author | Fraser Tweedale <ftweedal@redhat.com> | 2015-04-30 23:50:41 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-06-04 08:27:33 +0000 |
commit | 35af0d6d66e623012755acca44bd77186067d156 (patch) | |
tree | 527b6f3108d83773c7913c949fee02a47d740392 /ipaserver/install/cainstance.py | |
parent | 273a297e97f157fb596cd9be0dc75a1382b94cfc (diff) | |
Add ACL to allow CA agent to modify profiles
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r-- | ipaserver/install/cainstance.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 030c9f12d..871581b4a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -469,6 +469,7 @@ class CAInstance(DogtagInstance):
         self.step("requesting RA certificate from CA", self.__request_ra_certificate)
         self.step("issuing RA agent certificate", self.__issue_ra_cert)
         self.step("adding RA agent as a trusted user", self.__configure_ra)
+        self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
         self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
         self.step("configure certificate renewals", self.configure_renewal)
         if not self.clone:
@@ -940,6 +941,10 @@ class CAInstance(DogtagInstance):
         conn.unbind()
+    def __configure_profiles_acl(self):
+        """Allow the Certificate Manager Agents group to modify profiles."""
+        configure_profiles_acl()
+
     def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
         if not database:
             database = self.ra_agent_db
@@ -1825,6 +1830,30 @@ def update_people_entry(dercert):
     return True
+def configure_profiles_acl():
+    server_id = installutils.realm_to_serverid(api.env.realm)
+    dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+    updated = False
+
+    dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
+    rule = (
+        'certServer.profile.configuration:read,modify:allow (read,modify) '
+        'group="Certificate Manager Agents":'
+        'Certificate Manager agents may modify (create/update/delete) and read profiles'
+    )
+    modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
+
+    conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
+    if not conn.isconnected():
+        conn.connect(autobind=True)
+    rules = conn.get_entry(dn).get('resourceACLS', [])
+    if rule not in rules:
+        conn.conn.modify_s(str(dn), modlist)
+        updated = True
+
+    conn.disconnect()
+    return updated
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance() |
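Review bot: In the third hunk, `conn.disconnect()` in `configure_profiles_acl` is skipped whenever `get_entry()` or `modify_s()` raises (for instance if `cn=aclResources,o=ipaca` cannot be read), so a failing install step leaves the LDAPI connection open; the connected section should be wrapped in `try`/`finally`. The modification also goes through the raw python-ldap handle (`conn.conn.modify_s`) rather than the ldap2 wrapper, so errors surface as python-ldap exceptions instead of ipalib errors; a one-line comment stating that this is deliberate would help the next reader. The idempotency check `if rule not in rules` presumably compares against the attribute values as ldap2 returns them; if those are not plain `str`, the rule would be re-added on every run and `MOD_ADD` would then fail with an already-exists error, so confirm the value type. The new function also lacks a docstring; `"""Grant the Certificate Manager Agents group read/modify access to profiles via cn=aclResources,o=ipaca; return True if the ACL was added."""` would cover it.
```python
    conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
    if not conn.isconnected():
        conn.connect(autobind=True)
    try:
        rules = conn.get_entry(dn).get('resourceACLS', [])
        if rule not in rules:
            # raw python-ldap call on purpose: ldap2 has no MOD_ADD helper for this entry
            conn.conn.modify_s(str(dn), modlist)
            updated = True
    finally:
        # always release the LDAPI connection, even if the read or modify fails
        conn.disconnect()
    return updated
```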