6 files changed, 130 insertions, 79 deletions

diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index 91138c01..90296e5d 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa")
 
 import socket
 import logging
+import pwd
 from optparse import OptionParser
 import ipaserver.dsinstance
 import ipaserver.krbinstance
@@ -42,10 +43,12 @@ def parse_options():
                       help="ds user")
     parser.add_option("-r", "--realm", dest="realm_name",
                       help="realm name")
-    parser.add_option("-p", "--ds-password", dest="ds_password",
+    parser.add_option("-p", "--ds-password", dest="dm_password",
                       help="admin password")
     parser.add_option("-P", "--master-password", dest="master_password",
                       help="kerberos master password")
+    parser.add_option("-a", "--admin-password", dest="admin_password",
+                      help="admin user kerberos password")
     parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      dest="debug", default=False, help="print debugging information")
     parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
@@ -56,7 +59,8 @@ def parse_options():
 
     if options.unattended and (not options.ds_user or
                                not options.realm_name or
-                               not options.ds_password or
+                               not options.dm_password or
+                               not options.admin_password or
                                not options.master_password):
         parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options")
 
@@ -95,7 +99,8 @@ def main():
     realm_name = ""
     host_name = ""
     master_password = ""
-    ds_password = ""
+    dm_password = ""
+    admin_password = ""
 
     # check the hostname is correctly configured, it must be as the kldap
     # utilities just use the hostname as returned by gethostbyname to set
@@ -137,13 +142,25 @@ def main():
     print ""
 
     if not options.ds_user:
-        print "To securely run Directory Server we need a user account to be set up."
-        print "This will allow DS to run as a user and not as root."
-        print "The user account will have access to some security material so it should not be shared with any other application."
-        print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure."
-        print ""
-        ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
-        print ""
+
+        try:
+            pwd.getpwnam('dirsrv')
+
+            print "To securely run Directory Server we need a user account to be set up."
+            print "This will allow DS to run as a user and not as root."
+            print "The user account will have access to some security material so it should not be shared with any other application."
+            print "A user account named 'dirsrv' already exist. You should not share the account with any other service."
+            print ""
+            yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)")
+            print ""
+            if yesno.lower() == "y":
+                ds_user = "dirsrv"
+            else:
+                ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
+                print ""
+        except KeyError:
+            ds_user = "dirsrv"
+
         if ds_user == "":
              return "-Aborted-"
     else:
@@ -177,14 +194,15 @@ def main():
     else:
         realm_name = options.realm_name
 
-    if not options.ds_password:
+    if not options.dm_password:
         print "The Directory Manager user is the equivalent of 'root' for Diretcory Server."
+        print "This account has full access to the Directory and is used for system management tasks."
         print ""
         #TODO: provide the option of generating a random password
-        ds_password = raw_input("Please provide a password for the Directory Manager: ")
+        dm_password = raw_input("Please provide a password for the Directory Manager: ")
         print ""
     else:
-        ds_password = options.ds_password
+        dm_password = options.dm_password
 
     if not options.master_password:
         print "The Kerberos database is usually encrypted using a master password."
@@ -199,13 +217,23 @@ def main():
     else:
         master_password = options.master_password
 
+    if not options.admin_password:
+        print "The 'admin' user is the administrative user used to administare an IPA server."
+        print "This account is the one that will be used for normal administration and is also a regular unix user"
+        print ""
+        #TODO: provide the option of generating a random password
+        admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ")
+        print ""
+    else:
+        admin_password = options.admin_password
+
     # Create a directory server instance
     ds = ipaserver.dsinstance.DsInstance()
-    ds.create_instance(ds_user, realm_name, host_name, ds_password)
+    ds.create_instance(ds_user, realm_name, host_name, dm_password)
 
     # Create a kerberos instance
     krb = ipaserver.krbinstance.KrbInstance()
-    krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password)
+    krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)
 
     # Restart ds after the krb instance has changed ds configurations
     ds.restart()
@@ -228,6 +256,9 @@ def main():
     # Start Kpasswd
     run(["/sbin/service", "ipa-kpasswd", "start"])
 
+    # Set the admin user kerberos password
+    ds.change_admin_password(admin_password)
+
     # Create the config file
     fd = open("/etc/ipa/ipa.conf", "w")
     fd.write("[defaults]\n")
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 2986f3ab..0284caa8 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -4,55 +4,77 @@ add: objectClass
 objectClass: pilotObject
 info: IPA V1.0
 
-# default, $REALM
-dn: ou=default,$SUFFIX
+dn: cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: default
+objectClass: nsContainer
+cn: accounts
 
-# users, default, $REALM
-dn: ou=users,ou=default,$SUFFIX
+dn: cn=users,cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: users
+objectClass: nsContainer
+cn: users
 
-# groups, default, $REALM
-dn: ou=groups,ou=default,$SUFFIX
+dn: cn=groups,cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: groups
+objectClass: nsContainer
+cn: groups
 
-# computers, default, $REALM
-#dn: ou=computers,ou=default,$SUFFIX
-#objectClass: organizationalUnit
+#dn: cn=computers,cn=accounts,$SUFFIX
 #objectClass: top
-#ou: computers
+#objectClass: nsContainer
+#cn: computers
 
-dn: ou=special,$SUFFIX
+dn: cn=etc,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
+objectClass: nsContainer
 objectClass: top
-ou: special
+cn: etc
 
-dn: uid=webservice,ou=special,$SUFFIX
+dn: cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
-uid: webservice
+objectClass: nsContainer
+objectClass: top
+cn: sysaccounts
+
+dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
 objectClass: account
+uid: webservice
+
+dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
 objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
 objectClass: person
-cn: Web Service
-sn: Service
+objectClass: posixAccount
+objectClass: KrbPrincipalAux
+uid: admin
+krbPrincipalName: admin@$REALM
+cn: Administrator
+sn: Administrator
+uidNumber: 1000
+gidNumber: 1001
+homeDirectory: /home/admin
+loginShell: /bin/bash
+gecos: Administrator
+
+dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofuniquenames
+objectClass: posixGroup
+cn: Account Admins
+description: Account administrators group
+gidNumber: 1001
+uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
 
-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
 changetype: add
-description: ou=users administrators
 objectClass: top
 objectClass: groupofuniquenames
 objectClass: posixGroup
-gidNumber: 500
-cn: admin
+gidNumber: 1002
+cn: ipausers
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 2b05e102..9ed65a43 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -3,12 +3,9 @@ dn: $SUFFIX
 changetype: modify
 replace: aci
 aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
-aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
-aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
-aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) 
+aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
index ae4564f6..d55f39ce 100644
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@@ -1,26 +1,35 @@
-#kerberos base object
-dn: cn=kerberos,$SUFFIX
-changetype: add
-objectClass: krbContainer
-objectClass: top
-cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-
 #kerberos user
-dn: uid=kdc,cn=kerberos,$SUFFIX
+dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: kdc
 userPassword: $PASSWORD
 
+#kerberos base object
+dn: cn=kerberos,$SUFFIX
+changetype: add
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+
 #sasl mapping
-dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
+dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
 changetype: add
 objectclass: top
 objectclass: nsSaslMapping
-cn: kerberos
+cn: Full Principal
 nsSaslMapRegexString: \(.*\)@\(.*\)
 nsSaslMapBaseDNTemplate: $SUFFIX
 nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
 
+dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
+changetype: add
+objectclass: top
+objectclass: nsSaslMapping
+cn: Name Only
+nsSaslMapRegexString: \(.*\)
+nsSaslMapBaseDNTemplate: $SUFFIX
+nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
+
diff --git a/ipa-server/ipa-install/share/krb5.conf.template b/ipa-server/ipa-install/share/krb5.conf.template
index 23a24703..b81cedfe 100644
--- a/ipa-server/ipa-install/share/krb5.conf.template
+++ b/ipa-server/ipa-install/share/krb5.conf.template
@@ -35,8 +35,8 @@
     db_library = kldap
     ldap_servers = ldap://127.0.0.1/
     ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
-    ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
-    ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX
+    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
+    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
     ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
   }
 
diff --git a/ipa-server/ipa-install/test/test-users-template.ldif b/ipa-server/ipa-install/test/test-users-template.ldif
index 0057d976..f5573d83 100644
--- a/ipa-server/ipa-install/test/test-users-template.ldif
+++ b/ipa-server/ipa-install/test/test-users-template.ldif
@@ -1,30 +1,22 @@
 # test, users, default, $REALM
-dn: uid=test,ou=users,ou=default,$SUFFIX
+dn: uid=test,cn=users,cn=accounts,$SUFFIX
 changetype: add
-uidNumber: 1001
+uidNumber: 1003
 uid: test
 gecos: test
 homeDirectory: /home/test
 loginShell: /bin/bash
-shadowMin: 0
-shadowWarning: 7
-shadowMax: 99999
-shadowExpire: -1
-shadowInactive: -1
-shadowLastChange: 13655
-shadowFlag: -1
-gidNumber: 100
+gidNumber: 1002
 objectclass: krbPrincipalAux
 objectclass: inetOrgPerson
 objectClass: posixAccount
-objectClass: shadowAccount
 objectClass: account
 objectClass: top
 cn: Test User
 sn: User
 krbPrincipalName: test@$REALM
 
-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
 changetype: modify
 add: uniqueMember
-uniqueMember: uid=test,ou=users,ou=default,$SUFFIX
+uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX