summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-08-22 16:24:07 -0400
committerMartin Kosek <mkosek@redhat.com>2011-08-24 14:12:10 +0200
commitbe7de56e5d403fb97bcb583f6b7b5dd7e3fb914c (patch)
tree722fdd0af9246c027dedf0db3fa4caaa132688c7 /install
parentae06f7b68e04000b748f702d553a5b691eb6cb3c (diff)
downloadfreeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.zip
freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.gz
freeipa-be7de56e5d403fb97bcb583f6b7b5dd7e3fb914c.tar.xz
Change the way has_keytab is determined, also check for password.
We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
Diffstat (limited to 'install')
-rw-r--r--install/share/default-aci.ldif8
-rw-r--r--install/updates/20-aci.update4
2 files changed, 12 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 88269d2..586ec61 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
+
+# This is used for the host/service one-time passwordn and keytab indirectors.
+# We can do a query on a DN to see if an attribute exists.
+dn: cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
+
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 42f1e9f..41d35da 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -2,3 +2,7 @@
dn: cn=ng,cn=alt,$SUFFIX
add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
+# This is used for the host/service one-time passwordn and keytab indirectors.
+# We can do a query on a DN to see if an attribute exists.
+dn: cn=accounts,$SUFFIX
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)