Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r--ipa-server/ipa-install/freeipa-setup-20070713.patch288
-rw-r--r--ipa-server/ipa-install/share/bind.zone.db.template26
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif6
-rw-r--r--ipa-server/ipa-install/share/fedora-ds.init.patch12
4 files changed, 292 insertions, 40 deletions
diff --git a/ipa-server/ipa-install/freeipa-setup-20070713.patch b/ipa-server/ipa-install/freeipa-setup-20070713.patch
new file mode 100644
index 00000000..5a36eee0
--- /dev/null
+++ b/ipa-server/ipa-install/freeipa-setup-20070713.patch
@@ -0,0 +1,288 @@
+diff -r 5ebd8adc48b8 ipa-install/README
+--- a/ipa-install/README Mon Jul 02 15:51:04 2007 -0400
++++ b/ipa-install/README Fri Jul 13 16:25:05 2007 -0400
+@@ -5,12 +5,17 @@ fedora-ds-base
+ fedora-ds-base
+ openldap-clients
+ krb5-server-ldap
++cyrus-sasl-gssapi
+
+
+ Installation example:
++
++TEMPORARY: (until fedora ds scripts are fixed)
++please use the fedora-ds.init.patch under share/ to patch your init scripts before
++running ipa-server-install
+
+ cd ipa-install
+ make install
+ cd ..
+-/usr/sbin/ipa-server-install -r FREEIPA.ORG -a rc1.freeipa.org -p freeipa -m ipafree
++/usr/sbin/ipa-server-install -u fds -r FREEIPA.ORG -p freeipa -m ipafree
+
+diff -r 5ebd8adc48b8 ipa-install/share/bind.zone.db.template
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/ipa-install/share/bind.zone.db.template Fri Jul 13 16:22:12 2007 -0400
+@@ -0,0 +1,26 @@
++$$ORIGIN $DOMAIN.
++$$TTL 86400
++@ IN SOA $DOMAIN. root.$DOMAIN. (
++ 01 ; serial (d. adams)
++ 3H ; refresh
++ 15M ; retry
++ 1W ; expiry
++ 1D ) ; minimum
++
++ IN NS $HOST
++$HOST IN A $IP
++;
++; ldap servers
++_ldap._tcp IN SRV 0 100 389 $HOST
++
++;kerberos realm
++_kerberos IN TXT $REALM
++
++; kerberos servers
++_kerberos._tcp IN SRV 0 100 88 $HOST
++_kerberos._udp IN SRV 0 100 88 $HOST
++_kerberos-master._tcp IN SRV 0 100 88 $HOST
++_kerberos-master._udp IN SRV 0 100 88 $HOST
++_kpasswd._tcp IN SRV 0 100 88 $HOST
++_kpasswd._udp IN SRV 0 100 88 $HOST
++
+diff -r 5ebd8adc48b8 ipa-install/share/fedora-ds.init.patch
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/ipa-install/share/fedora-ds.init.patch Fri Jul 13 14:45:53 2007 -0400
+@@ -0,0 +1,12 @@
++--- /etc/init.d/fedora-ds.orig 2007-07-06 18:21:30.000000000 -0400
+++++ /etc/init.d/fedora-ds 2007-05-18 19:36:24.000000000 -0400
++@@ -10,6 +10,9 @@
++ # datadir: /var/lib/fedora-ds/slapd-<instance name>
++ #
++
+++# Get config.
+++[ -r /etc/sysconfig/fedora-ds ] && . /etc/sysconfig/fedora-ds
+++
++ # Source function library.
++ if [ -f /etc/rc.d/init.d/functions ] ; then
++ . /etc/rc.d/init.d/functions
+diff -r 5ebd8adc48b8 ipa-install/share/krb5.conf.template
+--- a/ipa-install/share/krb5.conf.template Mon Jul 02 15:51:04 2007 -0400
++++ b/ipa-install/share/krb5.conf.template Fri Jul 13 11:01:36 2007 -0400
+@@ -9,6 +9,13 @@
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ forwardable = yes
++
++[realms]
++ $REALM = {
++ kdc = $FQDN:88
++ admin_server = $FQDN:749
++ default_domain = $DOMAIN
++}
+
+ [domain_realm]
+ .$DOMAIN = $REALM
+@@ -29,7 +36,7 @@
+ ldap_servers = ldap://127.0.0.1/
+ ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
+ ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
+-; ldap_kadmind_dn = cn=Directory Manager
++ ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX
+ ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
+ }
+
+diff -r 5ebd8adc48b8 ipa-install/src/ipa-server-install
+--- a/ipa-install/src/ipa-server-install Mon Jul 02 15:51:04 2007 -0400
++++ b/ipa-install/src/ipa-server-install Fri Jul 13 19:43:13 2007 -0400
+@@ -26,6 +26,7 @@
+
+ VERSION = "%prog .1"
+
++import socket
+ import logging
+ from optparse import OptionParser
+ import ipa.dsinstance
+@@ -37,8 +38,6 @@ def parse_options():
+ help="ds user")
+ parser.add_option("-r", "--realm", dest="realm_name",
+ help="realm name")
+- parser.add_option("-a", "--host-address", dest="host_name",
+- help="host address (name or IP address)")
+ parser.add_option("-p", "--password", dest="password",
+ help="admin password")
+ parser.add_option("-m", "--master-password", dest="master_password",
+@@ -46,8 +45,8 @@ def parse_options():
+
+ options, args = parser.parse_args()
+
+- if not options.realm_name or not options.host_name or not options.password:
+- parser.error("error: password, realm, and host name required")
++ if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
++ parser.error("error: all options are required")
+
+ return options
+
+@@ -56,13 +55,35 @@ def main():
+ format='%(asctime)s %(levelname)s %(message)s',
+ filename='ipa-install.log',
+ filemode='w')
++
+ options = parse_options()
++
++ # check the hostname is correctly configured, it must be as the kldap
++ # utilities just use the hostname as returned by gethostbyname to set
++ # up some of the standard entries
++
++ host_name = socket.gethostname()
++ if len(host_name.split(".")) < 2:
++ print "Invalid hostname <"+host_name+">"
++ print "Check the /etc/hosts file and make sure to have a valid FQDN"
++ return "-Fatal Error-"
++
++ if socket.gethostbyname(host_name) == "127.0.0.1":
++ print "The hostname resolves to the localhost address (127.0.0.1)"
++ print "Please change your /etc/hosts file or your DNS so that the"
++ print "hostname resolves to the ip address of your network interface."
++ print "The KDC service does not listen on 127.0.0.1"
++ return "-Fatal Error-"
++
++ print "The Final KDC Host Name will be: " + host_name
++
+ ds = ipa.dsinstance.DsInstance()
+- ds.create_instance(options.ds_user, options.realm_name, options.host_name, options.password)
++ ds.create_instance(options.ds_user, options.realm_name, host_name, options.password)
+
+ krb = ipa.krbinstance.KrbInstance()
+- krb.create_instance(options.ds_user, options.realm_name, options.host_name, options.password, options.master_password)
+- #restart ds after the krb instance have add the sasl map
++ krb.create_instance(options.ds_user, options.realm_name, host_name, options.password, options.master_password)
++
++ #restart ds after the krb instance have add the sasl map and the ldap keytab
+ ds.restart()
+
+ return 0
+diff -r 5ebd8adc48b8 ipa-install/src/ipa/krbinstance.py
+--- a/ipa-install/src/ipa/krbinstance.py Mon Jul 02 15:51:04 2007 -0400
++++ b/ipa-install/src/ipa/krbinstance.py Fri Jul 13 19:20:41 2007 -0400
+@@ -25,6 +25,9 @@ import logging
+ import logging
+ from random import Random
+ from time import gmtime
++import os
++import pwd
++import socket
+
+ SHARE_DIR = "/usr/share/ipa/"
+
+@@ -32,6 +35,10 @@ def realm_to_suffix(realm_name):
+ s = realm_name.split(".")
+ terms = ["dc=" + x.lower() for x in s]
+ return ",".join(terms)
++
++def host_to_domain(fqdn):
++ s = fqdn.split(".")
++ return ".".join(s[1:])
+
+ def generate_kdc_password():
+ rndpwd = ''
+@@ -75,8 +82,10 @@ class KrbInstance:
+ class KrbInstance:
+ def __init__(self):
+ self.ds_user = None
+- self.realm_name = None
+- self.host_name = None
++ self.fqdn = None
++ self.realm = None
++ self.domain = None
++ self.host = None
+ self.admin_password = None
+ self.master_password = None
+ self.suffix = None
+@@ -85,12 +94,15 @@ class KrbInstance:
+
+ def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
+ self.ds_user = ds_user
+- self.realm_name = realm_name.upper()
+- self.host_name = host_name
++ self.fqdn = host_name
++ self.ip = socket.gethostbyname(host_name)
++ self.realm = realm_name.upper()
++ self.host = host_name.split(".")[0]
++ self.domain = host_to_domain(host_name)
+ self.admin_password = admin_password
+ self.master_password = master_password
+
+- self.suffix = realm_to_suffix(self.realm_name)
++ self.suffix = realm_to_suffix(self.realm)
+ self.kdc_password = generate_kdc_password()
+ self.__configure_kdc_account_password()
+
+@@ -99,6 +111,10 @@ class KrbInstance:
+ self.__configure_ldap()
+
+ self.__create_instance()
++
++ self.__create_ds_keytab()
++
++ self.__create_sample_bind_zone()
+
+ self.start()
+
+@@ -120,12 +136,13 @@ class KrbInstance:
+ pwd_fd.close()
+
+ def __setup_sub_dict(self):
+- #FIXME: can DOMAIN be different than REALM ?
+- self.sub_dict = dict(FQHN=self.host_name,
++ self.sub_dict = dict(FQDN=self.fqdn,
++ IP=self.ip,
+ PASSWORD=self.kdc_password,
+ SUFFIX=self.suffix,
+- DOMAIN= self.realm_name.lower(),
+- REALM=self.realm_name)
++ DOMAIN=self.domain,
++ HOST=self.host,
++ REALM=self.realm)
+
+ def __configure_ldap(self):
+
+@@ -153,7 +170,7 @@ class KrbInstance:
+ krb5_fd.close()
+
+ #populate the directory with the realm structure
+- args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
++ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+ run(args)
+
+ # TODO: NOT called yet, need to find out how to make sure the plugin is available first
+@@ -165,5 +182,28 @@ class KrbInstance:
+ extop_fd.close()
+
+ #add an ACL to let the DS user read the master key
+- args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm_name]
++ args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+ run(args)
++
++ def __create_sample_bind_zone(self):
++ bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
++ [bind_fd, bind_name] = tempfile.mkstemp(".db","sammple.zone.")
++ os.write(bind_fd, bind_txt)
++ os.close(bind_fd)
++ print "Sample zone file for bind has been created in "+bind_name
++
++ def __create_ds_keytab(self):
++ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
++ kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
++ kwrite.flush()
++ kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
++ kwrite.flush()
++ kwrite.close()
++ kread.close()
++ kerr.close()
++
++ cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
++ cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
++ cfg_fd.close()
++ pent = pwd.getpwnam(self.ds_user)
++ os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
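Review bot: At the end of the hunk, `__create_ds_keytab` hands `/etc/sysconfig/fedora-ds` to the unprivileged DS user with `os.chown`, while the init-script patch earlier in the same file makes root source that very file on every start (`. /etc/sysconfig/fedora-ds`), so anyone who can write as the DS account gets code execution as root at the next restart. The file the DS user presumably needs is the keytab it is being pointed at, which kadmin.local creates with root ownership and which the code never touches; I would drop the chown of the sysconfig file and instead do `os.chown("/etc/fedora-ds/ds.keytab", pent.pw_uid, pent.pw_gid)` followed by `os.chmod("/etc/fedora-ds/ds.keytab", 0600)`. The same method closes kadmin.local's stderr without reading it and never checks its exit status, so a failed `ktadd` leaves the server configured with a missing keytab and no error reported. Separately, the `kdb5_ldap_util` invocation now passes the master password on argv via `-P` (next to the existing `-w` bind password), where it is readable in the process list by every local user for the duration of the command.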
diff --git a/ipa-server/ipa-install/share/bind.zone.db.template b/ipa-server/ipa-install/share/bind.zone.db.template
deleted file mode 100644
index e846c4f2..00000000
--- a/ipa-server/ipa-install/share/bind.zone.db.template
+++ /dev/null
@@ -1,26 +0,0 @@
-$$ORIGIN $DOMAIN.
-$$TTL 86400
-@ IN SOA $DOMAIN. root.$DOMAIN. (
- 01 ; serial (d. adams)
- 3H ; refresh
- 15M ; retry
- 1W ; expiry
- 1D ) ; minimum
-
- IN NS $HOST
-$HOST IN A $IP
-;
-; ldap servers
-_ldap._tcp IN SRV 0 100 389 $HOST
-
-;kerberos realm
-_kerberos IN TXT $REALM
-
-; kerberos servers
-_kerberos._tcp IN SRV 0 100 88 $HOST
-_kerberos._udp IN SRV 0 100 88 $HOST
-_kerberos-master._tcp IN SRV 0 100 88 $HOST
-_kerberos-master._udp IN SRV 0 100 88 $HOST
-_kpasswd._tcp IN SRV 0 100 88 $HOST
-_kpasswd._udp IN SRV 0 100 88 $HOST
-
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index dc729ceb..8916833c 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -2,7 +2,9 @@
dn: $SUFFIX
changetype: modify
replace: aci
-aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
+aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
-aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow(read, search,compare)userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
+aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+
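Review bot: The new ACI on the last added line grants `allow (all)` on userPassword, krbPrincipalKey, sambaLMPassword and sambaNTPassword to the kadmin/changepw identity across the whole $SUFFIX; `all` includes read, search, compare and delete, so whatever binds as that DN can enumerate every password hash and Kerberos key in the tree, which a password-change path should not need. The anonymous-access ACI a few lines up deliberately hides exactly these four attributes, and this entry reverses that for one identity. If the change-password service only has to set new values, the minimal form is `allow (write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";`; if it genuinely needs to read the old values, the acl name should say so. The acl name also misspells "password" twice (`passowrd`), which will make it harder to find in audit output later.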
diff --git a/ipa-server/ipa-install/share/fedora-ds.init.patch b/ipa-server/ipa-install/share/fedora-ds.init.patch
deleted file mode 100644
index 88a04fc2..00000000
--- a/ipa-server/ipa-install/share/fedora-ds.init.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- /etc/init.d/fedora-ds.orig 2007-07-06 18:21:30.000000000 -0400
-+++ /etc/init.d/fedora-ds 2007-05-18 19:36:24.000000000 -0400
-@@ -10,6 +10,9 @@
- # datadir: /var/lib/fedora-ds/slapd-<instance name>
- #
-
-+# Get config.
-+[ -r /etc/sysconfig/fedora-ds ] && . /etc/sysconfig/fedora-ds
-+
- # Source function library.
- if [ -f /etc/rc.d/init.d/functions ] ; then
- . /etc/rc.d/init.d/functions