authorSimo Sorce <ssorce@redhat.com>2007-08-29 18:07:05 -0400
committerSimo Sorce <ssorce@redhat.com>2007-08-29 18:07:05 -0400
commitbebc413366506f4d19d98c8bb33041094beff117 (patch)
tree009e7501675903886d6b24c903a4fb8799063aa9
parent46eeca740ee4d66bfd4f062896220dfb5527f5b6 (diff)
downloadfreeipa-bebc413366506f4d19d98c8bb33041094beff117.tar.gz
freeipa-bebc413366506f4d19d98c8bb33041094beff117.tar.xz
freeipa-bebc413366506f4d19d98c8bb33041094beff117.zip
Finalize DIT, this is what we are probably going to have in the end,
or something very close to this one. Add default groups and admin user. TODO: need to discuss uid/gid generation in more depth; this will probably change as soon as the DNA plugin is activated
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif81
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif15
-rw-r--r--ipa-server/ipa-install/share/kerberos.ldif31
-rw-r--r--ipa-server/ipa-install/test/test-users-template.ldif18
-rw-r--r--ipa-server/xmlrpc-server/funcs.py4
5 files changed, 85 insertions, 64 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 2986f3ab0..e8e6b9b4a 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -4,55 +4,78 @@ add: objectClass
objectClass: pilotObject
info: IPA V1.0
-# default, $REALM
-dn: ou=default,$SUFFIX
+dn: cn=accounts,$SUFFIX
changetype: add
-objectClass: organizationalUnit
objectClass: top
-ou: default
+objectClass: nsContainer
+cn: accounts
-# users, default, $REALM
-dn: ou=users,ou=default,$SUFFIX
+dn: cn=users,cn=accounts,$SUFFIX
changetype: add
-objectClass: organizationalUnit
objectClass: top
-ou: users
+objectClass: nsContainer
+cn: users
-# groups, default, $REALM
-dn: ou=groups,ou=default,$SUFFIX
+dn: cn=groups,ou=accounts,$SUFFIX
changetype: add
-objectClass: organizationalUnit
objectClass: top
-ou: groups
+objectClass: nsContainer
+cn: groups
-# computers, default, $REALM
-#dn: ou=computers,ou=default,$SUFFIX
-#objectClass: organizationalUnit
+#dn: cn=computers,cn=accounts,$SUFFIX
#objectClass: top
-#ou: computers
+#objectClass: nsContainer
+#cn: computers
-dn: ou=special,$SUFFIX
+dn: cn=etc,$SUFFIX
changetype: add
-objectClass: organizationalUnit
+objectClass: nsContainer
objectClass: top
-ou: special
+cn: etc
-dn: uid=webservice,ou=special,$SUFFIX
+dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
-uid: webservice
+objectClass: nsContainer
+objectClass: top
+cn: sysaccounts
+
+dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
objectClass: account
+uid: webservice
+
+dn: uid=admin,cn=users,cn=accounts,$SUFFIX
+changetype: add
objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
objectClass: person
-cn: Web Service
-sn: Service
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: KrbPrincipalAux
+uid: admin
+krbPrincipalName: admin@$REALM
+cn: Administrator
+sn: Administrator
+uidNumber: 1000
+gidNumber: 1001
+homeDirectory: /home/admin
+loginShell: /bin/bash
+gecos: Administrator
+
+dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofuniquenames
+objectClass: posixGroup
+cn: admins
+gidNumber: 1001
+uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
-description: ou=users administrators
objectClass: top
objectClass: groupofuniquenames
objectClass: posixGroup
-gidNumber: 500
-cn: admin
+gidNumber: 1002
+cn: ipausers
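Review bot: The groups container is added as `dn: cn=groups,ou=accounts,$SUFFIX` while its parent and every sibling entry in this hunk use `cn=accounts`, so that add has no parent entry and the `cn=admins` and `cn=ipausers` groups below it, whose DNs assume `cn=groups,cn=accounts`, cannot be added either; the line should read `dn: cn=groups,cn=accounts,$SUFFIX`. The admins group's `uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX` names an entry this template never creates — the administrator is added as `uid=admin,cn=users,cn=accounts,$SUFFIX` — so the one intended member would not actually be in the group that the new "admins can write entries" ACI in default-aci.ldif is keyed on. Changing the member value to `uniqueMember: uid=admin,cn=users,cn=accounts,$SUFFIX` closes that gap; the same wrong DN is used by the "Admin has mighty powers" ACI in this commit, so the two should be fixed together. The fixed `uidNumber: 1000` / `gidNumber: 1001` / `gidNumber: 1002` values are acknowledged as provisional in the commit message; I would add `# TODO: provisional ids until DNA plugin allocation is in place` above the admin entry so the template says so itself.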
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 2b05e102a..a942b683e 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -3,12 +3,9 @@ dn: $SUFFIX
changetype: modify
replace: aci
aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
-aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
-aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";)
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";)
-aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
+aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
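Review bot: The new `Admin has mighty powers` ACI grants `allow (all)` on every attribute to `uid=admin,cn=sysaccounts,cn=etc,$SUFFIX`, a DN that the bootstrap template in this same commit does not create (the administrator is added under `cn=users,cn=accounts`), so the intended admin receives none of these rights and the grant dangles on an unused name. That matters because the `admins can write entries` ACI below it has no `target` clause: it allows `add` of any `person`/`posixAccount` entry anywhere under `$SUFFIX` with `targetattr="*"` (userPassword included), so as far as these two rules show an admins member could create that exact DN with a password of their choosing and bind with full directory rights — worth confirming against the server's add semantics, but the rules being replaced avoided this by scoping to the `ou=users` and `ou=groups` subtrees. I would point the admin rule at `userdn="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX"` and restore a `(target="ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")` / `(target="ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")` restriction on the admins and webservice-proxy rules, both of which lost their subtree limit in this rewrite. The unchanged anonymous-read rule at the top excludes `userPassword`, `krbPrincipalKey` and the Samba hashes but not `krbPwdHistory` or `krbExtraData`, which the new KDC and kpasswd rules treat as password material; extending its `targetattr!=` list to cover them would keep the two views consistent.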
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
index ae4564f6f..0ffc2bba0 100644
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@@ -1,26 +1,35 @@
-#kerberos base object
-dn: cn=kerberos,$SUFFIX
-changetype: add
-objectClass: krbContainer
-objectClass: top
-cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-
#kerberos user
-dn: uid=kdc,cn=kerberos,$SUFFIX
+dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: kdc
userPassword: $PASSWORD
+#kerberos base object
+dn: cn=kerberos,$SUFFIX
+changetype: add
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+
#sasl mapping
-dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
+dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
changetype: add
objectclass: top
objectclass: nsSaslMapping
-cn: kerberos
+cn: fullprinc
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: $SUFFIX
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
+dn: cn=justname,cn=mapping,cn=sasl,cn=config
+changetype: add
+objectclass: top
+objectclass: nsSaslMapping
+cn: justname
+nsSaslMapRegexString: \(.*\)
+nsSaslMapBaseDNTemplate: $SUFFIX
+nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
+
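Review bot: The added `justname` mapping uses the catch-all regex `\(.*\)`, which also matches fully qualified authids, so `user@REALM` is tried against `(krbPrincipalName=user@REALM@$REALM)` as well as through `fullprinc`; this only works if the server falls through to the next mapping when a lookup returns no entry, and nothing in this file pins the evaluation order. Anchoring it to names without a realm, `nsSaslMapRegexString: ^\([^@]*\)$`, removes the overlap. Neither template escapes the captured authid before it is interpolated into the search filter; the value comes from a KDC-authenticated principal, but principal names are not restricted to filter-safe characters, so a principal containing `*` or `)` would produce an over-broad or malformed filter — presumably the server rejects a non-unique match, but that deserves a comment stating the assumption rather than silent reliance. The `KDC System Account` ACI on `cn=kerberos` still grants `allow (all)` over `targetattr="*"` for the whole subtree, far broader than the attribute-scoped rules added for the same account in default-aci.ldif; if the KDC only needs to read principal data there and write the lockout counters, narrowing this rule to match would be the least-privilege choice.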
diff --git a/ipa-server/ipa-install/test/test-users-template.ldif b/ipa-server/ipa-install/test/test-users-template.ldif
index 0057d9766..f5573d839 100644
--- a/ipa-server/ipa-install/test/test-users-template.ldif
+++ b/ipa-server/ipa-install/test/test-users-template.ldif
@@ -1,30 +1,22 @@
# test, users, default, $REALM
-dn: uid=test,ou=users,ou=default,$SUFFIX
+dn: uid=test,cn=users,cn=accounts,$SUFFIX
changetype: add
-uidNumber: 1001
+uidNumber: 1003
uid: test
gecos: test
homeDirectory: /home/test
loginShell: /bin/bash
-shadowMin: 0
-shadowWarning: 7
-shadowMax: 99999
-shadowExpire: -1
-shadowInactive: -1
-shadowLastChange: 13655
-shadowFlag: -1
-gidNumber: 100
+gidNumber: 1002
objectclass: krbPrincipalAux
objectclass: inetOrgPerson
objectClass: posixAccount
-objectClass: shadowAccount
objectClass: account
objectClass: top
cn: Test User
sn: User
krbPrincipalName: test@$REALM
-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: modify
add: uniqueMember
-uniqueMember: uid=test,ou=users,ou=default,$SUFFIX
+uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index fe48a1ffa..23576b358 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -37,8 +37,8 @@ import re
# Need a global to store this between requests
_LDAPPool = None
-DefaultUserContainer = "ou=users,ou=default"
-DefaultGroupContainer = "ou=groups,ou=default"
+DefaultUserContainer = "cn=users,cn=accounts"
+DefaultGroupContainer = "cn=groups,cn=accounts"
#
# Apache runs in multi-process mode so each process will have its own
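Review bot: `DefaultUserContainer` and `DefaultGroupContainer` are bare RDN chains with no suffix, and nothing in the hunk records what they are relative to or that they must stay in step with bootstrap-template.ldif, where the matching `cn=users,cn=accounts` and `cn=groups,cn=accounts` entries are created with `$SUFFIX` appended. A one-line comment above them, `# Container RDNs relative to the directory suffix; must match the DIT in ipa-install/share/bootstrap-template.ldif`, would make that coupling visible to the next person who moves the DIT. As a concrete instance, the LDIF in this commit creates the groups container as `cn=groups,ou=accounts`, which `DefaultGroupContainer` as written would not find.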