From 861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 19 Jan 2011 15:17:25 -0500
Subject: Allow SASL/EXTERNAL authentication for the root user

This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of serevices to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/share/Makefile.am | 1 +
 install/share/root-autobind.ldif | 24 ++++++++++++++++++++++++
 install/tools/ipactl | 5 ++++-
 ipaserver/install/dsinstance.py | 5 +++++
 4 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 install/share/root-autobind.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0fb5c8961..4527a922c 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -47,6 +47,7 @@ app_DATA = \
  uuid-ipauniqueid.ldif \
  modrdn-krbprinc.ldif \
  entryusn.ldif \
+ root-autobind.ldif \
  $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif
new file mode 100644
index 000000000..e7bbc8dbe
--- /dev/null
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762..fc652c975 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
  from ipalib import api, errors
  import logging
  import ldap
+ import ldap.sasl
  import socket
 except ImportError:
  print >> sys.stderr, """\
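Review bot: The only comment in root-autobind.ldif, `# root-autobind, config`, records neither why uid 0 is mapped nor what the mapped entry may do, although the file switches on LDAPI entry mapping for the whole cn=config subtree (nsslapd-ldapimaptoentries with nsslapd-ldapientrysearchbase: cn=config). The file grants no ACI, so the "low privileges" promised in the commit message are whatever the existing ACIs on cn=root-autobind,cn=config and on the service entries already allow; that dependency should be written down next to the entry. As far as I can tell the mapping matches the peer's uid/gid against the uidNumber/gidNumber attributes this entry sets, so any later entry under cn=config that carries those attributes would also become an autobind target, which is worth a sentence as well. Suggested header: `# Maps the local root user (uid/gid 0) connecting over LDAPI to this entry so that ipactl can read the directory when anonymous searches are disabled. No ACIs are granted here: the mapped identity only has the access existing ACIs give it.`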
@@ -36,6 +37,8 @@ error was:
 """ % sys.exc_value
  sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
  usage = "%prog start|stop|restart|status\n"
  parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
  try:
  con = ldap.initialize(api.env.ldap_uri)
- con.simple_bind()
+ con.sasl_interactive_bind_s('', SASL_EXTERNAL)
  res = con.search_st(base, ldap.SCOPE_SUBTREE,
  filterstr=srcfilter,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 859d5c8ff..378e01234 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -207,6 +207,7 @@ class DsInstance(service.Service):
  self.step("creating indices", self.__create_indices)
  self.step("configuring ssl for ds instance", self.__enable_ssl)
  self.step("configuring certmap.conf", self.__certmap_conf)
+ self.step("configure autobind for root", self.__root_autobind)
  self.step("restarting directory server", self.__restart_instance)
 
  def __common_post_setup(self):
@@ -728,3 +729,7 @@ class DsInstance(service.Service):
  def __tuning(self):
  self.tune_nofile(8192)
+
+ def __root_autobind(self):
+ self._ldap_mod("root-autobind.ldif")
+
-- cgit
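Review bot: `SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')` is a module-level constant with no comment, and nothing near it says that EXTERNAL here relies on the peer uid of the ldapi socket rather than on a TLS client certificate. Suggest `# SASL/EXTERNAL over ldapi: the server maps the connecting uid (root) to cn=root-autobind,cn=config, see root-autobind.ldif` above the assignment, so a reader of ipactl knows which server-side setting this depends on.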
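Review bot: `con.sasl_interactive_bind_s('', SASL_EXTERNAL)` has no fallback, so on a server whose directory does not yet map uid 0 — autobind is only added as an install step in dsinstance.py in this patch, and no upgrade path applying root-autobind.ldif is visible here — ipactl's service lookup will now fail where the previous anonymous `con.simple_bind()` succeeded. It also silently assumes api.env.ldap_uri is an ldapi:// URI; over ldap:// with no client certificate EXTERNAL has no identity to offer and the bind fails as well. The try block enclosing this call continues past the hunk, so I cannot see how the error is reported; at minimum the failure should name its cause, for example by catching ldap.LDAPError around the bind and reporting that LDAPI autobind is not configured for root, or the ldif should also be applied to existing installations. Replacing the asynchronous simple_bind() with a synchronous _s bind is itself a correctness improvement, since the old code never waited for the bind result before searching.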
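Review bot: The new step label `"configure autobind for root"` breaks the style of the surrounding steps, which all use a present participle ("creating indices", "configuring ssl for ds instance", "configuring certmap.conf", "restarting directory server"), and this label is presumably the text the installer shows for the step. Suggest `self.step("configuring autobind for root", self.__root_autobind)`. Placing it before the "restarting directory server" step looks right, since the ldif modifies cn=config and the LDAPI settings presumably take effect only after the restart.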
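Review bot: `__root_autobind` has no docstring, and because it is only wired into the install step list in this patch, a reader of dsinstance.py cannot tell that existing installations never get root-autobind.ldif applied unless something outside this diff does it. Suggest a docstring such as `"""Apply root-autobind.ldif: map the local root user (uid 0) on the LDAPI socket to cn=root-autobind,cn=config so ipactl can query services without anonymous access."""` under the def. The second added `+` blank line leaves a trailing empty line at the end of the file, which the project's style checker may flag; the one blank line before the def is enough.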