authorJan Cholasta <jcholast@redhat.com>2015-12-01 10:44:59 +0100
committerJan Cholasta <jcholast@redhat.com>2015-12-07 08:13:23 +0100
commit7b9a97383ce4090d30e624fc8b7263d6c5f1b823 (patch)
tree14678dd397565aa86b65bf8efdc5c7d67cce94d3
parenta8d7ce5cf1ccd6c8a81fa5b4569afa3aa3c2882d (diff)
aci: replace per-server ACIs with ipaserver-based ACIs
https://fedorahosted.org/freeipa/ticket/3416 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r--install/share/default-aci.ldif11
-rw-r--r--install/updates/40-delegation.update18
-rw-r--r--ipaserver/install/replication.py111
3 files changed, 12 insertions, 128 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 7b174e774..dd15cbe56 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -77,17 +77,6 @@ changetype: modify
add: aci
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
-# Let host add and update CA renewal certificates
-dn: cn=ipa,cn=etc,$SUFFIX
-changetype: modify
-add: aci
-aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-
-dn: cn=ipa,cn=etc,$SUFFIX
-changetype: modify
-add: aci
-aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-
# Let users manage their own tokens
dn: $SUFFIX
changetype: modify
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 08906a663..f0431b92d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -60,8 +60,10 @@ default:cn: SELinux User Map Administrators
default:description: SELinux User Map Administrators
dn: cn=ipa,cn=etc,$SUFFIX
-add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
+add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
# to privilege "Host Administrators"
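Review bot: The two `remove:aci:` values added here use the spaced form `(target = "ldap:///cn=*,cn=ca_renewal,...")`, while the same ACIs as installed from default-aci.ldif (the lines this commit deletes from that file) use `(target="ldap:///cn=*,cn=ca_renewal,...")`; if the updater compares attribute values literally, the removal is a no-op on servers whose ACIs came from the install-time LDIF, and the old per-host `userdn` grants stay in place beside the new `groupdn` grants. Either confirm that value matching normalizes whitespace, or add a second `remove:aci:` line per ACI in the unspaced form. The "Modify CA Certificate" and "Modify CA Certificate Store Entry" hunks below match their original `add:` text exactly, so they are not affected. Since the new ACIs make membership of `cn=ipaservers,cn=hostgroups` the sole gate for writing CA renewal entries, the CA certificate and master `ipaConfigString`, a short comment above the first `add:aci:` would help future maintainers, e.g. `# Write access to CA/master entries is granted via the ipaservers hostgroup; membership changes in that group are security-relevant.`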
@@ -72,10 +74,12 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=ipa,cn=etc,$SUFFIX
-add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
-add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -197,8 +201,10 @@ default:cn: IPA Masters Readers
default:description: Read list of IPA masters
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
+add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# PassSync
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 13a8b82cc..aaa841ca6 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1267,117 +1267,6 @@ class ReplicationManager(object):
err = e
try:
- entry = self.conn.get_entry(
- DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), ['aci'])
-
- sub = {'suffix': self.suffix, 'fqdn': replica}
- try:
- entry.raw['aci'].remove(
- b'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
- b'%(suffix)s")(version 3.0; acl "Add CA Certificates for '
- b'renewals"; allow(add) userdn = "ldap:///fqdn=%(fqdn)s,'
- b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
- try:
- entry.raw['aci'].remove(
- b'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
- b'%(suffix)s")(targetattr = "userCertificate")'
- b'(version 3.0; acl "Modify CA Certificates for renewals"; '
- b'allow(write) userdn = "ldap:///fqdn=%(fqdn)s,'
- b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
- try:
- entry.raw['aci'].remove(
- b'(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,%(suffix)s")'
- b'(targetattr = cACertificate)(version 3.0; acl "Modify CA '
- b'Certificate"; allow (write) userdn = "ldap:///fqdn='
- b'%(fqdn)s,cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
-
- try:
- self.conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
- except errors.NotFound:
- pass
- except Exception as e:
- if not force:
- raise e
- elif not err:
- err = e
-
- try:
- entry = self.conn.get_entry(
- DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
- self.suffix),
- ['aci'])
-
- sub = {'suffix': self.suffix, 'fqdn': replica}
- try:
- entry.raw['aci'].remove(
- b'(targetfilter = "(objectClass=nsContainer)")'
- b'(targetattr = "cn || objectClass || ipaConfigString")'
- b'(version 3.0; acl "Read IPA Masters"; allow (read, '
- b'search, compare) userdn = "ldap:///fqdn=%(fqdn)s,'
- b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
- try:
- entry.raw['aci'].remove(
- b'(targetfilter = "(objectClass=nsContainer)")'
- b'(targetattr = "ipaConfigString")(version 3.0; acl '
- b'"Modify IPA Masters"; allow (write) userdn = '
- b'"ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
- b'%(suffix)s";)' % sub)
- except ValueError:
- pass
-
- try:
- self.conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
- except errors.NotFound:
- pass
- except Exception as e:
- if not force:
- raise e
- elif not err:
- err = e
-
- try:
- entry = self.conn.get_entry(
- DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
- self.suffix),
- ['aci'])
-
- sub = {'suffix': self.suffix, 'fqdn': replica}
- try:
- entry.raw['aci'].remove(
- b'(targetfilter = "(&(objectClass=ipaCertificate)'
- b'(ipaConfigString=ipaCA))")(targetattr = '
- b'"ipaCertIssuerSerial || cACertificate")(version 3.0; acl '
- b'"Modify CA Certificate Store Entry"; allow (write) '
- b'userdn = "ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
- b'%(suffix)s";)' % sub)
- except ValueError:
- pass
-
- try:
- self.conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
- except errors.NotFound:
- pass
- except Exception as e:
- if not force:
- raise e
- elif not err:
- err = e
-
- try:
basedn = DN(('cn', 'etc'), self.suffix)
filter = '(dnaHostname=%s)' % replica
entries = self.conn.get_entries(