From bebc413366506f4d19d98c8bb33041094beff117 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 29 Aug 2007 18:07:05 -0400 Subject: Finalize DIT, this is waht we are probably going to have in the end, or something very close to this one Add default groups and admin user TODO: need to discuss more in deep uid/gid generation, this will probably change as soon as the DNA plugin is activated
---
 .../ipa-install/share/bootstrap-template.ldif | 81 ++++++++++++++-------- ipa-server/ipa-install/share/default-aci.ldif | 15 ++-- ipa-server/ipa-install/share/kerberos.ldif | 31 ++++++--- .../ipa-install/test/test-users-template.ldif | 18 ++--- ipa-server/xmlrpc-server/funcs.py | 4 +- 5 files changed, 85 insertions(+), 64 deletions(-)
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 2986f3ab0..e8e6b9b4a 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -4,55 +4,78 @@ add: objectClass
 objectClass: pilotObject
 info: IPA V1.0
-# default, $REALM
-dn: ou=default,$SUFFIX
+dn: cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: default
+objectClass: nsContainer
+cn: accounts
-# users, default, $REALM
-dn: ou=users,ou=default,$SUFFIX
+dn: cn=users,cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: users
+objectClass: nsContainer
+cn: users
-# groups, default, $REALM
-dn: ou=groups,ou=default,$SUFFIX
+dn: cn=groups,ou=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: groups
+objectClass: nsContainer
+cn: groups
-# computers, default, $REALM
-#dn: ou=computers,ou=default,$SUFFIX
-#objectClass: organizationalUnit
+#dn: cn=computers,cn=accounts,$SUFFIX
 #objectClass: top
-#ou: computers
+#objectClass: nsContainer
+#cn: computers
-dn: ou=special,$SUFFIX
+dn: cn=etc,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
+objectClass: nsContainer
 objectClass: top
-ou: special
+cn: etc
-dn: uid=webservice,ou=special,$SUFFIX
+dn: cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
-uid: webservice
+objectClass: nsContainer
+objectClass: top
+cn: sysaccounts
+
+dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
 objectClass: account
+uid: webservice
+
+dn: uid=admin,cn=users,cn=accounts,$SUFFIX
+changetype: add
 objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
 objectClass: person
-cn: Web Service
-sn: Service
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: KrbPrincipalAux
+uid: admin
+krbPrincipalName: admin@$REALM
+cn: Administrator
+sn: Administrator
+uidNumber: 1000
+gidNumber: 1001
+homeDirectory: /home/admin
+loginShell: /bin/bash
+gecos: Administrator
+
+dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofuniquenames
+objectClass: posixGroup
+cn: admins
+gidNumber: 1001
+uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
 changetype: add
-description: ou=users administrators
 objectClass: top
 objectClass: groupofuniquenames
 objectClass: posixGroup
-gidNumber: 500
-cn: admin
+gidNumber: 1002
+cn: ipausers
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 2b05e102a..a942b683e 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
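Review bot: The groups container is added as `+dn: cn=groups,ou=accounts,$SUFFIX` while its parent and every other entry use `cn=accounts`, so the admins and ipausers groups placed under `cn=groups,cn=accounts,$SUFFIX` (and the `DefaultGroupContainer` value in funcs.py) have no parent entry; it should read `dn: cn=groups,cn=accounts,$SUFFIX`. The admins group also lists `uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX`, but the admin user is created at `uid=admin,cn=users,cn=accounts,$SUFFIX`, so the membership, and with it the "admins can write entries" ACI, never applies to the real admin entry. The same stale DN is used by the "Admin has mighty powers" ACI in default-aci.ldif, so after this commit the admin account holds none of the rights it is meant to have until both references are corrected.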
@@ -3,12 +3,9 @@ dn: $SUFFIX
 changetype: modify
 replace: aci
 aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
-aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
-aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";)
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";)
-aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
+aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
diff --git a/ipa-server/ipa-install/share/kerberos.ldif b/ipa-server/ipa-install/share/kerberos.ldif
index ae4564f6f..0ffc2bba0 100644
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@@ -1,26 +1,35 @@
-#kerberos base object
-dn: cn=kerberos,$SUFFIX
-changetype: add
-objectClass: krbContainer
-objectClass: top
-cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-
 #kerberos user
-dn: uid=kdc,cn=kerberos,$SUFFIX
+dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: kdc
 userPassword: $PASSWORD
+#kerberos base object
+dn: cn=kerberos,$SUFFIX
+changetype: add
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+
 #sasl mapping
-dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
+dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
 changetype: add
 objectclass: top
 objectclass: nsSaslMapping
-cn: kerberos
+cn: fullprinc
 nsSaslMapRegexString: \(.*\)@\(.*\)
 nsSaslMapBaseDNTemplate: $SUFFIX
 nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
+dn: cn=justname,cn=mapping,cn=sasl,cn=config
+changetype: add
+objectclass: top
+objectclass: nsSaslMapping
+cn: justname
+nsSaslMapRegexString: \(.*\)
+nsSaslMapBaseDNTemplate: $SUFFIX
+nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
+
diff --git a/ipa-server/ipa-install/test/test-users-template.ldif b/ipa-server/ipa-install/test/test-users-template.ldif
index 0057d9766..f5573d839 100644
--- a/ipa-server/ipa-install/test/test-users-template.ldif
+++ b/ipa-server/ipa-install/test/test-users-template.ldif
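Review bot: The new `allowproxy-webservice` and `admins can write entries` rules select entries with `targetfilter` alone, so unlike the rules they replace (which carried `target="ldap:///uid=*,ou=users,ou=default,$SUFFIX"`) they apply to every matching entry anywhere under $SUFFIX rather than only the accounts tree. Prefixing each of them with `(target="ldap:///cn=accounts,$SUFFIX")` keeps both grants scoped to the subtree they are written for. Because the admin filter also matches groupOfUniqueNames, members of cn=admins can modify the admins group itself; if that is intended it deserves a comment next to the rule. Minor: `(targetattr=*)` in the admin rule is unquoted while every other rule in the file writes `(targetattr="*")`.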
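Review bot: The new `justname` mapping uses `nsSaslMapRegexString: \(.*\)`, which also matches identities that contain an `@`, so it overlaps `fullprinc` and nothing in this file says which mapping the server tries first; if `justname` is applied to `user@$REALM` the template yields `(krbPrincipalName=user@$REALM@$REALM)` and the bind finds no entry. Narrowing it to `nsSaslMapRegexString: \([^@]*\)` makes every authentication identity match exactly one of the two mappings. A one-line comment above the entry saying that it appends the local realm only to bare user names would help the next reader.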
@@ -1,30 +1,22 @@
 # test, users, default, $REALM
-dn: uid=test,ou=users,ou=default,$SUFFIX
+dn: uid=test,cn=users,cn=accounts,$SUFFIX
 changetype: add
-uidNumber: 1001
+uidNumber: 1003
 uid: test
 gecos: test
 homeDirectory: /home/test
 loginShell: /bin/bash
-shadowMin: 0
-shadowWarning: 7
-shadowMax: 99999
-shadowExpire: -1
-shadowInactive: -1
-shadowLastChange: 13655
-shadowFlag: -1
-gidNumber: 100
+gidNumber: 1002
 objectclass: krbPrincipalAux
 objectclass: inetOrgPerson
 objectClass: posixAccount
-objectClass: shadowAccount
 objectClass: account
 objectClass: top
 cn: Test User
 sn: User
 krbPrincipalName: test@$REALM
-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
 changetype: modify
 add: uniqueMember
-uniqueMember: uid=test,ou=users,ou=default,$SUFFIX
+uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index fe48a1ffa..23576b358 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -37,8 +37,8 @@ import re
 # Need a global to store this between requests
 _LDAPPool = None
-DefaultUserContainer = "ou=users,ou=default"
-DefaultGroupContainer = "ou=groups,ou=default"
+DefaultUserContainer = "cn=users,cn=accounts"
+DefaultGroupContainer = "cn=groups,cn=accounts"
 #
 # Apache runs in multi-process mode so each process will have its own
-- cgit
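Review bot: The header comment `# test, users, default, $REALM` still describes the old `ou=default` layout while the entry under it now lives at `uid=test,cn=users,cn=accounts,$SUFFIX`; it should read `# test, users, accounts, $REALM`. The same comment is also the place to say that `gidNumber: 1002` is the ipausers group created by bootstrap-template.ldif, since the two files have to change together.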
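Review bot: `DefaultUserContainer` and `DefaultGroupContainer` are bare RDN strings that only work if they match the `cn=users,cn=accounts` and `cn=groups,cn=accounts` entries created by ipa-install/share/bootstrap-template.ldif, and nothing at the definition says so. A comment such as `# Relative to the suffix; must match the containers in ipa-install/share/bootstrap-template.ldif` above the two assignments would tell whoever next moves the DIT where to look. The code that joins these strings into DNs is outside the hunk.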