diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2009-09-14 17:04:08 -0400 |
|---|---|---|
| committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-09-24 17:45:49 -0600 |
| commit | d0587cbdd5bc5e07a6e8519deb07adaace643740 (patch) | |
| tree | aa6b96e33337a809687ab025ec4d2a392ca757f0 /install | |
| parent | 4f4d57cd30ac7169e18a8e2e22e62d8bdda083c4 (diff) | |
| download | freeipa-d0587cbdd5bc5e07a6e8519deb07adaace643740.tar.gz freeipa-d0587cbdd5bc5e07a6e8519deb07adaace643740.tar.xz freeipa-d0587cbdd5bc5e07a6e8519deb07adaace643740.zip | |
Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
Diffstat (limited to 'install')
| -rw-r--r-- | install/updates/40-delegation.update | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 220c489d9..ee7f4db92 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -222,8 +222,9 @@ add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description || locality || location || platform - || os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; +add:aci: '(targetattr = "cn || description || l || location || + nshardwareplatform || nsosversion") + (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, cn=taskgroups,cn=accounts,$SUFFIX";)' @@ -449,16 +450,36 @@ add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' # Add the ACI needed to do host keytab admin dn: $SUFFIX -add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*, - cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab"; +add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange") + (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") + (version 3.0;acl "Manage host keytab"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,$SUFFIX";)' +# Taskgroup for enrolling hosts. Note that this also requires +# manage_host_keytab access +dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: groupofnames +add:cn: enroll_host +add:description: Enroll a host +add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX' + +# Add the ACI needed to do host enrollment. When this occurs we +# set the krbPrincipalName, add krbPrincipalAux to objectClass and +# set enrolledBy to whoever ran join. +dn: $SUFFIX +add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass") + (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") + (version 3.0;acl "Enroll a host"; + allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, + cn=accounts,$SUFFIX";)' + # Taskgroup for updating the DNS entries dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX add:objectClass: top add:objectClass: groupofnames -add:cn: manage_host_keytab +add:cn: update_sn add:description: Updates DNS add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX' add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX' |