author | Simo Sorce <ssorce@redhat.com> | 2011-01-19 15:17:25 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-01-20 15:49:30 -0500 |
commit | 861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c (patch) | |
tree | 50e0025b2cdc32721bca357102daf4935e712c01 /install | |
parent | 5af80a7583edfd0061a70abde4868d4582247608 (diff) | |
Allow SASL/EXTERNAL authentication for the root user
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of services to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
Diffstat (limited to 'install')
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/root-autobind.ldif | 24 | ||||
-rwxr-xr-x | install/tools/ipactl | 5 |
3 files changed, 29 insertions, 1 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0fb5c896..4527a922 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -47,6 +47,7 @@ app_DATA = \
 uuid-ipauniqueid.ldif \
 modrdn-krbprinc.ldif \
 entryusn.ldif \
+ root-autobind.ldif \
 $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif
new file mode 100644
index 00000000..e7bbc8db
--- /dev/null
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a276..fc652c97 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
 from ipalib import api, errors
 import logging
 import ldap
+ import ldap.sasl
 import socket
 except ImportError:
 print >> sys.stderr, """\
@@ -36,6 +37,8 @@ error was:
 """ % sys.exc_value
 sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
 usage = "%prog start|stop|restart|status\n"
 parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
 try:
 con = ldap.initialize(api.env.ldap_uri)
- con.simple_bind()
+ con.sasl_interactive_bind_s('', SASL_EXTERNAL)
 res = con.search_st(base, ldap.SCOPE_SUBTREE,
 filterstr=srcfilter, |
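Review bot: The new cn=root-autobind,cn=config entry carries no ACI and nothing in the ldif says what the mapped identity is allowed to read, so the "low privileges" promised in the commit message rest entirely on whatever the default ACIs grant an entry under cn=config; that should be stated in the file rather than left for the reader to infer. As I understand 389-ds ldapi autobind, with nsslapd-ldapimaptoentries on and nsslapd-ldapientrysearchbase set to cn=config, any local process whose socket peer uid/gid matches an entry's uidNumber/gidNumber under that subtree is bound as that entry without presenting credentials, so any future entry added under cn=config with those attributes would silently become an autobind identity as well. I would replace the one-line `# root-autobind, config` comment with a short header saying that uidNumber: 0 / gidNumber: 0 are the ldapi peer credentials autobind matches against, that the entry itself grants no rights and its effective access comes from the ACIs in force on the search base, and that no other entry under cn=config should carry uidNumber/gidNumber.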
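Review bot: `SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')` is a bare module-level constant with no comment recording that EXTERNAL yields a usable identity here only because the connection is an ldapi socket whose peer uid/gid the server maps through the root-autobind entry; over a TCP ldap:// URI EXTERNAL would instead require a TLS client certificate, and nothing in this hunk constrains `api.env.ldap_uri` to ldapi. A one-line comment above it, `# SASL/EXTERNAL over ldapi: the server binds us by socket peer uid/gid (see root-autobind.ldif); no credentials are sent`, would make that coupling visible to whoever next touches the bind call. The bind that consumes it, `con.sasl_interactive_bind_s('', SASL_EXTERNAL)` in get_config, is in a later hunk that runs past the end of this page, so I cannot tell whether its except clause reports a failed SASL bind distinctly from a failed search.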