From 92e350ca0a1fda0dc9fe6e073dd7afe19a62d9ec Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 4 May 2010 15:24:54 -0400
Subject: Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install. To remove it from a running server do: ipa hbac-del allow_all
---
 ipaserver/install/dsinstance.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'ipaserver/install/dsinstance.py')
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3987f08ee..d6dbb80bc 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -38,7 +38,7 @@ from ldap.dn import escape_dn_chars
 from ipaserver import ipaldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import httpinstance
-from ipalib import util
+from ipalib import util, uuid
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -157,7 +157,7 @@ class DsInstance(service.Service):
 else:
 self.suffix = None
- def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, uidstart=1100, gidstart=1100, subject_base=None):
+ def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, uidstart=1100, gidstart=1100, subject_base=None, hbac_allow=True):
 self.ds_user = ds_user
 self.realm_name = realm_name.upper()
 self.serverid = realm_to_serverid(self.realm_name)
@@ -194,6 +194,8 @@ class DsInstance(service.Service):
 self.__add_master_entry_first_master)
 self.step("initializing group membership", self.init_memberof)
+ if hbac_allow:
+ self.step("creating default HBAC rule allow_all", self.add_hbac)
 self.step("configuring directory to start on boot", self.__enable)
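Review bot: The new `hbac_allow=True` default on `create_instance` (second hunk) makes the permissive choice the implicit one: any caller that does not pass the argument gets the allow_all rule, and the only trace of it in this file is the step label added in the third hunk. The opt-out flag named in the commit message is handled outside this file (the diff is limited to dsinstance.py), so confirm that every installer path calling `create_instance` passes the value through explicitly instead of inheriting the default. I would add a comment above the `if hbac_allow:` step, for example `# allow_all lets any user reach any host from any host; remove with "ipa hbac-del allow_all" once real rules exist`, and document the parameter in a docstring on `create_instance`. The body of `create_instance` extends beyond both hunks.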
@@ -411,6 +413,11 @@ class DsInstance(service.Service):
 def __enable_ldapi(self):
 self._ldap_mod("ldapi.ldif", self.sub_dict)
+ def add_hbac(self):
+ self.sub_dict['UUID'] = str(uuid.uuid1())
+ self._ldap_mod("default-hbac.ldif", self.sub_dict)
+ del self.sub_dict['UUID']
+
 def change_admin_password(self, password):
 logging.debug("Changing admin password")
 dirname = config_dirname(self.serverid)
-- cgit
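Review bot: In `add_hbac` the temporary `UUID` key stays in `self.sub_dict` if `_ldap_mod` raises, because the `del` is reached only on success, so later steps that reuse `sub_dict` would see a stale key. Wrap the call so the cleanup always runs: `try: self._ldap_mod("default-hbac.ldif", self.sub_dict)` followed by `finally: del self.sub_dict['UUID']`. The `uuid` module here is imported from `ipalib`; if its `uuid1()` behaves like the standard-library function of the same name, the value is built from the clock and a node identifier, which is acceptable for an entry identifier but should not be relied on as unpredictable. A one-line docstring such as `"""Add the default allow_all HBAC rule from default-hbac.ldif."""` would also make the permissive effect visible to readers of this class.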