diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-08-22 16:24:07 -0400 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2011-08-24 14:12:10 +0200 |
| commit | be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c (patch) | |
| tree | 722fdd0af9246c027dedf0db3fa4caaa132688c7 /install | |
| parent | ae06f7b68e04000b748f702d553a5b691eb6cb3c (diff) | |
| download | freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.gz freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.xz freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.zip | |
Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
Diffstat (limited to 'install')
| -rw-r--r-- | install/share/default-aci.ldif | 8 | ||||
| -rw-r--r-- | install/updates/20-aci.update | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 88269d282..586ec61fc 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX changetype: modify add: aci aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";) + +# This is used for the host/service one-time passwordn and keytab indirectors. +# We can do a query on a DN to see if an attribute exists. +dn: cn=accounts,$SUFFIX +changetype: modify +add: aci +aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) + diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 42f1e9fe6..41d35da35 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -2,3 +2,7 @@ dn: cn=ng,cn=alt,$SUFFIX add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)' +# This is used for the host/service one-time passwordn and keytab indirectors. +# We can do a query on a DN to see if an attribute exists. +dn: cn=accounts,$SUFFIX +add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) |