diff options
| -rwxr-xr-x | ipa-client/freeipa-client.spec | 4 | ||||
| -rw-r--r-- | ipa-client/freeipa-client.spec.in | 4 | ||||
| -rw-r--r-- | ipa-client/ipa-install/ipa-client-install | 113 | ||||
| -rw-r--r-- | ipa-client/ipaclient/__init__.py | 5 | ||||
| -rw-r--r-- | ipa-client/ipaclient/ipachangeconf.py | 248 | ||||
| -rw-r--r-- | ipa-client/ipaclient/ipadiscovery.py | 15 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 80 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 15 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/kerberos.ldif | 31 | ||||
| -rw-r--r-- | ipa-server/ipa-install/test/test-users-template.ldif | 18 | ||||
| -rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 4 |
11 files changed, 443 insertions, 94 deletions
diff --git a/ipa-client/freeipa-client.spec b/ipa-client/freeipa-client.spec index f8db90dcf..f76725783 100755 --- a/ipa-client/freeipa-client.spec +++ b/ipa-client/freeipa-client.spec @@ -1,6 +1,6 @@ Name: freeipa-client Version: 0.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: FreeIPA client Group: System Environment/Base @@ -9,7 +9,7 @@ URL: http://www.freeipa.org Source0: %{name}-%{version}.tgz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: python python-ldap freeipa-python +Requires: python python-ldap python-krbV freeipa-python %description FreeIPA is a server for identity, policy, and audit. diff --git a/ipa-client/freeipa-client.spec.in b/ipa-client/freeipa-client.spec.in index 0f733bef2..ed7fb3a5d 100644 --- a/ipa-client/freeipa-client.spec.in +++ b/ipa-client/freeipa-client.spec.in @@ -1,6 +1,6 @@ Name: freeipa-client Version: VERSION -Release: 1%{?dist} +Release: 2%{?dist} Summary: FreeIPA client Group: System Environment/Base @@ -9,7 +9,7 @@ URL: http://www.freeipa.org Source0: %{name}-%{version}.tgz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: python python-ldap freeipa-python +Requires: python python-ldap python-krbV freeipa-python %description FreeIPA is a server for identity, policy, and audit. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 0f399c48f..70c0027d4 100644 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -24,10 +24,12 @@ VERSION = "%prog .1" import sys sys.path.append("/usr/share/ipa") +import krbV import socket import logging from optparse import OptionParser import ipaclient.ipadiscovery +import ipaclient.ipachangeconf from ipaserver.util import run def parse_options(): @@ -35,10 +37,12 @@ def parse_options(): parser.add_option("--domain", dest="domain", help="domain name") parser.add_option("--server", dest="server", help="IPA server") parser.add_option("--realm", dest="realm_name", help="realm name") + parser.add_option("-f", "--force", dest="force", action="store_true", + default=False, help="force setting of ldap/kerberos conf") parser.add_option("-d", "--debug", dest="debug", action="store_true", - dest="debug", default=False, help="print debugging information") + default=False, help="print debugging information") parser.add_option("-U", "--unattended", dest="unattended", - help="unattended installation never prompts the user") + help="unattended installation never prompts the user") options, args = parser.parse_args() @@ -66,6 +70,7 @@ def logging_setup(options): def main(): options = parse_options() logging_setup(options) + dnsok = True # Create the discovery instance ds = ipaclient.ipadiscovery.IPADiscovery() @@ -85,24 +90,98 @@ def main(): print "Failed to determine your DNS domain (DNS misconfigured?)" dom = raw_input("Please provide your domain name (ex: example.com): ") ret = ds.search(domain=dom) - if ret == -2: - logging.debug("IPA Server not found") - if options.server: - srv = options.server - elif options.unattended: - return ret - else: - print "Failed to find the IPA Server (DNS misconfigured?)" - srv = raw_input("Please provide your server name (ex: ipa.example.com): ") - ret = ds.search(domain=dom, server=srv) - if ret != 0: - print "Failed to verify that "+srv+" is an IPA Server, aborting!" - return ret - - print "Discovery was successful!" + if ret == -2: + dnsok = False + logging.debug("IPA Server not found") + if options.server: + srv = options.server + elif options.unattended: + return ret + else: + print "Failed to find the IPA Server (DNS misconfigured?)" + srv = raw_input("Please provide your server name (ex: ipa.example.com): ") + ret = ds.search(domain=dom, server=srv) + if ret != 0: + print "Failed to verify that "+srv+" is an IPA Server, aborting!" + return ret + + if dnsok: + print "Discovery was successful!" + elif not options.unattended: + print "\nThe failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured\n." + print "Autodiscovery of servers for failover cannot work with this configuration.\n" + print "If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure\n" + yesno = raw_input("Do you want to proceed and configure the system with fixed values with no DNS discovery? [y/N] ") + if yesno.lower() != "y": + return ret + print "\n" + print "Realm: "+ds.getRealmName() print "DNS Domain: "+ds.getDomainName() print "IPA Server: "+ds.getServerName() + print "BaseDN: "+ds.getBaseDN() + + # Configure ldap.conf + ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + opts = [{'name':'host', 'action':'comment'}, + {'name':'port', 'action':'comment'}, + {'name':'binddn', 'action':'comment'}, + {'name':'bindpw', 'action':'comment'}, + {'name':'rootbinddn', 'action':'comment'}, + {'name':'nss_base_passwd', 'value':ds.getBaseDN()+'?sub', 'action':'set'}, + {'name':'nss_base_group', 'value':ds.getBaseDN()+'?sub', 'action':'set'}, + {'name':'base', 'value':ds.getBaseDN(), 'action':'set'}, + {'name':'ldap_version', 'value':'3', 'action':'set'}] + if dnsok and not options.force: + opts.insert(0, {'name':'uri', 'action':'comment'}) + else: + opts.append({'name':'uri', 'value':'ldap://'+ds.getServerName(), 'action':'set'}) + ldapconf.setOptionAssignment(" ") + ldapconf.changeConf("/etc/ldap.conf", opts) + + #Check if kerberos is already configured properly + krbctx = krbV.default_context() + # If we find our domain assume we are properly configured + #(ex. we are configuring the client side of a Master) + if not krbctx.default_realm == ds.getRealmName() or options.force: + + #Configure krb5.conf + krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + krbconf.setOptionAssignment(" = ") + krbconf.setSectionNameDelimiters(("[","]")) + + #[libdefaults] + opts = [{'name':'default_realm', 'value':ds.getRealmName(), 'action':'set'}, + {'name':'ticket_lifetime', 'value':'24h', 'action':'set'}, + {'name':'forwardable', 'value':'yes', 'action':'set'}] + if dnsok and not options.force: + opts.insert(1, {'name':'dns_lookup_realm', 'value':'true', 'action':'set'}) + opts.insert(2, {'name':'dns_lookup_kdc', 'value':'true', 'action':'set'}) + else: + opts.insert(1, {'name':'dns_lookup_realm', 'value':'false', 'action':'set'}) + opts.insert(2, {'name':'dns_lookup_kdc', 'value':'false', 'action':'set'}) + krbconf.changeConf("/etc/krb5.conf", opts, "libdefaults"); + + #the following are necessary only if DNS discovery does not work + if not dnsok or options.force: + #[realms] + opts = [{'name':ds.getRealmName(), 'value':'{', 'action':'set'}, + {'name':'kdc', 'value':ds.getServerName()+':88', 'action':'set'}, + {'name':'admin_server', 'value':ds.getServerName()+':749', 'action':'set'}, + # adding '\n}' is a dirty hack because we still don't have subsections support + {'name':'default_domain', 'value':ds.getDomainName()+'\n}', 'action':'set'}] + krbconf.changeConf("/etc/krb5.conf", opts, "realms"); + + #[domain_realm] + opts = [{'name':'.'+ds.getDomainName(), 'value':ds.getRealmName(), 'action':'set'}, + {'name':ds.getDomainName(), 'value':ds.getRealmName(), 'action':'set'}] + krbconf.changeConf("/etc/krb5.conf", opts, "domain_realm"); + + #Modify nsswitch to add nss_ldap + run(["/usr/sbin/authconfig", "--enableldap", "--update"]) + + #Modify pam to add pam_krb5 + run(["/usr/sbin/authconfig", "--enablekrb5", "--update"]) return 0 diff --git a/ipa-client/ipaclient/__init__.py b/ipa-client/ipaclient/__init__.py index 66a4eb14b..c07a549a5 100644 --- a/ipa-client/ipaclient/__init__.py +++ b/ipa-client/ipaclient/__init__.py @@ -1,6 +1,5 @@ #! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# see inline +# Authors: Simo Sorce <ssorce@redhat.com> # # Copyright (C) 2007 Red Hat # see file 'COPYING' for use and warranty information @@ -19,5 +18,5 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -__all__ = ["ipadiscovery"] +__all__ = ["ipadiscovery", "ipachangeconf", "dnsclient"] diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py new file mode 100644 index 000000000..646e0424e --- /dev/null +++ b/ipa-client/ipaclient/ipachangeconf.py @@ -0,0 +1,248 @@ +# +# ipachangeconf - configuration filke manipulation classes and functions +# partially based on authconfig code +# Copyright (c) 1999-2007 Red Hat, Inc. +# Author: Simo Sorce <ssorce@redhat.com> +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + +import fcntl +import os +import string +import time + +def openLocked(filename, perms): + fd = -1 + try: + fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) + + fcntl.lockf(fd, fcntl.LOCK_EX) + except OSError, (errno, strerr): + if fd != -1: + try: + os.close(fd) + except OSError: + pass + raise IOError(errno, strerr) + return os.fdopen(fd, "r+") + + + #TODO: add subsection as a concept + # (ex. REALM.NAME = { foo = x bar = y } ) + #TODO: put section delimiters as separating element of the list + # so that we can process multiple sections in one go + #TODO: add a comment all but provided options as a section option +class IPAChangeConf: + + def __init__(self, name): + self.progname = name + self.optpre = ("",) + self.doptpre = self.optpre[0] + self.assign = (" = ",) + self.dassign = self.assign[0] + self.comment = ("#",) + self.dcomment = self.comment[0] + self.eol = ("\n",) + self.deol = self.eol[0] + #self.sectnamdel = ("[","]") + self.sectnamdel = () + self.newsection = False + + def setProgName(self, name): + self.progname = name + + def setOptionPrefix(self, prefix): + if type(prefix) is list: + self.optpre = prefix + else: + self.optpre = (prefix, ) + self.doptpre = self.optpre[0] + + def setOptionAssignment(self, assign): + if type(assign) is list: + self.assign = assign + else: + self.assign = (assign, ) + self.dassign = self.assign[0] + + def setCommentPrefix(self, comment): + if type(comment) is list: + self.comment = comment + else: + self.comment = (comment, ) + self.dcomment = self.comment[0] + + def setEndLine(self, eol): + if type(eol) is list: + self.eol = eol + else: + self.eol = (eol, ) + self.deol = self.eol[0] + + def setSectionNameDelimiters(self, delims): + self.sectnamdel = delims + + def confDump(self, options): + output = "" + + #pre conf options delimiter + output += self.deol + output += self.dcomment+"["+self.progname+"]--start-line--"+self.deol + output += self.dcomment+" Generated by authconfig on " + time.strftime("%Y/%m/%d %H:%M:%S") + self.deol + output += self.dcomment+" DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)"+self.deol + output += self.dcomment+" Any modification may be deleted or altered by authconfig in future"+self.deol + output += self.deol + + if self.newsection: + output += getSectionLine(section) + + #set options + for opt in options: + if opt['action'] == "set": + output += self.doptpre+opt['name']+self.dassign+opt['value']+self.deol + + #post conf options delimiter + output += self.deol + output += self.dcomment+"["+self.progname+"]--end-line--"+self.deol + output += self.deol + + return output + + def matchAutoEnd(self, line): + if line.endswith("]--end-line--"): + return True + return False + + def matchAutoStart(self, line): + if line.endswith("]--start-line--"): + return True + return False + + def matchComment(self, line): + for v in self.comment: + if line.strip().startswith(v): + return True + return False + + def matchLineOption(self, line, opt): + parts = line.split(self.dassign, 1) + if len(parts) < 2: + return False + elif parts[0].split() == opt['name'].split(): + return True + else: + return False + + def matchSection(self, line): + cl = "".join(line.strip().split()).lower() + if len(self.sectnamdel) != 2: + return False + if not cl.startswith(self.sectnamdel[0]): + return False + if not cl.endswith(self.sectnamdel[1]): + return False + return cl[len(self.sectnamdel[0]):-len(self.sectnamdel[1])] + + def getSectionLine(self, section): + if len(self.sectnamdel) != 2: + return section + return self.sectnamdel[0]+section+self.sectnamdel[1]+self.deol + + def checkLineOption(self, line, options): + output = "" + + # Check if this is a setting we care about. + for opt in options: + if self.matchLineOption(line.strip(), opt): + output = self.dcomment + break + + output += line + return output; + + # Write settings to configuration file + # file is a path + # options is a set of dictionaries in the form: + # [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}] + # section is a section name like 'global' + def changeConf(self, file, options, section=None): + autosection = False + savedsection = None + done = False + output = "" + f = None + try: + f = openLocked(file, 0644) + + # Read in the old file. + for line in f: + + if autosection: + if self.matchAutoEnd(line): + autosection = False + #skip all previous auto-generated lines + continue + + if self.matchAutoStart(line): + autosection = True + continue + + # If it's a comment, just pass it through. + if self.matchComment(line): + output += line + continue + + # If it's a section start, note the section name. + value = self.matchSection(line) + if value: + + # Here we are at start if a new section, if the previous one matches + # the specified section, dump here before starting the new one + # the comparison with section == None is intentional and matches the + # request to dump the options at the end of an implicit initial + # unmarked section before any section is started + if savedsection == section: + output += self.confDump(options) + done = True + + savedsection = value + output += line + continue + + # Comment out options we care about. + if savedsection == section: + output += self.checkLineOption(line, options) + continue + + # Copy anything else as is. + output += line + + if not done: + if section: + self.newsection = True + output += self.confDump(options) + + # Write it out and close it. + f.seek(0) + f.truncate(0) + f.write(output) + finally: + try: + if f: + f.close() + except IOError: + pass + return True diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 312c8ba4b..6f44ffd1b 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -30,6 +30,7 @@ class IPADiscovery: self.realm = None self.domain = None self.server = None + self.basedn = None def getServerName(self): return str(self.server) @@ -40,6 +41,9 @@ class IPADiscovery: def getRealmName(self): return str(self.realm) + def getBaseDN(self): + return str(self.basedn) + def search(self, domain = "", server = ""): hostname = "" qname = "" @@ -127,10 +131,10 @@ class IPADiscovery: lret = lh.search_s("", ldap.SCOPE_BASE, "(objectClass=*)") for lattr in lret[0][1]: if lattr.lower() == "namingcontexts": - lbase = lret[0][1][lattr][0] + self.basedn = lret[0][1][lattr][0] - logging.debug("Search for (info=*) in "+lbase+"(base)") - lret = lh.search_s(lbase, ldap.SCOPE_BASE, "(info=IPA*)") + logging.debug("Search for (info=*) in "+self.basedn+"(base)") + lret = lh.search_s(self.basedn, ldap.SCOPE_BASE, "(info=IPA*)") if not lret: return [] logging.debug("Found: "+str(lret)) @@ -144,8 +148,8 @@ class IPADiscovery: return [] #search and return known realms - logging.debug("Search for (objectClass=krbRealmContainer) in "+lbase+"(sub)") - lret = lh.search_s("cn=kerberos,"+lbase, ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)") + logging.debug("Search for (objectClass=krbRealmContainer) in "+self.basedn+"(sub)") + lret = lh.search_s("cn=kerberos,"+self.basedn, ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)") if not lret: #something very wrong return [] @@ -235,5 +239,4 @@ class IPADiscovery: else: kdc = qname - print "["+realm+", "+kdc+"]" return [realm, kdc] diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index 2986f3ab0..7416aaece 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -4,55 +4,77 @@ add: objectClass objectClass: pilotObject info: IPA V1.0 -# default, $REALM -dn: ou=default,$SUFFIX +dn: cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: default +objectClass: nsContainer +cn: accounts -# users, default, $REALM -dn: ou=users,ou=default,$SUFFIX +dn: cn=users,cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: users +objectClass: nsContainer +cn: users -# groups, default, $REALM -dn: ou=groups,ou=default,$SUFFIX +dn: cn=groups,ou=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: groups +objectClass: nsContainer +cn: groups -# computers, default, $REALM -#dn: ou=computers,ou=default,$SUFFIX -#objectClass: organizationalUnit +#dn: cn=computers,cn=accounts,$SUFFIX #objectClass: top -#ou: computers +#objectClass: nsContainer +#cn: computers -dn: ou=special,$SUFFIX +dn: cn=etc,$SUFFIX changetype: add -objectClass: organizationalUnit +objectClass: nsContainer objectClass: top -ou: special +cn: etc -dn: uid=webservice,ou=special,$SUFFIX +dn: cn=sysaccounts,cn=etc,$SUFFIX changetype: add -uid: webservice +objectClass: nsContainer +objectClass: top +cn: sysaccounts + +dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX +changetype: add +objectClass: top objectClass: account +uid: webservice + +dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX +changetype: add objectClass: top -objectClass: inetOrgPerson -objectClass: organizationalPerson objectClass: person -cn: Web Service -sn: Service +objectClass: posixAccount +objectClass: KrbPrincipalAux +uid: admin +krbPrincipalName: admin@$REALM +cn: Administrator +sn: Administrator +uidNumber: 1000 +gidNumber: 1001 +homeDirectory: /home/admin +loginShell: /bin/bash +gecos: Administrator + +dn: cn=admins,cn=groups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofuniquenames +objectClass: posixGroup +cn: Account Admins +description: Account administrators group +gidNumber: 1001 +uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX -dn: cn=admin,ou=groups,ou=default,$SUFFIX +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: add -description: ou=users administrators objectClass: top objectClass: groupofuniquenames objectClass: posixGroup -gidNumber: 500 -cn: admin +gidNumber: 1002 +cn: ipausers diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 2b05e102a..9ed65a43c 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -3,12 +3,9 @@ dn: $SUFFIX changetype: modify replace: aci aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) -aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";) -aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";) -aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";) -aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) -aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) +aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) +aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif index ae4564f6f..d55f39ce4 100644 --- a/ipa-server/ipa-install/share/kerberos.ldif +++ b/ipa-server/ipa-install/share/kerberos.ldif @@ -1,26 +1,35 @@ -#kerberos base object -dn: cn=kerberos,$SUFFIX -changetype: add -objectClass: krbContainer -objectClass: top -cn: kerberos -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";) - #kerberos user -dn: uid=kdc,cn=kerberos,$SUFFIX +dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX changetype: add objectclass: account objectclass: simplesecurityobject uid: kdc userPassword: $PASSWORD +#kerberos base object +dn: cn=kerberos,$SUFFIX +changetype: add +objectClass: krbContainer +objectClass: top +cn: kerberos +aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) + #sasl mapping -dn: cn=kerberos,cn=mapping,cn=sasl,cn=config +dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config changetype: add objectclass: top objectclass: nsSaslMapping -cn: kerberos +cn: Full Principal nsSaslMapRegexString: \(.*\)@\(.*\) nsSaslMapBaseDNTemplate: $SUFFIX nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2) +dn: cn=Name Only,cn=mapping,cn=sasl,cn=config +changetype: add +objectclass: top +objectclass: nsSaslMapping +cn: Name Only +nsSaslMapRegexString: \(.*\) +nsSaslMapBaseDNTemplate: $SUFFIX +nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM) + diff --git a/ipa-server/ipa-install/test/test-users-template.ldif b/ipa-server/ipa-install/test/test-users-template.ldif index 0057d9766..f5573d839 100644 --- a/ipa-server/ipa-install/test/test-users-template.ldif +++ b/ipa-server/ipa-install/test/test-users-template.ldif @@ -1,30 +1,22 @@ # test, users, default, $REALM -dn: uid=test,ou=users,ou=default,$SUFFIX +dn: uid=test,cn=users,cn=accounts,$SUFFIX changetype: add -uidNumber: 1001 +uidNumber: 1003 uid: test gecos: test homeDirectory: /home/test loginShell: /bin/bash -shadowMin: 0 -shadowWarning: 7 -shadowMax: 99999 -shadowExpire: -1 -shadowInactive: -1 -shadowLastChange: 13655 -shadowFlag: -1 -gidNumber: 100 +gidNumber: 1002 objectclass: krbPrincipalAux objectclass: inetOrgPerson objectClass: posixAccount -objectClass: shadowAccount objectClass: account objectClass: top cn: Test User sn: User krbPrincipalName: test@$REALM -dn: cn=admin,ou=groups,ou=default,$SUFFIX +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: modify add: uniqueMember -uniqueMember: uid=test,ou=users,ou=default,$SUFFIX +uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index fd95470b0..8601bbf8a 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -37,8 +37,8 @@ import re # Need a global to store this between requests _LDAPPool = None -DefaultUserContainer = "ou=users,ou=default" -DefaultGroupContainer = "ou=groups,ou=default" +DefaultUserContainer = "cn=users,cn=accounts" +DefaultGroupContainer = "cn=groups,cn=accounts" # # Apache runs in multi-process mode so each process will have its own |