From d0587cbdd5bc5e07a6e8519deb07adaace643740 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 14 Sep 2009 17:04:08 -0400
Subject: Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
---
 install/updates/40-delegation.update | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)
(limited to 'install/updates')
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 220c489d9..ee7f4db92 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -222,8 +222,9 @@ add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
 add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description || locality || location || platform
- || os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
+add:aci: '(targetattr = "cn || description || l || location ||
+ nshardwareplatform || nsosversion")
+ (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
 acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, cn=taskgroups,cn=accounts,$SUFFIX";)'
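Review bot: The "Modify Hosts" ACI on the new side targets `ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX`, but the "Remove Hosts" ACI in the surrounding context still targets `ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX`. If host entries are now named by `fqdn`, removehosts members no longer match the entries that modifyhosts can write, while any host entry still named by `cn` falls outside the new Modify Hosts rule; the two rules should probably share one target, `(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")`. Any other host ACIs outside this hunk (an add rule, for instance) would need the same check. The new targetattr list also keeps `cn` writable although it is apparently no longer the naming attribute; confirm that is intended.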
@@ -449,16 +450,36 @@ add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
 # Add the ACI needed to do host keytab admin
 dn: $SUFFIX
-add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
- cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
+add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")
+ (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
+ (version 3.0;acl "Manage host keytab";
 allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,$SUFFIX";)'
+# Taskgroup for enrolling hosts. Note that this also requires
+# manage_host_keytab access
+dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: enroll_host
+add:description: Enroll a host
+add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+# Add the ACI needed to do host enrollment. When this occurs we
+# set the krbPrincipalName, add krbPrincipalAux to objectClass and
+# set enrolledBy to whoever ran join.
+dn: $SUFFIX
+add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass")
+ (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
+ (version 3.0;acl "Enroll a host";
+ allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
+ cn=accounts,$SUFFIX";)'
+
 # Taskgroup for updating the DNS entries
 dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
 add:objectClass: top
 add:objectClass: groupofnames
-add:cn: manage_host_keytab
+add:cn: update_sn
 add:description: Updates DNS
 add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
 add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
-- cgit
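Review bot: The update_dns taskgroup's `cn` value is still wrong on the new side: the entry dn is `cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX` but the replacement line reads `add:cn: update_sn`, so the old copy-paste value `manage_host_keytab` is only swapped for another mismatch with the RDN; it should be `add:cn: update_dns`. Separately, the "Enroll a host" ACI grants write on `objectClass` as a whole, which lets members of enroll_host add any auxiliary class to a host entry rather than only krbPrincipalAux as the comment describes. If the directory server in use supports value-level restriction through `targattrfilters`, consider limiting the objectClass write to that class; otherwise the comment should state the wider grant, e.g. `# NOTE: write access to objectClass is not limited to krbPrincipalAux`.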