Diffstat (limited to 'ipa-server/ipa-install')
44 files changed, 0 insertions, 3991 deletions
diff --git a/ipa-server/ipa-install/Makefile.am b/ipa-server/ipa-install/Makefile.am
deleted file mode 100644
index 3f566175..00000000
--- a/ipa-server/ipa-install/Makefile.am
+++ /dev/null
@@ -1,24 +0,0 @@
-NULL =
-
-SUBDIRS = \
- share \
- updates \
- $(NULL)
-
-sbin_SCRIPTS = \
- ipa-server-install \
- ipa-replica-install \
- ipa-replica-prepare \
- ipa-replica-manage \
- ipa-server-certinstall \
- ipactl \
- $(NULL)
-
-EXTRA_DIST = \
- README \
- $(sbin_SCRIPTS) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/ipa-server/ipa-install/README b/ipa-server/ipa-install/README
deleted file mode 100644
index a52cede0..00000000
--- a/ipa-server/ipa-install/README
+++ /dev/null
@@ -1,67 +0,0 @@ - -Required packages: - -krb5-server -fedora-ds-base -fedora-ds-base-devel -openldap-clients -openldap-devel -krb5-server-ldap -cyrus-sasl-gssapi -httpd -mod_auth_kerb -ntp -openssl-devel -nspr-devel -nss-devel -mozldap-devel -mod_python -gcc -python-ldap -TurboGears -python-kerberos -python-krbV -python-tgexpandingformwidget -python-pyasn1 - -Installation example: - -TEMPORARY: until bug https://bugzilla.redhat.com/show_bug.cgi?id=248169 is - fixed. - -Please apply the fedora-ds.init.patch in freeipa/ipa-server/ipa-install/share/ -to patch your init scripts before running ipa-server-install. This tells -FDS where to find its kerberos keytab. - -Things done as root are denoted by #. Things done as a unix user are denoted -by %. - -# cd freeipa -# patch -p0 < ipa-server/ipa-install/share/fedora-ds.init.patch - -Now to do the installation. - -# cd freeipa -# make install - -To start an interactive installation use: -# /usr/sbin/ipa-server-install - -For more verbose output add the -d flag run the command with -h to see all options - -You have a basic working system with one super administrator (named admin). - -To create another administrative user: - -% kinit admin@FREEIPA.ORG -% /usr/sbin/ipa-adduser -f Test -l User test -% ldappasswd -Y GSSAPI -h localhost -s password uid=test,cn=users,cn=accounts,dc=freeipa,dc=org -% /usr/sbin/ipa-groupmod -a test admins - -An admin user is just a regular user in the group admin. - -Now you can destroy the old ticket and log in as test: - -% kdestroy -% kinit test@FREEIPA.ORG -% /usr/sbin/ipa-finduser test diff --git a/ipa-server/ipa-install/ipa-replica-install b/ipa-server/ipa-install/ipa-replica-install deleted file mode 100644 index c2704be0..00000000 --- a/ipa-server/ipa-install/ipa-replica-install +++ /dev/null 
@@ -1,312 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import sys - -import tempfile, os, pwd, traceback, logging, shutil -from ConfigParser import SafeConfigParser -import ldap - -from ipa import ipautil - -from ipaserver import dsinstance, replication, installutils, krbinstance, service -from ipaserver import httpinstance, ntpinstance, certs, ipaldap -from ipa import version - -CACERT="/usr/share/ipa/html/ca.crt" - -class ReplicaConfig: - def __init__(self): - self.realm_name = "" - self.domain_name = "" - self.master_host_name = "" - self.dirman_password = "" - self.ds_user = "" - self.host_name = "" - self.repl_password = "" - self.dir = "" - -def parse_options(): - from optparse import OptionParser - parser = OptionParser(version=version.VERSION) - parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", - help="do not configure ntp", default=True) - parser.add_option("-d", "--debug", dest="debug", action="store_true", - default=False, help="gather extra debugging information") - parser.add_option("-p", "--password", dest="password", - help="Directory Manager (existing master) password") - - options, args = parser.parse_args() - - if len(args) != 1: - 
parser.error("you must provide a file generated by ipa-replica-prepare") - - return options, args[0] - -def get_dirman_password(): - return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) - -def expand_info(filename, password): - top_dir = tempfile.mkdtemp("ipa") - tarfile = top_dir+"/files.tar" - dir = top_dir + "/realm_info" - ipautil.decrypt_file(filename, tarfile, password, top_dir) - ipautil.run(["tar", "xf", tarfile, "-C", top_dir]) - os.remove(tarfile) - - return top_dir, dir - -def read_info(dir, rconfig): - filename = dir + "/realm_info" - fd = open(filename) - config = SafeConfigParser() - config.readfp(fd) - - rconfig.realm_name = config.get("realm", "realm_name") - rconfig.master_host_name = config.get("realm", "master_host_name") - rconfig.ds_user = config.get("realm", "ds_user") - rconfig.domain_name = config.get("realm", "domain_name") - rconfig.host_name = config.get("realm", "destination_host") - -def get_host_name(): - hostname = installutils.get_fqdn() - try: - installutils.verify_fqdn(hostname) - except RuntimeError, e: - logging.error(str(e)) - sys.exit(1) - - return hostname - -def set_owner(config, dir): - pw = pwd.getpwnam(config.ds_user) - os.chown(dir, pw.pw_uid, pw.pw_gid) - -def install_ds(config): - dsinstance.check_existing_installation() - dsinstance.check_ports() - - # if we have a pkcs12 file, create the cert db from - # that. 
Otherwise the ds setup will create the CA - # cert - pkcs12_info = None - if ipautil.file_exists(config.dir + "/dscert.p12"): - pkcs12_info = (config.dir + "/dscert.p12", - config.dir + "/dirsrv_pin.txt") - - ds = dsinstance.DsInstance() - ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info) - - return ds - -def install_krb(config): - krb = krbinstance.KrbInstance() - ldappwd_filename = config.dir + "/ldappwd" - kpasswd_filename = config.dir + "/kpasswd.keytab" - krb.create_replica(config.ds_user, config.realm_name, config.host_name, - config.domain_name, config.dirman_password, - ldappwd_filename, kpasswd_filename) - -def install_ca_cert(config): - if ipautil.file_exists(config.dir + "/ca.crt"): - try: - shutil.copy(config.dir + "/ca.crt", CACERT) - os.chmod(CACERT, 0444) - except Exception, e: - print "error copying files: " + str(e) - sys.exit(1) - -def install_http(config): - # if we have a pkcs12 file, create the cert db from - # that. Otherwise the ds setup will create the CA - # cert - pkcs12_info = None - if ipautil.file_exists(config.dir + "/httpcert.p12"): - pkcs12_info = (config.dir + "/httpcert.p12", - config.dir + "/http_pin.txt") - - http = httpinstance.HTTPInstance() - http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info) - - # Now copy the autoconfiguration files - if ipautil.file_exists(config.dir + "/preferences.html"): - try: - shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html") - shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar") - except Exception, e: - print "error copying files: " + str(e) - sys.exit(1) - -def check_dirsrv(): - serverids = dsinstance.check_existing_installation() - if serverids: - print "" - print "An existing Directory Server has been detected." 
- if not ipautil.user_input("Do you wish to remove it and create a new one?", False): - print "" - print "Only a single Directory Server instance is allowed on an IPA" - print "server, the one used by IPA itself." - sys.exit(1) - - try: - service.stop("dirsrv") - except: - pass - - for serverid in serverids: - dsinstance.erase_ds_instance_data(serverid) - - (ds_unsecure, ds_secure) = dsinstance.check_ports() - if not ds_unsecure or not ds_secure: - print "IPA requires ports 389 and 636 for the Directory Server." - print "These are currently in use:" - if not ds_unsecure: - print "\t389" - if not ds_secure: - print "\t636" - sys.exit(1) - -def main(): - options, filename = parse_options() - installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug) - - if not ipautil.file_exists(filename): - sys.exit("Replica file %s does not exist" % filename) - - check_dirsrv() - - # get the directory manager password - dirman_password = options.password - if not dirman_password: - try: - dirman_password = get_dirman_password() - except KeyboardInterrupt: - sys.exit(0) - - try: - top_dir, dir = expand_info(filename, dirman_password) - except Exception, e: - print "ERROR: Failed to decrypt or open the replica file." - print "Verify you entered the correct Directory Manager password." - sys.exit(1) - - config = ReplicaConfig() - read_info(dir, config) - config.dirman_password = dirman_password - host = get_host_name() - if config.host_name != host: - try: - print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host) - if not ipautil.user_input("This may cause problems. 
Continue?", True): - sys.exit(0) - config.host_name = host - print "" - except KeyboardInterrupt: - sys.exit(0) - config.repl_password = ipautil.ipa_generate_password() - config.dir = dir - - # Try out the password - try: - conn = ipaldap.IPAdmin(config.master_host_name) - conn.do_simple_bind(bindpw=config.dirman_password) - conn.unbind() - except ldap.CONNECT_ERROR, e: - sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name) - except ldap.SERVER_DOWN, e: - sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name) - except ldap.INVALID_CREDENTIALS, e : - sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name) - - # Configure ntpd - if options.conf_ntp: - ntp = ntpinstance.NTPInstance() - ntp.create_instance() - - # Configure dirsrv - ds = install_ds(config) - - # Install CA cert so that we can do SSL connections with ldap - install_ca_cert(config) - - try: - repl = replication.ReplicationManager(config.host_name, config.dirman_password) - ret = repl.setup_replication(config.master_host_name, config.realm_name) - except Exception, e: - logging.debug("Connection error: %s" % e) - raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name) - if ret != 0: - raise RuntimeError("Failed to start replication") - - install_krb(config) - install_http(config) - - # Create the config file - fd = open("/etc/ipa/ipa.conf", "w") - fd.write("[defaults]\n") - fd.write("server=" + config.host_name + "\n") - fd.write("realm=" + config.realm_name + "\n") - fd.write("domain=" + config.domain_name + "\n") - fd.close() - - # Create a Web Gui instance - webgui = httpinstance.WebGuiInstance() - webgui.create_instance() - - # Apply any LDAP updates. 
Needs to be done after the replica is synced-up - service.print_msg("Applying LDAP updates") - ds.apply_updates() - - service.restart("dirsrv") - service.restart("krb5kdc") - - # Call client install script - try: - ipautil.run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]) - except Exception, e: - print "Configuration of client side components failed!" - print "ipa-client-install returned: " + str(e) - raise RuntimeError("Failed to configure the client") - - ds.init_memberof() - -try: - if not os.geteuid()==0: - sys.exit("\nYou must be root to run this script.\n") - - main() - sys.exit(0) -except SystemExit, e: - sys.exit(e) -except Exception, e: - print "creation of replica failed: %s" % str(e) - message = str(e) - for str in traceback.format_tb(sys.exc_info()[2]): - message = message + "\n" + str - logging.debug(message) -except KeyboardInterrupt: - print "Installation cancelled." - -print "" -print "Your system may be partly configured." -print "Run /usr/sbin/ipa-server-install --uninstall to clean up." - -# the only way to get here is on error or ^C -sys.exit(1) diff --git a/ipa-server/ipa-install/ipa-replica-manage b/ipa-server/ipa-install/ipa-replica-manage deleted file mode 100755 index db8c32d5..00000000 --- a/ipa-server/ipa-install/ipa-replica-manage +++ /dev/null 
@@ -1,218 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -import sys - -import getpass, ldap, re, krbV -import traceback, logging - -from ipa import ipautil -from ipaserver import replication, ipaldap, dsinstance, installutils -from ipa import version - -def parse_options(): - from optparse import OptionParser - - parser = OptionParser(version=version.VERSION) - parser.add_option("-H", "--host", dest="host", help="starting host") - parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password") - parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False, - help="provide additional information") - parser.add_option("--port", type="int", dest="port", - help="port number of other server") - parser.add_option("--binddn", dest="binddn", - help="Bind DN to use with remote server") - parser.add_option("--bindpw", dest="bindpw", - help="Password for Bind DN to use with remote server") - parser.add_option("--winsync", dest="winsync", action="store_true", default=False, - help="This is a Windows Sync Agreement") - parser.add_option("--cacert", dest="cacert", - help="Full path and filename of CA certificate to use with TLS/SSL to the remote 
server") - parser.add_option("--win-subtree", dest="win_subtree", - help="DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix)") - parser.add_option("--passsync", dest="passsync", - help="Password for the Windows PassSync user") - - options, args = parser.parse_args() - - if not len(args) or not ("list" in args[0] or "add" in args[0] or "del" in args[0] or "init" in args[0] or "synch" in args[0]): - parser.error("must provide a command [list | add | del | init | synch]") - - # set log level - if options.verbose: - # if verbose, output events at INFO level if not already - mylogger = logging.getLogger() - if mylogger.getEffectiveLevel() > logging.INFO: - mylogger.setLevel(logging.INFO) - # else user has already configured logging externally lower - return options, args - -def get_realm_name(): - c = krbV.default_context() - return c.default_realm - -def get_suffix(): - suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(get_realm_name())) - return suffix - -def get_host_name(): - hostname = installutils.get_fqdn() - try: - installutils.verify_fqdn(hostname) - except RuntimeError, e: - logging.error(str(e)) - sys.exit(1) - - return hostname - -def list_masters(replman, verbose): - dns = replman.find_replication_dns(replman.conn) - - for dn in dns: - entry = replman.conn.search_s(dn, ldap.SCOPE_SUBTREE)[0] - print entry.getValue('nsds5replicahost') - - if verbose: - print " last init status: %s" % entry.nsds5replicalastinitstatus - print " last init ended: %s" % str(ipautil.parse_generalized_time(entry.nsds5replicalastinitend)) - print " last update status: %s" % entry.nsds5replicalastupdatestatus - print " last update ended: %s" % str(ipautil.parse_generalized_time(entry.nsds5replicalastupdateend)) - -def del_master(replman, hostname): - try: - t = replman.get_agreement_type(hostname) - except ldap.NO_SUCH_OBJECT: - print "No replication agreement found for %s" % hostname - - if t == replication.IPA_REPLICA: - 
dirman_passwd = getpass.getpass("Directory Manager password (%s): " % hostname) - other_replman = replication.ReplicationManager(hostname, dirman_passwd) - other_replman.suffix = get_suffix() - other_replman.delete_agreement(replman.conn.host) - - replman.delete_agreement(hostname) - -def add_master(replman, hostname, options): - other_args = {} - if options.port: - other_args['port'] = options.port - if options.binddn: - other_args['binddn'] = options.binddn - if options.bindpw: - other_args['bindpw'] = options.bindpw - if options.cacert: - other_args['cacert'] = options.cacert - if options.win_subtree: - other_args['win_subtree'] = options.win_subtree - if options.passsync: - other_args['passsync'] = options.passsync - if options.winsync: - other_args['winsync'] = True - if not options.binddn or not options.bindpw or not options.cacert or not options.passsync: - logging.error("The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement") - sys.exit(1) - if options.cacert: - # have to install the given CA cert before doing anything else - ds = dsinstance.DsInstance(realm_name = get_realm_name(), - dm_password = replman.dirman_passwd) - if not ds.add_ca_cert(options.cacert): - logging.error("Could not load the required CA certificate file [%s]" % - options.cacert) - sys.exit(1) - else: - logging.info("Added CA certificate %s to certificate database for %s" % - (options.cacert, replman.hostname)) - # have to reconnect replman connection since the directory server was restarted - replman = replication.ReplicationManager(replman.hostname, replman.dirman_passwd) - logging.info("Restarted directory server " + replman.hostname) - replman.setup_replication(hostname, get_realm_name(), **other_args) - logging.info("Added agreement for other host " + hostname) - -def init_master(replman, dirman_passwd, hostname): - filter = 
"(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % hostname - entry = replman.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter) - if len(entry) == 0: - logging.error("Unable to find replication agreement for %s" % hostname) - sys.exit(1) - if len(entry) > 1: - logging.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (hostname, entry[0].dn)) - replman.initialize_replication(entry[0].dn, replman.conn) - ds = dsinstance.DsInstance(realm_name = get_realm_name(), dm_password = dirman_passwd) - ds.init_memberof() - -def synch_master(replman, hostname): - filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % hostname - entry = replman.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter) - if len(entry) == 0: - logging.error("Unable to find replication agreement for %s" % hostname) - sys.exit(1) - if len(entry) > 1: - logging.error("Found multiple agreements for %s. 
Only initializing the first one returned: %s" % (hostname, entry[0].dn)) - replman.force_synch(entry[0].dn, entry[0].nsds5replicaupdateschedule, replman.conn) - -def main(): - options, args = parse_options() - - if options.dirman_passwd: - dirman_passwd = options.dirman_passwd - else: - dirman_passwd = getpass.getpass("Directory Manager password: ") - - if options.host: - host = options.host - else: - host = get_host_name() - - r = replication.ReplicationManager(host, dirman_passwd) - r.suffix = get_suffix() - - if args[0] == "list": - list_masters(r, options.verbose) - elif args[0] == "del": - if len(args) != 2: - print "must provide hostname of master to delete" - sys.exit(1) - del_master(r, args[1]) - elif args[0] == "add": - if len(args) != 2: - print "must provide hostname of master to add" - sys.exit(1) - add_master(r, args[1], options) - elif args[0] == "init": - if len(args) != 2: - print "hostname of master to initialize is required." - sys.exit(1) - init_master(r, dirman_passwd, args[1]) - elif args[0] == "synch": - if len(args) != 2: - print "must provide hostname of supplier to synchronize with" - sys.exit(1) - synch_master(r, args[1]) - -try: - main() -except KeyboardInterrupt: - sys.exit(1) -except SystemExit, e: - sys.exit(e) -except ldap.INVALID_CREDENTIALS: - print "Invalid password" - sys.exit(1) -except Exception, e: - print "unexpected error: %s" % str(e) diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare deleted file mode 100644 index eb962b4c..00000000 --- a/ipa-server/ipa-install/ipa-replica-prepare +++ /dev/null 
@@ -1,294 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import sys - -import logging, tempfile, shutil, os, pwd -import traceback -from ConfigParser import SafeConfigParser -import krbV -from optparse import OptionParser - -import ipa.config -from ipa import ipautil -from ipaserver import dsinstance, installutils, certs, ipaldap -from ipa import version -import ldap - -def parse_options(): - usage = "%prog [options] FQDN (e.g. replica.example.com)" - parser = OptionParser(usage=usage, version=version.VERSION) - - parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", - help="install certificate for the directory server") - parser.add_option("--http_pkcs12", dest="http_pkcs12", - help="install certificate for the http server") - parser.add_option("--dirsrv_pin", dest="dirsrv_pin", - help="PIN for the Directory Server PKCS#12 file") - parser.add_option("--http_pin", dest="http_pin", - help="PIN for the Apache Server PKCS#12 file") - parser.add_option("-p", "--password", dest="password", - help="Directory Manager (existing master) password") - - ipa.config.add_standard_options(parser) - options, args = parser.parse_args() - - # If any of the PKCS#12 options are selected, all are required. 
Create a - # list of the options and count it to enforce that all are required without - # having a huge set of it blocks. - pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] - cnt = pkcs12.count(None) - if cnt > 0 and cnt < 4: - parser.error("error: All PKCS#12 options are required if any are used.") - - if len(args) != 1: - parser.error("must provide the fully-qualified name of the replica") - - ipa.config.init_config(options) - - return options, args - -def get_host_name(): - hostname = installutils.get_fqdn() - try: - installutils.verify_fqdn(hostname) - except RuntimeError, e: - logging.error(str(e)) - sys.exit(1) - - return hostname - -def get_realm_name(): - try: - c = krbV.default_context() - return c.default_realm - except Exception, e: - return None - -def get_domain_name(): - try: - ipa.config.init_config() - domain_name = ipa.config.config.get_domain() - except Exception, e: - return None - - return domain_name - -def check_ipa_configuration(realm_name): - config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) - if not ipautil.dir_exists(config_dir): - logging.error("could not find directory instance: %s" % config_dir) - sys.exit(1) - -def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject): - """realm is the kerberos realm for the IPA server. - ds_dir is the location of the master DS we are creating a replica for. - dir is the location of the files for the replica we are creating. - passwd_fname is the file containing the PKCS#12 password - fname is the filename of the PKCS#12 file for this cert (minus the .p12). 
- subject is the subject of the certificate we are creating - """ - try: - ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) - ca = certs.CertDB(dir) - ca.create_from_cacert(ds_ca.cacert_fname) - ca.create_server_cert("Server-Cert", subject, ds_ca) - except Exception, e: - raise e - - pkcs12_fname = dir + "/" + fname + ".p12" - - try: - ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") - except ipautil.CalledProcessError, e: - print "error exporting CA certificate: " + str(e) - try: - os.unlink(pkcs12_fname) - os.unlink(passwd_fname) - except: - pass - - os.unlink(dir + "/cert8.db") - os.unlink(dir + "/key3.db") - os.unlink(dir + "/secmod.db") - os.unlink(dir + "/noise.txt") - if ipautil.file_exists(passwd_fname + ".orig"): - os.unlink(passwd_fname + ".orig") - -def get_ds_user(ds_dir): - uid = os.stat(ds_dir).st_uid - user = pwd.getpwuid(uid)[0] - - return user - -def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host): - config = SafeConfigParser() - config.add_section("realm") - config.set("realm", "realm_name", realm_name) - config.set("realm", "master_host_name", host_name) - config.set("realm", "ds_user", ds_user) - config.set("realm", "domain_name", domain_name) - config.set("realm", "destination_host", dest_host) - fd = open(dir + "/realm_info", "w") - config.write(fd) - -def copy_files(realm_name, dir): - config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) - - try: - shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") - shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") - shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt") - if ipautil.file_exists("/usr/share/ipa/html/preferences.html"): - shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html") - shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar") - except Exception, e: - print "error copying files: " + str(e) - 
sys.exit(1) - -def get_dirman_password(): - return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) - -def main(): - options, args = parse_options() - - replica_fqdn = args[0] - - if not ipautil.file_exists(certs.CA_SERIALNO) and not options.dirsrv_pin: - sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") - - print "Determining current realm name" - realm_name = get_realm_name() - if realm_name is None: - print "Unable to determine default realm" - sys.exit(1) - - check_ipa_configuration(realm_name) - - print "Getting domain name from LDAP" - domain_name = get_domain_name() - if domain_name is None: - print "Unable to determine LDAP default domain" - sys.exit(1) - - host_name = get_host_name() - if host_name == replica_fqdn: - print "You can't create a replica on itself" - sys.exit(1) - ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) - ds_user = get_ds_user(ds_dir) - - # get the directory manager password - dirman_password = options.password - if not options.password: - try: - dirman_password = get_dirman_password() - except KeyboardInterrupt: - sys.exit(0) - - # Try out the password - try: - conn = ipaldap.IPAdmin(host_name) - conn.do_simple_bind(bindpw=dirman_password) - conn.unbind() - except ldap.CONNECT_ERROR, e: - sys.exit("\nUnable to connect to LDAP server %s" % host_name) - except ldap.SERVER_DOWN, e: - sys.exit("\nUnable to connect to LDAP server %s" % host_name) - except ldap.INVALID_CREDENTIALS, e : - sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name) - - print "Preparing replica for %s from %s" % (replica_fqdn, host_name) - - top_dir = tempfile.mkdtemp("ipa") - dir = top_dir + "/realm_info" - os.mkdir(dir, 0700) - - if options.dirsrv_pin: - passwd = options.dirsrv_pin - else: - passwd = "" - - 
passwd_fname = dir + "/dirsrv_pin.txt" - fd = open(passwd_fname, "w") - fd.write("%s\n" % passwd) - fd.close() - - if options.dirsrv_pkcs12: - print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12 - try: - shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12") - except IOError, e: - print "Copy failed %s" % e - sys.exit(1) - else: - print "Creating SSL certificate for the Directory Server" - export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn) - - if options.http_pin: - passwd = options.http_pin - else: - passwd = "" - - passwd_fname = dir + "/http_pin.txt" - fd = open(passwd_fname, "w") - fd.write("%s\n" % passwd) - fd.close() - - if options.http_pkcs12: - print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12 - try: - shutil.copy(options.http_pkcs12, dir + "/httpcert.p12") - except IOError, e: - print "Copy failed %s" % e - sys.exit(1) - else: - print "Creating SSL certificate for the Web Server" - export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn) - print "Copying additional files" - copy_files(realm_name, dir) - print "Finalizing configuration" - save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn) - - replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn - encfile = replicafile+".gpg" - - print "Packaging replica information into %s" % encfile - ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"]) - ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir); - - os.remove(replicafile) - shutil.rmtree(dir) - -try: - if not os.geteuid()==0: - sys.exit("\nYou must be root to run this script.\n") - - main() -except SystemExit, e: - sys.exit(e) -except Exception, e: - print "preparation of replica failed: %s" % str(e) - message = str(e) - for str in traceback.format_tb(sys.exc_info()[2]): - message = message + "\n" + str - 
logging.debug(message) - print message - sys.exit(1) diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-install/ipa-server-certinstall deleted file mode 100644 index a0d11856..00000000 --- a/ipa-server/ipa-install/ipa-server-certinstall +++ /dev/null 
@@ -1,157 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import sys -import os -import pwd -import tempfile - -import traceback - -import krbV, ldap, getpass - -from ipa.ipautil import user_input -from ipaserver import certs, dsinstance, httpinstance, ipaldap, installutils - -def get_realm_name(): - c = krbV.default_context() - return c.default_realm - -def parse_options(): - from optparse import OptionParser - parser = OptionParser() - - parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true", - default=False, help="install certificate for the directory server") - parser.add_option("-w", "--http", dest="http", action="store_true", - default=False, help="install certificate for the http server") - parser.add_option("--dirsrv_pin", dest="dirsrv_pin", - help="The password of the Directory Server PKCS#12 file") - parser.add_option("--http_pin", dest="http_pin", - help="The password of the Apache Server PKCS#12 file") - - options, args = parser.parse_args() - - if not options.dirsrv and not options.http: - parser.error("you must specify dirsrv and/or http") - if ((options.dirsrv and not options.dirsrv_pin) or - (options.http and not options.http_pin)): - parser.error("you must 
provide the password for the PKCS#12 file") - - if len(args) != 1: - parser.error("you must provide a pkcs12 filename") - - return options, args[0] - -def set_ds_cert_name(cert_name, dm_password): - conn = ipaldap.IPAdmin("127.0.0.1") - conn.simple_bind_s("cn=directory manager", dm_password) - - mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)] - - conn.modify_s("cn=RSA,cn=encryption,cn=config", mod) - - conn.unbind() - -def choose_server_cert(server_certs): - print "Please select the certificate to use:" - num = 1 - for cert in server_certs: - print "%d. %s" % (num, cert[0]) - num += 1 - - while 1: - num = user_input("Certificate number", 1) - print "" - if num < 1 or num > len(server_certs): - print "number out of range" - else: - break - - return server_certs[num - 1] - -def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): - cdb = certs.CertDB(dirname) - cdb.create_passwd_file(db_password) - cdb.create_certdbs() - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, pkcs12_passwd) - os.close(pw_fd) - - try: - try: - cdb.import_pkcs12(pkcs12_fname, pw_name) - except RuntimeError, e: - print str(e) - sys.exit(1) - finally: - os.remove(pw_name) - - server_certs = cdb.find_server_certs() - if len(server_certs) == 0: - print "could not find a suitable server cert in import" - sys.exit(1) - elif len(server_certs) == 1: - server_cert = server_certs[0] - else: - server_cert = choose_server_cert(server_certs) - - cdb.trust_root_cert(server_cert[0]) - - return server_cert - -def main(): - options, pkcs12_fname = parse_options() - - try: - if options.dirsrv: - dm_password = getpass.getpass("Directory Manager password: ") - realm = get_realm_name() - dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm)) - fd = open(dirname + "/pwdfile.txt") - passwd = fd.read() - fd.close() - - server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd) - set_ds_cert_name(server_cert[0], dm_password) - - if options.http: - 
dirname = httpinstance.NSS_DIR - server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "") - installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0]) - - # Fix the database permissions - os.chmod(dirname + "/cert8.db", 0640) - os.chmod(dirname + "/key3.db", 0640) - os.chmod(dirname + "/secmod.db", 0640) - - pent = pwd.getpwnam("apache") - os.chown(dirname + "/cert8.db", 0, pent.pw_gid ) - os.chown(dirname + "/key3.db", 0, pent.pw_gid ) - os.chown(dirname + "/secmod.db", 0, pent.pw_gid ) - - except Exception, e: - print "an unexpected error occurred: %s" % str(e) - traceback.print_exc() - return 1 - - return 0 - -sys.exit(main()) diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install deleted file mode 100644 index c9d5c5bf..00000000 --- a/ipa-server/ipa-install/ipa-server-install +++ /dev/null 
@@ -1,622 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -# requires the following packages: -# fedora-ds-base -# openldap-clients -# nss-tools - -import sys -import os -import socket -import errno -import logging -import pwd -import subprocess -import signal -import shutil -import glob -import traceback -from optparse import OptionParser - -import ipaserver.dsinstance -import ipaserver.krbinstance -import ipaserver.bindinstance -import ipaserver.httpinstance -import ipaserver.ntpinstance - -from ipaserver import service -from ipa import version -from ipaserver.installutils import * - -from ipa import sysrestore -from ipa.ipautil import * - -pw_name = None - -def parse_options(): - parser = OptionParser(version=version.VERSION) - parser.add_option("-u", "--user", dest="ds_user", - help="ds user") - parser.add_option("-r", "--realm", dest="realm_name", - help="realm name") - parser.add_option("-n", "--domain", dest="domain_name", - help="domain name") - parser.add_option("-p", "--ds-password", dest="dm_password", - help="admin password") - parser.add_option("-P", "--master-password", dest="master_password", - help="kerberos master password (normally autogenerated)") - parser.add_option("-a", 
"--admin-password", dest="admin_password", - help="admin user kerberos password") - parser.add_option("-d", "--debug", dest="debug", action="store_true", - default=False, help="print debugging information") - parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") - parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address") - parser.add_option("--setup-bind", dest="setup_bind", action="store_true", - default=False, help="configure bind with our zone file") - parser.add_option("-U", "--unattended", dest="unattended", action="store_true", - default=False, help="unattended installation never prompts the user") - parser.add_option("", "--uninstall", dest="uninstall", action="store_true", - default=False, help="uninstall an existing installation") - parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", - help="do not configure ntp", default=True) - parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", - help="PKCS#12 file containing the Directory Server SSL certificate") - parser.add_option("--http_pkcs12", dest="http_pkcs12", - help="PKCS#12 file containing the Apache Server SSL certificate") - parser.add_option("--dirsrv_pin", dest="dirsrv_pin", - help="The password of the Directory Server PKCS#12 file") - parser.add_option("--http_pin", dest="http_pin", - help="The password of the Apache Server PKCS#12 file") - parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true", - default=False, - help="Do not use DNS for hostname lookup during installation") - - options, args = parser.parse_args() - - if options.uninstall: - if (options.ds_user or options.realm_name or - options.dm_password or options.admin_password or - options.master_password): - parser.error("error: In uninstall mode, -u, r, -p and -P options are not allowed") - elif options.unattended: - if (not options.ds_user or not options.realm_name or - not options.dm_password or not options.admin_password): - 
parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options") - - # If any of the PKCS#12 options are selected, all are required. Create a - # list of the options and count it to enforce that all are required without - # having a huge set of it blocks. - pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] - cnt = pkcs12.count(None) - if cnt > 0 and cnt < 4: - parser.error("error: All PKCS#12 options are required if any are used.") - - return options - -def signal_handler(signum, frame): - global ds - print "\nCleaning up..." - if ds: - print "Removing configuration for %s instance" % ds.serverid - ds.stop() - if ds.serverid: - ipaserver.dsinstance.erase_ds_instance_data (ds.serverid) - sys.exit(1) - -def read_host_name(host_default,no_host_dns=False): - host_name = "" - - print "Enter the fully qualified domain name of the computer" - print "on which you're setting up server software. Using the form" - print "<hostname>.<domainname>" - print "Example: master.example.com." - print "" - print "" - if host_default == "": - host_default = "master.example.com" - while True: - host_name = user_input("Server host name", host_default, allow_empty = False) - print "" - try: - verify_fqdn(host_name,no_host_dns) - except Exception, e: - raise e - else: - break - return host_name - -def resolve_host(host_name): - ip = "" - try: - ip = socket.gethostbyname(host_name) - - if ip == "127.0.0.1" or ip == "::1": - print "The hostname resolves to the localhost address (127.0.0.1/::1)" - print "Please change your /etc/hosts file so that the hostname" - print "resolves to the ip address of your network interface." 
- print "The KDC service does not listen on localhost" - print "" - print "Please fix your /etc/hosts file and restart the setup program" - return None - - except: - print "Unable to lookup the IP address of the provided host" - return ip - -def verify_ip_address(ip): - is_ok = True - try: - socket.inet_pton(socket.AF_INET, ip) - except: - try: - socket.inet_pton(socket.AF_INET6, ip) - except: - print "Unable to verify IP address" - is_ok = False - return is_ok - -def read_ip_address(host_name): - while True: - ip = user_input("Please provide the IP address to be used for this host name", allow_empty = False) - - if ip == "127.0.0.1" or ip == "::1": - print "The IPA Server can't use localhost as a valid IP" - continue - - if not verify_ip_address(ip): - continue - - print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file" - fstore.backup_file("/etc/hosts") - hosts_fd = open('/etc/hosts', 'r+') - hosts_fd.seek(0, 2) - hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n') - hosts_fd.close() - - return ip - -def read_ds_user(): - print "The server must run as a specific user in a specific group." - print "It is strongly recommended that this user should have no privileges" - print "on the computer (i.e. a non-root user). The setup procedure" - print "will give this user/group some permissions in specific paths/files" - print "to perform server-specific operations." - print "" - - ds_user = "" - try: - pwd.getpwnam('dirsrv') - - print "A user account named 'dirsrv' already exists. This is the user id" - print "that the Directory Server will run as." 
- print "" - if user_input("Do you want to use the existing 'dirsrv' account?", True): - ds_user = "dirsrv" - else: - print "" - ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False) - print "" - except KeyError: - ds_user = "dirsrv" - - return ds_user - -def read_domain_name(domain_name, unattended): - print "The domain name has been calculated based on the host name." - print "" - if not unattended: - domain_name = user_input("Please confirm the domain name", domain_name) - print "" - return domain_name - -def read_realm_name(domain_name, unattended): - print "The kerberos protocol requires a Realm name to be defined." - print "This is typically the domain name converted to uppercase." - print "" - - if unattended: - return domain_name.upper() - realm_name = user_input("Please provide a realm name", domain_name.upper()) - upper_dom = realm_name.upper() - if upper_dom != realm_name: - print "An upper-case realm name is required." - if not user_input("Do you want to use " + upper_dom + " as realm name?", True): - print "" - print "An upper-case realm name is required. Unable to continue." - sys.exit(1) - else: - realm_name = upper_dom - print "" - return realm_name - - -def read_dm_password(): - print "Certain directory server operations require an administrative user." - print "This user is referred to as the Directory Manager and has full access" - print "to the Directory for system management tasks and will be added to the" - print "instance of directory server created for IPA." - print "The password must be at least 8 characters long." - print "" - #TODO: provide the option of generating a random password - dm_password = read_password("Directory Manager") - return dm_password - -def read_admin_password(): - print "The IPA server requires an administrative user, named 'admin'." - print "This user is a regular system account used for IPA server administration." 
- print "" - #TODO: provide the option of generating a random password - admin_password = read_password("IPA admin") - return admin_password - -def check_dirsrv(unattended): - serverids = ipaserver.dsinstance.check_existing_installation() - if serverids: - print "" - print "An existing Directory Server has been detected." - if unattended or not user_input("Do you wish to remove it and create a new one?", False): - print "" - print "Only a single Directory Server instance is allowed on an IPA" - print "server, the one used by IPA itself." - sys.exit(1) - - try: - service.stop("dirsrv") - except: - pass - - for serverid in serverids: - ipaserver.dsinstance.erase_ds_instance_data(serverid) - - (ds_unsecure, ds_secure) = ipaserver.dsinstance.check_ports() - if not ds_unsecure or not ds_secure: - print "IPA requires ports 389 and 636 for the Directory Server." - print "These are currently in use:" - if not ds_unsecure: - print "\t389" - if not ds_secure: - print "\t636" - sys.exit(1) - -def uninstall(): - try: - run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"]) - except Exception, e: - print "Uninstall of client side components failed!" 
- print "ipa-client-install returned: " + str(e) - pass - - ipaserver.ntpinstance.NTPInstance(fstore).uninstall() - ipaserver.bindinstance.BindInstance(fstore).uninstall() - ipaserver.httpinstance.WebGuiInstance().uninstall() - ipaserver.httpinstance.HTTPInstance(fstore).uninstall() - ipaserver.krbinstance.KrbInstance(fstore).uninstall() - ipaserver.dsinstance.DsInstance().uninstall() - fstore.restore_all_files() - return 0 - -def main(): - global ds - global pw_name - ds = None - - options = parse_options() - - if os.getegid() != 0: - print "Must be root to setup server" - return 1 - - signal.signal(signal.SIGTERM, signal_handler) - signal.signal(signal.SIGINT, signal_handler) - - if options.uninstall: - standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug) - else: - standard_logging_setup("/var/log/ipaserver-install.log", options.debug) - print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" - - global fstore - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - - if options.uninstall: - if not options.unattended: - print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n" - if not user_input("Are you sure you want to continue with the uninstall procedure?", False): - print "" - print "Aborting uninstall operation." - sys.exit(1) - - return uninstall() - - print "==============================================================================" - print "This program will setup the FreeIPA Server." 
- print "" - print "This includes:" - if options.conf_ntp: - print " * Configure the Network Time Daemon (ntpd)" - print " * Create and configure an instance of Directory Server" - print " * Create and configure a Kerberos Key Distribution Center (KDC)" - print " * Configure Apache (httpd)" - print " * Configure TurboGears" - if options.setup_bind: - print " * Configure DNS (bind)" - if not options.conf_ntp: - print "" - print "Excluded by options:" - print " * Configure the Network Time Daemon (ntpd)" - print "" - print "To accept the default shown in brackets, press the Enter key." - print "" - - check_dirsrv(options.unattended) - - ds_user = "" - realm_name = "" - host_name = "" - domain_name = "" - ip_address = "" - master_password = "" - dm_password = "" - admin_password = "" - - # check bind packages are installed - if options.setup_bind: - if not ipaserver.bindinstance.check_inst(): - print "--setup-bind was specified but bind is not installed on the system" - print "Please install bind and restart the setup program" - return 1 - - # check the hostname is correctly configured, it must be as the kldap - # utilities just use the hostname as returned by gethostbyname to set - # up some of the standard entries - - host_default = "" - if options.host_name: - host_default = options.host_name - else: - host_default = get_fqdn() - - if options.unattended: - try: - verify_fqdn(host_default,options.no_host_dns) - except RuntimeError, e: - logging.error(str(e) + "\n") - return 1 - - host_name = host_default - else: - host_name = read_host_name(host_default,options.no_host_dns) - - host_name = host_name.lower() - - if not options.domain_name: - domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended) - else: - domain_name = options.domain_name - - domain_name = domain_name.lower() - - # Check we have a public IP that is associated with the hostname - ip = resolve_host(host_name) - if ip is None: - if options.ip_address: - ip = 
options.ip_address - if ip is None and options.unattended: - print "Unable to resolve IP address for host name" - return 1 - - if not verify_ip_address(ip): - ip = "" - if options.unattended: - return 1 - - if options.ip_address and options.ip_address != ip: - if options.setup_bind: - ip = options.ip_address - else: - print "Error: the hostname resolves to an IP address that is different" - print "from the one provided on the command line. Please fix your DNS" - print "or /etc/hosts file and restart the installation." - return 1 - - if options.unattended: - if not ip: - print "Unable to resolve IP address" - return 1 - - if not ip: - ip = read_ip_address(host_name) - ip_address = ip - - print "The IPA Master Server will be configured with" - print "Hostname: " + host_name - print "IP address: " + ip_address - print "Domain name: " + domain_name - print "" - - if not options.ds_user: - ds_user = read_ds_user() - if ds_user == "": - return 1 - else: - ds_user = options.ds_user - - if not options.realm_name: - realm_name = read_realm_name(domain_name, options.unattended) - else: - realm_name = options.realm_name.upper() - - if not options.dm_password: - dm_password = read_dm_password() - else: - dm_password = options.dm_password - - if not options.master_password: - master_password = ipa_generate_password() - else: - master_password = options.master_password - - if not options.admin_password: - admin_password = read_admin_password() - else: - admin_password = options.admin_password - - if not options.unattended: - print "" - print "The following operations may take some minutes to complete." - print "Please wait until the prompt is returned." 
- - # Configure ntpd - if options.conf_ntp: - ntp = ipaserver.ntpinstance.NTPInstance(fstore) - ntp.create_instance() - - if options.dirsrv_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.dirsrv_pin) - os.close(pw_fd) - - # Create a directory server instance - ds = ipaserver.dsinstance.DsInstance() - if options.dirsrv_pkcs12: - pkcs12_info = (options.dirsrv_pkcs12, pw_name) - ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info) - os.remove(pw_name) - else: - ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) - - # Create a kerberos instance - krb = ipaserver.krbinstance.KrbInstance(fstore) - krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password) - - # Create a HTTP instance - - if options.http_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.http_pin) - os.close(pw_fd) - - http = ipaserver.httpinstance.HTTPInstance(fstore) - if options.http_pkcs12: - pkcs12_info = (options.http_pkcs12, pw_name) - http.create_instance(realm_name, host_name, domain_name, autoconfig=False, pkcs12_info=pkcs12_info) - os.remove(pw_name) - else: - http.create_instance(realm_name, host_name, domain_name, autoconfig=True) - - # Create the config file - fstore.backup_file("/etc/ipa/ipa.conf") - fd = open("/etc/ipa/ipa.conf", "w") - fd.write("[defaults]\n") - fd.write("server=" + host_name + "\n") - fd.write("realm=" + realm_name + "\n") - fd.write("domain=" + domain_name + "\n") - fd.close() - - # Create a Web Gui instance - webgui = ipaserver.httpinstance.WebGuiInstance() - webgui.create_instance() - - bind = ipaserver.bindinstance.BindInstance(fstore) - bind.setup(host_name, ip_address, realm_name, domain_name) - if options.setup_bind: - bind.create_instance() - else: - bind.create_sample_bind_zone() - - # Apply any LDAP updates. 
Needs to be done after the configuration file - # is created - service.print_msg("Applying LDAP updates") - ds.apply_updates() - - # Restart ds and krb after configurations have been changed - service.print_msg("restarting the directory server") - ds.restart() - - service.print_msg("restarting the KDC") - krb.restart() - - # Set the admin user kerberos password - ds.change_admin_password(admin_password) - - # Call client install script - try: - run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name]) - except Exception, e: - print "Configuration of client side components failed!" - print "ipa-client-install returned: " + str(e) - return 1 - - print "==============================================================================" - print "Setup complete" - print "" - print "Next steps:" - print "\t1. You must make sure these network ports are open:" - print "\t\tTCP Ports:" - print "\t\t * 80, 443: HTTP/HTTPS" - print "\t\t * 389, 636: LDAP/LDAPS" - print "\t\t * 88, 464: kerberos" - if options.setup_bind: - print "\t\t * 53: bind" - print "\t\tUDP Ports:" - print "\t\t * 88, 464: kerberos" - if options.setup_bind: - print "\t\t * 53: bind" - if options.conf_ntp: - print "\t\t * 123: ntp" - print "" - print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'" - print "\t This ticket will allow you to use the IPA tools (e.g., ipa-adduser)" - print "\t and the web user interface." - - if not service.is_running("ntpd"): - print "\t3. Kerberos requires time synchronization between clients" - print "\t and servers for correct operation. You should consider enabling ntpd." 
- - print "" - if not options.dirsrv_pkcs12: - print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12" - print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt" - else: - print "In order for Firefox autoconfiguration to work you will need to" - print "use a SSL signing certificate. See the IPA documentation for more details." - print "You also need to install a PEM copy of the HTTP issuing CA into" - print "/usr/share/ipa/html/ca.crt" - - return 0 - -try: - try: - sys.exit(main()) - except SystemExit, e: - sys.exit(e) - except Exception, e: - message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) - print message - message = str(e) - for str in traceback.format_tb(sys.exc_info()[2]): - message = message + "\n" + str - logging.debug(message) - sys.exit(1) -finally: - if pw_name and ipautil.file_exists(pw_name): - os.remove(pw_name) diff --git a/ipa-server/ipa-install/ipactl b/ipa-server/ipa-install/ipactl deleted file mode 100644 index 11038394..00000000 --- a/ipa-server/ipa-install/ipactl +++ /dev/null 
@@ -1,57 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2008 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 only
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-#
-# IPA control to start/stop the various services required for IPA in the
-# proper order
-#
-
-function start() {
- /sbin/service dirsrv start
- /sbin/service ntpd start
- /sbin/service krb5kdc start
- /sbin/service ipa_kpasswd start
- /sbin/service ipa_webgui start
- /sbin/service httpd start
-}
-
-function stop() {
- /sbin/service ipa_webgui stop
- /sbin/service ipa_kpasswd stop
- /sbin/service httpd stop
- /sbin/service krb5kdc stop
- /sbin/service dirsrv stop
- /sbin/service ntpd stop
-}
-
-case "$1" in
-restart)
- stop
- start
- ;;
-start)
- start
- ;;
-stop)
- stop
- ;;
-*)
- echo "Usage: ipactl {start|stop|restart}"
- exit 1
- ;;
-esac
diff --git a/ipa-server/ipa-install/share/60ipaconfig.ldif b/ipa-server/ipa-install/share/60ipaconfig.ldif
deleted file mode 100644
index f4edbcc9..00000000
--- a/ipa-server/ipa-install/share/60ipaconfig.ldif
+++ /dev/null
@@ -1,42 +0,0 @@
-## schema file for ipa configuration
-##
-## IPA Base OID: 2.16.840.1.113730.3.8
-##
-## Attributes: 2.16.840.1.113730.3.8.1
-## ObjectClasses: 2.16.840.1.113730.3.8.2
-dn: cn=schema
-###############################################
-##
-## Attributes
-##
-## ipaUserSearchFields - attribute names to search against when looking for users
-attributetypes: ( 2.16.840.1.113730.3.8.1.1 NAME 'ipaUserSearchFields' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-## ipaGroupSearchFields - attribute names to search against when looking for groups
-attributetypes: ( 2.16.840.1.113730.3.8.1.2 NAME 'ipaGroupSearchFields' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-## ipaSearchTimeLimit - search time limit in seconds
-attributetypes: ( 2.16.840.1.113730.3.8.1.3 NAME 'ipaSearchTimeLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-## ipaSearchRecordsLimit - maximum number of records to return
-attributetypes: ( 2.16.840.1.113730.3.8.1.4 NAME 'ipaSearchRecordsLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-## ipaCustomFields - custom fields to show in the UI in addition to pre-defined ones
-attributetypes: ( 2.16.840.1.113730.3.8.1.5 NAME 'ipaCustomFields' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-## ipaHomesRootDir - default posix home directory root dir to use when creating new accounts
-attributetypes: ( 2.16.840.1.113730.3.8.1.6 NAME 'ipaHomesRootDir' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
-## ipaDefaultLoginShell - default posix login shell to use when creating new accounts
-attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
-## ipaDefaultPrimaryGroup - default posix primary group to assign when creating new accounts
-attributetypes: ( 2.16.840.1.113730.3.8.1.8 NAME 'ipaDefaultPrimaryGroup' EQUALITY 
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
-## ipaMaxUsernameLength - maximum username length to allow in the UI
-attributetypes: ( 2.16.840.1.113730.3.8.1.9 NAME 'ipaMaxUsernameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-## ipaPwdExpAdvNotify - time in days to send out paswword expiration notification before passwpord actually expires
-attributetypes: ( 2.16.840.1.113730.3.8.1.10 NAME 'ipaPwdExpAdvNotify' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-# ipaUserObjectClasses - required objectclasses for users
-attributetypes: ( 2.16.840.1.113730.3.8.1.11 NAME 'ipaUserObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-# ipaGroupObjectClasses - required objectclasses for groups
-attributetypes: ( 2.16.840.1.113730.3.8.1.12 NAME 'ipaGroupObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-attributetypes: ( 2.16.840.1.113730.3.8.1.13 NAME 'ipaDefaultEmailDomain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-###############################################
-##
-## ObjectClasses
-##
-## ipaGuiConfig - GUI config parameters objectclass
-objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain) )
diff --git a/ipa-server/ipa-install/share/60kerberos.ldif b/ipa-server/ipa-install/share/60kerberos.ldif
deleted file mode 100644
index 3431d22e..00000000
--- a/ipa-server/ipa-install/share/60kerberos.ldif
+++ /dev/null
@@ -1,283 +0,0 @@
-dn: cn=schema
-# Novell Kerberos Schema Definitions
-# Novell Inc.
-# 1800 South Novell Place
-# Provo, UT 84606
-#
-# VeRsIoN=1.0
-# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
-#
-# OIDs:
-# joint-iso-ccitt(2)
-# country(16)
-# us(840)
-# organization(1)
-# Novell(113719)
-# applications(1)
-# kerberos(301)
-# Kerberos Attribute Type(4) attr# version#
-# specific attribute definitions
-# Kerberos Attribute Syntax(5)
-# specific syntax definitions
-# Kerberos Object Class(6) class# version#
-# specific class definitions
-########################################################################
-########################################################################
-# Attribute Type Definitions #
-########################################################################
-##### This is the principal name in the RFC 1964 specified format
-attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-##### This specifies the type of the principal, the types could be any of
-##### the types mentioned in section 6.2 of RFC 4120
-attributetypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### This flag is used to find whether directory User Password has to be used
-##### as kerberos password.
-##### TRUE, if User Password is to be used as the kerberos password.
-##### FALSE, if User Password and the kerberos password are different.
-attributetypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
-##### The time at which the principal expires
-attributetypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
-##### The values (0x00000001 - 0x00800000) are reserved for standards and
-##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
-##### The flags and values as per RFC 4120 and MIT implementation are,
-##### DISALLOW_POSTDATED 0x00000001
-##### DISALLOW_FORWARDABLE 0x00000002
-##### DISALLOW_TGT_BASED 0x00000004
-##### DISALLOW_RENEWABLE 0x00000008
-##### DISALLOW_PROXIABLE 0x00000010
-##### DISALLOW_DUP_SKEY 0x00000020
-##### DISALLOW_ALL_TIX 0x00000040
-##### REQUIRES_PRE_AUTH 0x00000080
-##### REQUIRES_HW_AUTH 0x00000100
-##### REQUIRES_PWCHANGE 0x00000200
-##### DISALLOW_SVR 0x00001000
-##### PWCHANGE_SERVICE 0x00002000
-attributetypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### The maximum ticket lifetime for a principal in seconds
-attributetypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Maximum renewable lifetime for a principal's ticket in seconds
-attributetypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Forward reference to the Realm object.
-##### (FDN of the krbRealmContainer object).
-##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
-attributetypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### List of LDAP servers that kerberos servers can contact.
-##### The attribute holds data in the ldap uri format,
-##### Example: ldaps://acme.com:636
-#####
-##### The values of this attribute need to be updated, when
-##### the LDAP servers listed here are renamed, moved or deleted.
-attributetypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-##### A set of forward references to the KDC Service objects.
-##### (FDNs of the krbKdcService objects).
-##### Example: cn=kdc - server 1, ou=uvw, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### A set of forward references to the Password Service objects.
-##### (FDNs of the krbPwdService objects).
-##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### This attribute holds the Host Name or the ip address,
-##### transport protocol and ports of the kerberos service host
-##### The format is host_name-or-ip_address#protocol#port
-##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
-attributetypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-##### This attribute holds the scope for searching the principals
-##### under krbSubTree attribute of krbRealmContainer
-##### The value can either be 1 (ONE) or 2 (SUB_TREE).
-attributetypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### FDNs pointing to Kerberos principals
-attributetypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### This attribute specifies which attribute of the user objects
-##### be used as the principal name component for Kerberos.
-##### The allowed values are cn, sn, uid, givenname, fullname.
-attributetypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
-##### A set of forward references to the Administration Service objects.
-##### (FDNs of the krbAdmService objects).
-##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### Maximum lifetime of a principal's password
-attributetypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Minimum lifetime of a principal's password
-attributetypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Minimum number of character clases allowed in a password
-attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Minimum length of the password
-attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### Number of previous versions of passwords that are stored
-attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### FDN pointing to a Kerberos Password Policy object
-attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
-##### The time at which the principal's password expires
-attributetypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
-##### the master key (krbMKey).
-##### The attribute is ASN.1 encoded.
-#####
-##### The format of the value for this attribute is explained below,
-##### KrbKeySet ::= SEQUENCE {
-##### attribute-major-vno [0] UInt16,
-##### attribute-minor-vno [1] UInt16,
-##### kvno [2] UInt32,
-##### mkvno [3] UInt32 OPTIONAL,
-##### keys [4] SEQUENCE OF KrbKey,
-##### ...
-##### }
-#####
-##### KrbKey ::= SEQUENCE {
-##### salt [0] KrbSalt OPTIONAL,
-##### key [1] EncryptionKey,
-##### s2kparams [2] OCTET STRING OPTIONAL,
-##### ...
-##### }
-#####
-##### KrbSalt ::= SEQUENCE {
-##### type [0] Int32,
-##### salt [1] OCTET STRING OPTIONAL
-##### }
-#####
-##### EncryptionKey ::= SEQUENCE {
-##### keytype [0] Int32,
-##### keyvalue [1] OCTET STRING
-##### }
-attributetypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### FDN pointing to a Kerberos Ticket Policy object.
-attributetypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
-##### Forward reference to an entry that starts sub-trees
-##### where principals and other kerberos objects in the realm are configured.
-##### Example: ou=acme, ou=pq, o=xyz
-attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### Holds the default encryption/salt type combinations of principals for
-##### the Realm. Stores in the form of key:salt strings.
-##### Example: des-cbc-crc:normal
-attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-##### Holds the Supported encryption/salt type combinations of principals for
-##### the Realm. Stores in the form of key:salt strings.
-##### The supported encryption types are mentioned in RFC 3961
-##### The supported salt types are,
-##### NORMAL
-##### V4
-##### NOREALM
-##### ONLYREALM
-##### SPECIAL
-##### AFS3
-##### Example: des-cbc-crc:normal
-#####
-##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
-##### attributes.
-attributetypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
-##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
-##### the kadmin/history key.
-##### The attribute is ASN.1 encoded.
-#####
-##### The format of the value for this attribute is explained below,
-##### KrbKeySet ::= SEQUENCE {
-##### attribute-major-vno [0] UInt16,
-##### attribute-minor-vno [1] UInt16,
-##### kvno [2] UInt32,
-##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key,
-##### keys [4] SEQUENCE OF KrbKey,
-##### ...
-##### }
-#####
-##### KrbKey ::= SEQUENCE {
-##### salt [0] KrbSalt OPTIONAL,
-##### key [1] EncryptionKey,
-##### s2kparams [2] OCTET STRING OPTIONAL,
-##### ...
-##### }
-#####
-##### KrbSalt ::= SEQUENCE {
-##### type [0] Int32,
-##### salt [1] OCTET STRING OPTIONAL
-##### }
-#####
-##### EncryptionKey ::= SEQUENCE {
-##### keytype [0] Int32,
-##### keyvalue [1] OCTET STRING
-##### }
-attributetypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### The time at which the principal's password last password change happened.
-attributetypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### This attribute holds the kerberos master key.
-##### This can be used to encrypt principal keys.
-##### This attribute has to be secured in directory.
-#####
-##### This attribute is ASN.1 encoded.
-##### The format of the value for this attribute is explained below,
-##### KrbMKey ::= SEQUENCE {
-##### kvno [0] UInt32,
-##### key [1] MasterKey
-##### }
-#####
-##### MasterKey ::= SEQUENCE {
-##### keytype [0] Int32,
-##### keyvalue [1] OCTET STRING
-##### }
-attributetypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### This stores the alternate principal names for the principal in the RFC 1961 specified format
-attributetypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
-##### The time at which the principal's last successful authentication happened.
-attributetypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### The time at which the principal's last failed authentication happened.
-attributetypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
-##### This attribute stores the number of failed authentication attempts
-##### happened for the principal since the last successful authentication.
-attributetypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
-##### This attribute holds the application specific data.
-attributetypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
-##### This attributes holds references to the set of directory objects.
-##### This stores the DNs of the directory objects to which the
-##### principal object belongs to.
-attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-##### This attribute holds references to a Container object where
-##### the additional principal objects and stand alone principal
-##### objects (krbPrincipal) can be created.
-attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
-########################################################################
-########################################################################
-# Object Class Definitions #
-########################################################################
-#### This is a kerberos container for all the realms in a tree.
-objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top MUST ( cn ) )
-##### The krbRealmContainer is created per realm and holds realm specific data.
-objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
-##### An instance of a class derived from krbService is created per
-##### kerberos authentication or administration server in an realm and holds
-##### references to the realm objects. These references is used to further read
-##### realm specific data to service AS/TGS requests. Additionally this object
-##### contains some server specific data like pathnames and ports that the
-##### server uses. This is the identity the kerberos server logs in with. A key
-##### pair for the same is created and the kerberos server logs in with the same.
-#####
-##### krbKdcService, krbAdmService and krbPwdService derive from this class.
-objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' ABSTRACT SUP ( top ) MUST ( cn ) MAY ( krbHostServer $ krbRealmReferences ) )
-##### Representative object for the KDC server to bind into a LDAP directory
-##### and have a connection to access Kerberos data with the required
-##### access rights.
-objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )
-##### Representative object for the Kerberos Password server to bind into a LDAP directory
-##### and have a connection to access Kerberos data with the required
-##### access rights.
-objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
-###### The principal data auxiliary class. Holds principal information
-###### and is used to store principal information for Person, Service objects.
-objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
-###### This class is used to create additional principals and stand alone principals.
-objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
-###### The principal references auxiliary class. Holds all principals referred
-###### from a service
-objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
-##### Representative object for the Kerberos Administration server to bind into a LDAP directory
-##### and have a connection Id to access Kerberos data with the required access rights.
-objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbService ) )
-##### The krbPwdPolicy object is a template password policy that
-##### can be applied to principals when they are created.
-##### These policy attributes will be in effect, when the Kerberos
-##### passwords are different from users' passwords (UP).
-objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
-##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
-##### This class can be attached to a principal object or realm object.
-objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
-##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
-objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )
diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif
deleted file mode 100644
index 93a5ba31..00000000
--- a/ipa-server/ipa-install/share/60radius.ldif
+++ /dev/null
@@ -1,559 +0,0 @@
-# This is a LDAPv3 schema for RADIUS attributes.
-# Tested on OpenLDAP 2.0.7
-# Posted by Javier Fernandez-Sanguino Pena <jfernandez@sgi.es>
-# LDAP v3 version by Jochen Friedrich <jochen@scram.de>
-# Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
-# Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA
-#
-# Note: These OID's do not seem to be registered, the closest I could find
-# was 1.3.6.1.4.1.3317
-# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)}
-#
-##############
-dn: cn=schema
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.1
- NAME 'radiusArapFeatures'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.2
- NAME 'radiusArapSecurity'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.3
- NAME 'radiusArapZoneAccess'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.44
- NAME 'radiusAuthType'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.4
- NAME 'radiusCallbackId'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.5
- NAME 'radiusCallbackNumber'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.6
- NAME 'radiusCalledStationId'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.7
- NAME 'radiusCallingStationId'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.8
- NAME 'radiusClass'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.45
- NAME 'radiusClientIPAddress'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.9
- NAME 'radiusFilterId'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.10
- NAME 'radiusFramedAppleTalkLink'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.11
- NAME 'radiusFramedAppleTalkNetwork'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.12
- NAME 'radiusFramedAppleTalkZone'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.13
- NAME 'radiusFramedCompression'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.14
- NAME 'radiusFramedIPAddress'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.15
- NAME 'radiusFramedIPNetmask'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.16
- NAME 'radiusFramedIPXNetwork'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.17
- NAME 'radiusFramedMTU'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.18
- NAME 'radiusFramedProtocol'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.19
- NAME 'radiusFramedRoute'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.20
- NAME 'radiusFramedRouting'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.46
- NAME 'radiusGroupName'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.47
- NAME 'radiusHint'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.48
- NAME 'radiusHuntgroupName'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.21
- NAME 'radiusIdleTimeout'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.22
- NAME 'radiusLoginIPHost'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.23
- NAME 'radiusLoginLATGroup'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.24
- NAME 'radiusLoginLATNode'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.25
- NAME 'radiusLoginLATPort'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.26
- NAME 'radiusLoginLATService'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.27
- NAME 'radiusLoginService'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.28
- NAME 'radiusLoginTCPPort'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.29
- NAME 'radiusPasswordRetry'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.30
- NAME 'radiusPortLimit'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.49
- NAME 'radiusProfileDn'
- DESC ''
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.31
- NAME 'radiusPrompt'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.50
- NAME 'radiusProxyToRealm'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.51
- NAME 'radiusReplicateToRealm'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.52
- NAME 'radiusRealm'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.32
- NAME 'radiusServiceType'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.33
- NAME 'radiusSessionTimeout'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.34
- NAME 'radiusTerminationAction'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.35
- NAME 'radiusTunnelAssignmentId'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.36
- NAME 'radiusTunnelMediumType'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.37
- NAME 'radiusTunnelPassword'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.38
- NAME 'radiusTunnelPreference'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.39
- NAME 'radiusTunnelPrivateGroupId'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.40
- NAME 'radiusTunnelServerEndpoint'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.41
- NAME 'radiusTunnelType'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.42
- NAME 'radiusVSA'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.43
- NAME 'radiusTunnelClientEndpoint'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-#need to change asn1.id
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.53
- NAME 'radiusSimultaneousUse'
- DESC ''
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.54
- NAME 'radiusLoginTime'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.55
- NAME 'radiusUserCategory'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.56
- NAME 'radiusStripUserName'
- DESC ''
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.57
- NAME 'dialupAccess'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.58
- NAME 'radiusExpiration'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.59
- NAME 'radiusCheckItem'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.60
- NAME 'radiusReplyItem'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.61
- NAME 'radiusNASIpAddress'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.62
- NAME 'radiusReplyMessage'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-objectClasses:
- ( 1.3.6.1.4.1.3317.4.3.2.1
- NAME 'radiusprofile'
- SUP top AUXILIARY
- DESC ''
- MUST uid
- MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
- radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
- radiusCalledStationId $ radiusCallingStationId $ radiusClass $
- radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
- radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
- radiusFramedCompression $ radiusFramedIPAddress $
- radiusFramedIPNetmask $ radiusFramedIPXNetwork $
- radiusFramedMTU $ radiusFramedProtocol $
- radiusCheckItem $ radiusReplyItem $
- radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
- radiusGroupName $ radiusHint $ radiusHuntgroupName $
- radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
- radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
- radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
- radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
- radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
- radiusSessionTimeout $ radiusStripUserName $
- radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $
- radiusSimultaneousUse $ radiusTunnelAssignmentId $
- radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $
- radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
- radiusTunnelType $ radiusUserCategory $ radiusVSA $
- radiusExpiration $ dialupAccess $ radiusNASIpAddress $
- radiusReplyMessage )
- )
-objectClasses:
- ( 1.3.6.1.4.1.3317.4.3.2.2
- NAME 'radiusObjectProfile'
- SUP top STRUCTURAL
- DESC 'A Container Objectclass to be used for creating radius profile object'
- MUST cn
- MAY ( uid $ userPassword $ description )
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.64
- NAME 'radiusClientSecret'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.65
- NAME 'radiusClientNASType'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- )
-attributeTypes:
- ( 1.3.6.1.4.1.3317.4.3.1.66
- NAME 'radiusClientShortName'
- DESC ''
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- )
-objectClasses:
- ( 1.3.6.1.4.1.3317.4.3.2.3
- NAME 'radiusClientProfile'
- SUP top STRUCTURAL
- DESC 'A Container Objectclass to be used for describing radius clients'
- MUST (radiusClientIPAddress $ radiusClientSecret)
- MAY ( radiusClientNASType $ radiusClientShortName $ description )
- )
diff --git a/ipa-server/ipa-install/share/60samba.ldif b/ipa-server/ipa-install/share/60samba.ldif
deleted file mode 100644
index d3a6d31b..00000000
--- a/ipa-server/ipa-install/share/60samba.ldif
+++ /dev/null
@@ -1,152 +0,0 @@ -## schema file for Fedora DS -## -## Schema for storing Samba user accounts and group maps in LDAP -## OIDs are owned by the Samba Team -## -## Prerequisite schemas - uid (cosine.schema) -## - displayName (inetorgperson.schema) -## - gidNumber (nis.schema) -## -## 1.3.6.1.4.1.7165.2.1.x - attributeTypess -## 1.3.6.1.4.1.7165.2.2.x - objectClasseses -## -## Printer support -## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypess -## 1.3.6.1.4.1.7165.2.3.2.x - objectClasseses -## -## Samba4 -## 1.3.6.1.4.1.7165.4.1.x - attributeTypess -## 1.3.6.1.4.1.7165.4.2.x - objectClasseses -## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls -## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations -## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track -## -dn: cn=schema -## -####################################################################### -## Attributes used by Samba 3.0 schema ## -####################################################################### -## -## Password hashes## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) -## -## Account flags in string format ([UWDX ]) -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) -## -## Password timestamps & policies -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY 
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) -## -## string settings -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 
'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) -## -## SID, of any type -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) -## -## Primary group SID, compatible with ntSid -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) -## -## group mapping attributes -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -## -## Store info on the domain -## -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 
'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' -## SUP name ) -## -##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' -## DESC 'Privileges List' -## EQUALITY caseIgnoreIA5Match -## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -# "min password length" 
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "password history" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "user must logon to change password" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "maximum password age" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "minimum password age" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "lockout duration" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "reset count minutes" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "bad lockout attempt" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "disconnect time" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside 
logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -# "refuse machine password change" -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -## -####################################################################### -## objectClasses: used by Samba 3.0 schema ## -####################################################################### -## -## The X.500 data model (and therefore LDAPv3) says that each entry can -## only have one structural objectClasses. OpenLDAP 2.0 does not enforce -## this currently but will in v2.1 -## -## added new objectClasses: (and OID) for 3.0 to help us deal with backwards -## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry -## -objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours)) -## -## Group mapping info -## -objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList )) -## -## Trust password for trust relationships (any kind) -## -objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ 
sambaPwdLastSet )) -## -## Whole-of-domain info -## -objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange )) -## -## used for idmap_ldap module -## -objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ) -objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) ) -objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) ) -objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) ) -objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) ) -objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) ) -## retired during privilege rewrite -##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY -## DESC 'Samba Privilege' -## MUST ( sambaSID ) -## MAY ( sambaPrivilegeList ) ) diff --git a/ipa-server/ipa-install/share/Makefile.am b/ipa-server/ipa-install/share/Makefile.am deleted file mode 100644 index 6be2e13d..00000000 --- a/ipa-server/ipa-install/share/Makefile.am +++ /dev/null 
@@ -1,39 +0,0 @@
-NULL =
-
-appdir = $(IPA_DATA_DIR)
-app_DATA = \
- 60kerberos.ldif \
- 60samba.ldif \
- 60radius.ldif \
- 60ipaconfig.ldif \
- bootstrap-template.ldif \
- default-aci.ldif \
- default-keytypes.ldif \
- kerberos.ldif \
- indices.ldif \
- bind.named.conf.template \
- bind.zone.db.template \
- certmap.conf.template \
- kdc.conf.template \
- krb5.conf.template \
- krb5.ini.template \
- krb.con.template \
- krbrealm.con.template \
- ntp.conf.server.template \
- ntpd.sysconfig.template \
- preferences.html.template \
- referint-conf.ldif \
- dna-posix.ldif \
- master-entry.ldif \
- memberof-task.ldif \
- unique-attributes.ldif \
- schema_compat.uldif \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/ipa-server/ipa-install/share/bind.named.conf.template b/ipa-server/ipa-install/share/bind.named.conf.template
deleted file mode 100644
index c1d2817e..00000000
--- a/ipa-server/ipa-install/share/bind.named.conf.template
+++ /dev/null
@@ -1,41 +0,0 @@
-options {
- /* make named use port 53 for the source of all queries, to allow
- * firewalls to block all ports except 53:
- */
- query-source port 53;
- query-source-v6 port 53;
-
- // Put files that named is allowed to write in the data/ directory:
- directory "/var/named"; // the default
- dump-file "data/cache_dump.db";
- statistics-file "data/named_stats.txt";
- memstatistics-file "data/named_mem_stats.txt";
-
- /* Not used yet, support only on very recent bind versions */
-# tkey-gssapi-credential "DNS/$FQDN";
-# tkey-domain "$REALM";
-};
-
-logging {
-/* If you want to enable debugging, eg. using the 'rndc trace' command,
- * By default, SELinux policy does not allow named to modify the /var/named directory,
- * so put the default debug log file in data/ :
- */
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- };
-};
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-include "/etc/named.rfc1912.zones";
-
-zone "$DOMAIN" {
- type master;
- file "$DOMAIN.zone.db";
-};
-
diff --git a/ipa-server/ipa-install/share/bind.zone.db.template b/ipa-server/ipa-install/share/bind.zone.db.template
deleted file mode 100644
index aca7d2d2..00000000
--- a/ipa-server/ipa-install/share/bind.zone.db.template
+++ /dev/null
@@ -1,28 +0,0 @@
-$$ORIGIN $DOMAIN.
-$$TTL 86400
-@ IN SOA $DOMAIN. root.$DOMAIN. (
- 01 ; serial
- 3H ; refresh
- 15M ; retry
- 1W ; expiry
- 1D ) ; minimum
-
- IN NS $HOST
-$HOST IN A $IP
-;
-; ldap servers
-_ldap._tcp IN SRV 0 100 389 $HOST
-
-;kerberos realm
-_kerberos IN TXT $REALM
-
-; kerberos servers
-_kerberos._tcp IN SRV 0 100 88 $HOST
-_kerberos._udp IN SRV 0 100 88 $HOST
-_kerberos-master._tcp IN SRV 0 100 88 $HOST
-_kerberos-master._udp IN SRV 0 100 88 $HOST
-_kpasswd._tcp IN SRV 0 100 464 $HOST
-_kpasswd._udp IN SRV 0 100 464 $HOST
-
-;ntp server
-_ntp._udp IN SRV 0 100 123 $HOST
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
deleted file mode 100644
index eb69ae4d..00000000
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ /dev/null
@@ -1,202 +0,0 @@
-dn: cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-objectClass: krbPwdPolicy
-cn: accounts
-krbMinPwdLife: 3600
-krbPwdMinDiffChars: 0
-krbPwdMinLength: 8
-krbPwdHistoryLength: 0
-krbMaxPwdLife: 7776000
-
-dn: cn=users,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: users
-
-dn: cn=groups,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: groups
-
-dn: cn=services,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: services
-
-dn: cn=computers,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: computers
-
-dn: cn=etc,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: etc
-
-dn: cn=sysaccounts,cn=etc,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: sysaccounts
-
-dn: cn=ipa,cn=etc,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: ipa
-
-dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: masters
-
-dn: uid=admin,cn=users,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-objectClass: KrbPrincipalAux
-objectClass: inetUser
-uid: admin
-krbPrincipalName: admin@$REALM
-cn: Administrator
-sn: Administrator
-uidNumber: 999
-gidNumber: 1001
-homeDirectory: /home/admin
-loginShell: /bin/bash
-gecos: Administrator
-nsAccountLock: False
-
-dn: cn=radius,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: radius
-
-dn: cn=clients,cn=radius,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: clients
-
-dn: cn=profiles,cn=radius,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: profiles
-
-dn: uid=ipa_default, cn=profiles,cn=radius,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: radiusprofile
-uid: ipa_default
-
-dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: posixGroup
-cn: admins
-description: Account administrators group
-gidNumber: 1001
-member: uid=admin,cn=users,cn=accounts,$SUFFIX
-nsAccountLock: False
-
-dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: posixGroup
-gidNumber: 1002
-description: Default group for all users
-cn: ipausers
-
-dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: posixGroup
-gidNumber: 1003
-description: Limited admins who can edit other users
-cn: editors
-
-dn: cn=ipaConfig,cn=etc,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-objectClass: ipaGuiConfig
-ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
-ipaGroupSearchFields: cn,description
-ipaSearchTimeLimit: 2
-ipaSearchRecordsLimit: 0
-ipaHomesRootDir: /home
-ipaDefaultLoginShell: /bin/sh
-ipaDefaultPrimaryGroup: ipausers
-ipaMaxUsernameLength: 8
-ipaPwdExpAdvNotify: 4
-ipaGroupObjectClasses: top
-ipaGroupObjectClasses: groupofnames
-ipaGroupObjectClasses: posixGroup
-ipaGroupObjectClasses: inetUser
-ipaUserObjectClasses: top
-ipaUserObjectClasses: person
-ipaUserObjectClasses: organizationalPerson
-ipaUserObjectClasses: inetOrgPerson
-ipaUserObjectClasses: inetUser
-ipaUserObjectClasses: posixAccount
-ipaUserObjectClasses: krbPrincipalAux
-ipaUserObjectClasses: radiusprofile
-ipaDefaultEmailDomain: $DOMAIN
-
-dn: cn=account inactivation,cn=accounts,$SUFFIX
-changetype: add
-description: Lock accounts based on group membership
-objectClass: top
-objectClass: ldapsubentry
-objectClass: cosSuperDefinition
-objectClass: cosClassicDefinition
-cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
-cosAttribute: nsAccountLock operational
-cosSpecifier: memberOf
-cn: Account Inactivation
-
-dn: cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: nsContainer
-cn: cosTemplates
-
-dn: cn="cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: cosTemplate
-objectClass: extensibleobject
-nsAccountLock: true
-cosPriority: 1
-
-dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-
-dn: cn="cn=activated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: cosTemplate
-objectClass: extensibleobject
-nsAccountLock: false
-cosPriority: 0
-
-dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
diff --git a/ipa-server/ipa-install/share/certmap.conf.template b/ipa-server/ipa-install/share/certmap.conf.template
deleted file mode 100644
index 676d3ef3..00000000
--- a/ipa-server/ipa-install/share/certmap.conf.template
+++ /dev/null
@@ -1,82 +0,0 @@
-#
-# BEGIN COPYRIGHT BLOCK
-# This Program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License as published by the Free Software
-# Foundation; version 2 of the License.
-#
-# This Program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
-# Place, Suite 330, Boston, MA 02111-1307 USA.
-#
-# In addition, as a special exception, Red Hat, Inc. gives You the additional
-# right to link the code of this Program with code not covered under the GNU
-# General Public License ("Non-GPL Code") and to distribute linked combinations
-# including the two, subject to the limitations in this paragraph. Non-GPL Code
-# permitted under this exception must only link to the code of this Program
-# through those well defined interfaces identified in the file named EXCEPTION
-# found in the source code files (the "Approved Interfaces"). The files of
-# Non-GPL Code may instantiate templates or use macros or inline functions from
-# the Approved Interfaces without causing the resulting work to be covered by
-# the GNU General Public License. Only Red Hat, Inc. may make changes or
-# additions to the list of Approved Interfaces. You must obey the GNU General
-# Public License in all respects for all of the Program code and other code used
-# in conjunction with the Program except the Non-GPL Code covered by this
-# exception. If you modify this file, you may extend this exception to your
-# version of the file, but you are not obligated to do so. If you do not wish to
-# provide this exception without modification, you must delete this exception
-# statement from your version and license this file solely under the GPL without
-# exception.
-#
-#
-# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
-# Copyright (C) 2005 Red Hat, Inc.
-# All rights reserved.
-# END COPYRIGHT BLOCK
-#
-#
-# This file configures how a certificate is mapped to an LDAP entry. See the
-# documentation for more information on this file.
-#
-# The format of this file is as follows:
-# certmap <name> <issuerDN>
-# <name>:<prop1> [<val1>]
-# <name>:<prop2> [<val2>]
-#
-# Notes:
-#
-# 1. Mapping can be defined per issuer of a certificate. If mapping doesn't
-# exists for a particular 'issuerDN' then the server uses the default
-# mapping.
-#
-# 2. There must be an entry for <name>=default and issuerDN "default".
-# This mapping is the default mapping.
-#
-# 3. '#' can be used to comment out a line.
-#
-# 4. DNComps & FilterComps are used to form the base DN and filter resp. for
-# performing an LDAP search while mapping the cert to a user entry.
-#
-# 5. DNComps can be one of the following:
-# commented out - take the user's DN from the cert as is
-# empty - search the entire LDAP tree (DN == suffix)
-# attr names - a comma separated list of attributes to form DN
-#
-# 6. FilterComps can be one of the following:
-# commented out - set the filter to "objectclass=*"
-# empty - set the filter to "objectclass=*"
-# attr names - a comma separated list of attributes to form the filter
-#
-
-certmap default default
-#default:DNComps
-#default:FilterComps e, uid
-#default:verifycert on
-#default:CmapLdapAttr certSubjectDN
-#default:library <path_to_shared_lib_or_dll>
-#default:InitFn <Init function's name>
-default:DNComps
-default:FilterComps uid
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
deleted file mode 100644
index 25bd3b22..00000000
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ /dev/null
@@ -1,38 +0,0 @@
-# $SUFFIX (base entry)
-# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
-
-dn: cn=ipaConfig,cn=etc,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-
-dn: cn=accounts,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-
-dn: cn=radius,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-
-dn: cn=services,cn=accounts,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
diff --git a/ipa-server/ipa-install/share/default-keytypes.ldif b/ipa-server/ipa-install/share/default-keytypes.ldif
deleted file mode 100644
index 1d54a059..00000000
--- a/ipa-server/ipa-install/share/default-keytypes.ldif
+++ /dev/null
@@ -1,25 +0,0 @@
-#kerberos keytypes
-dn: cn=$REALM,cn=kerberos,$SUFFIX
-changetype: modify
-add: krbSupportedEncSaltTypes
-krbSupportedEncSaltTypes: aes256-cts:normal
-krbSupportedEncSaltTypes: aes128-cts:normal
-krbSupportedEncSaltTypes: des3-hmac-sha1:normal
-krbSupportedEncSaltTypes: arcfour-hmac:normal
-krbSupportedEncSaltTypes: des-hmac-sha1:normal
-krbSupportedEncSaltTypes: des-cbc-md5:normal
-krbSupportedEncSaltTypes: des-cbc-crc:normal
-krbSupportedEncSaltTypes: des-cbc-crc:v4
-krbSupportedEncSaltTypes: des-cbc-crc:afs3
-
-#kerberos keytypes
-dn: cn=$REALM,cn=kerberos,$SUFFIX
-changetype: modify
-add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:normal
-krbDefaultEncSaltTypes: aes128-cts:normal
-krbDefaultEncSaltTypes: des3-hmac-sha1:normal
-krbDefaultEncSaltTypes: arcfour-hmac:normal
-krbDefaultEncSaltTypes: des-hmac-sha1:normal
-krbDefaultEncSaltTypes: des-cbc-md5:normal
-
diff --git a/ipa-server/ipa-install/share/dna-posix.ldif b/ipa-server/ipa-install/share/dna-posix.ldif
deleted file mode 100644
index a8848545..00000000
--- a/ipa-server/ipa-install/share/dna-posix.ldif
+++ /dev/null
@@ -1,39 +0,0 @@
-# add container for posix configuration
-
-dn: cn=Posix,cn=ipa-dna,cn=plugins,cn=config
-changetype: add
-objectclass: top
-objectclass: nsContainer
-objectclass: extensibleObject
-cn: Posix
-
-# add plugin configuration for posix users
-
-dn: cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
-changetype: add
-objectclass: top
-objectclass: extensibleObject
-cn: Accounts
-dnaType: uidNumber
-dnaNextValue: 1100
-dnaInterval: 1
-dnaMaxValue: 1000000000
-dnaMagicRegen: 999
-dnaFilter: (objectclass=posixAccount)
-dnaScope: $SUFFIX
-
-# add plugin configuration for posix groups
-
-dn: cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
-changetype: add
-objectclass: top
-objectclass: extensibleObject
-cn: Groups
-dnaType: gidNumber
-dnaNextValue: 1100
-dnaInterval: 1
-dnaMaxValue: 1000000000
-dnaMagicRegen: 999
-dnaFilter: (objectclass=posixGroup)
-dnaScope: $SUFFIX
-
diff --git a/ipa-server/ipa-install/share/encrypted_attribute.ldif b/ipa-server/ipa-install/share/encrypted_attribute.ldif
deleted file mode 100644
index 3f5e1b43..00000000
--- a/ipa-server/ipa-install/share/encrypted_attribute.ldif
+++ /dev/null
@@ -1,6 +0,0 @@
-dn: cn=$ENCRYPTED_ATTRIBUTE, cn=encrypted attributes, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
-changetype: add
-objectClass: top
-objectClass: nsAttributeEncryption
-cn: $ENCRYPTED_ATTRIBUTE
-nsEncryptionAlgorithm: AES
diff --git a/ipa-server/ipa-install/share/fedora-ds.init.patch b/ipa-server/ipa-install/share/fedora-ds.init.patch
deleted file mode 100644
index 865611d9..00000000
--- a/ipa-server/ipa-install/share/fedora-ds.init.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- /etc/init.d/dirsrv.orig 2007-07-06 18:21:30.000000000 -0400
-+++ /etc/init.d/dirsrv 2007-05-18 19:36:24.000000000 -0400
-@@ -10,6 +10,9 @@
- # datadir: /var/lib/dirsrv/slapd-<instance name>
- #
- 
-+# Get config.
-+[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv
-+
- # Source function library.
- if [ -f /etc/rc.d/init.d/functions ] ; then
- . /etc/rc.d/init.d/functions
diff --git a/ipa-server/ipa-install/share/indices.ldif b/ipa-server/ipa-install/share/indices.ldif
deleted file mode 100644
index 05c27655..00000000
--- a/ipa-server/ipa-install/share/indices.ldif
+++ /dev/null
@@ -1,93 +0,0 @@
-dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:krbPrincipalName
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:ou
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:carLicense
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:title
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:manager
-nsSystemIndex:false
-nsIndexType:eq
-
-dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:secretary
-nsSystemIndex:false
-nsIndexType:eq
-
-dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:displayname
-nsSystemIndex:false
-nsIndexType:eq
-nsIndexType:sub
-
-dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: modify
-add: nsIndexType
-nsIndexType:sub
-
-dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:uidnumber
-nsSystemIndex:false
-nsIndexType:eq
-nsMatchingRule: integerOrderingMatch
-
-dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectClass:top
-objectClass:nsIndex
-cn:gidnumber
-nsSystemIndex:false
-nsIndexType:eq
-nsMatchingRule: integerOrderingMatch
-
-dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: modify
-replace: nsIndexType
-nsIndexType: eq,pres
-
-dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-changetype: modify
-replace: nsIndexType
-nsIndexType: eq,pres
diff --git a/ipa-server/ipa-install/share/kdc.conf.template b/ipa-server/ipa-install/share/kdc.conf.template
deleted file mode 100644
index 0a574783..00000000
--- a/ipa-server/ipa-install/share/kdc.conf.template
+++ /dev/null
@@ -1,15 +0,0 @@
-[kdcdefaults]
- kdc_ports = 88
- kdc_tcp_ports = 88
-
-[realms]
- $REALM = {
- master_key_type = des3-hmac-sha1
- supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
- max_life = 7d
- max_renewable_life = 14d
- acl_file = /var/kerberos/krb5kdc/kadm5.acl
- dict_file = /usr/share/dict/words
- default_principal_flags = +preauth
-; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
- }
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
deleted file mode 100644
index f1b651d5..00000000
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ /dev/null
@@ -1,16 +0,0 @@
-#kerberos user
-dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
-changetype: add
-objectclass: account
-objectclass: simplesecurityobject
-uid: kdc
-userPassword: $PASSWORD
-
-#kerberos base object
-dn: cn=kerberos,$SUFFIX
-changetype: add
-objectClass: krbContainer
-objectClass: top
-cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-
diff --git a/ipa-server/ipa-install/share/krb.con.template b/ipa-server/ipa-install/share/krb.con.template
deleted file mode 100644
index d75a8f60..00000000
--- a/ipa-server/ipa-install/share/krb.con.template
+++ /dev/null
@@ -1,2 +0,0 @@
-$REALM $DOMAIN
-$REALM $DOMAIN admin server
diff --git a/ipa-server/ipa-install/share/krb5.conf.template b/ipa-server/ipa-install/share/krb5.conf.template
deleted file mode 100644
index b81cedfe..00000000
--- a/ipa-server/ipa-install/share/krb5.conf.template
+++ /dev/null
@@ -1,42 +0,0 @@
-[logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
-[libdefaults]
- default_realm = $REALM
- dns_lookup_realm = true
- dns_lookup_kdc = true
- ticket_lifetime = 24h
- forwardable = yes
-
-[realms]
- $REALM = {
- kdc = $FQDN:88
- admin_server = $FQDN:749
- default_domain = $DOMAIN
-}
-
-[domain_realm]
- .$DOMAIN = $REALM
- $DOMAIN = $REALM
-
-[appdefaults]
- pam = {
- debug = false
- ticket_lifetime = 36000
- renew_lifetime = 36000
- forwardable = true
- krb4_convert = false
- }
-
-[dbmodules]
- $REALM = {
- db_library = kldap
- ldap_servers = ldap://127.0.0.1/
- ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
- ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
- ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
- ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
- }
-
diff --git a/ipa-server/ipa-install/share/krb5.ini.template b/ipa-server/ipa-install/share/krb5.ini.template
deleted file mode 100644
index 89f4a370..00000000
--- a/ipa-server/ipa-install/share/krb5.ini.template
+++ /dev/null
@@ -1,19 +0,0 @@
-[libdefaults]
- default_realm = $REALM
- krb4_config = /usr/kerberos/lib/krb.conf
- krb4_realms = /usr/kerberos/lib/krb.realms
- dns_lookup_kdc = true
-
-[realms]
- $REALM = {
- admin_server = $FQDN
- kdc = $FQDN
- default_domain = $REALM
- }
-
-[domain_realm]
- .$DOMAIN = $REALM
- $DOMAIN = $REALM
-
-[logging]
-# kdc = CONSOLE
diff --git a/ipa-server/ipa-install/share/krbrealm.con.template b/ipa-server/ipa-install/share/krbrealm.con.template
deleted file mode 100644
index c6781386..00000000
--- a/ipa-server/ipa-install/share/krbrealm.con.template
+++ /dev/null
@@ -1,3 +0,0 @@
-.$REALM $REALM
-.$REALM. $REALM
-$REALM $REALM
diff --git a/ipa-server/ipa-install/share/master-entry.ldif b/ipa-server/ipa-install/share/master-entry.ldif
deleted file mode 100644
index 09c1d44f..00000000
--- a/ipa-server/ipa-install/share/master-entry.ldif
+++ /dev/null
@@ -1,7 +0,0 @@
-dn: cn=$FQHN,cn=masters,cn=ipa,cn=etc,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: extensibleObject
-cn: $FQHN
-dnabase: 1100
-dnainterval: 4
diff --git a/ipa-server/ipa-install/share/memberof-task.ldif b/ipa-server/ipa-install/share/memberof-task.ldif
deleted file mode 100644
index 827949e3..00000000
--- a/ipa-server/ipa-install/share/memberof-task.ldif
+++ /dev/null
@@ -1,8 +0,0 @@
-dn: cn=IPA install $TIME, cn=memberof task, cn=tasks, cn=config
-changetype: add
-objectClass: top
-objectClass: extensibleObject
-cn: IPA install
-basedn: $SUFFIX
-filter: (objectclass=*)
-ttl: 10
diff --git a/ipa-server/ipa-install/share/ntp.conf.server.template b/ipa-server/ipa-install/share/ntp.conf.server.template
deleted file mode 100644
index 09149dfc..00000000
--- a/ipa-server/ipa-install/share/ntp.conf.server.template
+++ /dev/null
@@ -1,50 +0,0 @@
-# Permit time synchronization with our time source, but do not
-# permit the source to query or modify the service on this system.
-restrict default kod nomodify notrap
-restrict -6 default kod nomodify notrap
-
-# Permit all access over the loopback interface. This could
-# be tightened as well, but to do so would effect some of
-# the administrative functions.
-restrict 127.0.0.1
-restrict -6 ::1
-
-# Hosts on local network are less restricted.
-#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
-
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-server $SERVERA
-server $SERVERB
-server $SERVERC
-
-#broadcast 192.168.1.255 key 42 # broadcast server
-#broadcastclient # broadcast client
-#broadcast 224.0.1.1 key 42 # multicast server
-#multicastclient 224.0.1.1 # multicast client
-#manycastserver 239.255.254.254 # manycast server
-#manycastclient 239.255.254.254 key 42 # manycast client
-
-# Undisciplined Local Clock. This is a fake driver intended for backup
-# and when no outside source of synchronized time is available.
-server 127.127.1.0 # local clock
-#fudge 127.127.1.0 stratum 10
-
-# Drift file. Put this in a directory which the daemon can write to.
-# No symbolic links allowed, either, since the daemon updates the file
-# by creating a temporary in the same directory and then rename()'ing
-# it to the file.
-driftfile /var/lib/ntp/drift
-
-# Key file containing the keys and key identifiers used when operating
-# with symmetric key cryptography.
-keys /etc/ntp/keys
-
-# Specify the key identifiers which are trusted.
-#trustedkey 4 8 42
-
-# Specify the key identifier to use with the ntpdc utility.
-#requestkey 8
-
-# Specify the key identifier to use with the ntpq utility.
-#controlkey 8
diff --git a/ipa-server/ipa-install/share/ntpd.sysconfig.template b/ipa-server/ipa-install/share/ntpd.sysconfig.template
deleted file mode 100644
index 3412a0e8..00000000
--- a/ipa-server/ipa-install/share/ntpd.sysconfig.template
+++ /dev/null
@@ -1,8 +0,0 @@
-# Drop root to id 'ntp:ntp' by default.
-OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid"
-
-# Set to 'yes' to sync hw clock after successful ntpdate
-SYNC_HWCLOCK=yes
-
-# Additional options for ntpdate
-NTPDATE_OPTIONS=""
diff --git a/ipa-server/ipa-install/share/preferences.html.template b/ipa-server/ipa-install/share/preferences.html.template
deleted file mode 100644
index 2d3684dc..00000000
--- a/ipa-server/ipa-install/share/preferences.html.template
+++ /dev/null
@@ -1,33 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
- <title>Automatically set browser preferences</title>
-</head>
-<body>
-<form action="undefined" method="get">
-<input type=button onclick="setPreferences()" name="prefs" value="Configure Firefox">
-</form>
-
-<script type="text/javascript">
-function setPreferences() {
- try {
- netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesWrite");
- try {
- navigator.preference("network.negotiate-auth.using-native-gsslib", true)
- navigator.preference("network.negotiate-auth.delegation-uris", ".$DOMAIN")
- navigator.preference("network.negotiate-auth.trusted-uris", ".$DOMAIN")
- navigator.preference("network.negotiate-auth.allow-proxies", true)
- } catch (e) {
- alert("Unable to store preferences: " + e)
- }
- netscape.security.PrivilegeManager.disablePrivilege("UniversalPreferencesWrite");
- alert("Successfully configured Firefox for single sign on.")
- } catch (e) {
- alert("Unable to apply recommended settings.\n\nClick on the Certificate Authority link and select trust for all, then reload this page and try again.\n\nThe error returned was: " + e);
- return;
- }
-}
-</script>
-
-</body>
-</html>
diff --git a/ipa-server/ipa-install/share/referint-conf.ldif b/ipa-server/ipa-install/share/referint-conf.ldif
deleted file mode 100644
index 533b97de..00000000
--- a/ipa-server/ipa-install/share/referint-conf.ldif
+++ /dev/null
@@ -1,11 +0,0 @@
-dn: cn=referential integrity postoperation,cn=plugins,cn=config
-changetype: modify
-replace: nsslapd-pluginenabled
-nsslapd-pluginenabled: on
--
-add: nsslapd-pluginArg7
-nsslapd-pluginArg7: manager
--
-add: nsslapd-pluginArg8
-nsslapd-pluginArg8: secretary
-
diff --git a/ipa-server/ipa-install/share/schema_compat.uldif b/ipa-server/ipa-install/share/schema_compat.uldif
deleted file mode 100644
index 71732c99..00000000
--- a/ipa-server/ipa-install/share/schema_compat.uldif
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Enable the Schema Compatibility plugin provided by slapi-nis.
-#
-# http://slapi-nis.fedorahosted.org/
-#
-dn: cn=Schema Compatibility, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: Schema Compatibility
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
-default:nsslapd-plugininitfunc: schema_compat_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginenabled: on
-default:nsslapd-pluginid: schema-compat-plugin
-default:nsslapd-pluginversion: 0.8
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: Schema Compatibility Plugin
-
-dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
-default:objectClass: top
-default:objectClass: extensibleObject
-default:cn: users
-default:schema-compat-container-group: cn=compat, $SUFFIX
-default:schema-compat-container-rdn: cn=users
-default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
-default:schema-compat-search-filter: objectclass=posixAccount
-default:schema-compat-entry-rdn: uid=%{uid}
-default:schema-compat-entry-attribute: objectclass=posixAccount
-default:schema-compat-entry-attribute: gecos=%{cn}
-default:schema-compat-entry-attribute: cn=%{cn}
-default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
-default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
-default:schema-compat-entry-attribute: loginShell=%{loginShell}
-default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
-
-dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
-default:objectClass: top
-default:objectClass: extensibleObject
-default:cn: groups
-default:schema-compat-container-group: cn=compat, $SUFFIX
-default:schema-compat-container-rdn: cn=groups
-default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
-default:schema-compat-search-filter: objectclass=posixGroup
-default:schema-compat-entry-rdn: cn=%{cn}
-default:schema-compat-entry-attribute: objectclass=posixGroup
-default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
-default:schema-compat-entry-attribute: memberUid=%{memberUid}
-default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
-default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid")
diff --git a/ipa-server/ipa-install/share/unique-attributes.ldif b/ipa-server/ipa-install/share/unique-attributes.ldif
deleted file mode 100644
index 82ec52d1..00000000
--- a/ipa-server/ipa-install/share/unique-attributes.ldif
+++ /dev/null
@@ -1,35 +0,0 @@
-dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
-changetype: add
-objectClass: top
-objectClass: nsSlapdPlugin
-objectClass: extensibleObject
-cn: krbPrincipalName uniqueness
-nsslapd-pluginPath: libattr-unique-plugin
-nsslapd-pluginInitfunc: NSUniqueAttr_Init
-nsslapd-pluginType: preoperation
-nsslapd-pluginEnabled: on
-nsslapd-pluginarg0: krbPrincipalName
-nsslapd-pluginarg1: $SUFFIX
-nsslapd-plugin-depends-on-type: database
-nsslapd-pluginId: NSUniqueAttr
-nsslapd-pluginVersion: 1.1.0
-nsslapd-pluginVendor: Fedora Project
-nsslapd-pluginDescription: Enforce unique attribute values
-
-#dn: cn=uid uniqueness,cn=plugins,cn=config
-#objectClass: top
-#objectClass: nsSlapdPlugin
-#objectClass: extensibleObject
-#cn: uid uniqueness
-#nsslapd-pluginPath: libattr-unique-plugin
-#nsslapd-pluginInitfunc: NSUniqueAttr_Init
-#nsslapd-pluginType: preoperation
-#nsslapd-pluginEnabled: on
-#nsslapd-pluginarg0: uid
-#nsslapd-pluginarg1: cn=accounts,$SUFFIX
-#nsslapd-plugin-depends-on-type: database
-#nsslapd-pluginId: NSUniqueAttr
-#nsslapd-pluginVersion: 1.1.0
-#nsslapd-pluginVendor: Fedora Project
-#nsslapd-pluginDescription: Enforce unique attribute values
-#
diff --git a/ipa-server/ipa-install/updates/Makefile.am b/ipa-server/ipa-install/updates/Makefile.am
deleted file mode 100644
index 11d20ddd..00000000
--- a/ipa-server/ipa-install/updates/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-NULL =
-
-appdir = $(IPA_DATA_DIR)/updates
-app_DATA = \
- RFC4876.update \
- RFC2307bis.update \
- nss_ldap.update \
- winsync_index.update \
- replication.update \
- indices.update \
- $(NULL)
-
-EXTRA_DIST = \
- $(app_DATA) \
- $(NULL)
-
-MAINTAINERCLEANFILES = \
- *~ \
- Makefile.in
diff --git a/ipa-server/ipa-install/updates/RFC2307bis.update b/ipa-server/ipa-install/updates/RFC2307bis.update
deleted file mode 100644
index 1ddebc1a..00000000
--- a/ipa-server/ipa-install/updates/RFC2307bis.update
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Schema derived from RFC 2307bis:
-# "An Approach for Using LDAP as a Network Information Service"
-#
-dn: cn=schema
-add: attributeTypes:
- ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey'
- DESC 'nisPublickey'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:attributeTypes:
- ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey'
- DESC 'nisSecretkey'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain'
- DESC 'NIS domain'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:attributeTypes:
- ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember'
- DESC 'mgrpRFC822MailMember'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser'
- DESC 'nisNetIdUser'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup'
- DESC 'nisNetIdGroup'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost'
- DESC 'nisNetIdHost'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC2307bis' )
-add:objectClasses:
- ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
- DESC 'nisKeyObject' SUP top
- MUST ( cn $ nisPublickey $ nisSecretkey )
- MAY ( uidNumber $ description ) )
-add:objectClasses:
- ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'
- DESC 'nisDomainObject' SUP top AUXILIARY
- MUST ( nisDomain ) )
-add:objectClasses:
- ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup'
- DESC 'mailGroup' SUP top
- MUST ( mail )
- MAY ( cn $ mgrpRFC822MailMember ) )
-add:objectClasses:
- ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId'
- DESC 'nisNetId' SUP top
- MUST ( cn )
- MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
diff --git a/ipa-server/ipa-install/updates/RFC4876.update b/ipa-server/ipa-install/updates/RFC4876.update
deleted file mode 100644
index 5a372c20..00000000
--- a/ipa-server/ipa-install/updates/RFC4876.update
+++ /dev/null
@@ -1,146 +0,0 @@
-#
-# Schema more or less verbatim from RFC 4876:
-# "A Configuration Profile Schema for Lightweight Directory Access
-# Protocol (LDAP)-Based Agents"
-#
-dn: cn=schema
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList'
- DESC 'List of default servers'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase'
- DESC 'Default base for searches'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList'
- DESC 'List of preferred servers'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit'
- DESC 'Maximum time an agent or service allows for a
- search to complete'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit'
- DESC 'Maximum time an agent or service allows for a
- bind operation to complete'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals'
- DESC 'An agent or service does or should follow referrals'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod'
- DESC 'Identifies the types of authentication methods either
- used, required, or provided by a service or peer'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL'
- DESC 'Time to live, in seconds, before a profile is
- considered stale'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap'
- DESC 'Attribute mappings used, required, or supported by an
- agent or service'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel'
- DESC 'Identifies type of credentials either used, required,
- or supported by an agent or service'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap'
- DESC 'Object class mappings used, required, or supported by
- an agent or service'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope'
- DESC 'Default scope used when performing a search'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel'
- DESC 'Specifies the type of credentials either used, required,
- or supported by a specific service'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor'
- DESC 'Specifies search descriptors required, used, or
- supported by a particular service or agent'
- EQUALITY caseExactMatch
- SUBSTR caseExactSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod'
- DESC 'Specifies types authentication methods either
- used, required, or supported by a particular service'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- X-ORIGIN 'RFC4876' )
-add:attributeTypes:
- ( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases'
- DESC 'Specifies if a service or agent either requires,
- supports, or uses dereferencing of aliases.'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
- X-ORIGIN 'RFC4876' )
-add:objectClasses:
- ( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile'
- SUP top STRUCTURAL
- DESC 'Abstraction of a base configuration for a DUA'
- MUST ( cn )
- MAY ( defaultServerList $ preferredServerList $
- defaultSearchBase $ defaultSearchScope $
- searchTimeLimit $ bindTimeLimit $
- credentialLevel $ authenticationMethod $
- followReferrals $ dereferenceAliases $
- serviceSearchDescriptor $ serviceCredentialLevel $
- serviceAuthenticationMethod $ objectclassMap $
- attributeMap $ profileTTL )
- X-ORIGIN 'RFC4876' )
diff --git a/ipa-server/ipa-install/updates/indices.update b/ipa-server/ipa-install/updates/indices.update
deleted file mode 100644
index 3d0e42af..00000000
--- a/ipa-server/ipa-install/updates/indices.update
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Some nss_ldap implementations will always ask for memberuid so we must
-# have an index for it.
-#
-dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberuid
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-default:nsIndexType: eq,pres
-
-dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default:cn: memberof
-default:ObjectClass: top
-default:ObjectClass: nsIndex
-default:nsSystemIndex: false
-default:nsIndexType: eq
-
diff --git a/ipa-server/ipa-install/updates/nss_ldap.update b/ipa-server/ipa-install/updates/nss_ldap.update
deleted file mode 100644
index e8c1e00f..00000000
--- a/ipa-server/ipa-install/updates/nss_ldap.update
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Add profile for RFC 4876 agents (Solaris and HP/ux)
-#
-
-# Update the top-level entry
-dn: $SUFFIX
-add:objectClass: domain
-add:objectClass: domainRelatedObject
-add:objectClass: nisDomainObject
-add:associatedDomain: $DOMAIN
-add:nisDomain: $DOMAIN
-
-# Add a place to store the nss_ldap default profile
-dn: ou=profile,$SUFFIX
-add: objectClass: top
-add: objectClass: organizationalUnit
-add: ou: profiles
-
-# The DUA profile. On Solaris one can run:
-# ldap_client init ipa.example.com
-dn: cn=default,ou=profile,$SUFFIX
-default:ObjectClass: top
-default:ObjectClass: DUAConfigProfile
-default:defaultServerList: $FQDN
-default:defaultSearchBase: $SUFFIX
-default:authenticationMethod: none
-default:searchTimeLimit: 15
-default:cn: default
-default:serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
-default:serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
-default:bindTimeLimit: 5
-default:objectClassMap: shadow:shadowAccount=posixAccount
-default:followReferrals:TRUE
diff --git a/ipa-server/ipa-install/updates/replication.update b/ipa-server/ipa-install/updates/replication.update
deleted file mode 100644
index 29823a6f..00000000
--- a/ipa-server/ipa-install/updates/replication.update
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Counter used to store the next replica id
-#
-# Start at 3 to avoid conflicts with v1.0 replica ids. The value itself
-# isn't important but each replica needs a unique id.
-dn: cn=replication,cn=etc,$SUFFIX
-add: objectclass: nsDS5Replica
-add: nsDS5ReplicaId: 3
-add: nsDS5ReplicaRoot: '$SUFFIX'
diff --git a/ipa-server/ipa-install/updates/winsync_index.update b/ipa-server/ipa-install/updates/winsync_index.update
deleted file mode 100644
index f24bdf8b..00000000
--- a/ipa-server/ipa-install/updates/winsync_index.update
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Make sure winsync attributes have the correct indexing
-#
-
-dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
-
-dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only: nsIndexType: eq,pres
- |