authorSimo Sorce <ssorce@redhat.com>2008-02-28 13:35:10 -0500
committerSimo Sorce <ssorce@redhat.com>2008-02-28 13:35:10 -0500
commitd7ad62cd7e1d861270e8fd0ff8a2dd7ddba90127 (patch)
tree561f4707e7da63317879cbe2ccec74cce1db66b9 /ipa-server
parent2c559fce85df777fbe26eca163cb4ae93e12c448 (diff)
Make sure all entries are generated by us according to IPA
default tree. This patch makes sure that the DS setup script does not add unwanted entries.
Diffstat (limited to 'ipa-server')
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif8
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif2
-rw-r--r--ipa-server/ipaserver/dsinstance.py21
3 files changed, 22 insertions, 9 deletions
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 0a969de3..014f9d61 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -1,11 +1,3 @@
-dn: $SUFFIX
-changetype: modify
-add: objectClass
-objectClass: pilotObject
--
-add: info
-info: IPA V1.0
-
dn: cn=accounts,$SUFFIX
changetype: add
objectClass: top
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index d7b5d300..a452b50d 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -2,7 +2,7 @@
# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
dn: $SUFFIX
changetype: modify
-replace: aci
+add: aci
aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
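Review bot: `add: aci` no longer removes ACIs already present on `$SUFFIX`, so after this change the bootstrap only guarantees that these three ACIs are included, not that they are the only ones on the suffix entry. That is presumably acceptable because the suffix entry is now created from the server's own boot LDIF rather than by the setup script, but the file should record that assumption, e.g. `# add rather than replace: the suffix entry is created by the IPA boot ldif and is expected to carry no ACIs yet`. Note also that `add` is not idempotent: applying this LDIF a second time against the same suffix fails with "type or value exists", where `replace` simply rewrote the attribute.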
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 99ebae50..4ed4ddf0 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -97,6 +97,16 @@ ServerIdentifier= $SERVERID
Suffix= $SUFFIX
RootDN= cn=Directory Manager
RootDNPwd= $PASSWORD
+InstallLdifFile= /var/lib/dirsrv/boot.ldif
+"""
+
+BASE_TEMPLATE = """
+dn: $SUFFIX
+objectClass: top
+objectClass: domain
+objectClass: pilotObject
+dc: $BASEDC
+info: IPA V1.0
"""
class DsInstance(service.Service):
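Review bot: The path `/var/lib/dirsrv/boot.ldif` is hard-coded here in `InstallLdifFile=` and again as a literal in the two `__create_instance` hunks below (the `file(...)` open and the `os.remove(...)`), so the three copies can drift apart silently. Introduce one module constant, `BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"`, reference it from the template via the substitution dict (`InstallLdifFile= $BOOTLDIF` with `self.sub_dict['BOOTLDIF'] = BOOT_LDIF`), and use it for the open and the remove. `BASE_TEMPLATE` also deserves a one-line comment saying what it is, e.g. `# Minimal suffix entry handed to setup-ds-admin via InstallLdifFile so the setup script does not create its own default tree`.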
@@ -177,6 +187,15 @@ class DsInstance(service.Service):
def __create_instance(self):
self.backup_state("running", self.is_running())
self.backup_state("serverid", self.serverid)
+
+ self.sub_dict['BASEDC'] = self.domain[:self.domain.find('.')]
+ base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
+ logging.debug(base_txt)
+ base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
+ base_fd.write(base_txt)
+ base_fd.flush()
+ base_fd.close()
+
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
logging.debug("writing inf template")
inf_fd = ipautil.write_tmp_file(inf_txt)
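Review bot: `self.domain[:self.domain.find('.')]` is wrong when the domain has no dot: `find` returns -1 and the slice silently drops the last character instead of using the whole name as `$BASEDC`. `self.sub_dict['BASEDC'] = self.domain.split('.')[0]` gives the first label in every case. It also assumes the suffix is derived from the domain's first label; if `$SUFFIX` can be set independently of `self.domain` (not visible in this hunk), the generated `dc:` value would not match the entry's DN and the import would fail, so that assumption is worth a comment. `__create_instance` continues past the end of this hunk.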
@@ -200,6 +219,8 @@ class DsInstance(service.Service):
except ipautil.CalledProcessError, e:
print "failed to restart ds instance", e
logging.debug("failed to restart ds instance %s" % e)
+ inf_fd.close()
+ os.remove("/var/lib/dirsrv/boot.ldif")
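Review bot: The `os.remove("/var/lib/dirsrv/boot.ldif")` and `inf_fd.close()` are reached only when control flows normally past the `except` block, so any exception raised earlier in `__create_instance` (the setup-ds-admin invocation lies outside this hunk) leaves the boot LDIF and the inf temp file behind on disk. Wrapping the setup call in `try: ... finally:` with the close and remove in the `finally` branch makes the cleanup unconditional; the function continues outside the hunk, so the exact placement cannot be given here. Two smaller points: `os` must already be imported at module top for this line to work (not visible in this diff), and `os.remove` will raise `OSError` if the setup script ever moves or deletes the file itself, which a `finally` block should tolerate.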
def __add_default_schemas(self):
shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",