From 9fe707a3f2e9a25e908cc9279c46a0f0c5acb15f Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 4 Jun 2009 15:33:49 -0400 Subject: Basic changes to get a default principal for DNS Also moves delagation layout installation in dsinstance. This is needed to allow us to set default membership in other modules like bindinstance. Signed-off-by: Martin Nagy --- install/share/60basev2.ldif | 2 +- install/share/Makefile.am | 1 + install/share/delegation.ldif | 348 +++++++++++++++++++++++++++++++++++ install/share/dns.ldif | 1 + install/updates/40-delegation.update | 20 ++ ipaserver/install/bindinstance.py | 58 +++++- ipaserver/install/dsinstance.py | 4 + 7 files changed, 432 insertions(+), 2 deletions(-) create mode 100644 install/share/delegation.ldif diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif index b151bf3fa..03607308b 100644 --- a/install/share/60basev2.ldif +++ b/install/share/60basev2.ldif 
@@ -5,7 +5,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis
 attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'enrollmentPwd' DESC 'Password used to bulk enroll machines' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.43 NAME 'fqdn' DESC 'FQDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 511f8f3ab..df329d00f 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,6 +13,7 @@ app_DATA = \
 caJarSigningCert.cfg.template \
 default-aci.ldif \
 default-keytypes.ldif \
+ delegation.ldif \
 dns.ldif \
 kerberos.ldif \
 indices.ldif \
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
new file mode 100644
index 000000000..1539ae1d5
--- /dev/null
+++ b/install/share/delegation.ldif
@@ -0,0 +1,348 @@ +dn: cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: rolegroups + +dn: cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: nsContainer +cn: taskgroups + +# Add the default roles +dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: helpdesk +description: Helpdesk + +dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: useradmin +description: User Administrators + +dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: groupadmin +description: Group Administrators + +dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: hostadmin +description: Host Administrators + +dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: hostgroupadmin +description: Host Group Administrators + +dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: delegationadmin +description: Role administration + +dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: serviceadmin +description: Service Administrators + +dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: automountadmin +description: Automount Administrators + +dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: netgroupadmin +description: Netgroups Administrators + +dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: dnsadmin +description: DNS Administrators + +dn: 
cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: dnsserver +description: DNS Servers + +dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addusers +description: Add Users +member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: change_password +description: Change a user password +member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: add_user_to_default_group +description: Add user to default group +member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeusers +description: Remove Users +member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyusers +description: Modify Users +member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for group administration +dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addgroups +description: Add Groups +member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removegroups +description: Remove Groups +member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifygroups +description: Modify Groups +member: 
cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifygroupmembership +description: Modify Group membership +member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for host administration +dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addhosts +description: Add Hosts +member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removehosts +description: Remove Hosts +member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyhosts +description: Modify Hosts +member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for hostgroup administration +dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addhostgroups +description: Add Host Groups +member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removehostgroups +description: Remove Host Groups +member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyhostgroups +description: Modify Host Groups +member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyhostgroupmembership +description: Modify Host Group membership 
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for service administration +dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addservices +description: Add Services +member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeservices +description: Remove Services +member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for delegation administration +# This just lets one manage taskgroup membership and create and delete roles +dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addhrole +description: Add Roles +member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeroles +description: Remove Roles +member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyroles +description: Modify Roles +member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifyrolegroupmembership +description: Modify Role Group membership +member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifytaskgroupmembership +description: Modify Task Group membership +member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for automount 
administration +dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addautomount +description: Add Automount maps/keys +member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removeautomount +description: Remove Automount maps/keys +member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Add the taskgroups referenced by the ACIs for netgroup administration +dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: addnetgroups +description: Add netgroups +member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: removenetgroups +description: Remove netgroups +member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifynetgroups +description: Modify netgroups +member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: modifynetgroupmembership +description: Modify netgroup membership +member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Taskgroup for retrieving host keytabs +dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: manage_host_keytab +description: Manage host keytab +member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX + +# Taskgroup for updating the DNS entries +dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +cn: manage_host_keytab +description: 
Updates DNS +member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX +member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 939f80dd2..85cf30853 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -3,6 +3,7 @@ changetype: add objectClass: nsContainer objectClass: top cn: dns +aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";) dn: idnsName=$DOMAIN,cn=dns,$SUFFIX changetype: add diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 78de12f7b..8532e5000 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -54,6 +54,18 @@ add:objectClass: groupofnames add:cn: netgroupadmin add:description: Netgroups Administrators +dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: groupofnames +add:cn: dnsadmin +add:description: DNS Administrators + +dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: groupofnames +add:cn: dnsserver +add:description: DNS Servers + # Add the taskgroups referenced by the ACIs for user administration dn: cn=taskgroups,cn=accounts,$SUFFIX @@ -436,3 +448,11 @@ add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*, allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,$SUFFIX";)' +# Taskgroup for updating the DNS entries +dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX +add:objectClass: top +add:objectClass: groupofnames +add:cn: manage_host_keytab +add:description: Updates DNS +add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX' +add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX' diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 72d1102b6..d62fce12f 100644 
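Review bot: Two task-group entries in delegation.ldif carry a `cn` value that does not match their RDN: the entry `dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX` has `cn: addhrole`, and the entry `dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX` has `cn: manage_host_keytab`, copied from the keytab task group just above it; the same `add:cn: manage_host_keytab` appears under cn=update_dns in the second 40-delegation.update hunk. Depending on how the directory server handles a missing naming attribute the add is either rejected or the entry ends up with two cn values, in which case a search for cn=manage_host_keytab matches both the keytab task group and the DNS update task group, which is exactly the kind of ambiguity an authorization group name must not have. The lines should read `cn: addroles` and `cn: update_dns` here, and `add:cn: update_dns` in the update file.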
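Review bot: The new aci on the cn=dns container uses `(targetattr != "aci")`, which is a deny-list: members of cn=update_dns may add, write and delete every attribute of an idnsRecord entry except aci, including objectClass, and because the rule has no `target` clause its scope is the whole container and everything beneath it, bounded only by the targetfilter. The bindinstance hunk places the DNS server's own principal in the cn=dnsserver role group that is a member of this task group, so the named host's keytab carries far more directory write than dynamic DNS updates require. Narrowing `targetattr` to an explicit list of the record attributes the DNS schema defines (that list is not on this page) and adding a `target` for the zone container would bound what a compromised DNS host could change.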
--- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -21,10 +21,14 @@ import string import tempfile import shutil import os +import pwd import socket import logging +import installutils +import ldap import service +from ipaserver import ipaldap from ipapython import sysrestore from ipapython import ipautil from ipalib import util @@ -45,6 +49,7 @@ def check_inst(): class BindInstance(service.Service): def __init__(self, fstore=None, dm_password=None): service.Service.__init__(self, "named", dm_password=dm_password) + self.named_user = None self.fqdn = None self.domain = None self.host = None @@ -57,7 +62,8 @@ class BindInstance(service.Service): else: self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - def setup(self, fqdn, ip_address, realm_name, domain_name): + def setup(self, fqdn, ip_address, realm_name, domain_name, named_user="named"): + self.named_user = named_user self.fqdn = fqdn self.ip_address = ip_address self.realm = realm_name @@ -81,7 +87,11 @@ class BindInstance(service.Service): except: pass + # FIXME: this need to be split off, as only the first server can do + # this operation self.step("Setting up our zone", self.__setup_zone) + + self.step("Setting up kerberos principal", self.__setup_principal) self.step("Setting up named.conf", self.__setup_named_conf) self.step("restarting named", self.__start) 
@@ -113,6 +123,52 @@ class BindInstance(service.Service): self.backup_state("domain", self.domain) self._ldap_mod("dns.ldif", self.sub_dict) + def __setup_principal(self): + dns_principal = "DNS/" + self.fqdn + "@" + self.realm + installutils.kadmin_addprinc(dns_principal) + + # Store the keytab on disk + self.fstore.backup_file("/etc/named.keytab") + installutils.create_keytab("/etc/named.keytab", dns_principal) + + # Make sure access is strictly reserved to the named user + pent = pwd.getpwnam(self.named_user) + os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid) + os.chmod("/etc/named.keytab", 0400) + + # modify the principal so that it is marked as an ipa service so that + # it can host the memberof attribute, then also add it to the + # dnsserver role group, this way the DNS is allowed to perform + # DNS Updates + conn = None + + try: + conn = ipaldap.IPAdmin("127.0.0.1") + conn.simple_bind_s("cn=directory manager", self.dm_password) + except Exception, e: + logging.critical("Could not connect to the Directory Server on %s" % self.fqdn) + raise e + + dns_princ_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (dns_principal, self.realm, self.suffix) + mod = [(ldap.MOD_ADD, 'objectClass', 'ipaService')] + + try: + conn.modify_s(dns_princ_dn, mod) + except Exception, e: + logging.critical("Could not modify principal's %s entry" % dns_principal) + raise e + + dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix + mod = [(ldap.MOD_ADD, 'member', dns_princ_dn)] + + try: + conn.modify_s(dns_group, mod) + except Exception, e: + logging.critical("Could not modify principal's %s entry" % dns_principal) + raise e + + conn.unbind() + def __setup_named_conf(self): self.fstore.backup_file('/etc/named.conf') named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index b9b74e685..e31cd081f 100644 --- a/ipaserver/install/dsinstance.py 
+++ b/ipaserver/install/dsinstance.py @@ -176,6 +176,7 @@ class DsInstance(service.Service): self.step("configuring certmap.conf", self.__certmap_conf) self.step("restarting directory server", self.__restart_instance) self.step("adding default layout", self.__add_default_layout) + self.step("adding delegation layout", self.__add_delegation_layout) self.step("configuring Posix uid/gid generation as first master", self.__config_uidgid_gen_first_master) self.step("adding master entry as first master", @@ -364,6 +365,9 @@ class DsInstance(service.Service): def __add_default_layout(self): self._ldap_mod("bootstrap-template.ldif", self.sub_dict) + def __add_delegation_layout(self): + self._ldap_mod("delegation.ldif", self.sub_dict) + def __create_indices(self): self._ldap_mod("indices.ldif") -- cgit
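Review bot: The commit description says the delegation layout is moved into dsinstance, but no hunk in this diff removes it from a previous location, and delegation.ldif is a new file whose entries all use `changetype: add`; if `bootstrap-template.ldif`, applied by `__add_default_layout` one step earlier, still creates any of the cn=rolegroups or cn=taskgroups entries (not visible on this page), `__add_delegation_layout` will fail on the duplicates. Worth confirming before merge, and a one-line comment on the new method, e.g. `# Role/task groups and their memberships; presumably needs cn=accounts from the default layout to exist first`, would record the ordering dependency on the preceding step.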