diff options
| -rwxr-xr-x | ipa-client/freeipa-client.spec | 4 | ||||
| -rw-r--r-- | ipa-client/freeipa-client.spec.in | 4 | ||||
| -rw-r--r-- | ipa-client/ipa-install/ipa-client-install | 113 | ||||
| -rw-r--r-- | ipa-client/ipaclient/__init__.py | 5 | ||||
| -rw-r--r-- | ipa-client/ipaclient/ipachangeconf.py | 248 | ||||
| -rw-r--r-- | ipa-client/ipaclient/ipadiscovery.py | 15 | ||||
| -rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 61 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 80 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 15 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/kerberos.ldif | 31 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/krb5.conf.template | 4 | ||||
| -rw-r--r-- | ipa-server/ipa-install/test/test-users-template.ldif | 18 | ||||
| -rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 2 | ||||
| -rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 27 | ||||
| -rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 29 | ||||
| -rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 4 |
16 files changed, 538 insertions, 122 deletions
diff --git a/ipa-client/freeipa-client.spec b/ipa-client/freeipa-client.spec index f8db90dc..f7672578 100755 --- a/ipa-client/freeipa-client.spec +++ b/ipa-client/freeipa-client.spec @@ -1,6 +1,6 @@ Name: freeipa-client Version: 0.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: FreeIPA client Group: System Environment/Base @@ -9,7 +9,7 @@ URL: http://www.freeipa.org Source0: %{name}-%{version}.tgz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: python python-ldap freeipa-python +Requires: python python-ldap python-krbV freeipa-python %description FreeIPA is a server for identity, policy, and audit. diff --git a/ipa-client/freeipa-client.spec.in b/ipa-client/freeipa-client.spec.in index 0f733bef..ed7fb3a5 100644 --- a/ipa-client/freeipa-client.spec.in +++ b/ipa-client/freeipa-client.spec.in @@ -1,6 +1,6 @@ Name: freeipa-client Version: VERSION -Release: 1%{?dist} +Release: 2%{?dist} Summary: FreeIPA client Group: System Environment/Base @@ -9,7 +9,7 @@ URL: http://www.freeipa.org Source0: %{name}-%{version}.tgz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: python python-ldap freeipa-python +Requires: python python-ldap python-krbV freeipa-python %description FreeIPA is a server for identity, policy, and audit. diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 0f399c48..70c0027d 100644 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -24,10 +24,12 @@ VERSION = "%prog .1" import sys sys.path.append("/usr/share/ipa") +import krbV import socket import logging from optparse import OptionParser import ipaclient.ipadiscovery +import ipaclient.ipachangeconf from ipaserver.util import run def parse_options(): @@ -35,10 +37,12 @@ def parse_options(): parser.add_option("--domain", dest="domain", help="domain name") parser.add_option("--server", dest="server", help="IPA server") parser.add_option("--realm", dest="realm_name", help="realm name") + parser.add_option("-f", "--force", dest="force", action="store_true", + default=False, help="force setting of ldap/kerberos conf") parser.add_option("-d", "--debug", dest="debug", action="store_true", - dest="debug", default=False, help="print debugging information") + default=False, help="print debugging information") parser.add_option("-U", "--unattended", dest="unattended", - help="unattended installation never prompts the user") + help="unattended installation never prompts the user") options, args = parser.parse_args() @@ -66,6 +70,7 @@ def logging_setup(options): def main(): options = parse_options() logging_setup(options) + dnsok = True # Create the discovery instance ds = ipaclient.ipadiscovery.IPADiscovery() @@ -85,24 +90,98 @@ def main(): print "Failed to determine your DNS domain (DNS misconfigured?)" dom = raw_input("Please provide your domain name (ex: example.com): ") ret = ds.search(domain=dom) - if ret == -2: - logging.debug("IPA Server not found") - if options.server: - srv = options.server - elif options.unattended: - return ret - else: - print "Failed to find the IPA Server (DNS misconfigured?)" - srv = raw_input("Please provide your server name (ex: ipa.example.com): ") - ret = ds.search(domain=dom, server=srv) - if ret != 0: - print "Failed to verify that "+srv+" is an IPA Server, aborting!" - return ret - - print "Discovery was successful!" + if ret == -2: + dnsok = False + logging.debug("IPA Server not found") + if options.server: + srv = options.server + elif options.unattended: + return ret + else: + print "Failed to find the IPA Server (DNS misconfigured?)" + srv = raw_input("Please provide your server name (ex: ipa.example.com): ") + ret = ds.search(domain=dom, server=srv) + if ret != 0: + print "Failed to verify that "+srv+" is an IPA Server, aborting!" + return ret + + if dnsok: + print "Discovery was successful!" + elif not options.unattended: + print "\nThe failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured\n." + print "Autodiscovery of servers for failover cannot work with this configuration.\n" + print "If you proceed with the installation, services will be configured to always access the discovered server for all operation and will not fail over to other servers in case of failure\n" + yesno = raw_input("Do you want to proceed and configure the system with fixed values with no DNS discovery? [y/N] ") + if yesno.lower() != "y": + return ret + print "\n" + print "Realm: "+ds.getRealmName() print "DNS Domain: "+ds.getDomainName() print "IPA Server: "+ds.getServerName() + print "BaseDN: "+ds.getBaseDN() + + # Configure ldap.conf + ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + opts = [{'name':'host', 'action':'comment'}, + {'name':'port', 'action':'comment'}, + {'name':'binddn', 'action':'comment'}, + {'name':'bindpw', 'action':'comment'}, + {'name':'rootbinddn', 'action':'comment'}, + {'name':'nss_base_passwd', 'value':ds.getBaseDN()+'?sub', 'action':'set'}, + {'name':'nss_base_group', 'value':ds.getBaseDN()+'?sub', 'action':'set'}, + {'name':'base', 'value':ds.getBaseDN(), 'action':'set'}, + {'name':'ldap_version', 'value':'3', 'action':'set'}] + if dnsok and not options.force: + opts.insert(0, {'name':'uri', 'action':'comment'}) + else: + opts.append({'name':'uri', 'value':'ldap://'+ds.getServerName(), 'action':'set'}) + ldapconf.setOptionAssignment(" ") + ldapconf.changeConf("/etc/ldap.conf", opts) + + #Check if kerberos is already configured properly + krbctx = krbV.default_context() + # If we find our domain assume we are properly configured + #(ex. we are configuring the client side of a Master) + if not krbctx.default_realm == ds.getRealmName() or options.force: + + #Configure krb5.conf + krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + krbconf.setOptionAssignment(" = ") + krbconf.setSectionNameDelimiters(("[","]")) + + #[libdefaults] + opts = [{'name':'default_realm', 'value':ds.getRealmName(), 'action':'set'}, + {'name':'ticket_lifetime', 'value':'24h', 'action':'set'}, + {'name':'forwardable', 'value':'yes', 'action':'set'}] + if dnsok and not options.force: + opts.insert(1, {'name':'dns_lookup_realm', 'value':'true', 'action':'set'}) + opts.insert(2, {'name':'dns_lookup_kdc', 'value':'true', 'action':'set'}) + else: + opts.insert(1, {'name':'dns_lookup_realm', 'value':'false', 'action':'set'}) + opts.insert(2, {'name':'dns_lookup_kdc', 'value':'false', 'action':'set'}) + krbconf.changeConf("/etc/krb5.conf", opts, "libdefaults"); + + #the following are necessary only if DNS discovery does not work + if not dnsok or options.force: + #[realms] + opts = [{'name':ds.getRealmName(), 'value':'{', 'action':'set'}, + {'name':'kdc', 'value':ds.getServerName()+':88', 'action':'set'}, + {'name':'admin_server', 'value':ds.getServerName()+':749', 'action':'set'}, + # adding '\n}' is a dirty hack because we still don't have subsections support + {'name':'default_domain', 'value':ds.getDomainName()+'\n}', 'action':'set'}] + krbconf.changeConf("/etc/krb5.conf", opts, "realms"); + + #[domain_realm] + opts = [{'name':'.'+ds.getDomainName(), 'value':ds.getRealmName(), 'action':'set'}, + {'name':ds.getDomainName(), 'value':ds.getRealmName(), 'action':'set'}] + krbconf.changeConf("/etc/krb5.conf", opts, "domain_realm"); + + #Modify nsswitch to add nss_ldap + run(["/usr/sbin/authconfig", "--enableldap", "--update"]) + + #Modify pam to add pam_krb5 + run(["/usr/sbin/authconfig", "--enablekrb5", "--update"]) return 0 diff --git a/ipa-client/ipaclient/__init__.py b/ipa-client/ipaclient/__init__.py index 66a4eb14..c07a549a 100644 --- a/ipa-client/ipaclient/__init__.py +++ b/ipa-client/ipaclient/__init__.py @@ -1,6 +1,5 @@ #! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# see inline +# Authors: Simo Sorce <ssorce@redhat.com> # # Copyright (C) 2007 Red Hat # see file 'COPYING' for use and warranty information @@ -19,5 +18,5 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -__all__ = ["ipadiscovery"] +__all__ = ["ipadiscovery", "ipachangeconf", "dnsclient"] diff --git a/ipa-client/ipaclient/ipachangeconf.py b/ipa-client/ipaclient/ipachangeconf.py new file mode 100644 index 00000000..646e0424 --- /dev/null +++ b/ipa-client/ipaclient/ipachangeconf.py @@ -0,0 +1,248 @@ +# +# ipachangeconf - configuration filke manipulation classes and functions +# partially based on authconfig code +# Copyright (c) 1999-2007 Red Hat, Inc. +# Author: Simo Sorce <ssorce@redhat.com> +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + +import fcntl +import os +import string +import time + +def openLocked(filename, perms): + fd = -1 + try: + fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms) + + fcntl.lockf(fd, fcntl.LOCK_EX) + except OSError, (errno, strerr): + if fd != -1: + try: + os.close(fd) + except OSError: + pass + raise IOError(errno, strerr) + return os.fdopen(fd, "r+") + + + #TODO: add subsection as a concept + # (ex. REALM.NAME = { foo = x bar = y } ) + #TODO: put section delimiters as separating element of the list + # so that we can process multiple sections in one go + #TODO: add a comment all but provided options as a section option +class IPAChangeConf: + + def __init__(self, name): + self.progname = name + self.optpre = ("",) + self.doptpre = self.optpre[0] + self.assign = (" = ",) + self.dassign = self.assign[0] + self.comment = ("#",) + self.dcomment = self.comment[0] + self.eol = ("\n",) + self.deol = self.eol[0] + #self.sectnamdel = ("[","]") + self.sectnamdel = () + self.newsection = False + + def setProgName(self, name): + self.progname = name + + def setOptionPrefix(self, prefix): + if type(prefix) is list: + self.optpre = prefix + else: + self.optpre = (prefix, ) + self.doptpre = self.optpre[0] + + def setOptionAssignment(self, assign): + if type(assign) is list: + self.assign = assign + else: + self.assign = (assign, ) + self.dassign = self.assign[0] + + def setCommentPrefix(self, comment): + if type(comment) is list: + self.comment = comment + else: + self.comment = (comment, ) + self.dcomment = self.comment[0] + + def setEndLine(self, eol): + if type(eol) is list: + self.eol = eol + else: + self.eol = (eol, ) + self.deol = self.eol[0] + + def setSectionNameDelimiters(self, delims): + self.sectnamdel = delims + + def confDump(self, options): + output = "" + + #pre conf options delimiter + output += self.deol + output += self.dcomment+"["+self.progname+"]--start-line--"+self.deol + output += self.dcomment+" Generated by authconfig on " + time.strftime("%Y/%m/%d %H:%M:%S") + self.deol + output += self.dcomment+" DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)"+self.deol + output += self.dcomment+" Any modification may be deleted or altered by authconfig in future"+self.deol + output += self.deol + + if self.newsection: + output += getSectionLine(section) + + #set options + for opt in options: + if opt['action'] == "set": + output += self.doptpre+opt['name']+self.dassign+opt['value']+self.deol + + #post conf options delimiter + output += self.deol + output += self.dcomment+"["+self.progname+"]--end-line--"+self.deol + output += self.deol + + return output + + def matchAutoEnd(self, line): + if line.endswith("]--end-line--"): + return True + return False + + def matchAutoStart(self, line): + if line.endswith("]--start-line--"): + return True + return False + + def matchComment(self, line): + for v in self.comment: + if line.strip().startswith(v): + return True + return False + + def matchLineOption(self, line, opt): + parts = line.split(self.dassign, 1) + if len(parts) < 2: + return False + elif parts[0].split() == opt['name'].split(): + return True + else: + return False + + def matchSection(self, line): + cl = "".join(line.strip().split()).lower() + if len(self.sectnamdel) != 2: + return False + if not cl.startswith(self.sectnamdel[0]): + return False + if not cl.endswith(self.sectnamdel[1]): + return False + return cl[len(self.sectnamdel[0]):-len(self.sectnamdel[1])] + + def getSectionLine(self, section): + if len(self.sectnamdel) != 2: + return section + return self.sectnamdel[0]+section+self.sectnamdel[1]+self.deol + + def checkLineOption(self, line, options): + output = "" + + # Check if this is a setting we care about. + for opt in options: + if self.matchLineOption(line.strip(), opt): + output = self.dcomment + break + + output += line + return output; + + # Write settings to configuration file + # file is a path + # options is a set of dictionaries in the form: + # [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}] + # section is a section name like 'global' + def changeConf(self, file, options, section=None): + autosection = False + savedsection = None + done = False + output = "" + f = None + try: + f = openLocked(file, 0644) + + # Read in the old file. + for line in f: + + if autosection: + if self.matchAutoEnd(line): + autosection = False + #skip all previous auto-generated lines + continue + + if self.matchAutoStart(line): + autosection = True + continue + + # If it's a comment, just pass it through. + if self.matchComment(line): + output += line + continue + + # If it's a section start, note the section name. + value = self.matchSection(line) + if value: + + # Here we are at start if a new section, if the previous one matches + # the specified section, dump here before starting the new one + # the comparison with section == None is intentional and matches the + # request to dump the options at the end of an implicit initial + # unmarked section before any section is started + if savedsection == section: + output += self.confDump(options) + done = True + + savedsection = value + output += line + continue + + # Comment out options we care about. + if savedsection == section: + output += self.checkLineOption(line, options) + continue + + # Copy anything else as is. + output += line + + if not done: + if section: + self.newsection = True + output += self.confDump(options) + + # Write it out and close it. + f.seek(0) + f.truncate(0) + f.write(output) + finally: + try: + if f: + f.close() + except IOError: + pass + return True diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 312c8ba4..6f44ffd1 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -30,6 +30,7 @@ class IPADiscovery: self.realm = None self.domain = None self.server = None + self.basedn = None def getServerName(self): return str(self.server) @@ -40,6 +41,9 @@ class IPADiscovery: def getRealmName(self): return str(self.realm) + def getBaseDN(self): + return str(self.basedn) + def search(self, domain = "", server = ""): hostname = "" qname = "" @@ -127,10 +131,10 @@ class IPADiscovery: lret = lh.search_s("", ldap.SCOPE_BASE, "(objectClass=*)") for lattr in lret[0][1]: if lattr.lower() == "namingcontexts": - lbase = lret[0][1][lattr][0] + self.basedn = lret[0][1][lattr][0] - logging.debug("Search for (info=*) in "+lbase+"(base)") - lret = lh.search_s(lbase, ldap.SCOPE_BASE, "(info=IPA*)") + logging.debug("Search for (info=*) in "+self.basedn+"(base)") + lret = lh.search_s(self.basedn, ldap.SCOPE_BASE, "(info=IPA*)") if not lret: return [] logging.debug("Found: "+str(lret)) @@ -144,8 +148,8 @@ class IPADiscovery: return [] #search and return known realms - logging.debug("Search for (objectClass=krbRealmContainer) in "+lbase+"(sub)") - lret = lh.search_s("cn=kerberos,"+lbase, ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)") + logging.debug("Search for (objectClass=krbRealmContainer) in "+self.basedn+"(sub)") + lret = lh.search_s("cn=kerberos,"+self.basedn, ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)") if not lret: #something very wrong return [] @@ -235,5 +239,4 @@ class IPADiscovery: else: kdc = qname - print "["+realm+", "+kdc+"]" return [realm, kdc] diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 91138c01..90296e5d 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa") import socket import logging +import pwd from optparse import OptionParser import ipaserver.dsinstance import ipaserver.krbinstance @@ -42,10 +43,12 @@ def parse_options(): help="ds user") parser.add_option("-r", "--realm", dest="realm_name", help="realm name") - parser.add_option("-p", "--ds-password", dest="ds_password", + parser.add_option("-p", "--ds-password", dest="dm_password", help="admin password") parser.add_option("-P", "--master-password", dest="master_password", help="kerberos master password") + parser.add_option("-a", "--admin-password", dest="admin_password", + help="admin user kerberos password") parser.add_option("-d", "--debug", dest="debug", action="store_true", dest="debug", default=False, help="print debugging information") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") @@ -56,7 +59,8 @@ def parse_options(): if options.unattended and (not options.ds_user or not options.realm_name or - not options.ds_password or + not options.dm_password or + not options.admin_password or not options.master_password): parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options") @@ -95,7 +99,8 @@ def main(): realm_name = "" host_name = "" master_password = "" - ds_password = "" + dm_password = "" + admin_password = "" # check the hostname is correctly configured, it must be as the kldap # utilities just use the hostname as returned by gethostbyname to set @@ -137,13 +142,25 @@ def main(): print "" if not options.ds_user: - print "To securely run Directory Server we need a user account to be set up." - print "This will allow DS to run as a user and not as root." - print "The user account will have access to some security material so it should not be shared with any other application." - print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure." - print "" - ds_user = raw_input("Which account name do you want to use for the DS instance ? ") - print "" + + try: + pwd.getpwnam('dirsrv') + + print "To securely run Directory Server we need a user account to be set up." + print "This will allow DS to run as a user and not as root." + print "The user account will have access to some security material so it should not be shared with any other application." + print "A user account named 'dirsrv' already exist. You should not share the account with any other service." + print "" + yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)") + print "" + if yesno.lower() == "y": + ds_user = "dirsrv" + else: + ds_user = raw_input("Which account name do you want to use for the DS instance ? ") + print "" + except KeyError: + ds_user = "dirsrv" + if ds_user == "": return "-Aborted-" else: @@ -177,14 +194,15 @@ def main(): else: realm_name = options.realm_name - if not options.ds_password: + if not options.dm_password: print "The Directory Manager user is the equivalent of 'root' for Diretcory Server." + print "This account has full access to the Directory and is used for system management tasks." print "" #TODO: provide the option of generating a random password - ds_password = raw_input("Please provide a password for the Directory Manager: ") + dm_password = raw_input("Please provide a password for the Directory Manager: ") print "" else: - ds_password = options.ds_password + dm_password = options.dm_password if not options.master_password: print "The Kerberos database is usually encrypted using a master password." @@ -199,13 +217,23 @@ def main(): else: master_password = options.master_password + if not options.admin_password: + print "The 'admin' user is the administrative user used to administare an IPA server." + print "This account is the one that will be used for normal administration and is also a regular unix user" + print "" + #TODO: provide the option of generating a random password + admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ") + print "" + else: + admin_password = options.admin_password + # Create a directory server instance ds = ipaserver.dsinstance.DsInstance() - ds.create_instance(ds_user, realm_name, host_name, ds_password) + ds.create_instance(ds_user, realm_name, host_name, dm_password) # Create a kerberos instance krb = ipaserver.krbinstance.KrbInstance() - krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password) + krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password) # Restart ds after the krb instance has changed ds configurations ds.restart() @@ -228,6 +256,9 @@ def main(): # Start Kpasswd run(["/sbin/service", "ipa-kpasswd", "start"]) + # Set the admin user kerberos password + ds.change_admin_password(admin_password) + # Create the config file fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index 2986f3ab..0284caa8 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -4,55 +4,77 @@ add: objectClass objectClass: pilotObject info: IPA V1.0 -# default, $REALM -dn: ou=default,$SUFFIX +dn: cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: default +objectClass: nsContainer +cn: accounts -# users, default, $REALM -dn: ou=users,ou=default,$SUFFIX +dn: cn=users,cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: users +objectClass: nsContainer +cn: users -# groups, default, $REALM -dn: ou=groups,ou=default,$SUFFIX +dn: cn=groups,cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: groups +objectClass: nsContainer +cn: groups -# computers, default, $REALM -#dn: ou=computers,ou=default,$SUFFIX -#objectClass: organizationalUnit +#dn: cn=computers,cn=accounts,$SUFFIX #objectClass: top -#ou: computers +#objectClass: nsContainer +#cn: computers -dn: ou=special,$SUFFIX +dn: cn=etc,$SUFFIX changetype: add -objectClass: organizationalUnit +objectClass: nsContainer objectClass: top -ou: special +cn: etc -dn: uid=webservice,ou=special,$SUFFIX +dn: cn=sysaccounts,cn=etc,$SUFFIX changetype: add -uid: webservice +objectClass: nsContainer +objectClass: top +cn: sysaccounts + +dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX +changetype: add +objectClass: top objectClass: account +uid: webservice + +dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX +changetype: add objectClass: top -objectClass: inetOrgPerson -objectClass: organizationalPerson objectClass: person -cn: Web Service -sn: Service +objectClass: posixAccount +objectClass: KrbPrincipalAux +uid: admin +krbPrincipalName: admin@$REALM +cn: Administrator +sn: Administrator +uidNumber: 1000 +gidNumber: 1001 +homeDirectory: /home/admin +loginShell: /bin/bash +gecos: Administrator + +dn: cn=admins,cn=groups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofuniquenames +objectClass: posixGroup +cn: Account Admins +description: Account administrators group +gidNumber: 1001 +uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX -dn: cn=admin,ou=groups,ou=default,$SUFFIX +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: add -description: ou=users administrators objectClass: top objectClass: groupofuniquenames objectClass: posixGroup -gidNumber: 500 -cn: admin +gidNumber: 1002 +cn: ipausers diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 2b05e102..9ed65a43 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -3,12 +3,9 @@ dn: $SUFFIX changetype: modify replace: aci aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) -aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";) -aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";) -aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";) -aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) -aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) +aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) +aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif index ae4564f6..d55f39ce 100644 --- a/ipa-server/ipa-install/share/kerberos.ldif +++ b/ipa-server/ipa-install/share/kerberos.ldif @@ -1,26 +1,35 @@ -#kerberos base object -dn: cn=kerberos,$SUFFIX -changetype: add -objectClass: krbContainer -objectClass: top -cn: kerberos -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";) - #kerberos user -dn: uid=kdc,cn=kerberos,$SUFFIX +dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX changetype: add objectclass: account objectclass: simplesecurityobject uid: kdc userPassword: $PASSWORD +#kerberos base object +dn: cn=kerberos,$SUFFIX +changetype: add +objectClass: krbContainer +objectClass: top +cn: kerberos +aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) + #sasl mapping -dn: cn=kerberos,cn=mapping,cn=sasl,cn=config +dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config changetype: add objectclass: top objectclass: nsSaslMapping -cn: kerberos +cn: Full Principal nsSaslMapRegexString: \(.*\)@\(.*\) nsSaslMapBaseDNTemplate: $SUFFIX nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2) +dn: cn=Name Only,cn=mapping,cn=sasl,cn=config +changetype: add +objectclass: top +objectclass: nsSaslMapping +cn: Name Only +nsSaslMapRegexString: \(.*\) +nsSaslMapBaseDNTemplate: $SUFFIX +nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM) + diff --git a/ipa-server/ipa-install/share/krb5.conf.template b/ipa-server/ipa-install/share/krb5.conf.template index 23a24703..b81cedfe 100644 --- a/ipa-server/ipa-install/share/krb5.conf.template +++ b/ipa-server/ipa-install/share/krb5.conf.template @@ -35,8 +35,8 @@ db_library = kldap ldap_servers = ldap://127.0.0.1/ ldap_kerberos_container_dn = cn=kerberos,$SUFFIX - ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX - ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX + ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX + ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd } diff --git a/ipa-server/ipa-install/test/test-users-template.ldif b/ipa-server/ipa-install/test/test-users-template.ldif index 0057d976..f5573d83 100644 --- a/ipa-server/ipa-install/test/test-users-template.ldif +++ b/ipa-server/ipa-install/test/test-users-template.ldif @@ -1,30 +1,22 @@ # test, users, default, $REALM -dn: uid=test,ou=users,ou=default,$SUFFIX +dn: uid=test,cn=users,cn=accounts,$SUFFIX changetype: add -uidNumber: 1001 +uidNumber: 1003 uid: test gecos: test homeDirectory: /home/test loginShell: /bin/bash -shadowMin: 0 -shadowWarning: 7 -shadowMax: 99999 -shadowExpire: -1 -shadowInactive: -1 -shadowLastChange: 13655 -shadowFlag: -1 -gidNumber: 100 +gidNumber: 1002 objectclass: krbPrincipalAux objectclass: inetOrgPerson objectClass: posixAccount -objectClass: shadowAccount objectClass: account objectClass: top cn: Test User sn: User krbPrincipalName: test@$REALM -dn: cn=admin,ou=groups,ou=default,$SUFFIX +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: modify add: uniqueMember -uniqueMember: uid=test,ou=users,ou=default,$SUFFIX +uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index f3771204..e920cec7 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -926,7 +926,7 @@ ipapwd_extop( Slapi_PBlock *pb ) goto free_and_return; } - if ( (is_ssl <=1) && (sasl_ssf <= 1) ) { + if ( (is_ssl == 0) && (sasl_ssf <= 1) ) { errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto free_and_return; diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 2c7e0c7d..841bc31f 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -72,16 +72,18 @@ class DsInstance: def __init__(self): self.serverid = None self.realm_name = None + self.suffix = None self.host_name = None - self.admin_password = None + self.dm_password = None self.sub_dict = None - def create_instance(self, ds_user, realm_name, host_name, admin_password): + def create_instance(self, ds_user, realm_name, host_name, dm_password): self.ds_user = ds_user self.serverid = generate_serverid() self.realm_name = realm_name.upper() + self.suffix = realm_to_suffix(self.realm_name) self.host_name = host_name - self.admin_password = admin_password + self.dm_password = dm_password self.__setup_sub_dict() self.__create_ds_user() @@ -111,10 +113,9 @@ class DsInstance: run(["/sbin/service", "dirsrv", "restart"]) def __setup_sub_dict(self): - suffix = realm_to_suffix(self.realm_name) server_root = find_server_root() self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.admin_password, SUFFIX=suffix, + PASSWORD=self.dm_password, SUFFIX=self.suffix, REALM=self.realm_name, USER=self.ds_user, SERVER_ROOT=server_root) @@ -155,7 +156,7 @@ class DsInstance: def __enable_ssl(self): logging.debug("configuring ssl for ds instance") dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + args = ["/usr/sbin/ipa-server-setupssl", self.dm_password, dirname, self.host_name] run(args) logging.debug("done configuring ssl for ds instance") @@ -165,7 +166,7 @@ class DsInstance: inf_fd = write_tmp_file(txt) logging.debug("adding default ds layout") args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.admin_password, "-f", inf_fd.name] + "-w", self.dm_password, "-f", inf_fd.name] run(args) logging.debug("done adding default ds layout") @@ -184,5 +185,15 @@ class DsInstance: certmap_fd = open(dirname+"certmap.conf", "w+") certmap_fd.write(certmap_conf) certmap_fd.close() - logging.debug("done configuring certmap.conf for ds instance") + + def change_admin_password(self, password): + logging.debug("Changing admin password") + dirname = self.config_dirname() + args = ["/usr/lib/mozldap/ldappasswd", + "-D", "cn=Directory Manager", "-w", self.dm_password, + "-P", dirname+"/cert8.db", "-ZZZ", "-s", password, + "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix] + run(args) + logging.debug("ldappasswd done") + diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 1c77b086..e17ab525 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -109,7 +109,7 @@ class KrbInstance: for x in self.kdc_password: hexpwd += (hex(ord(x))[2:]) pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") - pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n") pwd_fd.close() def __setup_sub_dict(self): @@ -147,7 +147,7 @@ class KrbInstance: krb5_fd.close() #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] run(args) #add the password extop module @@ -178,6 +178,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/etc/dirsrv/ds.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/dirsrv", "a") cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n") cfg_fd.close() @@ -199,6 +208,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") cfg_fd.close() @@ -215,8 +233,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 while not file_exists("/etc/httpd/conf/ipa.keytab"): time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + pent = pwd.getpwnam("apache") os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 4b1fe7ed..e3e58ce9 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -37,8 +37,8 @@ import re # Need a global to store this between requests _LDAPPool = None -DefaultUserContainer = "ou=users,ou=default" -DefaultGroupContainer = "ou=groups,ou=default" +DefaultUserContainer = "cn=users,cn=accounts" +DefaultGroupContainer = "cn=groups,cn=accounts" # # Apache runs in multi-process mode so each process will have its own |