Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/Makefile.am | 2 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-replica-install | 142 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-replica-prepare | 114 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 172 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/60ipaconfig.ldif | 37 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/Makefile.am | 2 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 84 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 19 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/indeces.ldif | 8 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/kerberos.ldif | 18 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/memberof-task.ldif | 7 |
11 files changed, 425 insertions, 180 deletions
diff --git a/ipa-server/ipa-install/Makefile.am b/ipa-server/ipa-install/Makefile.am index 9ecf7e20d..4765cfb54 100644 --- a/ipa-server/ipa-install/Makefile.am +++ b/ipa-server/ipa-install/Makefile.am @@ -6,6 +6,8 @@ SUBDIRS = \ sbin_SCRIPTS = \ ipa-server-install \ + ipa-replica-install \ + ipa-replica-prepare \ $(NULL) appdir = $(IPA_DATA_DIR) diff --git a/ipa-server/ipa-install/ipa-replica-install b/ipa-server/ipa-install/ipa-replica-install new file mode 100644 index 000000000..706dc323d --- /dev/null +++ b/ipa-server/ipa-install/ipa-replica-install 
@@ -0,0 +1,142 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +sys.path.append("/usr/share/ipa") + +import tempfile +from ConfigParser import SafeConfigParser + +from ipa import ipautil + +from ipaserver import dsinstance, replication, installutils, krbinstance, service +from ipaserver import httpinstance, webguiinstance, radiusinstance, ntpinstance + +class ReplicaConfig: + def __init__(self): + self.realm_name = "" + self.master_host_name = "" + self.dirman_password = "" + self.ds_user = "" + self.host_name = "" + self.repl_password = "" + self.dir = "" + +def parse_options(): + from optparse import OptionParser + parser = OptionParser() + parser.add_option("-r", "--read-only", dest="master", action="store_false", + default=True, help="create read-only replica - default is master") + + options, args = parser.parse_args() + + if len(args) != 1: + parser.error("you must provide a file generated by ipa-replica-prepare") + + return options, args[0] + +def get_dirman_password(): + return installutils.read_password("Directory Manager (existing master)") + +def expand_info(filename): + top_dir = tempfile.mkdtemp("ipa") + dir = top_dir + "/realm_info" + ipautil.run(["tar", "xfz", 
filename, "-C", top_dir]) + + return top_dir, dir + +def read_info(dir, rconfig): + filename = dir + "/realm_info" + fd = open(filename) + config = SafeConfigParser() + config.readfp(fd) + + rconfig.realm_name = config.get("realm", "realm_name") + rconfig.master_host_name = config.get("realm", "master_host_name") + rconfig.ds_user = config.get("realm", "ds_user") + +def get_host_name(): + hostname = installutils.get_fqdn() + try: + installutils.verify_fqdn(hostname) + except RuntimeError, e: + logging.error(str(e)) + sys.exit(1) + + return hostname + +def install_ds(config): + dsinstance.check_existing_installation() + dsinstance.check_ports() + + ds = dsinstance.DsInstance() + ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.dirman_password) + +def install_krb(config): + krb = krbinstance.KrbInstance() + ldappwd_filename = config.dir + "/ldappwd" + krb.create_replica(config.ds_user, config.realm_name, config.host_name, + config.dirman_password, ldappwd_filename) + +def install_http(config): + http = httpinstance.HTTPInstance() + http.create_instance(config.realm_name, config.host_name) + +def main(): + options, filename = parse_options() + top_dir, dir = expand_info(filename) + + config = ReplicaConfig() + read_info(dir, config) + config.host_name = get_host_name() + config.repl_password = "box" + config.dir = dir + + # get the directory manager password + config.dirman_password = get_dirman_password() + + install_ds(config) + + repl = replication.ReplicationManager(config.host_name, config.dirman_password) + repl.setup_replication(config.master_host_name, config.realm_name, options.master) + + install_krb(config) + install_http(config) + + # Create a Web Gui instance + webgui = webguiinstance.WebGuiInstance() + webgui.create_instance() + + # Create a radius instance + radius = radiusinstance.RadiusInstance() + # FIXME: ldap_server should be derived, not hardcoded to localhost, also should it be a URL? 
+ radius.create_instance(config.realm_name, config.host_name, 'localhost') + + # Configure ntpd + ntp = ntpinstance.NTPInstance() + ntp.create_instance() + + + service.restart("dirsrv") + service.restart("krb5kdc") + +main() + + diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare new file mode 100644 index 000000000..705c731d8 --- /dev/null +++ b/ipa-server/ipa-install/ipa-replica-prepare 
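Review bot: get_host_name calls logging.error in its except branch, but this script never imports logging (only sys, tempfile, SafeConfigParser and the ipa modules), so a rejected FQDN ends in a NameError instead of the intended message; add `import logging` next to `import tempfile`. main also sets `config.repl_password = "box"`, a literal credential that nothing in this hunk reads; either drop the field or fill it from `ipa_generate_password()` as the ipa-server-install hunk in this commit does for the master password. expand_info unpacks the prepared tarball, which per ipa-replica-prepare carries the KDC's ldappwd and the cert-db pwdfile.txt/pin.txt, into a `tempfile.mkdtemp("ipa")` directory that is never removed, so those secrets stay on disk after the install; call `shutil.rmtree(top_dir)` at the end of main once install_krb has consumed them. read_info also leaves the realm_info file handle open; add `fd.close()` after `config.readfp(fd)`.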
@@ -0,0 +1,114 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +sys.path.append("/usr/share/ipa") + +import logging, tempfile, shutil, os, pwd +from ConfigParser import SafeConfigParser +import krbV + +from ipa import ipautil +from ipaserver import dsinstance +from ipaserver import installutils + +certutil = "/usr/bin/certutil" + +def get_host_name(): + hostname = installutils.get_fqdn() + try: + installutils.verify_fqdn(hostname) + except RuntimeError, e: + logging.error(str(e)) + sys.exit(1) + + return hostname + +def get_realm_name(): + c = krbV.default_context() + return c.default_realm + +def check_ipa_configuration(realm_name): + config_dir = dsinstance.config_dirname(realm_name) + if not ipautil.dir_exists(config_dir): + logging.error("could not find directory instance: %s" % config_dir) + sys.exit(1) + +def create_certdb(ds_dir, dir): + # copy the passwd, noise, and pin files + shutil.copyfile(ds_dir + "/pwdfile.txt", dir + "/pwdfile.txt") + shutil.copyfile(ds_dir + "/noise.txt", dir + "/noise.txt") + shutil.copyfile(ds_dir + "/pin.txt", dir + "/pin.txt") + + # create a new cert db + ipautil.run([certutil, "-N", "-d", dir, "-f", dir + "/pwdfile.txt"]) + + # Add the CA cert + 
ipautil.run([certutil, "-A", "-d", dir, "-n", "CA certificate", "-t", "CT,CT", "-a", "-i", + ds_dir + "/cacert.asc"]) + +def get_ds_user(ds_dir): + uid = os.stat(ds_dir).st_uid + user = pwd.getpwuid(uid)[0] + + return user + +def copy_files(realm_name, dir): + shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") + + +def save_config(dir, realm_name, host_name, ds_user): + config = SafeConfigParser() + config.add_section("realm") + config.set("realm", "realm_name", realm_name) + config.set("realm", "master_host_name", host_name) + config.set("realm", "ds_user", ds_user) + fd = open(dir + "/realm_info", "w") + config.write(fd) + + +def main(): + realm_name = get_realm_name() + host_name = get_host_name() + ds_dir = dsinstance.config_dirname(realm_name) + ds_user = get_ds_user(ds_dir) + + check_ipa_configuration(realm_name) + + top_dir = tempfile.mkdtemp("ipa") + dir = top_dir + "/realm_info" + os.mkdir(dir, 0700) + + create_certdb(ds_dir, dir) + + copy_files(realm_name, dir) + + save_config(dir, realm_name, host_name, ds_user) + + ipautil.run(["/bin/tar", "cfz", "replica-info-" + realm_name, "-C", top_dir, "realm_info"]) + + shutil.rmtree(dir) + +main() + + + + + diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 2de687fd7..a33a3e892 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -34,7 +34,6 @@ import socket import errno import logging import pwd -import getpass import subprocess import signal import shutil @@ -51,8 +50,9 @@ import ipaserver.radiusinstance import ipaserver.webguiinstance from ipaserver import service +from ipaserver.installutils import * -from ipa.ipautil import run +from ipa.ipautil import * def parse_options(): parser = OptionParser(version=VERSION) 
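Review bot: main calls get_ds_user(ds_dir), which os.stat()s the instance directory, before check_ipa_configuration(realm_name), so on a host without a directory instance the user gets an OSError traceback rather than the "could not find directory instance" message; move the check_ipa_configuration call above get_ds_user. The archive written by the tar call at the end of main bundles ldappwd and the cert-db pwdfile.txt/pin.txt, yet it is created in the current directory with the process umask, and only dir is removed afterwards while top_dir is left behind; set `os.umask(077)` before the run and `shutil.rmtree(top_dir)` instead of dir. save_config never closes the file it opens before the tar runs — CPython flushes it when the reference drops at return, but `fd.close()` after `config.write(fd)` makes that explicit. copy_files takes a realm_name parameter it never uses.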
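Review bot: the second hunk of ipa-server-install replaces `from ipa.ipautil import run` with `from ipa.ipautil import *` and adds `from ipaserver.installutils import *`, so the names this file now relies on (get_fqdn, verify_fqdn, read_password, standard_logging_setup, ipa_generate_password) have no visible origin and either module can silently shadow the other or this file's own helpers. Import the names explicitly from whichever of the two modules defines them, e.g. `from ipaserver.installutils import get_fqdn, verify_fqdn, read_password` for the three that the new replica scripts already call through installutils.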
@@ -86,39 +86,6 @@ def parse_options(): return options -def logging_setup(options): - # Always log everything (i.e., DEBUG) to the log - # file. - logging.basicConfig(level=logging.DEBUG, - format='%(asctime)s %(levelname)s %(message)s', - filename='ipaserver-install.log', - filemode='w') - - console = logging.StreamHandler() - # If the debug option is set, also log debug messages to the console - if options.debug: - console.setLevel(logging.DEBUG) - else: - # Otherwise, log critical and error messages - console.setLevel(logging.ERROR) - formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s') - console.setFormatter(formatter) - logging.getLogger('').addHandler(console) - -def erase_ds_instance_data(serverid): - try: - shutil.rmtree("/etc/dirsrv/slapd-%s" % serverid) - except: - pass - try: - shutil.rmtree("/var/lib/dirsrv/slapd-%s" % serverid) - except: - pass - try: - shutil.rmtree("/var/lock/dirsrv/slapd-%s" % serverid) - except: - pass - def signal_handler(signum, frame): global ds print "\nCleaning up..." 
@@ -126,59 +93,9 @@ def signal_handler(signum, frame): print "Removing configuration for %s instance" % ds.serverid ds.stop() if ds.serverid: - erase_ds_instance_data (ds.serverid) + ipaserver.dsinstance.erase_ds_instance_data (ds.serverid) sys.exit(1) -def check_existing_installation(): - dirs = glob.glob("/etc/dirsrv/slapd-*") - if not dirs: - return - print "" - print "An existing Directory Server has been detected." - yesno = raw_input("Do you wish to remove it and create a new one? [no]: ") - if not yesno or yesno.lower()[0] != "y": - sys.exit(1) - - try: - run(["/sbin/service", "dirsrv", "stop"]) - except: - pass - for d in dirs: - serverid = os.path.basename(d).split("slapd-", 1)[1] - if serverid: - erase_ds_instance_data(serverid) - -def check_ports(): - ds_unsecure = port_available(389) - ds_secure = port_available(636) - if not ds_unsecure or not ds_secure: - print "IPA requires ports 389 and 636 for the Directory Server." - print "These are currently in use:" - if not ds_unsecure: - print "\t389" - if not ds_secure: - print "\t636" - sys.exit(1) - -def get_fqdn(): - fqdn = "" - try: - fqdn = socket.getfqdn() - except: - try: - fqdn = socket.gethostname() - except: - fqdn = "" - return fqdn - -def verify_fqdn(host_name): - is_ok = True - if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain": - print "Invalid hostname: " + host_name - print "This host name can't be used as a hostname for an IPA Server" - is_ok = False - return is_ok - def read_host_name(host_default): host_ok = False host_name = "" @@ -198,7 +115,9 @@ def read_host_name(host_default): host_name = host_default else: host_name = host_input - if not verify_fqdn(host_name): + try: + verify_fqdn(host_name) + except: host_name = "" continue else: 
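Review bot: the new bare `except:` in read_host_name swallows every exception, including KeyboardInterrupt, and discards the reason the name was rejected, where the deleted verify_fqdn printed "Invalid hostname"; the later hunk in this file catches RuntimeError from the same function, so do the same here and show it: `except RuntimeError, e:` then `print str(e)` before resetting host_name. read_host_name starts and ends outside this hunk.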
@@ -256,36 +175,6 @@ def read_ip_address(host_name): return ip -def port_available(port): - """Try to bind to a port on the wildcard host - Return 1 if the port is available - Return 0 if the port is in use - """ - rv = 1 - - try: - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - s.bind(('', port)) - s.shutdown(0) - s.close() - except socket.error, e: - if e[0] == errno.EADDRINUSE: - rv = 0 - - if rv: - try: - s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) - s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - s.bind(('', port)) - s.shutdown(0) - s.close() - except socket.error, e: - if e[0] == errno.EADDRINUSE: - rv = 0 - - return rv - def read_ds_user(): print "The server must run as a specific user in a specific group." print "It is strongly recommended that this user should have no privileges" @@ -333,23 +222,6 @@ def read_realm_name(domain_name): realm_name = upper_dom return realm_name -def read_password(user): - correct = False - pwd = "" - while not correct: - pwd = getpass.getpass(user + " password: ") - if not pwd: - continue - pwd_confirm = getpass.getpass("Password (confirm): ") - if pwd != pwd_confirm: - print "Password mismatch!" - print "" - else: - correct = True - #TODO: check validity/length - print "" - return pwd - def read_dm_password(): print "Certain directory server operations require an administrative user." print "This user is referred to as the Directory Manager and has full access" 
@@ -360,17 +232,6 @@ def read_dm_password(): dm_password = read_password("Directory Manager") return dm_password -def read_master_password(): - print "The Kerberos database is usually encrypted using a master password." - print "Please store this password offline in a secure place." - print "It may be necessary in a recovery situation or to install a replica." - print "Without the master password the encrypted material can't be used by the KDC." - print "If the master password is lost all kerberos related secrets will also be lost." - print "" - #TODO: provide the option of generating a random password - master_password = read_password("Kerberos master") - return master_password - def read_admin_password(): print "The IPA server requires an administrative user, named 'admin'." print "This user is a regular system account used for IPA server administration." @@ -392,6 +253,8 @@ def main(): global ds ds = None + options = parse_options() + if os.getegid() != 0: print "Must be root to setup server" return @@ -399,17 +262,17 @@ def main(): signal.signal(signal.SIGTERM, signal_handler) signal.signal(signal.SIGINT, signal_handler) + standard_logging_setup("ipaserver-install.log", options.debug) + print "==============================================================================" print "This program will setup the FreeIPA Server." print "" print "To accept the default shown in brackets, press the Enter key." print "" - check_existing_installation() - check_ports() + ipaserver.dsinstance.check_existing_installation() + ipaserver.dsinstance.check_ports() - options = parse_options() - logging_setup(options) ds_user = "" realm_name = "" 
@@ -439,10 +302,13 @@ def main(): host_default = get_fqdn() if options.unattended: - if not verify_fqdn(host_default): + try: + verify_fqdn(host_default) + except RuntimeError, e: + logging.error(str(e) + "\n") return "-Fatal Error-" - else: - host_name = host_default + + host_name = host_default else: host_name = read_host_name(host_default) @@ -504,7 +370,7 @@ def main(): dm_password = options.dm_password if not options.master_password: - master_password = read_master_password() + master_password = ipa_generate_password() else: master_password = options.master_password diff --git a/ipa-server/ipa-install/share/60ipaconfig.ldif b/ipa-server/ipa-install/share/60ipaconfig.ldif new file mode 100644 index 000000000..e15d4a417 --- /dev/null +++ b/ipa-server/ipa-install/share/60ipaconfig.ldif 
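Review bot: `master_password = ipa_generate_password()` in the last hunk replaces an interactive prompt with a generated value that is never displayed, logged or written anywhere visible in this diff, while the deleted read_master_password text warned that losing it makes replica installs and recovery impossible. Unless the key is persisted elsewhere (the default-aci hunk adding krbMKey to the KDC's readable attributes suggests it may live in the directory), the administrator has no way to record it; state the outcome in a comment at the call site, e.g. `# generated, not prompted: the KDC keeps the master key as krbMKey in LDAP` once confirmed, or print it as the old prompt text implied. In the unattended branch of the earlier hunk, `logging.error(str(e) + "\n")` appends a newline the logging formatter already supplies, so the log gains blank lines; `logging.error(str(e))` matches get_host_name in ipa-replica-install.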
@@ -0,0 +1,37 @@
+## schema file for ipa configuration
+##
+## IPA Base OID: 2.16.840.1.113730.3.8
+##
+## Attributes: 2.16.840.1.113730.3.8.1
+## ObjectClasses: 2.16.840.1.113730.3.8.2
+dn: cn=schema
+###############################################
+##
+## Attributes
+##
+## ipaUserSearchFields - attribute names to search against when looking for users
+attributetypes: ( 2.16.840.1.113730.3.8.1.1 NAME 'ipaUserSearchFields' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+## ipaGroupSearchFields - attribute names to search against when looking for groups
+attributetypes: ( 2.16.840.1.113730.3.8.1.2 NAME 'ipaGroupSearchFields' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+## ipaSearchTimeLimit - search time limit in seconds
+attributetypes: ( 2.16.840.1.113730.3.8.1.3 NAME 'ipaSearchTimeLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+## ipaSearchRecordsLimit - maximum number of records to return
+attributetypes: ( 2.16.840.1.113730.3.8.1.4 NAME 'ipaSearchRecordsLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+## ipaCustomFields - custom fields to show in the UI in addition to pre-defined ones
+attributetypes: ( 2.16.840.1.113730.3.8.1.5 NAME 'ipaCustomFields' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+## ipaHomesRootDir - default posix home directory root dir to use when creating new accounts
+attributetypes: ( 2.16.840.1.113730.3.8.1.6 NAME 'ipaHomesRootDir' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+## ipaDefaultLoginShell - default posix login shell to use when creating new accounts
+attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+## ipaDefaultPrimaryGroup - default posix primary group to assign when creating new accounts
+attributetypes: ( 2.16.840.1.113730.3.8.1.8 NAME 'ipaDefaultPrimaryGroup' EQUALITY 
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) +## ipaMaxUsernameLength - maximum username length to allow in the UI +attributetypes: ( 2.16.840.1.113730.3.8.1.9 NAME 'ipaMaxUsernameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) +## ipaPwdExpAdvNotify - time in days to send out paswwrod expiration notification before passwpord actually expires +attributetypes: ( 2.16.840.1.113730.3.8.1.10 NAME 'ipaPwdExpAdvNotify' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE) +############################################### +## +## ObjectClasses +## +## ipaGuiConfig - GUI config parameters objectclass +objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify ) ) diff --git a/ipa-server/ipa-install/share/Makefile.am b/ipa-server/ipa-install/share/Makefile.am index b103d5670..36bb54e83 100644 --- a/ipa-server/ipa-install/share/Makefile.am +++ b/ipa-server/ipa-install/share/Makefile.am @@ -5,6 +5,7 @@ app_DATA = \ 60kerberos.ldif \ 60samba.ldif \ 60radius.ldif \ + 60ipaconfig.ldif \ bootstrap-template.ldif \ default-aci.ldif \ kerberos.ldif \ @@ -22,6 +23,7 @@ app_DATA = \ referint-conf.ldif \ dna-posix.ldif \ master-entry.ldif \ + memberof-task.ldif \ $(NULL) EXTRA_DIST = \ diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index df59bc0ec..6232a3f69 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif 
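Review bot: the comment line above ipaPwdExpAdvNotify has two typos, `paswwrod` and `passwpord`; suggested wording `## ipaPwdExpAdvNotify - time in days to send out password expiration notification before the password actually expires`. The attribute comments give a unit only for ipaSearchTimeLimit and ipaPwdExpAdvNotify; a note on ipaSearchRecordsLimit saying what a value of 0 means (the bootstrap template in this commit sets `ipaSearchRecordsLimit: 0`) would spare the next reader a trip to the UI code.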
@@ -8,7 +8,13 @@ dn: cn=accounts,$SUFFIX changetype: add objectClass: top objectClass: nsContainer +objectClass: krbPwdPolicy cn: accounts +krbMinPwdLife: 3600 +krbPwdMinDiffChars: 0 +krbPwdMinLength: 8 +krbPwdHistoryLength: 0 +krbMaxPwdLife: 864000 dn: cn=users,cn=accounts,$SUFFIX changetype: add @@ -22,10 +28,11 @@ objectClass: top objectClass: nsContainer cn: groups -#dn: cn=computers,cn=accounts,$SUFFIX -#objectClass: top -#objectClass: nsContainer -#cn: computers +dn: cn=services,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: services dn: cn=etc,$SUFFIX changetype: add 
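Review bot: the krbPwdPolicy values added to cn=accounts carry no explanation: if the unit is seconds, as krbMinPwdLife: 3600 suggests, then krbMaxPwdLife: 864000 is a ten-day expiry, and krbPwdHistoryLength: 0 together with krbPwdMinDiffChars: 0 leaves nothing to stop immediate reuse of the old password. If these are the intended defaults, say so in a comment next to the entry, e.g. `# default password policy: max life 10 days, min life 1 hour, 8 chars, no history`; otherwise a longer max life and a non-zero history length are the usual baseline.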
@@ -101,17 +108,80 @@ uid: ipa_default dn: cn=admins,cn=groups,cn=accounts,$SUFFIX changetype: add objectClass: top -objectClass: groupofuniquenames +objectClass: groupofnames objectClass: posixGroup cn: admins description: Account administrators group gidNumber: 1001 -uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX +member: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: add objectClass: top -objectClass: groupofuniquenames +objectClass: groupofnames objectClass: posixGroup gidNumber: 1002 +description: Default group for all users cn: ipausers + +dn: cn=editors,cn=groups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: posixGroup +gidNumber: 1003 +description: Limited admins who can edit other users +cn: editors + +dn: cn=ipaConfig,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +objectClass: ipaGuiConfig +ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title +ipaGroupSearchFields: cn,description +ipaSearchTimeLimit: 2 +ipaSearchRecordsLimit: 0 +ipaHomesRootDir: /home +ipaDefaultLoginShell: /bin/sh +ipaDefaultPrimaryGroup: ipausers +ipaMaxUsernameLength: 8 +ipaPwdExpAdvNotify: 4 + +dn: cn=account inactivation,cn=accounts,$SUFFIX +description: Lock accounts based on group membership +objectClass: top +objectClass: ldapsubentry +objectClass: cosSuperDefinition +objectClass: cosClassicDefinition +cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX +cosAttribute: nsAccountLock operational +cosSpecifier: memberOf +cn: Account Inactivation + +dn: cn=cosTemplates,cn=accounts,$SUFFIX +objectclass: top +objectclass: nsContainer +cn: cosTemplates + +dn: cn="cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX +objectClass: top +objectClass: cosTemplate +objectClass: extensibleobject +nsAccountLock: true +cosPriority: 1 + +dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX 
+objectclass: top +objectclass: groupofnames + +dn: cn="cn=activated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX +objectClass: top +objectClass: cosTemplate +objectClass: extensibleobject +nsAccountLock: false +cosPriority: 0 + +dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX +objectclass: top +objectclass: groupofnames diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 5d19329e8..aac7272c6 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif 
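Review bot: the CoS entries from `dn: cn=account inactivation,cn=accounts,$SUFFIX` onward have no `changetype: add` line, unlike every other entry in this template including the new cn=editors and cn=ipaConfig entries just above them; if the installer feeds the file to ldapmodify without -a, they will be processed as modifications of entries that do not exist, so add `changetype: add` to each. The two inactivation groups spell the same container differently (`cn=inactivated,cn=account inactivation` versus `cn=Activated,cn=Account Inactivation`); the server normally matches DNs case-insensitively, but the cosTemplate DNs quote the lowercase form, so keep one spelling so a reader can pair template and group. Neither group entry carries a `cn:` attribute or any `member:` value, which the groupofnames class normally requires — verify the server accepts them as written.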
@@ -4,9 +4,24 @@ changetype: modify
 replace: aci
 aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
 aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and 
Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
 aci: (target="ldap:///cn=radius,cn=services,cn=etc,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+
+dn: cn=ipaConfig,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "ipaUserSearchFields || ipaGroupSearchFields || ipaSearchTimeLimit || ipaSearchRecordsLimit || ipaCustomFields || ipaHomesRootDir || ipaDefaultLoginShell || ipaDefaultPrimaryGroup || ipaMaxUsernameLength || ipaPwdExpAdvNotify")(version 3.0;acl "Admins can write IPA policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
+dn: cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
+dn: cn=services,cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey 
|| krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) diff --git a/ipa-server/ipa-install/share/indeces.ldif b/ipa-server/ipa-install/share/indeces.ldif index 11dc3c0ec..31cbc30ab 100644 --- a/ipa-server/ipa-install/share/indeces.ldif +++ b/ipa-server/ipa-install/share/indeces.ldif @@ -42,6 +42,14 @@ cn:manager nsSystemIndex:false nsIndexType:eq +dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +changetype: add +objectClass:top +objectClass:nsIndex +cn:secretary +nsSystemIndex:false +nsIndexType:eq + dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config changetype: add objectClass:top diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif index d55f39ce4..75057aa3a 100644 --- a/ipa-server/ipa-install/share/kerberos.ldif +++ b/ipa-server/ipa-install/share/kerberos.ldif @@ -14,22 +14,4 @@ objectClass: top cn: kerberos aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) -#sasl mapping -dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config -changetype: add -objectclass: top -objectclass: nsSaslMapping -cn: Full Principal -nsSaslMapRegexString: \(.*\)@\(.*\) -nsSaslMapBaseDNTemplate: $SUFFIX -nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2) - -dn: cn=Name Only,cn=mapping,cn=sasl,cn=config -changetype: add -objectclass: top -objectclass: nsSaslMapping -cn: Name Only -nsSaslMapRegexString: \(.*\) -nsSaslMapBaseDNTemplate: $SUFFIX -nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM) 
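Review bot: krbMKey is added to the attributes the KDC system account may read on the suffix (the replaced fourth aci line) and write on cn=services, yet the "Enable anonymous access" aci on the same entry still excludes only userPassword, krbPrincipalKey, sambaLMPassword and sambaNTPassword, so if the master key is stored under the suffix as that change implies, any anonymous bind can read it; extend the exclusion to `aci: (targetattr!="userPassword || krbPrincipalKey || krbMKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)`. The same gap exists for krbPwdHistory, which the kpasswd aci groups with the password hashes but the anonymous aci does not exclude; that predates this commit, but the edited line is the natural place to close it. The new "KDC System Account" aci on cn=services grants write on krbPrincipalKey and krbMKey in addition to read, unlike its counterpart on the suffix; a comment stating why service principals need KDC-writable key attributes (presumably so the KDC can create or rekey them) would help the next reader of this file.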
diff --git a/ipa-server/ipa-install/share/memberof-task.ldif b/ipa-server/ipa-install/share/memberof-task.ldif
new file mode 100644
index 000000000..fefabba88
--- /dev/null
+++ b/ipa-server/ipa-install/share/memberof-task.ldif
@@ -0,0 +1,7 @@
+dn: cn=IPA install, cn=memberof task, cn=tasks, cn=config
+changetype: add
+objectClass: top
+objectClass: extensibleObject
+cn: IPA install
+basedn: $SUFFIX
+filter: (objectclass=*) |