diff options
Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/Makefile.am | 6 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-setupssl | 216 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/60radius.ldif | 38 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 24 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 3 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/encrypted_attribute.ldif | 6 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/radius.radiusd.conf.template | 23 |
7 files changed, 83 insertions, 233 deletions
diff --git a/ipa-server/ipa-install/Makefile.am b/ipa-server/ipa-install/Makefile.am index 4765cfb54..1b46d354b 100644 --- a/ipa-server/ipa-install/Makefile.am +++ b/ipa-server/ipa-install/Makefile.am @@ -10,14 +10,8 @@ sbin_SCRIPTS = \ ipa-replica-prepare \ $(NULL) -appdir = $(IPA_DATA_DIR) -app_SCRIPTS = \ - ipa-server-setupssl \ - $(NULL) - EXTRA_DIST = \ README \ - $(app_SCRIPTS) \ $(sbin_SCRIPTS) \ $(NULL) diff --git a/ipa-server/ipa-install/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl deleted file mode 100644 index 1774f214d..000000000 --- a/ipa-server/ipa-install/ipa-server-setupssl +++ /dev/null @@ -1,216 +0,0 @@ -#!/bin/bash - -if [ "$1" ] ; then - password=$1 -else - echo "password required" - exit 1 -fi - -if [ "$2" -a -d "$2" ] ; then - secdir="$2" -else - secdir=/etc/dirsrv/slapd-localhost -fi - -if [ "$3" ] ; then - myhost=$3 -else - myhost=`hostname --fqdn` -fi - - -if [ "$4" ] ; then - ldapport=$4 -else - ldapport=389 -fi - -me=`whoami` -if [ "$me" = "root" ] ; then - isroot=1 -fi - -# see if there are already certs and keys -if [ -f $secdir/cert8.db ] ; then - # look for CA cert - if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then - echo "Using existing CA certificate" - else - echo "No CA certificate found - will create new one" - needCA=1 - fi - - # look for server cert - if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then - echo "Using existing directory Server-Cert" - else - echo "No Server Cert found - will create new one" - needServerCert=1 - fi - - prefix="new-" - prefixarg="-P $prefix" -else - needCA=1 - needServerCert=1 -fi - -if test -z "$needCA" -a -z "$needServerCert" ; then - echo "No certs needed - exiting" - exit 0 -fi - -# get our user and group -if test -n "$isroot" ; then - uid=`/bin/ls -ald $secdir | awk '{print $3}'` - gid=`/bin/ls -ald $secdir | awk '{print $4}'` -fi - -# 2. Create a password file for your security token password: -if [ -f $secdir/pwdfile.txt ] ; then - echo "Using existing $secdir/pwdfile.txt" -else - (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/pwdfile.txt - fi - chmod 400 $secdir/pwdfile.txt -fi - -# 3. Create a "noise" file for your encryption mechanism: -if [ -f $secdir/noise.txt ] ; then - echo "Using existing $secdir/noise.txt file" -else - (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/noise.txt - fi - chmod 400 $secdir/noise.txt -fi - -# 4. Create the key3.db and cert8.db databases: -certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt -if test -n "$isroot" ; then - chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db -fi -chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db - - -if test -n "$needCA" ; then -# 5. Generate the encryption key: - certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -# 6. Generate the self-signed certificate: - certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -# export the CA cert for use with other apps - certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc - pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt -fi - -if test -n "$needServerCert" ; then -# 7. Generate the server certificate: - certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -fi - -# create the pin file -if [ ! -f $secdir/pin.txt ] ; then - pinfile=$secdir/pin.txt - echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile - if test -n "$isroot" ; then - chown $uid:$gid $pinfile - fi - chmod 400 $pinfile -else - echo Using existing $secdir/pin.txt -fi - -if [ -n "$prefix" ] ; then - # move the old files out of the way - mv $secdir/cert8.db $secdir/orig-cert8.db - mv $secdir/key3.db $secdir/orig-key3.db - # move in the new files - will be used after server restart - mv $secdir/${prefix}cert8.db $secdir/cert8.db - mv $secdir/${prefix}key3.db $secdir/key3.db -fi - -modnssdir=/etc/httpd/alias - -# Setup SSL in Apache -if [ -e $modnssdir ]; then - mkdir ${modnssdir}.ipa - mv $modnssdir/cert8.db ${modnssdir}.ipa - mv $modnssdir/key3.db ${modnssdir}.ipa -fi - -# Create a new database for mod_nss -echo -e "\n" > $modnssdir/pw.txt -certutil -N -d $modnssdir -f $modnssdir/pw.txt - -# Add the CA we created -certutil -A -d $modnssdir -n "CA certificate" -t "CT,CT," -a -i $secdir/cacert.asc - -# Request a new server cert -certutil -R -d $modnssdir \ - -s "cn=$myhost,ou=Apache Web Server" \ - -o $modnssdir/tmpcertreq \ - -g 1024 \ - -z $secdir/noise.txt \ - -f $modnssdir/pw.txt - -# Have the FDS CA issue the cert -echo -e "2\n9\nn\n1\n9\nn\n" | \ -certutil -C -d $secdir \ - -c "CA certificate" \ - -i $modnssdir/tmpcertreq \ - -o $modnssdir/tmpcert.der \ - -m 1002 \ - -v 120 \ - -f $secdir/pwdfile.txt \ - -1 \ - -5 - -# Now add this cert to the Apache database -certutil -A -d $modnssdir -n "Server-Cert"\ - -t u,u,u \ - -i $modnssdir/tmpcert.der \ - -f $modnsdir/tmpcert.der - -rm -f $modnssdir/pw.txt $modnssdir/tmpcertreq $modnssder/tmpcert.der - -# enable SSL in the directory server - -ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF -dn: cn=encryption,cn=config -changetype: modify -replace: nsSSL3 -nsSSL3: on -- -replace: nsSSLClientAuth -nsSSLClientAuth: allowed -- -add: nsSSL3Ciphers -nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, - +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza, - +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha, - +tls_rsa_export1024_with_des_cbc_sha - -dn: cn=config -changetype: modify -add: nsslapd-security -nsslapd-security: on -- -replace: nsslapd-ssl-check-hostname -nsslapd-ssl-check-hostname: off - -dn: cn=RSA,cn=encryption,cn=config -changetype: add -objectclass: top -objectclass: nsEncryptionModule -cn: RSA -nsSSLPersonalitySSL: Server-Cert -nsSSLToken: internal (software) -nsSSLActivation: on - -EOF - - diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif index 1802029ea..93a5ba319 100644 --- a/ipa-server/ipa-install/share/60radius.ldif +++ b/ipa-server/ipa-install/share/60radius.ldif @@ -4,6 +4,11 @@ # LDAP v3 version by Jochen Friedrich <jochen@scram.de> # Updates by Adrian Pavlykevych <pam@polynet.lviv.ua> # Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA +# +# Note: These OID's do not seem to be registered, the closest I could find +# was 1.3.6.1.4.1.3317 +# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)} +# ############## dn: cn=schema attributeTypes: @@ -487,7 +492,7 @@ objectClasses: NAME 'radiusprofile' SUP top AUXILIARY DESC '' - MUST cn + MUST uid MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ @@ -521,3 +526,34 @@ objectClasses: MUST cn MAY ( uid $ userPassword $ description ) ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.64 + NAME 'radiusClientSecret' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.65 + NAME 'radiusClientNASType' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.66 + NAME 'radiusClientShortName' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +objectClasses: + ( 1.3.6.1.4.1.3317.4.3.2.3 + NAME 'radiusClientProfile' + SUP top STRUCTURAL + DESC 'A Container Objectclass to be used for describing radius clients' + MUST (radiusClientIPAddress $ radiusClientSecret) + MAY ( radiusClientNASType $ radiusClientShortName $ description ) + ) diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index 3f0558d11..9642070c7 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -81,6 +81,30 @@ homeDirectory: /home/admin loginShell: /bin/bash gecos: Administrator +dn: cn=radius,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: radius + +dn: cn=clients,cn=radius,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: clients + +dn: cn=profiles,cn=radius,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: profiles + +dn: uid=ipa_default, cn=profiles,cn=radius,$SUFFIX +changetype: add +objectClass: top +objectClass: radiusprofile +uid: ipa_default + dn: cn=admins,cn=groups,cn=accounts,$SUFFIX changetype: add objectClass: top diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 6b8afd28b..95743eebb 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -9,9 +9,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaN aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn = "ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";) +aci: (target="ldap:///cn=radius,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) dn: cn=ipaConfig,cn=etc,$SUFFIX changetype: modify diff --git a/ipa-server/ipa-install/share/encrypted_attribute.ldif b/ipa-server/ipa-install/share/encrypted_attribute.ldif new file mode 100644 index 000000000..3f5e1b43d --- /dev/null +++ b/ipa-server/ipa-install/share/encrypted_attribute.ldif @@ -0,0 +1,6 @@ +dn: cn=$ENCRYPTED_ATTRIBUTE, cn=encrypted attributes, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +changetype: add +objectClass: top +objectClass: nsAttributeEncryption +cn: $ENCRYPTED_ATTRIBUTE +nsEncryptionAlgorithm: AES diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template index d03105485..3bc4927dd 100644 --- a/ipa-server/ipa-install/share/radius.radiusd.conf.template +++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template @@ -57,9 +57,6 @@ thread pool { max_requests_per_server = 0 } modules { - pap { - auto_header = yes - } chap { authtype = CHAP } @@ -85,13 +82,19 @@ $$INCLUDE $${confdir}/eap.conf filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no - access_attr = "$ACCESS_ATTRIBUTE" + profile_attribute = "radiusProfileDn" + default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX + # FIXME: we'll want to toggle the access_attr feature on/off, + # but it needs a control, so disable it for now. + #access_attr = "$ACCESS_ATTRIBUTE" + #access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT" dictionary_mapping = $${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 + clients_basedn = "$CLIENTS_BASEDN" } realm IPASS { format = prefix @@ -229,6 +232,10 @@ $$INCLUDE $${confdir}/eap.conf override = no maximum-timeout = 0 } + krb5 { + keytab = "$RADIUS_KEYTAB" + service_principal = "$RADIUS_PRINCIPAL" + } } instantiate { exec @@ -242,20 +249,18 @@ authorize { eap #files ldap - pap } authenticate { - Auth-Type PAP { - pap - } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } - unix eap + Auth-Type Kerberos { + krb5 + } } preacct { preprocess |