diff options
| author | Dmitri Pal <dpal@redhat.com> | 2010-09-08 22:44:42 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-09-16 11:31:27 -0400 |
| commit | 52af18ec03b7a5dc00764d4f33fe8d62811b8ca6 (patch) | |
| tree | ec4f2d9c3f3b4d17789ca448ff9eb2461c32da4f /install | |
| parent | 5fd09b016b228c949963c77643f423360a4ada10 (diff) | |
| download | freeipa-52af18ec03b7a5dc00764d4f33fe8d62811b8ca6.tar.gz freeipa-52af18ec03b7a5dc00764d4f33fe8d62811b8ca6.tar.xz freeipa-52af18ec03b7a5dc00764d4f33fe8d62811b8ca6.zip | |
Enabling SUDO support
* Adding a new SUDO schema file
* Adding this new file to the list of targets in make file
* Create SUDO container for sudo rules
* Add default sudo services to HBAC services
* Add default SUDO HBAC service group with two services sudo & sudo-i
* Installing schema
No SUDO rules are created by default by this patch.
Diffstat (limited to 'install')
| -rw-r--r-- | install/share/60sudo.ldif | 35 | ||||
| -rw-r--r-- | install/share/Makefile.am | 1 | ||||
| -rw-r--r-- | install/share/bootstrap-template.ldif | 7 | ||||
| -rw-r--r-- | install/updates/30-hbacsvc.update | 33 |
4 files changed, 68 insertions, 8 deletions
diff --git a/install/share/60sudo.ldif b/install/share/60sudo.ldif new file mode 100644 index 000000000..d8db306f2 --- /dev/null +++ b/install/share/60sudo.ldif @@ -0,0 +1,35 @@ +dn: cn=schema +## +## IPA SUDO schema (added in IPA v2) +## +## Attributes: 2.16.840.1.113730.3.8.7.x +## ObjectClasses: 2.16.840.1.113730.3.8.8.x +## +## Attribute to store DN of a SUDO command or a group of SUDO commands +attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberCmd' DESC 'Reference to a command or group of the commands.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +## Attribute to store command category +attributeTypes: (2.16.840.1.113730.3.8.7.2 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to store user not managed by the central server +attributetypes: (2.16.840.1.113730.3.8.7.3 NAME 'externalUser' DESC 'Multivalue string attribute that allows storing user names.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to store sudo options +attributetypes: (2.16.840.1.113730.3.8.7.4 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' ) +## Attribute to store the reference identity under which the command should be run +attributeTypes: (2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoRunAs' DESC 'Reference to a user or group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) +## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity. +attributeTypes: (2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAsExtUser' DESC 'Multivalue string attribute that allows storing user name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to express category of identities that the command can be run under +attributeTypes: (2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory X-ORIGIN 'IPA v2' ) +## Attribute to store a reference to the "run as group" identitity +attributeTypes: (2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsGroup' DESC 'Reference to group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) +## Attribute to store a name of the "run as group" identitity if this group is not directly managed by IPA +attributeTypes: (2.16.840.1.113730.3.8.7.9 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to express category of group identities that the command can be run under +attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' ) +## Attribute to store host mask +attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Object class for SUDO rules +objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( externalUser $ externalHost $ hostMask $ memberCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' ) +## Object class for SUDO commands +objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ cn ) MAY ( description ) X-ORIGIN 'IPA v2' ) +## Object class for groups of the SUDO commands +objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA object class to store groups of SUDO commands' SUP groupOfUniqueNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 5ff62baf6..9efb75a09 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -8,6 +8,7 @@ app_DATA = \ 60radius.ldif \ 60ipaconfig.ldif \ 60basev2.ldif \ + 60sudo.ldif \ anonymous-vlv.ldif \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f1f36a64d..e2864858b 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -52,6 +52,12 @@ objectClass: top objectClass: nsContainer cn: hbac +dn: cn=SUDOers,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: SUDOers + dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer @@ -245,4 +251,3 @@ objectClass: cosClassicDefinition cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX cosAttribute: krbPwdPolicyReference cosSpecifier: memberOf - diff --git a/install/updates/30-hbacsvc.update b/install/updates/30-hbacsvc.update index dc36950d5..229c0f143 100644 --- a/install/updates/30-hbacsvc.update +++ b/install/updates/30-hbacsvc.update @@ -12,13 +12,6 @@ default:cn: ftp default:description: ftp default:ipauniqueid:$UUID -dn: cn=sudo,cn=hbacservices,cn=accounts,$SUFFIX -default:objectclass: ipahbacservice -default:objectclass: ipaobject -default:cn: sudo -default:description: sudo -default:ipauniqueid:$UUID - dn: cn=su,cn=hbacservices,cn=accounts,$SUFFIX default:objectclass: ipahbacservice default:objectclass: ipaobject @@ -39,3 +32,29 @@ default:objectclass: ipaobject default:cn: su-l default:description: su with login shell default:ipauniqueid:$UUID + +dn: cn=sudo,cn=hbacservices,cn=accounts,$SUFFIX +default:objectclass: ipahbacservice +default:objectclass: ipaobject +default:cn: sudo +default:description: sudo +default:ipauniqueid:$UUID + +dn: cn=sudo-i,cn=hbacservices,cn=accounts,$SUFFIX +default:objectclass: ipahbacservice +default:objectclass: ipaobject +default:cn: sudo-i +default:description: sudo-i +default:ipauniqueid:$UUID + +dn: cn=SUDO,cn=hbacservicegroups,cn=accounts,$SUFFIX +default:objectClass: ipaobject +default:objectClass: ipahbacservicegroup +default:objectClass: nestedGroup +default:objectClass: groupOfNames +default:objectClass: top +default:cn: SUDO +default:ipauniqueid:$UUID +default:description: Default group of SUDO related services +default:member: cn=sudo,cn=hbacservices,cn=accounts,$SUFFIX +default:member: cn=sudo-i,cn=hbacservices,cn=accounts,$SUFFIX |