From 7b9a97383ce4090d30e624fc8b7263d6c5f1b823 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 1 Dec 2015 10:44:59 +0100
Subject: aci: replace per-server ACIs with ipaserver-based ACIs
https://fedorahosted.org/freeipa/ticket/3416
Reviewed-By: Martin Basti
Reviewed-By: Simo Sorce
---
 install/share/default-aci.ldif | 11 ----
 install/updates/40-delegation.update | 18 ++++--
 ipaserver/install/replication.py | 111 -----------------------------------
 3 files changed, 12 insertions(+), 128 deletions(-)
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 7b174e774..dd15cbe56 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -77,17 +77,6 @@ changetype: modify
 add: aci
 aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
 
-# Let host add and update CA renewal certificates
-dn: cn=ipa,cn=etc,$SUFFIX
-changetype: modify
-add: aci
-aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-
-dn: cn=ipa,cn=etc,$SUFFIX
-changetype: modify
-add: aci
-aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-
 # Let users manage their own tokens
 dn: $SUFFIX
 changetype: modify
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 08906a663..f0431b92d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -60,8 +60,10 @@ default:cn: SELinux User Map Administrators
 default:description: SELinux User Map Administrators
 
 dn: cn=ipa,cn=etc,$SUFFIX
-add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
+add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
 
 # Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
 # to privilege "Host Administrators"
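Review bot: The two `remove:aci:` lines only retire a grant whose text matches byte-for-byte, but the copies installed from default-aci.ldif (deleted in the first hunk) were written as `(target="ldap:///cn=*,cn=ca_renewal,...")` and `(targetattr="userCertificate")` without spaces around `=`, whereas these lines use `(target = "...")`; unless the updater compares ACIs structurally rather than as raw strings, the unspaced per-host grant stays in place beside the new groupdn one on servers that were installed rather than updated. That is worth confirming against the updater's aci handling, and if it does string matching, a second `remove:aci:` in the unspaced form (or matching on the acl name) would close the gap. Note also that membership of `cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX` now decides who may add and rewrite renewal certificates, and in the next two hunks the CA certificate and the masters configuration as well, so anyone able to change that hostgroup's membership can confer these rights on any enrolled host. A comment above the new lines such as `# ipaservers hostgroup membership is the trust boundary for these grants` would make that dependency visible to future editors.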
@@ -72,10 +74,12 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=ipa,cn=etc,$SUFFIX
-add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
 
 dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
-add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
 
 # Automember tasks
 dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
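Review bot: The new `add:aci:` for cn=CAcert carries `(targetattr = cACertificate)` unquoted, while every other ACI in these hunks quotes its attribute list (`(targetattr = "userCertificate")`, `(targetattr = "ipaCertIssuerSerial || cACertificate")`); the directory server evidently accepts both, since the retired line used the same form, but `(targetattr = "cACertificate")` would keep the file uniform and make a future string-matched `remove:aci:` of this grant less likely to miss. If the quoting is changed, the paired `remove:aci:` line must keep the old unquoted text so it still matches the grant being retired.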
@@ -197,8 +201,10 @@ default:cn: IPA Masters Readers
 default:description: Read list of IPA masters
 
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
-add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
+add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
+add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
 
 # PassSync
 dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 13a8b82cc..aaa841ca6 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1266,117 +1266,6 @@ class ReplicationManager(object):
 elif not err:
 err = e
 
- try:
- entry = self.conn.get_entry(
- DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), ['aci'])
-
- sub = {'suffix': self.suffix, 'fqdn': replica}
- try:
- entry.raw['aci'].remove(
- b'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
- b'%(suffix)s")(version 3.0; acl "Add CA Certificates for '
- b'renewals"; allow(add) userdn = "ldap:///fqdn=%(fqdn)s,'
- b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
- try:
- entry.raw['aci'].remove(
- b'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
- b'%(suffix)s")(targetattr = "userCertificate")'
- b'(version 3.0; acl "Modify CA Certificates for renewals"; '
- b'allow(write) userdn = "ldap:///fqdn=%(fqdn)s,'
- b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
- try:
- entry.raw['aci'].remove(
- b'(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,%(suffix)s")'
- b'(targetattr = cACertificate)(version 3.0; acl "Modify CA '
- b'Certificate"; allow (write) userdn = "ldap:///fqdn='
- b'%(fqdn)s,cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
-
- try:
- self.conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
- except errors.NotFound:
- pass
- except Exception as e:
- if not force:
- raise e
- elif not err:
- err = e
-
- try:
- entry = self.conn.get_entry(
- DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
- self.suffix),
- ['aci'])
-
- sub = {'suffix': self.suffix, 'fqdn': replica}
- try:
- entry.raw['aci'].remove(
- b'(targetfilter = "(objectClass=nsContainer)")'
- b'(targetattr = "cn || objectClass || ipaConfigString")'
- b'(version 3.0; acl "Read IPA Masters"; allow (read, '
- b'search, compare) userdn = "ldap:///fqdn=%(fqdn)s,'
- b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
- except ValueError:
- pass
- try:
- entry.raw['aci'].remove(
- b'(targetfilter = "(objectClass=nsContainer)")'
- b'(targetattr = "ipaConfigString")(version 3.0; acl '
- b'"Modify IPA Masters"; allow (write) userdn = '
- b'"ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
- b'%(suffix)s";)' % sub)
- except ValueError:
- pass
-
- try:
- self.conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
- except errors.NotFound:
- pass
- except Exception as e:
- if not force:
- raise e
- elif not err:
- err = e
-
- try:
- entry = self.conn.get_entry(
- DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
- self.suffix),
- ['aci'])
-
- sub = {'suffix': self.suffix, 'fqdn': replica}
- try:
- entry.raw['aci'].remove(
- b'(targetfilter = "(&(objectClass=ipaCertificate)'
- b'(ipaConfigString=ipaCA))")(targetattr = '
- b'"ipaCertIssuerSerial || cACertificate")(version 3.0; acl '
- b'"Modify CA Certificate Store Entry"; allow (write) '
- b'userdn = "ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
- b'%(suffix)s";)' % sub)
- except ValueError:
- pass
-
- try:
- self.conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
- except errors.NotFound:
- pass
- except Exception as e:
- if not force:
- raise e
- elif not err:
- err = e
-
 try:
 basedn = DN(('cn', 'etc'), self.suffix)
 filter = '(dnaHostname=%s)' % replica
-- 
cgit