From 370500ab1a1a3c3fe2d3a09f61186d9787c406f2 Mon Sep 17 00:00:00 2001 From: "rcritten@redhat.com" Date: Thu, 20 Sep 2007 09:01:23 -0400 Subject: Remove support for LDAP proxy connections --- ipa-server/ipa-install/ipa-server-setupssl | 12 ------------ ipa-server/ipa-install/share/bootstrap-template.ldif | 6 ------ ipa-server/ipa-install/share/default-aci.ldif | 1 - 3 files changed, 19 deletions(-) diff --git a/ipa-server/ipa-install/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl index 5bcce52c1..37e10583e 100644 --- a/ipa-server/ipa-install/ipa-server-setupssl +++ b/ipa-server/ipa-install/ipa-server-setupssl @@ -112,18 +112,6 @@ if test -n "$needServerCert" ; then certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt fi -# 8. Generate the web service client certificate: - echo -e "0\n2\n9\nn\n0\n9\nn\n" | certutil -S $prefixarg -n webservice -s "uid=webservice, CN=Web Service, OU=Fedora Directory Server" -c "CA certificate" -t u,pu,u -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -1 -5 - - pk12util -d $secdir $prefixarg -o $secdir/webservice.p12 -n "webservice" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt - - openssl pkcs12 -in $secdir/webservice.p12 -clcerts -nokeys -out /usr/share/ipa/cert.pem -passin file:$secdir/pwdfile.txt - openssl pkcs12 -in $secdir/webservice.p12 -nocerts -nodes -out /usr/share/ipa/key.pem -passin file:$secdir/pwdfile.txt - - cp -p $secdir/cacert.asc /usr/share/ipa - chown apache:apache /usr/share/ipa/cert.pem /usr/share/ipa/key.pem /usr/share/ipa/cacert.asc - chmod 600 /usr/share/ipa/cert.pem /usr/share/ipa/key.pem - # create the pin file if [ ! -f $secdir/pin.txt ] ; then pinfile=$secdir/pin.txt diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index 0284caa8c..b697c579e 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -39,12 +39,6 @@ objectClass: nsContainer objectClass: top cn: sysaccounts -dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX -changetype: add -objectClass: top -objectClass: account -uid: webservice - dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX changetype: add objectClass: top diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 9ed65a43c..edb5b87f6 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -7,5 +7,4 @@ aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) u aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) -- cgit