authorSimo Sorce <simo@redhat.com>2015-05-08 13:39:29 -0400
committerJan Cholasta <jcholast@redhat.com>2015-10-15 14:24:33 +0200
commit463dda30679da9ac5eea5683984002989965e2a5 (patch)
treee1e6c421598e7586e47bb7d3377a19ae3f2d6d44 /install/share
parentba22999cefb57f344acdc63a553d569ab6249099 (diff)
Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/share')
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/bootstrap-template.ldif6
-rw-r--r--install/share/custodia.conf.template28
3 files changed, 35 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index d68c40e69..d952679e6 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -28,6 +28,7 @@ app_DATA = \
anonymous-vlv.ldif \
bootstrap-template.ldif \
caJarSigningCert.cfg.template \
+ custodia.conf.template \
default-aci.ldif \
default-caacl.ldif \
default-hbac.ldif \
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 2387f220f..357062780 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -167,6 +167,12 @@ objectClass: nsContainer
objectClass: top
cn: certificates
+dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: custodia
+
dn: cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
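Review bot: The new `cn=custodia,cn=ipa,cn=etc,$SUFFIX` container is added without any access control entry in this hunk, so whatever ACIs already cover `cn=etc` will govern it. If the server keys that the commit message says are loaded into LDAP live under this container, confirm that an aci limiting read access to the Custodia service identity is applied elsewhere (the diffstat is limited to install/share, so it may sit in default-aci.ldif or an update file outside this view). A short comment on the entry naming where that aci lives would make the intended access model visible at the point the container is defined.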
diff --git a/install/share/custodia.conf.template b/install/share/custodia.conf.template
new file mode 100644
index 000000000..688229a50
--- /dev/null
+++ b/install/share/custodia.conf.template
@@ -0,0 +1,28 @@
+[global]
+server_version = "IPAKeys/0.0.1"
+server_socket = $IPA_CUSTODIA_SOCKET
+auditlog = $IPA_CUSTODIA_AUDIT_LOG
+
+[auth:simple]
+handler = custodia.httpd.authenticators.SimpleCredsAuth
+uid = 48
+gid = 48
+
+[auth:header]
+handler = custodia.httpd.authenticators.SimpleHeaderAuth
+header = GSS_NAME
+
+[authz:kemkeys]
+handler = ipapython.secrets.kem.IPAKEMKeys
+paths = /keys
+store = ipa
+server_keys = $IPA_CUSTODIA_CONF_DIR/server.keys
+
+[store:ipa]
+handler = ipapython.secrets.store.iSecStore
+ldap_uri = $LDAP_URI
+
+[/keys]
+handler = custodia.secrets.Secrets
+allowed_keytypes = kem
+store = ipa
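Review bot: The `[auth:simple]` section hard-codes `uid = 48` and `gid = 48` while every other deployment-specific value in this template is substituted at install time (`$IPA_CUSTODIA_SOCKET`, `$IPA_CUSTODIA_CONF_DIR`, `$LDAP_URI`); 48 is presumably the httpd account on the target distribution, so on a system where that account has a different id the peer-credential check would either reject the web server or admit an unrelated process. Substituting the id the same way, e.g. `uid = $HTTPD_UID` (placeholder variable name), keeps the template portable and keeps the trust decision in the installer rather than the file. Separately, `[auth:header]` accepts the `GSS_NAME` request header as the caller's identity, so the whole authentication model depends on `server_socket` being reachable only through the httpd front end that sets that header; a comment in the template making that dependency explicit, e.g. `# GSS_NAME is set by the httpd front end; the socket must not be exposed to other clients`, would stop a later reader from treating the header as self-authenticating.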