-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/default-hbac.ldif14
-rwxr-xr-xinstall/tools/ipa-server-install7
-rw-r--r--install/tools/man/ipa-server-install.13
-rw-r--r--ipaserver/install/dsinstance.py11
5 files changed, 32 insertions, 4 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 92d50775..5f353683 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,6 +13,7 @@ app_DATA = \
bootstrap-template.ldif \
caJarSigningCert.cfg.template \
default-aci.ldif \
+ default-hbac.ldif \
default-keytypes.ldif \
delegation.ldif \
dns.ldif \
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
new file mode 100644
index 00000000..541ff0df
--- /dev/null
+++ b/install/share/default-hbac.ldif
@@ -0,0 +1,14 @@
+# default HBAC policy that grants permission to all services
+dn: ipauniqueid=$UUID,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_all
+accessruletype: allow
+usercategory: all
+hostcategory: all
+sourcehostcategory: all
+ipaenabledflag: TRUE
+description: Allow all users to access any host from any host
+# ipauniqueid gets added for us by 389-ds
+
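Review bot: The header comment on the first line of the new file says what the rule grants but not that it is a deliberately wide-open bootstrap default; the man page text added elsewhere in this commit says operators are expected to remove it before production, and that expectation belongs next to the rule itself, e.g. `# Bootstrap-only default: grants every user access to every host from any host; replace with site-specific rules before production use.` It would also help to state that `$UUID` and `$SUFFIX` are placeholders the installer substitutes before the LDIF is applied, since the file is not valid LDIF as written.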
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4fd520a6..c7fe6608 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -122,6 +122,9 @@ def parse_options():
help="The starting gid value (default random)")
parser.add_option("--subject", dest="subject", default="O=IPA",
help="The certificate subject base (default O=IPA)")
+ parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
+ action="store_true",
+ help="Don't install allow_all HBAC rule")
options, args = parser.parse_args()
if not options.setup_dns:
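Review bot: The new option's `dest="hbac_allow"` holds the opposite of its name: with `action="store_true"` it is True exactly when the user asked for `--no_hbac_allow`, which is why both `create_instance` calls in the next hunk of this file have to pass `hbac_allow=not options.hbac_allow`. Declaring it as `parser.add_option("--no_hbac_allow", dest="hbac_allow", default=True, action="store_false", help="Don't install allow_all HBAC rule")` keeps the flag name while making `options.hbac_allow` mean what it says, so both call sites can pass `hbac_allow=options.hbac_allow` directly. The `parse_options` body continues outside the hunk, so it is not visible here whether anything else reads this option.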
@@ -722,11 +725,11 @@ def main():
if options.dirsrv_pkcs12:
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
try:
- ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject)
+ ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow)
finally:
os.remove(pw_name)
else:
- ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject)
+ ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject, hbac_allow=not options.hbac_allow)
# Create a kerberos instance
krb = krbinstance.KrbInstance(fstore)
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index edd54163..a64a2eba 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -101,6 +101,9 @@ The starting group id number (default random)
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=IPA)
.TP
+\fB\-\-no_hbac_allow\fR
+Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
+.TP
.SH "EXIT STATUS"
0 if the installation was successful
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3987f08e..d6dbb80b 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -38,7 +38,7 @@ from ldap.dn import escape_dn_chars
from ipaserver import ipaldap
from ipaserver.install import ldapupdate
from ipaserver.install import httpinstance
-from ipalib import util
+from ipalib import util, uuid
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -157,7 +157,7 @@ class DsInstance(service.Service):
else:
self.suffix = None
- def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, uidstart=1100, gidstart=1100, subject_base=None):
+ def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, uidstart=1100, gidstart=1100, subject_base=None, hbac_allow=True):
self.ds_user = ds_user
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
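Review bot: The new `hbac_allow=True` keyword on `create_instance` is undocumented, and its default loads a rule that grants every user access to every host (the LDIF added in this commit), so a caller that does not know about the parameter gets the permissive rule silently. A comment at the signature would make the contract explicit, e.g. `# hbac_allow: when True (the default) load the allow_all HBAC rule from default-hbac.ldif; ipa-server-install passes False for --no_hbac_allow`. `create_instance` continues outside the hunk, and the two lines before the signature belong to a preceding method whose start is not shown.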
@@ -194,6 +194,8 @@ class DsInstance(service.Service):
self.__add_master_entry_first_master)
self.step("initializing group membership",
self.init_memberof)
+ if hbac_allow:
+ self.step("creating default HBAC rule allow_all", self.add_hbac)
self.step("configuring directory to start on boot", self.__enable)
@@ -411,6 +413,11 @@ class DsInstance(service.Service):
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)
+ def add_hbac(self):
+ self.sub_dict['UUID'] = str(uuid.uuid1())
+ self._ldap_mod("default-hbac.ldif", self.sub_dict)
+ del self.sub_dict['UUID']
+
def change_admin_password(self, password):
logging.debug("Changing admin password")
dirname = config_dirname(self.serverid)
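Review bot: In `add_hbac` the `del self.sub_dict['UUID']` after `_ldap_mod` is skipped if `_ldap_mod` raises, leaving the generated UUID in `self.sub_dict` for any later template substitution on the same instance; a `try`/`finally` keeps the cleanup unconditional, and the method should also get a docstring. Separately, `uuid.uuid1()` embeds the host's MAC address and a timestamp in the value that becomes the entry's RDN; if the `ipalib.uuid` module offers a random-based `uuid4()` as the standard library does, that would avoid recording those details in the directory — worth confirming against that module. `change_admin_password` at the end of the hunk continues outside it.
```python
    def add_hbac(self):
        """Load the default allow_all HBAC rule from default-hbac.ldif.

        A fresh UUID is substituted for $UUID in the template; the key is
        removed from sub_dict again even if the LDAP modification fails.
        """
        self.sub_dict['UUID'] = str(uuid.uuid1())
        try:
            self._ldap_mod("default-hbac.ldif", self.sub_dict)
        finally:
            del self.sub_dict['UUID']
```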