-rw-r--r--install/share/60basev2.ldif2
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/delegation.ldif348
-rw-r--r--install/share/dns.ldif1
-rw-r--r--install/updates/40-delegation.update20
-rw-r--r--ipaserver/install/bindinstance.py58
-rw-r--r--ipaserver/install/dsinstance.py4
7 files changed, 432 insertions, 2 deletions
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index b151bf3fa..03607308b 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -5,7 +5,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis
attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'enrollmentPwd' DESC 'Password used to bulk enroll machines' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.43 NAME 'fqdn' DESC 'FQDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 511f8f3ab..df329d00f 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,6 +13,7 @@ app_DATA = \
caJarSigningCert.cfg.template \
default-aci.ldif \
default-keytypes.ldif \
+ delegation.ldif \
dns.ldif \
kerberos.ldif \
indices.ldif \
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
new file mode 100644
index 000000000..1539ae1d5
--- /dev/null
+++ b/install/share/delegation.ldif
@@ -0,0 +1,348 @@
+dn: cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: rolegroups
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: taskgroups
+
+# Add the default roles
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: helpdesk
+description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: useradmin
+description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: groupadmin
+description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: hostadmin
+description: Host Administrators
+
+dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: hostgroupadmin
+description: Host Group Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: delegationadmin
+description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: serviceadmin
+description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: automountadmin
+description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: netgroupadmin
+description: Netgroups Administrators
+
+dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: dnsadmin
+description: DNS Administrators
+
+dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: dnsserver
+description: DNS Servers
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addusers
+description: Add Users
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: change_password
+description: Change a user password
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: add_user_to_default_group
+description: Add user to default group
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeusers
+description: Remove Users
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyusers
+description: Modify Users
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for group administration
+dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addgroups
+description: Add Groups
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removegroups
+description: Remove Groups
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifygroups
+description: Modify Groups
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifygroupmembership
+description: Modify Group membership
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for host administration
+dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addhosts
+description: Add Hosts
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removehosts
+description: Remove Hosts
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyhosts
+description: Modify Hosts
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for hostgroup administration
+dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addhostgroups
+description: Add Host Groups
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removehostgroups
+description: Remove Host Groups
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyhostgroups
+description: Modify Host Groups
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyhostgroupmembership
+description: Modify Host Group membership
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for service administration
+dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addservices
+description: Add Services
+member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeservices
+description: Remove Services
+member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for delegation administration
+# This just lets one manage taskgroup membership and create and delete roles
+dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addhrole
+description: Add Roles
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeroles
+description: Remove Roles
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyroles
+description: Modify Roles
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyrolegroupmembership
+description: Modify Role Group membership
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifytaskgroupmembership
+description: Modify Task Group membership
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for automount administration
+dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addautomount
+description: Add Automount maps/keys
+member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeautomount
+description: Remove Automount maps/keys
+member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for netgroup administration
+dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addnetgroups
+description: Add netgroups
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removenetgroups
+description: Remove netgroups
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifynetgroups
+description: Modify netgroups
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifynetgroupmembership
+description: Modify netgroup membership
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Taskgroup for retrieving host keytabs
+dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: manage_host_keytab
+description: Manage host keytab
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Taskgroup for updating the DNS entries
+dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: manage_host_keytab
+description: Updates DNS
+member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
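Review bot: Two task-group entries carry a `cn` value that does not match their own RDN: the entry at `dn: cn=addroles,cn=taskgroups,...` has `cn: addhrole`, and the entry at `dn: cn=update_dns,cn=taskgroups,...` has `cn: manage_host_keytab`, which is the name of the keytab task group defined just above it. Depending on how the server handles a missing naming-attribute value, the add is either rejected or the entry ends up with both `cn` values, so any search by `cn` (rather than by DN) could match the wrong delegation group. Change them to `cn: addroles` and `cn: update_dns`; the `40-delegation.update` file in this commit repeats the `update_dns` typo and should be fixed in the same change so fresh installs and upgrades agree.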
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 939f80dd2..85cf30853 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -3,6 +3,7 @@ changetype: add
objectClass: nsContainer
objectClass: top
cn: dns
+aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";)
dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
changetype: add
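Review bot: The ACI added on `cn=dns` grants `add`, `write` and `delete` on every attribute except `aci` of any `idnsRecord` entry under the container to the whole `update_dns` task group, and `delegation.ldif` in this same commit places the `dnsserver` role group, into which `bindinstance.py` adds each server's `DNS/<fqdn>` principal, in that group; every named instance therefore gets full write over all zones, not only the records it serves, and if `idnsZone` inherits from `idnsRecord` in the schema (not visible in this diff) the filter covers zone objects as well. That is a reasonable trade-off for dynamic updates, but it is an effective trust boundary and should be stated next to the ACI, e.g. `# Every DNS server principal (via cn=dnsserver) may add, modify and delete any DNS record in any zone`. A narrower grant for `dnsserver` listing only the record attributes instead of `targetattr != "aci"` would be preferable once the record schema is at hand, since the current form also permits rewriting `objectClass` and other structural attributes.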
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 78de12f7b..8532e5000 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -54,6 +54,18 @@ add:objectClass: groupofnames
add:cn: netgroupadmin
add:description: Netgroups Administrators
+dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: dnsadmin
+add:description: DNS Administrators
+
+dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: dnsserver
+add:description: DNS Servers
+
# Add the taskgroups referenced by the ACIs for user administration
dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -436,3 +448,11 @@ add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
cn=accounts,$SUFFIX";)'
+# Taskgroup for updating the DNS entries
+dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: manage_host_keytab
+add:description: Updates DNS
+add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
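Review bot: `add:cn: manage_host_keytab` on the `cn=update_dns` entry repeats the name of the keytab task group instead of the entry's own RDN and should read `add:cn: update_dns`. As written, an upgraded server carries a task group whose `cn` collides with `cn=manage_host_keytab`, so anything resolving these groups by `cn` could pick the wrong one. The same typo appears in the new `delegation.ldif`, so both files need the fix together.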
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 72d1102b6..d62fce12f 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -21,10 +21,14 @@ import string
import tempfile
import shutil
import os
+import pwd
import socket
import logging
+import installutils
+import ldap
import service
+from ipaserver import ipaldap
from ipapython import sysrestore
from ipapython import ipautil
from ipalib import util
@@ -45,6 +49,7 @@ def check_inst():
class BindInstance(service.Service):
def __init__(self, fstore=None, dm_password=None):
service.Service.__init__(self, "named", dm_password=dm_password)
+ self.named_user = None
self.fqdn = None
self.domain = None
self.host = None
@@ -57,7 +62,8 @@ class BindInstance(service.Service):
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
- def setup(self, fqdn, ip_address, realm_name, domain_name):
+ def setup(self, fqdn, ip_address, realm_name, domain_name, named_user="named"):
+ self.named_user = named_user
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
@@ -81,7 +87,11 @@ class BindInstance(service.Service):
except:
pass
+ # FIXME: this need to be split off, as only the first server can do
+ # this operation
self.step("Setting up our zone", self.__setup_zone)
+
+ self.step("Setting up kerberos principal", self.__setup_principal)
self.step("Setting up named.conf", self.__setup_named_conf)
self.step("restarting named", self.__start)
@@ -113,6 +123,52 @@ class BindInstance(service.Service):
self.backup_state("domain", self.domain)
self._ldap_mod("dns.ldif", self.sub_dict)
+ def __setup_principal(self):
+ dns_principal = "DNS/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(dns_principal)
+
+ # Store the keytab on disk
+ self.fstore.backup_file("/etc/named.keytab")
+ installutils.create_keytab("/etc/named.keytab", dns_principal)
+
+ # Make sure access is strictly reserved to the named user
+ pent = pwd.getpwnam(self.named_user)
+ os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid)
+ os.chmod("/etc/named.keytab", 0400)
+
+ # modify the principal so that it is marked as an ipa service so that
+ # it can host the memberof attribute, then also add it to the
+ # dnsserver role group, this way the DNS is allowed to perform
+ # DNS Updates
+ conn = None
+
+ try:
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.dm_password)
+ except Exception, e:
+ logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+ raise e
+
+ dns_princ_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (dns_principal, self.realm, self.suffix)
+ mod = [(ldap.MOD_ADD, 'objectClass', 'ipaService')]
+
+ try:
+ conn.modify_s(dns_princ_dn, mod)
+ except Exception, e:
+ logging.critical("Could not modify principal's %s entry" % dns_principal)
+ raise e
+
+ dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
+ mod = [(ldap.MOD_ADD, 'member', dns_princ_dn)]
+
+ try:
+ conn.modify_s(dns_group, mod)
+ except Exception, e:
+ logging.critical("Could not modify principal's %s entry" % dns_principal)
+ raise e
+
+ conn.unbind()
+
def __setup_named_conf(self):
self.fstore.backup_file('/etc/named.conf')
named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
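Review bot: `installutils.create_keytab` writes `/etc/named.keytab` before the `os.chown`/`os.chmod(0400)` that follow, so whether the DNS service key is briefly readable by other local users depends on the mode that helper creates the file with (not visible here); wrapping the call in a restrictive umask, or pre-creating the file as root-owned 0600, closes that window regardless of the helper. The Directory Manager bind is only released on the success path (`conn.unbind()` is not in a `finally`), and `raise e` discards the original traceback where a bare `raise` keeps it. The log message on the group modification is copied from the previous block and names the wrong operation; `logging.critical("Could not add principal %s to %s" % (dns_principal, dns_group))` says what failed. Both `MOD_ADD` calls will presumably fail with an already-exists error if the step is re-run on a host whose principal is already an `ipaService` or already a member, which may be worth tolerating. `__setup_named_conf` continues outside the hunk.
```python
        # Store the keytab on disk; keep it unreadable while the helper writes it
        self.fstore.backup_file("/etc/named.keytab")
        old_umask = os.umask(077)
        try:
            installutils.create_keytab("/etc/named.keytab", dns_principal)
        finally:
            os.umask(old_umask)
        # … unchanged: chown/chmod to the named user, IPAdmin connect and bind …
        try:
            conn.modify_s(dns_princ_dn, mod)
            dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
            conn.modify_s(dns_group, [(ldap.MOD_ADD, 'member', dns_princ_dn)])
        except Exception:
            logging.critical("Could not configure DNS principal %s" % dns_principal)
            raise
        finally:
            conn.unbind()
```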
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index b9b74e685..e31cd081f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -176,6 +176,7 @@ class DsInstance(service.Service):
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("restarting directory server", self.__restart_instance)
self.step("adding default layout", self.__add_default_layout)
+ self.step("adding delegation layout", self.__add_delegation_layout)
self.step("configuring Posix uid/gid generation as first master",
self.__config_uidgid_gen_first_master)
self.step("adding master entry as first master",
@@ -364,6 +365,9 @@ class DsInstance(service.Service):
def __add_default_layout(self):
self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
+ def __add_delegation_layout(self):
+ self._ldap_mod("delegation.ldif", self.sub_dict)
+
def __create_indices(self):
self._ldap_mod("indices.ldif")