authorKarl MacMillan <kmacmill@redhat.com>2007-12-12 16:33:24 -0500
committerKarl MacMillan <kmacmill@redhat.com>2007-12-12 16:33:24 -0500
commit18992de6577e614f59e43fec77d437fe80a63c4b (patch)
treee0c16386b4404ecb3fdbc9204cfb54249a789a71
parent5cdff99bdfef7f43fb48814720d4e942f197d9c1 (diff)
parent88c0c7f321fc1861f8c0cfb54a15eb6c51445a25 (diff)
Merge.
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif2
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif23
-rw-r--r--ipa-server/ipaserver/krbinstance.py40
3 files changed, 36 insertions, 29 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 9642070c7..d29b5d1b3 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -80,6 +80,7 @@ gidNumber: 1001
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
+nsAccountLock: False
dn: cn=radius,$SUFFIX
changetype: add
@@ -114,6 +115,7 @@ cn: admins
description: Account administrators group
gidNumber: 1001
member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+nsAccountLock: False
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
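Review bot: `nsAccountLock: False` is written onto the cn=admins group entry as well as the admin user, and the group's objectClass lines are outside the hunk; if none of them permit nsAccountLock the bootstrap add fails with an objectClass violation at install time, so it is worth confirming the schema allows the attribute on group entries. Since an absent nsAccountLock already means "not locked" in 389-DS, a short comment above the attribute explaining why the value is spelled out on creation would help the next reader.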
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 95743eebb..422fe16e9 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -1,18 +1,18 @@
# $SUFFIX (base entry)
-# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authewnticated users
+# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
dn: $SUFFIX
changetype: modify
replace: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || krbMKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || krbMKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Admin can manage any entry except for passwords"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Admin can write passwords"; allow (write) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn = "ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMkey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMkey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
-aci: (target="ldap:///cn=radius,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: modify
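Review bot: The "Enable Anonymous access" rule on the first added `aci:` line is a `targetattr !=` exclusion list, and 389-DS allow rules are additive, so the "Only the KDC System Account has access to kerberos material" rule further down does not restrict anyone: an anonymous bind can still read every attribute not named in the exclusion, including krbPwdHistory, which the removed kadmin/changepw line grouped with the password hashes. If that material is meant to be KDC-only, the exclusion on the anonymous and admin rules should carry it, e.g. `targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPwdHistory"`. Attribute names match case-insensitively, so the `krbMkey` / `krbMKey` spelling difference between these lines is harmless, but one spelling would make the file greppable.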
@@ -25,6 +25,11 @@ add: aci
aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+dn: cn=radius,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci
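Review bot: The deny rule added on cn=radius excepts only uid=admin and the radius principal, while the "Account Admins can manage Users and Groups" rule in the previous hunk grants cn=admins write access to radiusprofile entries, which presumably live under cn=radius; because a deny ACI wins over allows in 389-DS, members of cn=admins other than the admin user lose that access. If that is intended, a comment above the rule saying so would stop the next reader treating it as a conflict; if not, the bind rule should also except the group, e.g. `deny (all) (userdn!="ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX") and (groupdn!="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX");`, which covers uid=admin through its group membership shown in the bootstrap template.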
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 76818af7d..c5ecbb892 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -33,6 +33,7 @@ import time
import shutil
import service
+from ipa import ipautil
from ipa import ipaerror
import ipaldap
@@ -46,7 +47,6 @@ import pyasn1.codec.ber.encoder
import pyasn1.codec.ber.decoder
import struct
import base64
-from ipa.ipautil import *
def host_to_domain(fqdn):
s = fqdn.split(".")
@@ -54,7 +54,7 @@ def host_to_domain(fqdn):
def ldap_mod(fd, dn, pwd):
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
- run(args)
+ ipautil.run(args)
def update_key_val_in_file(filename, key, val):
if os.path.exists(filename):
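Review bot: ldap_mod still hands the Directory Manager password to ldapmodify as a `-w` argument, so for as long as the process runs it is readable by any local user through the process list; passing `-y <passwd-file>` pointing at a 0600 temporary file avoids that. The kdb5_ldap_util invocation in the hunk around line 290 has the same shape, with both the kdc bind password and the master password on the command line. ldap_mod is complete within this hunk; update_key_val_in_file continues past it.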
@@ -89,8 +89,8 @@ class KrbInstance(service.Service):
self.host = host_name.split(".")[0]
self.ip = socket.gethostbyname(host_name)
self.domain = host_to_domain(host_name)
- self.suffix = realm_to_suffix(self.realm)
- self.kdc_password = ipa_generate_password()
+ self.suffix = ipautil.realm_to_suffix(self.realm)
+ self.kdc_password = ipautil.ipa_generate_password()
self.admin_password = admin_password
self.__setup_sub_dict()
@@ -241,8 +241,8 @@ class KrbInstance(service.Service):
self.step("adding kerberos entries to the DS")
#TODO: test that the ldif is ok with any random charcter we may use in the password
- kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
- kerberos_fd = write_tmp_file(kerberos_txt)
+ kerberos_txt = ipautil.template_file(ipautil.SHARE_DIR + "kerberos.ldif", self.sub_dict)
+ kerberos_fd = ipautil.write_tmp_file(kerberos_txt)
try:
ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
except ipautil.CalledProcessError, e:
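Review bot: The `#TODO` about password characters still stands after this change: kerberos.ldif is rendered by plain text substitution from self.sub_dict, and a substituted value containing a newline or a leading space would be read by ldapmodify as LDIF structure rather than as the value, which at best breaks the add and at worst creates unintended attributes. Base64-encoding such values in the template (`attr:: <base64>` form) or rejecting them before substitution would close that; I cannot see what sub_dict holds, so whether the generated values are already restricted needs confirming. The enclosing method starts and ends outside the hunk.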
@@ -250,8 +250,8 @@ class KrbInstance(service.Service):
kerberos_fd.close()
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
- aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
- aci_fd = write_tmp_file(aci_txt)
+ aci_txt = ipautil.template_file(ipautil.SHARE_DIR + "default-aci.ldif", self.sub_dict)
+ aci_fd = ipautil.write_tmp_file(aci_txt)
try:
ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
except ipautil.CalledProcessError, e:
@@ -260,28 +260,28 @@ class KrbInstance(service.Service):
def __create_instance(self, replica=False):
self.step("configuring KDC")
- kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
+ kdc_conf = ipautil.template_file(ipautil.SHARE_DIR+"kdc.conf.template", self.sub_dict)
kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
kdc_fd.write(kdc_conf)
kdc_fd.close()
- krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
+ krb5_conf = ipautil.template_file(ipautil.SHARE_DIR+"krb5.conf.template", self.sub_dict)
krb5_fd = open("/etc/krb5.conf", "w+")
krb5_fd.write(krb5_conf)
krb5_fd.close()
# Windows configuration files
- krb5_ini = template_file(SHARE_DIR+"krb5.ini.template", self.sub_dict)
+ krb5_ini = ipautil.template_file(ipautil.SHARE_DIR+"krb5.ini.template", self.sub_dict)
krb5_fd = open("/usr/share/ipa/html/krb5.ini", "w+")
krb5_fd.write(krb5_ini)
krb5_fd.close()
- krb_con = template_file(SHARE_DIR+"krb.con.template", self.sub_dict)
+ krb_con = ipautil.template_file(ipautil.SHARE_DIR+"krb.con.template", self.sub_dict)
krb_fd = open("/usr/share/ipa/html/krb.con", "w+")
krb_fd.write(krb_con)
krb_fd.close()
- krb_realm = template_file(SHARE_DIR+"krbrealm.con.template", self.sub_dict)
+ krb_realm = ipautil.template_file(ipautil.SHARE_DIR+"krbrealm.con.template", self.sub_dict)
krb_fd = open("/usr/share/ipa/html/krbrealm.con", "w+")
krb_fd.write(krb_realm)
krb_fd.close()
@@ -290,7 +290,7 @@ class KrbInstance(service.Service):
#populate the directory with the realm structure
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
try:
- run(args)
+ ipautil.run(args)
except ipautil.CalledProcessError, e:
print "Failed to populate the realm structure in kerberos", e
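Review bot: The except branch prints the CalledProcessError `e` straight to stdout; if that exception's string form includes the failed command line (ipautil.CalledProcessError is not visible here, so this needs checking), the kdc bind password and the master password from `args` two lines above end up in the install output. Printing a fixed message plus the exit status is safer, e.g. `print "Failed to populate the realm structure in kerberos (exit status %s)" % getattr(e, "returncode", "?")`. The enclosing method starts and ends outside the hunk.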
@@ -318,8 +318,8 @@ class KrbInstance(service.Service):
#add the password extop module
def __add_pwd_extop_module(self):
self.step("adding the password extenstion to the directory")
- extop_txt = template_file(SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
- extop_fd = write_tmp_file(extop_txt)
+ extop_txt = ipautil.template_file(ipautil.SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
+ extop_fd = ipautil.write_tmp_file(extop_txt)
try:
ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
except ipautil.CalledProcessError, e:
@@ -355,7 +355,7 @@ class KrbInstance(service.Service):
def __create_ds_keytab(self):
self.step("creating a keytab for the directory")
try:
- if file_exists("/etc/dirsrv/ds.keytab"):
+ if ipautil.file_exists("/etc/dirsrv/ds.keytab"):
os.remove("/etc/dirsrv/ds.keytab")
except os.error:
logging.critical("Failed to remove /etc/dirsrv/ds.keytab.")
@@ -370,7 +370,7 @@ class KrbInstance(service.Service):
# give kadmin time to actually write the file before we go on
retry = 0
- while not file_exists("/etc/dirsrv/ds.keytab"):
+ while not ipautil.file_exists("/etc/dirsrv/ds.keytab"):
time.sleep(1)
retry += 1
if retry > 15:
@@ -384,7 +384,7 @@ class KrbInstance(service.Service):
def __export_kadmin_changepw_keytab(self):
self.step("exporting the kadmin keytab")
try:
- if file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
+ if ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
os.remove("/var/kerberos/krb5kdc/kpasswd.keytab")
except os.error:
logging.critical("Failed to remove /var/kerberos/krb5kdc/kpasswd.keytab.")
@@ -404,7 +404,7 @@ class KrbInstance(service.Service):
# give kadmin time to actually write the file before we go on
retry = 0
- while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
+ while not ipautil.file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
time.sleep(1)
retry += 1
if retry > 15: