diff options
Diffstat (limited to 'ipa-server')
| -rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 61 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 80 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 15 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/kerberos.ldif | 31 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/krb5.conf.template | 4 | ||||
| -rw-r--r-- | ipa-server/ipa-install/test/test-users-template.ldif | 18 | ||||
| -rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 2 | ||||
| -rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 27 | ||||
| -rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 29 | ||||
| -rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 4 |
10 files changed, 179 insertions, 92 deletions
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 91138c01..90296e5d 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa") import socket import logging +import pwd from optparse import OptionParser import ipaserver.dsinstance import ipaserver.krbinstance @@ -42,10 +43,12 @@ def parse_options(): help="ds user") parser.add_option("-r", "--realm", dest="realm_name", help="realm name") - parser.add_option("-p", "--ds-password", dest="ds_password", + parser.add_option("-p", "--ds-password", dest="dm_password", help="admin password") parser.add_option("-P", "--master-password", dest="master_password", help="kerberos master password") + parser.add_option("-a", "--admin-password", dest="admin_password", + help="admin user kerberos password") parser.add_option("-d", "--debug", dest="debug", action="store_true", dest="debug", default=False, help="print debugging information") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") @@ -56,7 +59,8 @@ def parse_options(): if options.unattended and (not options.ds_user or not options.realm_name or - not options.ds_password or + not options.dm_password or + not options.admin_password or not options.master_password): parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options") @@ -95,7 +99,8 @@ def main(): realm_name = "" host_name = "" master_password = "" - ds_password = "" + dm_password = "" + admin_password = "" # check the hostname is correctly configured, it must be as the kldap # utilities just use the hostname as returned by gethostbyname to set @@ -137,13 +142,25 @@ def main(): print "" if not options.ds_user: - print "To securely run Directory Server we need a user account to be set up." - print "This will allow DS to run as a user and not as root." - print "The user account will have access to some security material so it should not be shared with any other application." - print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure." - print "" - ds_user = raw_input("Which account name do you want to use for the DS instance ? ") - print "" + + try: + pwd.getpwnam('dirsrv') + + print "To securely run Directory Server we need a user account to be set up." + print "This will allow DS to run as a user and not as root." + print "The user account will have access to some security material so it should not be shared with any other application." + print "A user account named 'dirsrv' already exist. You should not share the account with any other service." + print "" + yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)") + print "" + if yesno.lower() == "y": + ds_user = "dirsrv" + else: + ds_user = raw_input("Which account name do you want to use for the DS instance ? ") + print "" + except KeyError: + ds_user = "dirsrv" + if ds_user == "": return "-Aborted-" else: @@ -177,14 +194,15 @@ def main(): else: realm_name = options.realm_name - if not options.ds_password: + if not options.dm_password: print "The Directory Manager user is the equivalent of 'root' for Diretcory Server." + print "This account has full access to the Directory and is used for system management tasks." print "" #TODO: provide the option of generating a random password - ds_password = raw_input("Please provide a password for the Directory Manager: ") + dm_password = raw_input("Please provide a password for the Directory Manager: ") print "" else: - ds_password = options.ds_password + dm_password = options.dm_password if not options.master_password: print "The Kerberos database is usually encrypted using a master password." @@ -199,13 +217,23 @@ def main(): else: master_password = options.master_password + if not options.admin_password: + print "The 'admin' user is the administrative user used to administare an IPA server." + print "This account is the one that will be used for normal administration and is also a regular unix user" + print "" + #TODO: provide the option of generating a random password + admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ") + print "" + else: + admin_password = options.admin_password + # Create a directory server instance ds = ipaserver.dsinstance.DsInstance() - ds.create_instance(ds_user, realm_name, host_name, ds_password) + ds.create_instance(ds_user, realm_name, host_name, dm_password) # Create a kerberos instance krb = ipaserver.krbinstance.KrbInstance() - krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password) + krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password) # Restart ds after the krb instance has changed ds configurations ds.restart() @@ -228,6 +256,9 @@ def main(): # Start Kpasswd run(["/sbin/service", "ipa-kpasswd", "start"]) + # Set the admin user kerberos password + ds.change_admin_password(admin_password) + # Create the config file fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index 2986f3ab..0284caa8 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -4,55 +4,77 @@ add: objectClass objectClass: pilotObject info: IPA V1.0 -# default, $REALM -dn: ou=default,$SUFFIX +dn: cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: default +objectClass: nsContainer +cn: accounts -# users, default, $REALM -dn: ou=users,ou=default,$SUFFIX +dn: cn=users,cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: users +objectClass: nsContainer +cn: users -# groups, default, $REALM -dn: ou=groups,ou=default,$SUFFIX +dn: cn=groups,cn=accounts,$SUFFIX changetype: add -objectClass: organizationalUnit objectClass: top -ou: groups +objectClass: nsContainer +cn: groups -# computers, default, $REALM -#dn: ou=computers,ou=default,$SUFFIX -#objectClass: organizationalUnit +#dn: cn=computers,cn=accounts,$SUFFIX #objectClass: top -#ou: computers +#objectClass: nsContainer +#cn: computers -dn: ou=special,$SUFFIX +dn: cn=etc,$SUFFIX changetype: add -objectClass: organizationalUnit +objectClass: nsContainer objectClass: top -ou: special +cn: etc -dn: uid=webservice,ou=special,$SUFFIX +dn: cn=sysaccounts,cn=etc,$SUFFIX changetype: add -uid: webservice +objectClass: nsContainer +objectClass: top +cn: sysaccounts + +dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX +changetype: add +objectClass: top objectClass: account +uid: webservice + +dn: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX +changetype: add objectClass: top -objectClass: inetOrgPerson -objectClass: organizationalPerson objectClass: person -cn: Web Service -sn: Service +objectClass: posixAccount +objectClass: KrbPrincipalAux +uid: admin +krbPrincipalName: admin@$REALM +cn: Administrator +sn: Administrator +uidNumber: 1000 +gidNumber: 1001 +homeDirectory: /home/admin +loginShell: /bin/bash +gecos: Administrator + +dn: cn=admins,cn=groups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofuniquenames +objectClass: posixGroup +cn: Account Admins +description: Account administrators group +gidNumber: 1001 +uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX -dn: cn=admin,ou=groups,ou=default,$SUFFIX +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: add -description: ou=users administrators objectClass: top objectClass: groupofuniquenames objectClass: posixGroup -gidNumber: 500 -cn: admin +gidNumber: 1002 +cn: ipausers diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 2b05e102..9ed65a43 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -3,12 +3,9 @@ dn: $SUFFIX changetype: modify replace: aci aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) -aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";) -aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";) -aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";) -aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) -aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) +aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) +aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";) +aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif index ae4564f6..d55f39ce 100644 --- a/ipa-server/ipa-install/share/kerberos.ldif +++ b/ipa-server/ipa-install/share/kerberos.ldif @@ -1,26 +1,35 @@ -#kerberos base object -dn: cn=kerberos,$SUFFIX -changetype: add -objectClass: krbContainer -objectClass: top -cn: kerberos -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";) - #kerberos user -dn: uid=kdc,cn=kerberos,$SUFFIX +dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX changetype: add objectclass: account objectclass: simplesecurityobject uid: kdc userPassword: $PASSWORD +#kerberos base object +dn: cn=kerberos,$SUFFIX +changetype: add +objectClass: krbContainer +objectClass: top +cn: kerberos +aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) + #sasl mapping -dn: cn=kerberos,cn=mapping,cn=sasl,cn=config +dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config changetype: add objectclass: top objectclass: nsSaslMapping -cn: kerberos +cn: Full Principal nsSaslMapRegexString: \(.*\)@\(.*\) nsSaslMapBaseDNTemplate: $SUFFIX nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2) +dn: cn=Name Only,cn=mapping,cn=sasl,cn=config +changetype: add +objectclass: top +objectclass: nsSaslMapping +cn: Name Only +nsSaslMapRegexString: \(.*\) +nsSaslMapBaseDNTemplate: $SUFFIX +nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM) + diff --git a/ipa-server/ipa-install/share/krb5.conf.template b/ipa-server/ipa-install/share/krb5.conf.template index 23a24703..b81cedfe 100644 --- a/ipa-server/ipa-install/share/krb5.conf.template +++ b/ipa-server/ipa-install/share/krb5.conf.template @@ -35,8 +35,8 @@ db_library = kldap ldap_servers = ldap://127.0.0.1/ ldap_kerberos_container_dn = cn=kerberos,$SUFFIX - ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX - ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX + ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX + ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd } diff --git a/ipa-server/ipa-install/test/test-users-template.ldif b/ipa-server/ipa-install/test/test-users-template.ldif index 0057d976..f5573d83 100644 --- a/ipa-server/ipa-install/test/test-users-template.ldif +++ b/ipa-server/ipa-install/test/test-users-template.ldif @@ -1,30 +1,22 @@ # test, users, default, $REALM -dn: uid=test,ou=users,ou=default,$SUFFIX +dn: uid=test,cn=users,cn=accounts,$SUFFIX changetype: add -uidNumber: 1001 +uidNumber: 1003 uid: test gecos: test homeDirectory: /home/test loginShell: /bin/bash -shadowMin: 0 -shadowWarning: 7 -shadowMax: 99999 -shadowExpire: -1 -shadowInactive: -1 -shadowLastChange: 13655 -shadowFlag: -1 -gidNumber: 100 +gidNumber: 1002 objectclass: krbPrincipalAux objectclass: inetOrgPerson objectClass: posixAccount -objectClass: shadowAccount objectClass: account objectClass: top cn: Test User sn: User krbPrincipalName: test@$REALM -dn: cn=admin,ou=groups,ou=default,$SUFFIX +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX changetype: modify add: uniqueMember -uniqueMember: uid=test,ou=users,ou=default,$SUFFIX +uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index f3771204..e920cec7 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -926,7 +926,7 @@ ipapwd_extop( Slapi_PBlock *pb ) goto free_and_return; } - if ( (is_ssl <=1) && (sasl_ssf <= 1) ) { + if ( (is_ssl == 0) && (sasl_ssf <= 1) ) { errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto free_and_return; diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 2c7e0c7d..841bc31f 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -72,16 +72,18 @@ class DsInstance: def __init__(self): self.serverid = None self.realm_name = None + self.suffix = None self.host_name = None - self.admin_password = None + self.dm_password = None self.sub_dict = None - def create_instance(self, ds_user, realm_name, host_name, admin_password): + def create_instance(self, ds_user, realm_name, host_name, dm_password): self.ds_user = ds_user self.serverid = generate_serverid() self.realm_name = realm_name.upper() + self.suffix = realm_to_suffix(self.realm_name) self.host_name = host_name - self.admin_password = admin_password + self.dm_password = dm_password self.__setup_sub_dict() self.__create_ds_user() @@ -111,10 +113,9 @@ class DsInstance: run(["/sbin/service", "dirsrv", "restart"]) def __setup_sub_dict(self): - suffix = realm_to_suffix(self.realm_name) server_root = find_server_root() self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.admin_password, SUFFIX=suffix, + PASSWORD=self.dm_password, SUFFIX=self.suffix, REALM=self.realm_name, USER=self.ds_user, SERVER_ROOT=server_root) @@ -155,7 +156,7 @@ class DsInstance: def __enable_ssl(self): logging.debug("configuring ssl for ds instance") dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + args = ["/usr/sbin/ipa-server-setupssl", self.dm_password, dirname, self.host_name] run(args) logging.debug("done configuring ssl for ds instance") @@ -165,7 +166,7 @@ class DsInstance: inf_fd = write_tmp_file(txt) logging.debug("adding default ds layout") args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.admin_password, "-f", inf_fd.name] + "-w", self.dm_password, "-f", inf_fd.name] run(args) logging.debug("done adding default ds layout") @@ -184,5 +185,15 @@ class DsInstance: certmap_fd = open(dirname+"certmap.conf", "w+") certmap_fd.write(certmap_conf) certmap_fd.close() - logging.debug("done configuring certmap.conf for ds instance") + + def change_admin_password(self, password): + logging.debug("Changing admin password") + dirname = self.config_dirname() + args = ["/usr/lib/mozldap/ldappasswd", + "-D", "cn=Directory Manager", "-w", self.dm_password, + "-P", dirname+"/cert8.db", "-ZZZ", "-s", password, + "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix] + run(args) + logging.debug("ldappasswd done") + diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 1c77b086..e17ab525 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -109,7 +109,7 @@ class KrbInstance: for x in self.kdc_password: hexpwd += (hex(ord(x))[2:]) pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") - pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n") pwd_fd.close() def __setup_sub_dict(self): @@ -147,7 +147,7 @@ class KrbInstance: krb5_fd.close() #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] run(args) #add the password extop module @@ -178,6 +178,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/etc/dirsrv/ds.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/dirsrv", "a") cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n") cfg_fd.close() @@ -199,6 +208,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") cfg_fd.close() @@ -215,8 +233,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 while not file_exists("/etc/httpd/conf/ipa.keytab"): time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + pent = pwd.getpwnam("apache") os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 4b1fe7ed..e3e58ce9 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -37,8 +37,8 @@ import re # Need a global to store this between requests _LDAPPool = None -DefaultUserContainer = "ou=users,ou=default" -DefaultGroupContainer = "ou=groups,ou=default" +DefaultUserContainer = "cn=users,cn=accounts" +DefaultGroupContainer = "cn=groups,cn=accounts" # # Apache runs in multi-process mode so each process will have its own |