-rw-r--r--install/share/default-aci.ldif2
-rw-r--r--ipaserver/install/plugins/Makefile.am1
-rw-r--r--ipaserver/install/plugins/update_anonymous_aci.py81
3 files changed, 83 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index f3ed39599..3e6c10077 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,7 @@
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index d29103a90..a0c62ca70 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -9,6 +9,7 @@ app_PYTHON = \
dns.py \
updateclient.py \
update_services.py \
+ update_anonymous_aci.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
new file mode 100644
index 000000000..2b7446ad0
--- /dev/null
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -0,0 +1,81 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from copy import deepcopy
+from ipaserver.install.plugins import FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PostUpdate
+#from ipalib.frontend import Updater
+#from ipaserver.install.plugins import baseupdate
+from ipalib import api
+from ipalib.aci import ACI
+from ipalib.plugins import aci
+from ipapython.ipa_log_manager import *
+
+class update_anonymous_aci(PostUpdate):
+ """
+ Update the Anonymous ACI to ensure that all secrets are protected.
+ """
+ order = FIRST
+
+ def execute(self, **options):
+ aciname = u'Enable Anonymous access'
+ aciprefix = u'none'
+ ldap = self.obj.backend
+
+ (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
+
+ acistrs = entry_attrs.get('aci', [])
+ acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
+ rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
+
+ attrs = rawaci.target['targetattr']['expression']
+
+ update_attrs = deepcopy(attrs)
+
+ needed_attrs = []
+ for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
+ if attr not in attrs:
+ needed_attrs.append(attr)
+
+ update_attrs.extend(needed_attrs)
+ if len(attrs) == len(update_attrs):
+ root_logger.debug("Anonymous ACI already update-to-date")
+ return (False, False, [])
+ else:
+ root_logger.debug("New Anonymous ACI attributes needed: %s",
+ needed_attrs)
+
+ for tmpaci in acistrs:
+ candidate = ACI(tmpaci)
+ if rawaci.isequal(candidate):
+ acistrs.remove(tmpaci)
+ break
+
+ rawaci.target['targetattr']['expression'] = update_attrs
+ acistrs.append(unicode(rawaci))
+ entry_attrs['aci'] = acistrs
+
+ try:
+ ldap.update_entry(dn, entry_attrs)
+ except Exception, e:
+ root_logger.error("Failed to update Anonymous ACI: %s" % e)
+
+ return (False, False, [])
+
+api.register(update_anonymous_aci)
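Review bot: The `except Exception, e:` branch around `ldap.update_entry(dn, entry_attrs)` logs the failure and then falls through to the same `return (False, False, [])` as the success path, so an upgrade that leaves ipaNTTrustAuthOutgoing/ipaNTTrustAuthIncoming readable by anonymous binds still finishes as a clean update; unless PostUpdate's return contract (not visible here) has another way to signal failure, the handler should re-raise after logging, e.g. `root_logger.error("Failed to update Anonymous ACI: %s", e)` followed by `raise`, which also brings the message in line with the lazy `%s` argument style used on the debug call above. Earlier in execute, `rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)` is dereferenced on the next statement without a guard; if that helper can return None when the "Enable Anonymous access" ACI is absent, the plugin dies with an AttributeError rather than a message naming the missing ACI. The `if attr not in attrs:` membership test is case-sensitive while LDAP attribute type names are not, so an existing ACI that already lists one of the two names in different case would presumably get a duplicate entry appended — worth a case-insensitive comparison or a comment stating the assumption. Minor: `entry_attrs.get('aci', [])` is evaluated twice; the second call can reuse `acistrs`, and the two commented-out imports can be dropped.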