install: Remove uid=kdc user

The ipadb DAL driver gets access to the ldap server as Directory Manager now so this user is not needed anymore.
author: Simo Sorce <ssorce@redhat.com> 2011-07-19 20:04:46 -0400
committer: Simo Sorce <ssorce@redhat.com> 2011-08-26 08:24:50 -0400
commit: 8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a (patch)
tree: 752225c103fa54f4bbc48190e875f54094a2bcbf /install
parent: 195a65d5c2b2f2a318225a94e734ec41cdc34b1d (diff)
download: freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.gz
freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.xz
freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.zip
4 files changed, 1 insertions, 22 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 586ec61fc..e02b1c2c9 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -9,9 +9,6 @@ aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || samba
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock")(version 3.0; acl "KDC System Account can update some fields"; allow (read,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
 
@@ -39,7 +36,6 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
 dn: cn=services,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 
 # Define which hosts can edit services
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index a40b63aa0..4778a6b4d 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -1,20 +1,9 @@
-#kerberos user
-dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
-changetype: add
-objectclass: account
-objectclass: simplesecurityobject
-uid: kdc
-userPassword: $PASSWORD
-passwordExpirationTime: 20380119031407Z
-nsIdleTimeout: 0
-
 #kerberos base object
 dn: cn=kerberos,$SUFFIX
 changetype: add
 objectClass: krbContainer
 objectClass: top
 cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 
 #Realm base object
 dn: cn=$REALM,cn=kerberos,$SUFFIX
diff --git a/install/ui/test/data/aci_find.json b/install/ui/test/data/aci_find.json
index 00682ffd2..d1687c112 100644
--- a/install/ui/test/data/aci_find.json
+++ b/install/ui/test/data/aci_find.json
@@ -9,9 +9,6 @@
             "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword\")(version 3.0;acl \"Self can write own password\";allow (write) userdn = \"ldap:///self\";)", 
             "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Admins can write passwords\";allow (add,delete,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
             "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Password change service can read/write passwords\";allow (read,write) userdn = \"ldap:///krbprincipalname=kadmin/changepw@AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
-            "(targetattr = \"userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"KDC System Account can access passwords\";allow (all) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
-            "(targetattr = \"krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"KDC System Account can update some fields\";allow (write) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
-            "(targetattr = \"krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"Only the KDC System Account has access to kerberos material\";allow (read,search,compare) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
             "(targetattr = \"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength\")(targetfilter = \"(objectClass=krbPwdPolicy)\")(version 3.0;acl \"Admins can write password policies\";allow (read,search,compare,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
             "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou\")(version 3.0;acl \"Self service\";allow (write) userdn = \"ldap:///self\";)", 
             "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Get Certificates status from the CA\";allow (write) groupdn = \"ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
diff --git a/install/ui/test/data/krbtpolicy_show.json b/install/ui/test/data/krbtpolicy_show.json
index 39882e14a..6f9fe6d2e 100644
--- a/install/ui/test/data/krbtpolicy_show.json
+++ b/install/ui/test/data/krbtpolicy_show.json
@@ -3,9 +3,6 @@
     "id": 6,
     "result": {
         "result": {
-            "aci": [
-                "(targetattr = \"krbMKey\")(version 3.0; acl \"No external access\"; deny (read,write,search,compare) userdn != \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ipa14,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)"
-            ],
             "attributelevelrights": {
                 "aci": "rscwo",
                 "cn": "rscwo",
@@ -75,4 +72,4 @@
         "summary": null,
         "value": ""
     }
-}
-\ No newline at end of file
+}
author	Simo Sorce <ssorce@redhat.com>	2011-07-19 20:04:46 -0400
committer	Simo Sorce <ssorce@redhat.com>	2011-08-26 08:24:50 -0400
commit	8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a (patch)
tree	752225c103fa54f4bbc48190e875f54094a2bcbf /install
parent	195a65d5c2b2f2a318225a94e734ec41cdc34b1d (diff)
download	freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.gz freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.tar.xz freeipa-8cb2aee626e7be3e9cde7195dabfebb3cc34cb6a.zip