author | rcritten@redhat.com <rcritten@redhat.com> | 2007-08-06 10:05:53 -0400 |
---|---|---|
committer | rcritten@redhat.com <rcritten@redhat.com> | 2007-08-06 10:05:53 -0400 |
commit | 993f76fe6035cf59cceb88f3611fc53680738007 (patch) | |
tree | 17bb5afed002709bd322f5fe7e99e473adc1d018 /ipa-server/ipa-install | |
parent | 66ab69d0b23da46b21dbb4bf165011f318ec2da8 (diff) | |
- Abstracted client class to work directly or over RPC
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication
- Update tools to use kerberos
- Add User class
Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/Makefile | 3 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 3 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-setupssl | 68 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 23 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/certmap.conf.template | 82 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 3 | ||||
-rw-r--r-- | ipa-server/ipa-install/test/Makefile | 8 | ||||
-rw-r--r-- | ipa-server/ipa-install/test/test-users-template.ldif (renamed from ipa-server/ipa-install/test/test-users.ldif) | 12 |
8 files changed, 144 insertions, 58 deletions
diff --git a/ipa-server/ipa-install/Makefile b/ipa-server/ipa-install/Makefile index 0d4953976..877ae09cc 100644 --- a/ipa-server/ipa-install/Makefile +++ b/ipa-server/ipa-install/Makefile @@ -6,7 +6,8 @@ install: install -m 755 ipa-server-install $(SBINDIR) install -m 755 ipa-server-setupssl $(SBINDIR) $(MAKE) -C share $@ + $(MAKE) -C test $@ clean: $(MAKE) -C share $@ - rm -f *~ *.pyc
\ No newline at end of file + rm -f *~ *.pyc diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index fbf3fd054..2fa9182bc 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -119,6 +119,9 @@ def main(): # Restart apache run(["/sbin/service", "httpd", "restart"]) + # Set apache to be on at boot + run(["/sbin/chkconfig", "httpd", "on"]) + # Create the config file fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") diff --git a/ipa-server/ipa-install/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl index f75327907..d7eb6f39f 100644 --- a/ipa-server/ipa-install/ipa-server-setupssl +++ b/ipa-server/ipa-install/ipa-server-setupssl @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash if [ "$1" ] ; then password=$1 @@ -49,22 +49,14 @@ if [ -f $secdir/cert8.db ] ; then needServerCert=1 fi - # look for admin server cert - if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then - echo "Using existing admin server-cert" - else - echo "No Admin Server Cert found - will create new one" - needASCert=1 - fi prefix="new-" prefixarg="-P $prefix" else needCA=1 needServerCert=1 - needASCert=1 fi -if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then +if test -z "$needCA" -a -z "$needServerCert" ; then echo "No certs needed - exiting" exit 0 fi 
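Review bot: `install` now recurses into `test` but `clean` still only runs `$(MAKE) -C share $@`, so `make clean` leaves whatever the new test/Makefile produces untouched; add a matching `$(MAKE) -C test $@` line under `clean:`. Recursing into `test` from the production `install` target also means the test fixtures are installed on every build (see the new test/Makefile in this commit), which is presumably intended but deserves a one-line comment on the added line, e.g. `# test fixtures are installed alongside the share templates`. Whether `install` and `clean` are declared `.PHONY` is outside the hunk.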
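Review bot: The early exit `if test -z "$needCA" -a -z "$needServerCert" ; then` no longer has a flag for the webservice client certificate that the `@@ -120,17 +112,17 @@` hunk now generates unconditionally, so a re-run against an existing cert8.db that already holds Server-Cert prints "No certs needed - exiting" and never creates webservice, cert.pem or key.pem, while a run that does need a server cert would attempt to regenerate webservice (fixed serial `-m 1002`) even if it is present. The removed admin-server block had the right shape; reinstate it for the webservice nickname, include the flag in the exit test, and wrap the generation in the later hunk in `if test -n "$needWSCert" ; then … fi`. The enclosing `if [ -f $secdir/cert8.db ]` block starts before this hunk.
```shell
    # look for the web service client cert
    if certutil -L -d $secdir -n "webservice" 2> /dev/null ; then
        echo "Using existing webservice cert"
    else
        echo "No webservice cert found - will create new one"
        needWSCert=1
    fi
    # … unchanged: prefix handling …
else
    needCA=1
    needServerCert=1
    needWSCert=1
fi

if test -z "$needCA" -a -z "$needServerCert" -a -z "$needWSCert" ; then
```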
@@ -120,17 +112,17 @@ if test -n "$needServerCert" ; then certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt fi -if test -n "$needASCert" ; then -# Generate the admin server certificate - certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +# 8. Generate the web service client certificate: + echo -e "0\n2\n9\nn\n0\n9\nn\n" | certutil -S $prefixarg -n webservice -s "uid=webservice, CN=Web Service, OU=Fedora Directory Server" -c "CA certificate" -t u,pu,u -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -1 -5 -# export the admin server certificate/private key for import into its key/cert db - pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/adminserver.p12 - fi - chmod 400 $secdir/adminserver.p12 -fi + pk12util -d $secdir $prefixarg -o $secdir/webservice.p12 -n "webservice" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt + + openssl pkcs12 -in $secdir/webservice.p12 -clcerts -nokeys -out /usr/share/ipa/cert.pem -passin file:$secdir/pwdfile.txt + openssl pkcs12 -in $secdir/webservice.p12 -nocerts -nodes -out /usr/share/ipa/key.pem -passin file:$secdir/pwdfile.txt + + cp -p $secdir/cacert.asc /usr/share/ipa + chown apache:apache /usr/share/ipa/cert.pem /usr/share/ipa/key.pem /usr/share/ipa/cacert.asc + chmod 600 /usr/share/ipa/cert.pem /usr/share/ipa/key.pem # create the pin file if [ ! -f $secdir/pin.txt ] ; then 
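Review bot: `openssl pkcs12 … -nocerts -nodes -out /usr/share/ipa/key.pem` writes the unencrypted private key with the caller's umask, and only the later `chmod 600 /usr/share/ipa/cert.pem /usr/share/ipa/key.pem` tightens it, so between those two commands the key can be readable by any local user. Put `umask 077` before the two `openssl` lines (the following `chown apache:apache` and `chmod` still work) so key.pem is never created with wider permissions. The piped `echo -e "0\n2\n9\nn\n0\n9\nn\n"` appears to answer certutil's interactive prompts for the `-1`/`-5` extensions; a comment stating which extension values those answers select would save the next reader from re-deriving them. Keeping a private key under /usr/share/ipa rather than a configuration or state directory is unusual and worth a comment if it is deliberate.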
@@ -153,42 +145,6 @@ if [ -n "$prefix" ] ; then mv $secdir/${prefix}key3.db $secdir/key3.db fi -# create the admin server key/cert db -asprefix=admin-serv- -if [ ! -f ${asprefix}cert8.db ] ; then - certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/admin-serv-*.db - fi - chmod 600 $secdir/admin-serv-*.db -fi - -if test -n "$needASCert" ; then -# import the admin server key/cert - pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt - -# import the CA cert to the admin server cert db - certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc -fi - -if [ ! -f $secdir/password.conf ] ; then -# create the admin server password file - echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf - if test -n "$isroot" ; then - chown $uid:$gid $secdir/password.conf - fi - chmod 400 $secdir/password.conf -fi - -# tell admin server to use the password file -if [ -f ../admin-serv/config/nss.conf ] ; then - sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf - if test -n "$isroot" ; then - chown $uid:$gid ../admin-serv/config/nss.conf - fi - chmod 400 ../admin-serv/config/nss.conf -fi - # enable SSL in the directory server ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index d83f715bb..444a29d44 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif 
@@ -31,3 +31,26 @@ ou: groups #objectClass: top #ou: computers +dn: ou=special,$SUFFIX +changetype: add +objectClass: organizationalUnit +objectClass: top +ou: special + +dn: uid=webservice,ou=special,$SUFFIX +changetype: add +uid: webservice +objectClass: account +objectClass: top +objectClass: inetOrgPerson +objectClass: organizationalPerson +objectClass: person +cn: Web Service +sn: Service + +dn: cn=admin,ou=groups,ou=default,$SUFFIX +changetype: add +description: ou=users administrators +objectClass: top +objectClass: groupofuniquenames +cn: admin diff --git a/ipa-server/ipa-install/share/certmap.conf.template b/ipa-server/ipa-install/share/certmap.conf.template new file mode 100644 index 000000000..676d3ef35 --- /dev/null +++ b/ipa-server/ipa-install/share/certmap.conf.template 
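Review bot: The new `uid=webservice,ou=special,$SUFFIX` entry has no comment explaining that it is the identity the XML-RPC server binds as through the client certificate mapped by certmap.conf, which is why it deliberately carries no userPassword; add one above the entry, e.g. `# Service identity for the XML-RPC server; authenticates by client certificate (see certmap.conf), so no userPassword is set`. `cn=admin,ou=groups,ou=default,$SUFFIX` is created as `groupofuniquenames` with no `uniqueMember`; RFC 4519 makes uniqueMember mandatory while Fedora/389 DS relaxes it, so confirm the bootstrap load accepts an empty group, and a comment noting that members are added elsewhere (the test template adds uid=test) would make the intent clear.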
@@ -0,0 +1,82 @@ +# +# BEGIN COPYRIGHT BLOCK +# This Program is free software; you can redistribute it and/or modify it under +# the terms of the GNU General Public License as published by the Free Software +# Foundation; version 2 of the License. +# +# This Program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along with +# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple +# Place, Suite 330, Boston, MA 02111-1307 USA. +# +# In addition, as a special exception, Red Hat, Inc. gives You the additional +# right to link the code of this Program with code not covered under the GNU +# General Public License ("Non-GPL Code") and to distribute linked combinations +# including the two, subject to the limitations in this paragraph. Non-GPL Code +# permitted under this exception must only link to the code of this Program +# through those well defined interfaces identified in the file named EXCEPTION +# found in the source code files (the "Approved Interfaces"). The files of +# Non-GPL Code may instantiate templates or use macros or inline functions from +# the Approved Interfaces without causing the resulting work to be covered by +# the GNU General Public License. Only Red Hat, Inc. may make changes or +# additions to the list of Approved Interfaces. You must obey the GNU General +# Public License in all respects for all of the Program code and other code used +# in conjunction with the Program except the Non-GPL Code covered by this +# exception. If you modify this file, you may extend this exception to your +# version of the file, but you are not obligated to do so. 
If you do not wish to +# provide this exception without modification, you must delete this exception +# statement from your version and license this file solely under the GPL without +# exception. +# +# +# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. +# Copyright (C) 2005 Red Hat, Inc. +# All rights reserved. +# END COPYRIGHT BLOCK +# +# +# This file configures how a certificate is mapped to an LDAP entry. See the +# documentation for more information on this file. +# +# The format of this file is as follows: +# certmap <name> <issuerDN> +# <name>:<prop1> [<val1>] +# <name>:<prop2> [<val2>] +# +# Notes: +# +# 1. Mapping can be defined per issuer of a certificate. If mapping doesn't +# exists for a particular 'issuerDN' then the server uses the default +# mapping. +# +# 2. There must be an entry for <name>=default and issuerDN "default". +# This mapping is the default mapping. +# +# 3. '#' can be used to comment out a line. +# +# 4. DNComps & FilterComps are used to form the base DN and filter resp. for +# performing an LDAP search while mapping the cert to a user entry. +# +# 5. DNComps can be one of the following: +# commented out - take the user's DN from the cert as is +# empty - search the entire LDAP tree (DN == suffix) +# attr names - a comma separated list of attributes to form DN +# +# 6. FilterComps can be one of the following: +# commented out - set the filter to "objectclass=*" +# empty - set the filter to "objectclass=*" +# attr names - a comma separated list of attributes to form the filter +# + +certmap default default +#default:DNComps +#default:FilterComps e, uid +#default:verifycert on +#default:CmapLdapAttr certSubjectDN +#default:library <path_to_shared_lib_or_dll> +#default:InitFn <Init function's name> +default:DNComps +default:FilterComps uid diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index dc729ceb1..7870461b7 100644 
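Review bot: The active mapping `default:DNComps` (empty, search from the suffix) plus `default:FilterComps uid` identifies the bound entry purely from the certificate subject, and `#default:verifycert on` stays commented out, so the server never compares the presented certificate against a `userCertificate` attribute on the mapped entry: any certificate issued by the trusted CA whose subject carries a `uid` maps to that user. If that is acceptable because only ipa-server-setupssl issues certificates from this CA, say so in a comment next to the two active lines; otherwise enable `default:verifycert on` and publish the webservice certificate into its entry's userCertificate attribute. The "If you do not wish to" line break in the license header is a rendering artefact, not part of the file.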
--- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -6,3 +6,6 @@ aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTP aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";) aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow(read, search,compare)userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";) aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";) +aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) +aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) +aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) diff --git a/ipa-server/ipa-install/test/Makefile b/ipa-server/ipa-install/test/Makefile new file mode 100644 index 000000000..696ae771e --- /dev/null +++ b/ipa-server/ipa-install/test/Makefile @@ -0,0 +1,8 @@ +SHAREDIR = $(DESTDIR)/usr/share/ipa + +install: + -mkdir -p $(SHAREDIR) + install -m 644 *.ldif $(SHAREDIR) + +clean: + rm -f *~ 
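Review bot: The third ACI grants webservice read/search on `targetattr="userPrincipal"`, but the user entries in this commit store the principal as `krbPrincipalName` (test-users-template.ldif adds `krbPrincipalName: test@$REALM`), so unless the schema defines a userPrincipal attribute the lookup the acl name describes will be denied; change it to `(targetattr="krbPrincipalName")`. The first ACI lets webservice `allow (proxy)` as any `uid=*,ou=users,ou=default,$SUFFIX` with `targetattr="*"`, which makes the webservice key.pem equivalent to every user's authority in that subtree; a one-line comment above it stating that the web service acts on behalf of the Kerberos-authenticated caller would make that trust model explicit to whoever reads the ACIs next.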
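Review bot: `-mkdir -p $(SHAREDIR)` ignores errors that `mkdir -p` only raises for real problems (no permission, a file in the way), after which the following `install` fails with a less useful message; drop the leading `-`. `install -m 644 *.ldif $(SHAREDIR)` ships every ldif in the test directory into the same /usr/share/ipa the production templates go to, so a stray or scratch file is installed as well; naming the file explicitly, `install -m 644 test-users-template.ldif $(SHAREDIR)`, avoids that. `install` and `clean` should also be declared with `.PHONY: install clean`, and a header comment saying this directory holds test fixtures only would explain why it has its own Makefile.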
diff --git a/ipa-server/ipa-install/test/test-users.ldif b/ipa-server/ipa-install/test/test-users-template.ldif index 424eedb55..0057d9766 100644 --- a/ipa-server/ipa-install/test/test-users.ldif +++ b/ipa-server/ipa-install/test/test-users-template.ldif @@ -1,5 +1,6 @@ # test, users, default, $REALM dn: uid=test,ou=users,ou=default,$SUFFIX +changetype: add uidNumber: 1001 uid: test gecos: test @@ -13,8 +14,17 @@ shadowInactive: -1 shadowLastChange: 13655 shadowFlag: -1 gidNumber: 100 +objectclass: krbPrincipalAux +objectclass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: account objectClass: top -cn: test +cn: Test User +sn: User +krbPrincipalName: test@$REALM + +dn: cn=admin,ou=groups,ou=default,$SUFFIX +changetype: modify +add: uniqueMember +uniqueMember: uid=test,ou=users,ou=default,$SUFFIX |
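Review bot: The new `changetype: modify` adds `uid=test` to `cn=admin,ou=groups,ou=default,$SUFFIX`, which the default-aci change in this commit grants add/delete/write over every entry under ou=users, and the test Makefile installs this template next to the production ones in /usr/share/ipa; a header comment stating that the file is test-only data and must not be loaded on a deployed server would make that explicit (whether anything loads it automatically is outside this diff). The added `objectclass: krbPrincipalAux` and `objectclass: inetOrgPerson` lines use lowercase `objectclass` while the existing lines use `objectClass`; attribute names are case-insensitive, but matching the file's convention reads better.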