diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-02-19 13:29:14 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-03-19 17:17:14 -0400 |
| commit | c19911845d93e4cbbf296caf18568231549a3e60 (patch) | |
| tree | 7215db333db05cefbe712e63f7c99d651afff908 /install | |
| parent | 664ae51eb6e76ceb3630687d2ee423f69fb0ba19 (diff) | |
| download | freeipa-c19911845d93e4cbbf296caf18568231549a3e60.tar.gz freeipa-c19911845d93e4cbbf296caf18568231549a3e60.tar.xz freeipa-c19911845d93e4cbbf296caf18568231549a3e60.zip | |
Use GSSAPI auth for the ipa-replica-manage list and del commands.
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
Diffstat (limited to 'install')
| -rwxr-xr-x | install/tools/ipa-replica-manage | 22 | ||||
| -rw-r--r-- | install/updates/40-delegation.update | 37 |
2 files changed, 55 insertions, 4 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 20d261c8f..b85c491e5 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -27,6 +27,7 @@ from ipaserver.install import replication, dsinstance, installutils from ipaserver import ipaldap from ipapython import version from ipalib import util +from ipalib import errors def parse_options(): from optparse import OptionParser @@ -102,12 +103,15 @@ def del_master(replman, hostname, force=False): try: t = replman.get_agreement_type(hostname) except ldap.NO_SUCH_OBJECT: - print "No replication agreement found for %s" % hostname + print "No replication agreement found for '%s'" % hostname + return + except errors.NotFound: + print "No replication agreement found for '%s'" % hostname + return if t == replication.IPA_REPLICA: - dirman_passwd = getpass.getpass("Directory Manager password (%s): " % hostname) try: - other_replman = replication.ReplicationManager(hostname, dirman_passwd) + other_replman = replication.ReplicationManager(hostname, dirman_passwd=None) other_replman.suffix = get_suffix() other_replman.delete_agreement(replman.conn.host) except Exception, e: @@ -179,10 +183,13 @@ def synch_master(replman, hostname): def main(): options, args = parse_options() + dirman_passwd = None + if options.dirman_passwd: dirman_passwd = options.dirman_passwd else: - dirman_passwd = getpass.getpass("Directory Manager password: ") + if args[0] in ["add", "init"]: + dirman_passwd = getpass.getpass("Directory Manager password: ") if options.host: host = options.host @@ -227,5 +234,12 @@ except SystemExit, e: except ldap.INVALID_CREDENTIALS: print "Invalid password" sys.exit(1) +except ldap.INSUFFICIENT_ACCESS: + print "Insufficient access" + sys.exit(1) +except ldap.LOCAL_ERROR, e: + print e.args[0]['info'] + sys.exit(1) except Exception, e: print "unexpected error: %s" % str(e) + sys.exit(1) diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 1be178933..77dca721d 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -72,6 +72,13 @@ add:objectClass: nestedgroup add:cn: certadmin add:description: Certificate Administrators +dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: replicaadmin +add:description: Replication Administrators +add:member:'uid=admin,cn=users,cn=accounts,$SUFFIX' + # Add the taskgroups referenced by the ACIs for user administration dn: cn=taskgroups,cn=accounts,$SUFFIX @@ -648,3 +655,33 @@ add: aci: '(targetattr = "objectClass")(target = $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold" ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold, cn=taskgroups,cn=accounts,$SUFFIX";)' + +# Taskgroup for managing replicas +dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: managereplica +add:description: Manage Replication Agreements +add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX' + +# Taskgroup for deleting replicas +dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: nestedgroup +add:cn: deletereplica +add:description: Delete Replication Agreements +add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX' + +# Add acis allowing admins to read/write/delete replicas +dn: cn="$SUFFIX",cn=mapping tree,cn=config +add: aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica) + (objectclass=nsds5replicationagreement)(objectclass= + nsDSWindowsReplicationAgreement))")(version 3.0; acl "Manage + replication agreements"; allow (read, write, search) groupdn = + "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' + +dn: cn="$SUFFIX",cn=mapping tree,cn=config +add: aci: '(targetattr=*)(targetfilter="(|(objectclass= + nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement + ))")(version 3.0;acl "Delete replication agreements";allow (delete) + groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)' |