/eventlog/data.mdb ]; then
+   echo "Load basic entries into the eventlog backend..."
+   sed -i "s/@EVENTLOG_START@/`date -u +"%Y%m%d%H%M%S.%6NZ"`/g" /eventlog.ldif
+   envsubst < eventlog.ldif | slapadd -b cn=eventlog -f /etc/openldap/slapd.conf -S ${REPLICA_ID} -w
+   echo "... Done"
+fi
+
+
+# Configure backend didmos-configuration if not already present. This
+# backend was added by customer extensions in the past so
+# this is usually already present in older installations.
+if [ ! -f /var/lib/ldap/etl/data.mdb ]; then
+
+   if [ -z "${DIDMOSCONFIG_PW}" ]
+   then
+      echo "WARNING: Environment variable DIDMOSCONFIG_PW is not set!"
+      echo "A random password will be generated."
+      echo "You can still access cn=didmos-config as user cn=manager,dc=didmos,dc=de"
+      RANDOM_PASSWD=`LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32`
+      RANDOM_PASSWD_HASH=`slappasswd -s ${RANDOM_PASSWD} -h {SSHA}`
+      echo "Setting password for didmos-config with value ${RANDOM_PASSWD}"
+      docker_subst "@DIDMOSCONFIG_PW@" "${RANDOM_PASSWD_HASH}" include_didmos-config.conf
+   else
+      echo "Setting password for eventlog with value ${RANDOM_PASSWD}"
+      docker_subst "@DIDMOSCONFIG_PW@" "${RANDOM_PASSWD_HASH}" include_didmos-config.conf
+   fi
+
+   echo "Load schema file..."
+   echo "include /etc/openldap/schema/daasiidm.schema" >> /etc/openldap/schema_extensions.txt
+   echo "DONE."
+
+   echo "Include configuration for didmos-config backend..."
+   cat include_didmos-config.conf >> /etc/openldap/slapd.conf
+   echo "DONE."
+
+   echo "Load basic entries into the configuration backend..."
+   envsubst < didmos-config.ldif | slapadd -b cn=didmos-config -f /etc/openldap/slapd.conf -S ${REPLICA_ID} -w
+   echo "... Done"
+fi
+
+
 # Ensure that the directories for a restore exist
 if [ ! -d "/RESTORE/config" ]; then
   mkdir -p /RESTORE/config
@@ -213,6 +304,29 @@ if [ "$(ls -A /RESTORE/accesslog)" ]; then
   done
 fi
 
+
+# Restore database from provided ldif file for eventlog-backend
+if [ "$(ls -A /RESTORE/eventlog)" ]; then
+  echo "/RESTORE/eventlog is not empty, starting recovery..."
+  for f in /RESTORE/eventlog/*.ldif; do
+    echo "Restoring database from file $f ..."
+    rm -f /var/lib/ldap/eventlog/*
+
+    if [ ${CONFIG_HAS_BEEN_RECOVERED} == 'yes' ];
+    then
+      echo "Using restored configuration for data recovery..."
+      /usr/sbin/slapadd -b cn=eventlog -F /etc/openldap/slapd.d -l "$f" -S ${REPLICA_ID} -w
+    else
+      /usr/sbin/slapadd -b cn=eventlog -f /etc/openldap/slapd.conf -l "$f" -S ${REPLICA_ID} -w
+    fi
+    echo "Done!"
+    echo "Removing recovery LDIF..."
+    rm -f "$f"
+    echo "Done!"
+    break
+  done
+fi
+
 # Generate cn=config files
 if [ ! -d "/etc/openldap/slapd.d/cn=config" ]; then
   echo "cn=config in volume does not exist, creating initial config..."

eventlog.ldif

+#######################################################################
+# Copyright: DAASI International GmbH 2017-2023. All rights reserved.
+#
+# This is Open Source Software
+# License: Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0)
+#
+# Author: Markus Widmer, DAASI International GmbH, www.daasi.de
+# For questions please mail to info@daasi.de
+#######################################################################
+dn: cn=eventlog
+objectClass: auditContainer
+cn: eventlog
+
+dn: didmosEventStart=@EVENTLOG_START@,cn=eventlog
+objectClass: top
+objectClass: didmosEvent
+didmosEventId: 1560997f-15bb-4bf2-9cdb-fb64d2ed694b
+didmosEventStart: @EVENTLOG_START@
+didmosEventSummary: Initialization of eventlog
+didmosEventCategory: initialization
+didmosEventDescription: Initializing of the evenlog backend by the entrypoin
+ t.sh of the container itself.
+didmosEventResult: SUCCESS
+didmosEventSource: entrypoint
+

migrations.sh

@@ -54,7 +54,7 @@ if [ -d "/migrations" ]; then
         echo "$i" >> /MIGRATIONS/log/executed.log
         cp "$i" /MIGRATIONS/files/
       fi
-      sleep 0.5s
+      sleep 0.2s
     done
   fi
 fi

migrations/20230113-2000-remove_configparam_ldap_TENANCY_ldif_path.ldif

+dn: didmosConfigParamName=ldif_path,ou=TENANCY,ou=ldap,ou=core,ou=configuration,dc=didmos,dc=de
+changetype: delete
+

migrations/20230217-1000-extend-didmosPerson-add-notification-timestamp.ldif

+dn: cn={8}didmos,cn=schema,cn=config
+changetype: modify
+delete: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation) )
+-
+add: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp) )
+

migrations/20230224-2000-extend-affiliation-objectclass-validationtimestamp.ldif

+dn: cn={8}didmos,cn=schema,cn=config
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( didmosAttributes:104 NAME 'didmosAffiliationLastUsed' DESC 'Timestamp, when entry was updated by external data' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+olcAttributeTypes: ( didmosAttributes:105 NAME 'didmosLastPairwiseIDUsedForLogin' DESC 'Last pairwiseID used for login' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( didmosAttributes:106 NAME 'didmosLastIdPUsedForLogin' DESC 'Last IDP used for login' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+delete: olcObjectClasses
+olcObjectClasses: (didmosClasses:15 NAME 'didmosAffiliation' AUXILIARY MAY ( didmosIdentityRef $ didmosAffiliationType $ didmosActivationStatus $ didmosAffiliationPairwiseID $ didmosIdPID $ didmosIdentityRef $ givenName $ sn $ cn $ mail $ o ) )
+-
+add: olcObjectClasses
+olcObjectClasses: (didmosClasses:15 NAME 'didmosAffiliation' AUXILIARY MAY ( didmosIdentityRef $ didmosAffiliationType $ didmosActivationStatus $ didmosAffiliationPairwiseID $ didmosIdPID $ didmosIdentityRef $ givenName $ sn $ cn $ mail $ o $ didmosAffiliationLastUsed ) )
+-
+delete: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp) )
+-
+add: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp $ didmosLastPairwiseIDUsedForLogin $ didmosLastIdPUsedForLogin ) )
+
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: didmosAffiliationLastUsed eq
+

migrations/20230301-3000-extend-didmosPerson-add-didmosStoredActivationStatus.ldif

+dn: cn={8}didmos,cn=schema,cn=config
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( didmosAttributes:107 NAME 'didmosStoredActivationStatus' DESC 'Stored value of activationStatus when soft deleted' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
+-
+delete: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp $ didmosLastPairwiseIDUsedForLogin $ didmosLastIdPUsedForLogin ) )
+-
+add: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp $ didmosLastPairwiseIDUsedForLogin $ didmosLastIdPUsedForLogin $ didmosStoredActivationStatus ) )
+

migrations/20230310-1000-extend-didmosProvisionable-add-didmosTargetFlag.ldif

+dn: cn={8}didmos,cn=schema,cn=config
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( didmosAttributes:108 NAME 'didmosTargetFlag' DESC 'This flag does define if an entry should be persent in the target.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+delete: olcObjectClasses
+olcObjectClasses: ( didmosClasses:5 NAME 'didmosProvisionable' SUP top AUXILIARY MAY didmosTargetId )
+-
+add: olcObjectClasses
+olcObjectClasses: ( didmosClasses:5 NAME 'didmosProvisionable' SUP top AUXILIARY MAY ( didmosTargetId $ didmosTargetFlag ) )
+
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: didmosTargetFlag eq,sub
+
+

migrations/20230310-2000-configuration-add-provisioning-configuration-and-task.ldif

+dn: ou=provisioning,ou=core,ou=configuration,dc=didmos,dc=de
+objectClass: organizationalUnit
+objectClass: top
+ou: provisioning
+
+
+dn: ou=User,ou=provisioning,ou=core,ou=configuration,dc=didmos,dc=de
+objectClass: organizationalUnit
+objectClass: top
+ou: User
+
+
+dn: didmosConfigParamName=trigger_value,ou=User,ou=provisioning,ou=core,ou=configuration,dc=didmos,dc=de
+objectClass: didmosConfig
+objectClass: top
+didmosConfigParamName: trigger_value
+didmosConfigParamType: string
+didmosConfigParamValue: ad
+
+
+dn: didmosConfigParamName=trigger_attribute,ou=User,ou=provisioning,ou=core,ou=configuration,dc=didmos,dc=de
+objectClass: didmosConfig
+objectClass: top
+didmosConfigParamName: trigger_attribute
+didmosConfigParamType: string
+didmosConfigParamValue: didmosTargetFlag
+
+
+dn: didmosUUID=00000000-0000-0000-0000-000000000005,ou=taskCollection,ou=tasks,ou=root-tenant,dc=didmos,dc=de
+objectClass: didmosTask
+objectClass: top
+didmosTaskStatus: normal
+didmosTaskType: provisioningManagementTask
+didmosSystemTask: TRUE
+didmosTaskCreator: dc=didmos,dc=de
+didmosTaskInterval: 10
+didmosTaskProcessStatus: closed
+

migrations/20230315-2000-configuration-update-mapping-user-incomming-outgoing.ldif

+dn: didmosConfigParamName=User,ou=INCOMMING,ou=mapping,ou=core,ou=configuration,dc=didmos,dc=de
+changetype: modify
+delete: didmosConfigParamValue
+didmosConfigParamValue: {      'cn': {'source': 'concat', 'return_type': 'string', 'expression': '$name/givenName$ $name/familyName$'},      'sn': {'source': 'mapping', 'return_type': 'string', 'expression': 'name/familyName'},      'givenName':{'source': 'mapping', 'return_type': 'string', 'expression': 'name/givenName'},      'initials': {'source': 'mapping', 'return_type': 'list', 'expression': 'name/initials'},      'mail': {'source': 'mapping', 'return_type': 'list', 'expression': 'emails'},      'telephoneNumber': {'source': 'mapping', 'return_type': 'list', 'expression': 'phoneNumbers'},      'mobile': {'source': 'mapping', 'return_type': 'list', 'expression': 'mobileNumbers'},      'street': {'source': 'mapping', 'return_type': 'list', 'expression': 'address/streetAddress'},                    'postalCode': {'source': 'mapping', 'return_type': 'list', 'expression': 'address/postalCode'},                    'l': {'source': 'mapping', 'return_type': 'list', 'expression': 'address/locality'},                   'c': {'source': 'mapping', 'return_type': 'list', 'expression': 'address/country'},         'didmosActivationStatus': {'source': 'mapping', 'return_type': 'string', 'expression': 'active'},      'userPassword':{'source': 'mapping', 'return_type': 'list', 'expression': 'password'},      'didmosAuthnSource':{'source': 'mapping', 'return_type': 'list', 'expression': 'userType'},      'uid':{'source': 'mapping', 'return_type': 'list', 'expression': 'userName'},      'didmosSoftDeleted': {'source': 'mapping', 'return_type': 'string', 'expression': 'isSoftDeleted'},      'didmosTargetId': {'source': 'mapping', 'return_type': 'list', 'expression': 'externalId'},      'o': {'source': 'mapping', 'return_type': 'string', 'expression': 'orgName'},      'didmosManagedBy': {'source': 'mapping', 'return_type': 'string', 'expression': 'didmosManagedBy'},      'didmosManagedByAttributes': {'source': 'mapping', 'return_type': 'list', 'expression': 'didmosManagedByAttributes'},      'token':{'source': 'mapping', 'return_type': 'string', 'expression': 'token'},      'recovery_type':{'source': 'mapping', 'return_type': 'string', 'expression': 'recovery_type'},      'didmosSourceId':{'source': 'mapping', 'return_type': 'list', 'expression': 'didmosSourceId'}      }
+-
+add: didmosConfigParamValue
+didmosConfigParamValue: { "cn": { "source": "concat", "return_type": "string", "expression": "$name/givenName$ $name/familyName$" }, "sn": { "source": "mapping", "return_type": "string", "expression": "name/familyName" }, "givenName": { "source": "mapping", "return_type": "string", "expression": "name/givenName" }, "initials": { "source": "mapping", "return_type": "list", "expression": "name/initials" }, "mail": { "source": "mapping", "return_type": "list", "expression": "emails" }, "telephoneNumber": { "source": "mapping", "return_type": "list", "expression": "phoneNumbers" }, "mobile": { "source": "mapping", "return_type": "list", "expression": "mobileNumbers" }, "street": { "source": "mapping", "return_type": "list", "expression": "address/streetAddress" }, "postalCode": { "source": "mapping", "return_type": "list", "expression": "address/postalCode" }, "l": { "source": "mapping", "return_type": "list", "expression": "address/locality" }, "c": { "source": "mapping", "return_type": "list", "expression": "address/country" }, "didmosActivationStatus": { "source": "mapping", "return_type": "string", "expression": "active" }, "userPassword": { "source": "mapping", "return_type": "list", "expression": "password" }, "didmosAuthnSource": { "source": "mapping", "return_type": "list", "expression": "userType" }, "uid": { "source": "mapping", "return_type": "list", "expression": "userName" }, "didmosSoftDeleted": { "source": "mapping", "return_type": "string", "expression": "isSoftDeleted" }, "didmosTargetId": { "source": "mapping", "return_type": "list", "expression": "externalId" }, "o": { "source": "mapping", "return_type": "string", "expression": "orgName" }, "didmosManagedBy": { "source": "mapping", "return_type": "string", "expression": "didmosManagedBy" }, "didmosManagedByAttributes": { "source": "mapping", "return_type": "list", "expression": "didmosManagedByAttributes" }, "token": { "source": "mapping", "return_type": "string", "expression": "token" }, "recovery_type": { "source": "mapping", "return_type": "string", "expression": "recovery_type" }, "didmosSourceId": { "source": "mapping", "return_type": "list", "expression": "didmosSourceId" }, "schacPersonalTitle": { "source": "mapping", "return_type": "string", "expression": "name/honorificPrefix" }, "schacGender": { "source": "mapping", "return_type": "string", "expression": "gender" }, "schacDateOfBirth": { "source": "function", "return_type": "string", "expression": "dateOfBirth", "function_name": "transform_scimtime_to_schacDateOfBirth" }, "schacPersonalUniqueCode": { "source": "mapping", "return_type": "string", "expression": "socialSecurityNumber" }, "employeeNumber": { "source": "mapping", "return_type": "string", "expression": "employeeNumber" }, "employeeType": { "source": "mapping", "return_type": "string", "expression": "employeeType" }, "ou": { "source": "mapping", "return_type": "string", "expression": "organizationalUnit" }, "didmosActivationEnd": { "source": "function", "return_type": "string", "expression": "activationEnd", "function_name": "transform_scimtime_to_ldaptime" }, }
+
+
+dn: didmosConfigParamName=User,ou=OUTGOING,ou=mapping,ou=core,ou=configuration,dc=didmos,dc=de
+changetype: modify
+delete: didmosConfigParamValue
+didmosConfigParamValue: {       'name': {           'formatted': {'source': 'concat', 'return_type': 'string', 'expression': '$givenName$ $sn$', 'default':True},           'familyName': {'source': 'mapping', 'return_type': 'string', 'expression': 'sn'},           'givenName': {'source': 'mapping', 'return_type': 'string', 'expression': 'givenName'}},       'location': {'source': 'function', 'return_type': 'list', 'expression': 'dn', 'function_name': 'generate_location'},       'id': {'source': 'mapping', 'return_type': 'string', 'expression': 'didmosUUID'},       'userName': {'source': 'mapping', 'return_type': 'string', 'expression': 'uid'},       'displayName': {'source': 'concat', 'return_type': 'string', 'expression': '$givenName$ $sn$'},       'active': {'source': 'mapping', 'return_type': 'boolean', 'expression': 'didmosActivationStatus'},       'userType': {'source': 'mapping', 'return_type': 'string', 'expression': 'didmosAuthnSource'},       'phoneNumbers': {'source': 'function', 'return_type': 'list', 'expression': 'telephoneNumber', 'function_name': 'build_values'},    'mobileNumbers': {'source': 'function', 'return_type': 'list', 'expression': 'mobile', 'function_name': 'build_values'},       'emails': {'source': 'mapping', 'return_type': 'string', 'expression': 'mail'},       'groups' : {'source': 'mapping', 'return_type': 'list', 'expression': 'groups'},       'adminAccess': {'source': 'mapping', 'return_type': 'boolean', 'expression': 'admin'},       'roles': {'source': 'mapping', 'return_type': 'list', 'expression': 'roles'},       'isSoftDeleted': {'source': 'mapping', 'return_type': 'boolean', 'expression': 'didmosSoftDeleted'},       'softDeleted': {'source': 'function', 'return_type': 'string', 'expression': 'didmosSoftDeleteTimestamp', 'function_name': 'transform_ldaptime_to_unixtime'},               'meta': {            'created': {'source': 'mapping', 'return_type': 'string', 'expression': 'createTimestamp'},            'modified': {'source': 'mapping', 'return_type': 'string', 'expression': 'modifyTimestamp'},            'operations': {                'entry': {'source': 'mapping', 'return_type': 'list', 'expression': 'permission/entry'},                'attributes': {'source': 'mapping', 'return_type': 'dict', 'expression': 'permission/attributes'},            },            'adminPermissions': {'source': 'mapping', 'return_type': 'list', 'expression': 'permission/adminPermissions'}, 'managedBy': {'source': 'mapping', 'return_type': 'string', 'expression': 'didmosManagedBy'},       } }
+-
+add: didmosConfigParamValue
+didmosConfigParamValue: { "name": { "formatted": { "source": "concat", "return_type": "string", "expression": "$givenName$ $sn$", "default":True }, "familyName": { "source": "mapping", "return_type": "string", "expression": "sn" }, "givenName": { "source": "mapping", "return_type": "string", "expression": "givenName" }, "name/honorificPrefix": { "source": "mapping", "return_type": "string", "expression": "schacPersonalTitle" }, }, "gender": { "source": "mapping", "return_type": "string", "expression": "schacGender" }, "dateOfBirth": { "source": "function", "return_type": "string", "expression": "schacDateOfBirth", "function_name": "transform_schacDateOfBirth_to_scimtime" }, "socialSecurityNumber": { "source": "mapping", "return_type": "string", "expression": "schacPersonalUniqueCode" }, "employeeNumber": { "source": "mapping", "return_type": "string", "expression": "employeeNumber" }, "employeeType": { "source": "mapping", "return_type": "string", "expression": "employeeType" }, "location": { "source": "function", "return_type": "list", "expression": "dn", "function_name": "generate_location" }, "id": { "source": "mapping", "return_type": "string", "expression": "didmosUUID" }, "userName": { "source": "mapping", "return_type": "string", "expression": "uid" }, "displayName": { "source": "concat", "return_type": "string", "expression": "$givenName$ $sn$" }, "active": { "source": "mapping", "return_type": "boolean", "expression": "didmosActivationStatus" }, "activationEnd": { "source": "function", "return_type": "string", "expression": "didmosActivationEnd", "function_name": "transform_ldaptime_to_scimtime" }, "organizationalUnit": { "source": "mapping", "return_type": "string", "expression": "ou" }, "userType": { "source": "mapping", "return_type": "string", "expression": "didmosAuthnSource" }, "phoneNumbers": { "source": "function", "return_type": "list", "expression": "telephoneNumber", "function_name": "build_values" }, "mobileNumbers": { "source": "function", "return_type": "list", "expression": "mobile", "function_name": "build_values" }, "emails": { "source": "mapping", "return_type": "string", "expression": "mail" }, "groups": { "source": "mapping", "return_type": "list", "expression": "groups" }, "adminAccess": { "source": "mapping", "return_type": "boolean", "expression": "admin" }, "roles": { "source": "mapping", "return_type": "list", "expression": "roles" }, "isSoftDeleted": { "source": "mapping", "return_type": "boolean", "expression": "didmosSoftDeleted" }, "softDeleted": { "source": "function", "return_type": "string", "expression": "didmosSoftDeleteTimestamp", "function_name": "transform_ldaptime_to_unixtime" }, "meta": { "created": { "source": "mapping", "return_type": "string", "expression": "createTimestamp" }, "modified": { "source": "mapping", "return_type": "string", "expression": "modifyTimestamp" }, "operations": { "entry": { "source": "mapping", "return_type": "list", "expression": "permission/entry" }, "attributes": { "source": "mapping", "return_type": "dict", "expression": "permission/attributes" }, }, "adminPermissions": { "source": "mapping", "return_type": "list", "expression": "permission/adminPermissions" }, "managedBy": { "source": "mapping", "return_type": "string", "expression": "didmosManagedBy" }, } }
+
+
+dn: didmosConfigParamName=User,ou=RESOURCE_OBJECT_CLASSES,ou=ldap,ou=core,ou=configuration,dc=didmos,dc=de
+changetype: modify
+delete: didmosConfigParamValue
+didmosConfigParamValue: ['inetOrgPerson', 'rbacResource', 'didmosPerson']
+-
+add: didmosConfigParamValue
+didmosConfigParamValue: ['inetOrgPerson', 'rbacResource', 'didmosPerson', 'schacPersonalCharacteristics']
+

migrations/20230323-2000-extend-didmosPerson-add-didmosMFAFavoritFactor.ldif

+dn: cn={8}didmos,cn=schema,cn=config
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( didmosAttributes:109 NAME 'didmosMFAFavoritFactor' DESC 'Marks favorite second factor where challenges should go to' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+delete: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp $ didmosLastPairwiseIDUsedForLogin $ didmosLastIdPUsedForLogin $ didmosStoredActivationStatus ) )
+-
+add: olcObjectClasses
+olcObjectClasses: ( didmosClasses:1 NAME 'didmosPerson' SUP top AUXILIARY MUST ( didmosUUID ) MAY ( didmosPwdToken $ didmosPwdTimestamp $ didmosAuthnSource $ didmosConsentAgreement $ didmosNotifications $ didmosActivationStatus $ didmosAccountStatus$ didmosAccountStatusTimestamp $ didmosEncryptedPassword $ didmosSoftDeleteTimestamp $ didmosSoftDeleted $ didmosStoredMemberships $ userPassword $ didmosActivationStatusComputed $ didmosActivationStatusComment $ didmosActivationStart $ didmosActivationEnd $ didmosManagedBy $ didmosManagedByAttributes $ didmosMfaMail $ didmosMfaMobile $ didmosMFAisMandatory $ didmosLastLogin $ didmosVerificationValue $ didmosVerificationTimestamp $ didmosVerificationToken $ didmosVerificationType $ c $ didmosSourceId $ didmosOrganizationRef $ schacDateOfBirth $ houseIdentifier $ c $ didmosVerifiedAttributes $ didmosAccountingNumber $ departmentNumber $ didmosDeleted $ didmosDeletedTimestamp $ didmosUserInfoMsgs $ didmosUserErrorMsgs $ didmosUserSuccessMsgs $ didmosUserWarnMsgs $ didmosVerificationPostOperation $ didmosNotificationTimestamp $ didmosLastPairwiseIDUsedForLogin $ didmosLastIdPUsedForLogin $ didmosStoredActivationStatus $ didmosMFAFavoritFactor ) )
+

schema/didmosevent.schema

+#######################################################################
+# Copyright: DAASI International GmbH 2017-2023. All rights reserved.
+#
+# This is Open Source Software
+# License: Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0)
+#
+# Author: Markus Widmer, DAASI International GmbH, www.daasi.de
+# For questions please mail to info@daasi.de
+#######################################################################
+objectIdentifier didmosEventRoot 1.3.6.1.4.1.10126.1.69
+objectIdentifier didmosEventAttributes didmosEventRoot:3
+objectIdentifier didmosEventClasses didmosEventRoot:4
+
+### Attributes
+
+attributetype ( didmosEventAttributes:1
+        NAME 'didmosEventStart'
+        DESC 'Timestamp when the event was started or did happen.'
+        EQUALITY generalizedTimeMatch
+        ORDERING generalizedTimeOrderingMatch
+        SINGLE-VALUE
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( didmosEventAttributes:2
+        NAME 'didmosEventEnd'
+        DESC 'Timestamp when the event was finished.'
+        EQUALITY generalizedTimeMatch
+        ORDERING generalizedTimeOrderingMatch
+        SINGLE-VALUE
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( didmosEventAttributes:3
+        NAME 'didmosEventId'
+        DESC 'The unique id (uuid) of the event.'
+        EQUALITY UUIDMatch
+        ORDERING UUIDOrderingMatch
+        SINGLE-VALUE
+        SYNTAX 1.3.6.1.1.16.1 )
+
+attributetype ( didmosEventAttributes:4
+        NAME 'didmosEventResult'
+        DESC 'Result of the event, e.g. ERROR or SUCCESS'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SINGLE-VALUE
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( didmosEventAttributes:5
+        NAME 'didmosEventSource'
+        DESC 'Which module did throw the event, e.g. core or etl.'
+        EQUALITY caseIgnoreMatch
+        SINGLE-VALUE
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( didmosEventAttributes:6
+        NAME 'didmosEventCategory'
+        DESC 'What category is the event of, e.g. login or import'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( didmosEventAttributes:7
+        NAME 'didmosEventProcessId'
+        DESC 'This holds an ID of e.g a task which has to update or change the event after is has finished and must be able to find the event entry.'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( didmosEventAttributes:8
+        NAME 'didmosEventReferenceUuid'
+        DESC 'The UUID of one or more objects this event is linked to'
+        EQUALITY UUIDMatch
+        ORDERING UUIDOrderingMatch
+        SYNTAX 1.3.6.1.1.16.1 )
+
+attributetype ( didmosEventAttributes:9
+        NAME 'didmosEventReferenceDn'
+        DESC 'The DN of one or more objects this event is linked to'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype ( didmosEventAttributes:10
+        NAME 'didmosEventReferenceGeneralId'
+        DESC 'Some ID of any kind of one or more objects or processes this event is linked to'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( didmosEventAttributes:11
+        NAME 'didmosEventSummary'
+        DESC 'A short summary of the event'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( didmosEventAttributes:12
+        NAME 'didmosEventDescription'
+        DESC 'A longer description, e.g. what exactly the result of ERROR does mean for the event.'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+
+### Classes
+
+objectclass ( didmosEventClasses:1
+        NAME 'didmosEvent'
+        SUP top
+        MUST( didmosEventStart $ didmosEventId $ didmosEventSummary )
+        MAY ( didmosEventEnd $ didmosEventResult $ didmosEventSource
+                $ didmosEventCategory $ didmosEventReferenceUuid
+                $ didmosEventReferenceDn $ didmosEventReferenceGeneralId
+                $ didmosEventDescription $ didmosEventProcessId )
+        STRUCTURAL )
+