diff options
author | Simo Sorce <ssorce@redhat.com> | 2011-07-19 20:04:46 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-08-26 08:24:50 -0400 |
commit | 8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a (patch) | |
tree | 752225c103fa54f4bbc48190e875f54094a2bcbf | |
parent | 195a65d5c2b2f2a318225a94e734ec41cdc34b1d (diff) | |
download | freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.gz freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.xz freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.zip |
install: Remove uid=kdc user
The ipadb DAL driver gets access to the ldap server as Directory Manager now so
this user is not needed anymore.
-rw-r--r-- | install/share/default-aci.ldif | 4 | ||||
-rw-r--r-- | install/share/kerberos.ldif | 11 | ||||
-rw-r--r-- | install/ui/test/data/aci_find.json | 3 | ||||
-rw-r--r-- | install/ui/test/data/krbtpolicy_show.json | 5 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 13 |
5 files changed, 1 insertions, 35 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 586ec61fc..e02b1c2c9 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -9,9 +9,6 @@ aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || samba aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock")(version 3.0; acl "KDC System Account can update some fields"; allow (read,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) @@ -39,7 +36,6 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow dn: cn=services,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) # Define which hosts can edit services diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index a40b63aa0..4778a6b4d 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -1,20 +1,9 @@ -#kerberos user -dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX -changetype: add -objectclass: account -objectclass: simplesecurityobject -uid: kdc -userPassword: $PASSWORD -passwordExpirationTime: 20380119031407Z -nsIdleTimeout: 0 - #kerberos base object dn: cn=kerberos,$SUFFIX changetype: add objectClass: krbContainer objectClass: top cn: kerberos -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) #Realm base object dn: cn=$REALM,cn=kerberos,$SUFFIX diff --git a/install/ui/test/data/aci_find.json b/install/ui/test/data/aci_find.json index 00682ffd2..d1687c112 100644 --- a/install/ui/test/data/aci_find.json +++ b/install/ui/test/data/aci_find.json @@ -9,9 +9,6 @@ "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword\")(version 3.0;acl \"Self can write own password\";allow (write) userdn = \"ldap:///self\";)", "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Admins can write passwords\";allow (add,delete,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Password change service can read/write passwords\";allow (read,write) userdn = \"ldap:///krbprincipalname=kadmin/changepw@AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", - "(targetattr = \"userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"KDC System Account can access passwords\";allow (all) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", - "(targetattr = \"krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"KDC System Account can update some fields\";allow (write) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", - "(targetattr = \"krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"Only the KDC System Account has access to kerberos material\";allow (read,search,compare) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", "(targetattr = \"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength\")(targetfilter = \"(objectClass=krbPwdPolicy)\")(version 3.0;acl \"Admins can write password policies\";allow (read,search,compare,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou\")(version 3.0;acl \"Self service\";allow (write) userdn = \"ldap:///self\";)", "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Get Certificates status from the CA\";allow (write) groupdn = \"ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", diff --git a/install/ui/test/data/krbtpolicy_show.json b/install/ui/test/data/krbtpolicy_show.json index 39882e14a..6f9fe6d2e 100644 --- a/install/ui/test/data/krbtpolicy_show.json +++ b/install/ui/test/data/krbtpolicy_show.json @@ -3,9 +3,6 @@ "id": 6, "result": { "result": { - "aci": [ - "(targetattr = \"krbMKey\")(version 3.0; acl \"No external access\"; deny (read,write,search,compare) userdn != \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ipa14,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)" - ], "attributelevelrights": { "aci": "rscwo", "cn": "rscwo", @@ -75,4 +72,4 @@ "summary": null, "value": "" } -}
\ No newline at end of file +} diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 838811b33..7f77fc1eb 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -49,8 +49,6 @@ import struct import certs from distutils import version -KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)' - def update_key_val_in_file(filename, key, val): if os.path.exists(filename): pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val)) @@ -162,7 +160,6 @@ class KrbInstance(service.Service): self.__common_setup(realm_name, host_name, domain_name, admin_password) - self.step("setting KDC account password", self.__configure_kdc_account_password) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) self.step("adding kerberos container to the directory", self.__add_krb_container) self.step("configuring KDC", self.__configure_instance) @@ -226,16 +223,6 @@ class KrbInstance(service.Service): os.chmod("/var/kerberos/krb5kdc/kpasswd.keytab", 0600) - def __configure_kdc_account_password(self): - hexpwd = '' - for x in self.kdc_password: - hexpwd += (hex(ord(x))[2:]) - self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd") - pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "w") - pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n") - pwd_fd.close() - os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600) - def __enable(self): self.backup_state("enabled", self.is_enabled()) # We do not let the system start IPA components on its own, |