Merge branch 'experimental' into master-exp

Timo Aaltonen 2014-06-26 16:10:50 +03:00
commit 38644e34f9
134 changed files with 7752 additions and 3130 deletions

162
ACI.txt

@ -4,58 +4,202 @@ dn: cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass")(targetfilter = "(objectclass=automemberregexrule)")(version 3.0;acl "permission:System: Read Automember Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:System: Add Automount Keys";allow (add) groupdn = "ldap:///cn=System: Add Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "automountinformation || automountkey || description")(targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:System: Modify Automount Keys";allow (write) groupdn = "ldap:///cn=System: Modify Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Remove Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=automount)")(version 3.0;acl "permission:System: Remove Automount Keys";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Add Automount Locations";allow (add) groupdn = "ldap:///cn=System: Add Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Automount Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=System: Remove Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Remove Automount Locations";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Add Automount Maps";allow (add) groupdn = "ldap:///cn=System: Add Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Add HBAC Rule";allow (add) groupdn = "ldap:///cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Delete HBAC Rule";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "externalhost || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Manage HBAC Rule Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Add HBAC Services";allow (add) groupdn = "ldap:///cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Delete HBAC Services";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Add HBAC Service Groups";allow (add) groupdn = "ldap:///cn=System: Add HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Delete HBAC Service Groups";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage HBAC Service Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Manage HBAC Service Group Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Service Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add Hosts";allow (add) groupdn = "ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "enrolledby || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Certificates";allow (write) groupdn = "ldap:///cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "externalhost || member || memberhost || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "description")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroups";allow (write) groupdn = "ldap:///cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser || objectclass")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || objectclass || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Remove Netgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Modify Privilege Membership";allow (write) groupdn = "ldap:///cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Add Privileges";allow (add) groupdn = "ldap:///cn=System: Add Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || o || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Privileges";allow (write) groupdn = "ldap:///cn=System: Modify Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Remove Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Remove Privileges";allow (delete) groupdn = "ldap:///cn=System: Remove Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Add Roles";allow (add) groupdn = "ldap:///cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Role Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Role Membership";allow (write) groupdn = "ldap:///cn=System: Modify Role Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Modify Roles";allow (write) groupdn = "ldap:///cn=System: Modify Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Remove Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Remove Roles";allow (delete) groupdn = "ldap:///cn=System: Remove Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=System: Add SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || ipaenabledflag || ipaselinuxuser || memberhost || memberuser || seealso")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=System: Modify SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Add Services";allow (add) groupdn = "ldap:///cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Delete Sudo Command";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "description")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Modify Sudo Command";allow (write) groupdn = "ldap:///cn=System: Modify Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Sudo Commands,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Add Sudo Command Group";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Delete Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Delete Sudo Command Group";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Manage Sudo Command Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Manage Sudo Command Group Membership";allow (write) groupdn = "ldap:///cn=System: Manage Sudo Command Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "description")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Modify Sudo Command Group";allow (write) groupdn = "ldap:///cn=System: Modify Sudo Command Group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Sudo Command Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || memberhost || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
@ -63,13 +207,15 @@ aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:Sy
dn: cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Sudo Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipanttrusteddomainsid || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add User to default group";allow (write) groupdn = "ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
@ -93,7 +239,7 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example

175
API.txt

@ -704,8 +704,102 @@ option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: dnsforwardzone_add
args: 1,8,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('idnsforwarders', attribute=True, cli_name='forwarder', csv=True, multivalue=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Str('name_from_ip', attribute=False, cli_name='name_from_ip', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: dnsforwardzone_add_permission
args: 1,1,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
option: Str('version?', exclude='webui')
output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: dnsforwardzone_del
args: 1,2,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=True, only_absolute=True, primary_key=True, query=True, required=True)
option: Flag('continue', autofill=True, cli_name='continue', default=False)
option: Str('version?', exclude='webui')
output: Output('result', <type 'dict'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: ListOfPrimaryKeys('value', None, None)
command: dnsforwardzone_disable
args: 1,1,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
option: Str('version?', exclude='webui')
output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: dnsforwardzone_enable
args: 1,1,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
option: Str('version?', exclude='webui')
output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: dnsforwardzone_find
args: 1,11,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, query=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, query=True, required=False, values=(u'only', u'first', u'none'))
option: DNSNameParam('idnsname', attribute=True, autofill=False, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=False)
option: Bool('idnszoneactive', attribute=True, autofill=False, cli_name='zone_active', multivalue=False, query=True, required=False)
option: Str('name_from_ip', attribute=False, autofill=False, cli_name='name_from_ip', multivalue=False, query=True, required=False)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Int('sizelimit?', autofill=False, minvalue=0)
option: Int('timelimit?', autofill=False, minvalue=0)
option: Str('version?', exclude='webui')
output: Output('count', <type 'int'>, None)
output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: dnsforwardzone_mod
args: 1,10,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
option: Str('idnsforwarders', attribute=True, autofill=False, cli_name='forwarder', csv=True, multivalue=True, required=False)
option: StrEnum('idnsforwardpolicy', attribute=True, autofill=False, cli_name='forward_policy', multivalue=False, required=False, values=(u'only', u'first', u'none'))
option: Str('name_from_ip', attribute=False, autofill=False, cli_name='name_from_ip', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: dnsforwardzone_remove_permission
args: 1,1,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
option: Str('version?', exclude='webui')
output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: dnsforwardzone_show
args: 1,4,3
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Flag('rights', autofill=True, default=False)
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: dnsrecord_add
args: 2,116,3
args: 2,100,3
arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
option: Str('a6_part_data', attribute=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False)
@ -730,6 +824,10 @@ option: CERTRecord('certrecord', attribute=True, cli_name='cert_rec', csv=True,
option: DNSNameParam('cname_part_hostname', attribute=False, cli_name='cname_hostname', multivalue=False, option_group=u'CNAME Record', required=False)
option: CNAMERecord('cnamerecord', attribute=True, cli_name='cname_rec', csv=True, multivalue=True, option_group=u'CNAME Record', required=False)
option: DHCIDRecord('dhcidrecord', attribute=True, cli_name='dhcid_rec', csv=True, multivalue=True, option_group=u'DHCID Record', required=False)
option: Int('dlv_part_algorithm', attribute=False, cli_name='dlv_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DLV Record', required=False)
option: Str('dlv_part_digest', attribute=False, cli_name='dlv_digest', multivalue=False, option_group=u'DLV Record', pattern='^[0-9a-fA-F]+$', required=False)
option: Int('dlv_part_digest_type', attribute=False, cli_name='dlv_digest_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DLV Record', required=False)
option: Int('dlv_part_key_tag', attribute=False, cli_name='dlv_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'DLV Record', required=False)
option: DLVRecord('dlvrecord', attribute=True, cli_name='dlv_rec', csv=True, multivalue=True, option_group=u'DLV Record', required=False)
option: DNSNameParam('dname_part_target', attribute=False, cli_name='dname_target', multivalue=False, option_group=u'DNAME Record', required=False)
option: DNAMERecord('dnamerecord', attribute=True, cli_name='dname_rec', csv=True, multivalue=True, option_group=u'DNAME Record', required=False)
@ -737,17 +835,13 @@ option: StrEnum('dnsclass', attribute=True, cli_name='class', multivalue=False,
option: DNSKEYRecord('dnskeyrecord', attribute=True, cli_name='dnskey_rec', csv=True, multivalue=True, option_group=u'DNSKEY Record', required=False)
option: Int('dnsttl', attribute=True, cli_name='ttl', multivalue=False, required=False)
option: Int('ds_part_algorithm', attribute=False, cli_name='ds_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
option: Str('ds_part_digest', attribute=False, cli_name='ds_digest', multivalue=False, option_group=u'DS Record', required=False)
option: Str('ds_part_digest', attribute=False, cli_name='ds_digest', multivalue=False, option_group=u'DS Record', pattern='^[0-9a-fA-F]+$', required=False)
option: Int('ds_part_digest_type', attribute=False, cli_name='ds_digest_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
option: Int('ds_part_key_tag', attribute=False, cli_name='ds_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
option: DSRecord('dsrecord', attribute=True, cli_name='ds_rec', csv=True, multivalue=True, option_group=u'DS Record', required=False)
option: Flag('force', autofill=True, default=False)
option: HIPRecord('hiprecord', attribute=True, cli_name='hip_rec', csv=True, multivalue=True, option_group=u'HIP Record', required=False)
option: IPSECKEYRecord('ipseckeyrecord', attribute=True, cli_name='ipseckey_rec', csv=True, multivalue=True, option_group=u'IPSECKEY Record', required=False)
option: Int('key_part_algorithm', attribute=False, cli_name='key_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'KEY Record', required=False)
option: Int('key_part_flags', attribute=False, cli_name='key_flags', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'KEY Record', required=False)
option: Int('key_part_protocol', attribute=False, cli_name='key_protocol', maxvalue=255, minvalue=0, multivalue=False, option_group=u'KEY Record', required=False)
option: Str('key_part_public_key', attribute=False, cli_name='key_public_key', multivalue=False, option_group=u'KEY Record', required=False)
option: KEYRecord('keyrecord', attribute=True, cli_name='key_rec', csv=True, multivalue=True, option_group=u'KEY Record', required=False)
option: DNSNameParam('kx_part_exchanger', attribute=False, cli_name='kx_exchanger', multivalue=False, option_group=u'KX Record', required=False)
option: Int('kx_part_preference', attribute=False, cli_name='kx_preference', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'KX Record', required=False)
@ -776,36 +870,20 @@ option: Str('naptr_part_replacement', attribute=False, cli_name='naptr_replaceme
option: Str('naptr_part_service', attribute=False, cli_name='naptr_service', multivalue=False, option_group=u'NAPTR Record', required=False)
option: NAPTRRecord('naptrrecord', attribute=True, cli_name='naptr_rec', csv=True, multivalue=True, option_group=u'NAPTR Record', required=False)
option: DNSNameParam('ns_part_hostname', attribute=False, cli_name='ns_hostname', multivalue=False, option_group=u'NS Record', required=False)
option: Int('nsec3param_part_algorithm', attribute=False, cli_name='nsec3param_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
option: Int('nsec3param_part_flags', attribute=False, cli_name='nsec3param_flags', default=0, maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
option: Int('nsec3param_part_iterations', attribute=False, cli_name='nsec3param_iterations', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
option: Str('nsec3param_part_salt', attribute=False, cli_name='nsec3param_salt', default=u'-', minlength=1, multivalue=False, option_group=u'NSEC3PARAM Record', pattern='^([0-9a-fA-F]+|-)$', required=False)
option: NSEC3PARAMRecord('nsec3paramrecord', attribute=True, cli_name='nsec3param_rec', csv=True, multivalue=True, option_group=u'NSEC3PARAM Record', required=False)
option: NSEC3Record('nsec3record', attribute=True, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=u'NSEC3 Record', required=False)
option: DNSNameParam('nsec_part_next', attribute=False, cli_name='nsec_next', multivalue=False, option_group=u'NSEC Record', required=False)
option: StrEnum('nsec_part_types', attribute=False, cli_name='nsec_types', csv=True, multivalue=True, option_group=u'NSEC Record', required=False, values=(u'SOA', u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT'))
option: NSECRecord('nsecrecord', attribute=True, cli_name='nsec_rec', csv=True, multivalue=True, option_group=u'NSEC Record', required=False)
option: NSRecord('nsrecord', attribute=True, cli_name='ns_rec', csv=True, multivalue=True, option_group=u'NS Record', required=False)
option: DNSNameParam('ptr_part_hostname', attribute=False, cli_name='ptr_hostname', multivalue=False, option_group=u'PTR Record', required=False)
option: PTRRecord('ptrrecord', attribute=True, cli_name='ptr_rec', csv=True, multivalue=True, option_group=u'PTR Record', required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: RPRecord('rprecord', attribute=True, cli_name='rp_rec', csv=True, multivalue=True, option_group=u'RP Record', required=False)
option: Int('rrsig_part_algorithm', attribute=False, cli_name='rrsig_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Int('rrsig_part_key_tag', attribute=False, cli_name='rrsig_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Int('rrsig_part_labels', attribute=False, cli_name='rrsig_labels', maxvalue=255, minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Int('rrsig_part_original_ttl', attribute=False, cli_name='rrsig_original_ttl', minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signature', attribute=False, cli_name='rrsig_signature', multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signature_expiration', attribute=False, cli_name='rrsig_signature_expiration', multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signature_inception', attribute=False, cli_name='rrsig_signature_inception', multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signers_name', attribute=False, cli_name='rrsig_signers_name', multivalue=False, option_group=u'RRSIG Record', required=False)
option: StrEnum('rrsig_part_type_covered', attribute=False, cli_name='rrsig_type_covered', multivalue=False, option_group=u'RRSIG Record', required=False, values=(u'SOA', u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT'))
option: RRSIGRecord('rrsigrecord', attribute=True, cli_name='rrsig_rec', csv=True, multivalue=True, option_group=u'RRSIG Record', required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Int('sig_part_algorithm', attribute=False, cli_name='sig_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Int('sig_part_key_tag', attribute=False, cli_name='sig_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Int('sig_part_labels', attribute=False, cli_name='sig_labels', maxvalue=255, minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Int('sig_part_original_ttl', attribute=False, cli_name='sig_original_ttl', minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signature', attribute=False, cli_name='sig_signature', multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signature_expiration', attribute=False, cli_name='sig_signature_expiration', multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signature_inception', attribute=False, cli_name='sig_signature_inception', multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signers_name', attribute=False, cli_name='sig_signers_name', multivalue=False, option_group=u'SIG Record', required=False)
option: StrEnum('sig_part_type_covered', attribute=False, cli_name='sig_type_covered', multivalue=False, option_group=u'SIG Record', required=False, values=(u'SOA', u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT'))
option: SIGRecord('sigrecord', attribute=True, cli_name='sig_rec', csv=True, multivalue=True, option_group=u'SIG Record', required=False)
option: SPFRecord('spfrecord', attribute=True, cli_name='spf_rec', csv=True, multivalue=True, option_group=u'SPF Record', required=False)
option: Int('srv_part_port', attribute=False, cli_name='srv_port', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'SRV Record', required=False)
@ -935,7 +1013,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: dnsrecord_mod
args: 2,116,3
args: 2,100,3
arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: Str('a6_part_data', attribute=False, autofill=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False)
@ -959,6 +1037,10 @@ option: DNSNameParam('cname_part_hostname', attribute=False, autofill=False, cli
option: CNAMERecord('cnamerecord', attribute=True, autofill=False, cli_name='cname_rec', csv=True, multivalue=True, option_group=u'CNAME Record', required=False)
option: Str('delattr*', cli_name='delattr', exclude='webui')
option: DHCIDRecord('dhcidrecord', attribute=True, autofill=False, cli_name='dhcid_rec', csv=True, multivalue=True, option_group=u'DHCID Record', required=False)
option: Int('dlv_part_algorithm', attribute=False, autofill=False, cli_name='dlv_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DLV Record', required=False)
option: Str('dlv_part_digest', attribute=False, autofill=False, cli_name='dlv_digest', multivalue=False, option_group=u'DLV Record', pattern='^[0-9a-fA-F]+$', required=False)
option: Int('dlv_part_digest_type', attribute=False, autofill=False, cli_name='dlv_digest_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DLV Record', required=False)
option: Int('dlv_part_key_tag', attribute=False, autofill=False, cli_name='dlv_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'DLV Record', required=False)
option: DLVRecord('dlvrecord', attribute=True, autofill=False, cli_name='dlv_rec', csv=True, multivalue=True, option_group=u'DLV Record', required=False)
option: DNSNameParam('dname_part_target', attribute=False, autofill=False, cli_name='dname_target', multivalue=False, option_group=u'DNAME Record', required=False)
option: DNAMERecord('dnamerecord', attribute=True, autofill=False, cli_name='dname_rec', csv=True, multivalue=True, option_group=u'DNAME Record', required=False)
@ -966,16 +1048,12 @@ option: StrEnum('dnsclass', attribute=True, autofill=False, cli_name='class', mu
option: DNSKEYRecord('dnskeyrecord', attribute=True, autofill=False, cli_name='dnskey_rec', csv=True, multivalue=True, option_group=u'DNSKEY Record', required=False)
option: Int('dnsttl', attribute=True, autofill=False, cli_name='ttl', multivalue=False, required=False)
option: Int('ds_part_algorithm', attribute=False, autofill=False, cli_name='ds_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
option: Str('ds_part_digest', attribute=False, autofill=False, cli_name='ds_digest', multivalue=False, option_group=u'DS Record', required=False)
option: Str('ds_part_digest', attribute=False, autofill=False, cli_name='ds_digest', multivalue=False, option_group=u'DS Record', pattern='^[0-9a-fA-F]+$', required=False)
option: Int('ds_part_digest_type', attribute=False, autofill=False, cli_name='ds_digest_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
option: Int('ds_part_key_tag', attribute=False, autofill=False, cli_name='ds_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
option: DSRecord('dsrecord', attribute=True, autofill=False, cli_name='ds_rec', csv=True, multivalue=True, option_group=u'DS Record', required=False)
option: HIPRecord('hiprecord', attribute=True, autofill=False, cli_name='hip_rec', csv=True, multivalue=True, option_group=u'HIP Record', required=False)
option: IPSECKEYRecord('ipseckeyrecord', attribute=True, autofill=False, cli_name='ipseckey_rec', csv=True, multivalue=True, option_group=u'IPSECKEY Record', required=False)
option: Int('key_part_algorithm', attribute=False, autofill=False, cli_name='key_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'KEY Record', required=False)
option: Int('key_part_flags', attribute=False, autofill=False, cli_name='key_flags', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'KEY Record', required=False)
option: Int('key_part_protocol', attribute=False, autofill=False, cli_name='key_protocol', maxvalue=255, minvalue=0, multivalue=False, option_group=u'KEY Record', required=False)
option: Str('key_part_public_key', attribute=False, autofill=False, cli_name='key_public_key', multivalue=False, option_group=u'KEY Record', required=False)
option: KEYRecord('keyrecord', attribute=True, autofill=False, cli_name='key_rec', csv=True, multivalue=True, option_group=u'KEY Record', required=False)
option: DNSNameParam('kx_part_exchanger', attribute=False, autofill=False, cli_name='kx_exchanger', multivalue=False, option_group=u'KX Record', required=False)
option: Int('kx_part_preference', attribute=False, autofill=False, cli_name='kx_preference', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'KX Record', required=False)
@ -1004,10 +1082,12 @@ option: Str('naptr_part_replacement', attribute=False, autofill=False, cli_name=
option: Str('naptr_part_service', attribute=False, autofill=False, cli_name='naptr_service', multivalue=False, option_group=u'NAPTR Record', required=False)
option: NAPTRRecord('naptrrecord', attribute=True, autofill=False, cli_name='naptr_rec', csv=True, multivalue=True, option_group=u'NAPTR Record', required=False)
option: DNSNameParam('ns_part_hostname', attribute=False, autofill=False, cli_name='ns_hostname', multivalue=False, option_group=u'NS Record', required=False)
option: Int('nsec3param_part_algorithm', attribute=False, autofill=False, cli_name='nsec3param_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
option: Int('nsec3param_part_flags', attribute=False, autofill=False, cli_name='nsec3param_flags', default=0, maxvalue=255, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
option: Int('nsec3param_part_iterations', attribute=False, autofill=False, cli_name='nsec3param_iterations', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'NSEC3PARAM Record', required=False)
option: Str('nsec3param_part_salt', attribute=False, autofill=False, cli_name='nsec3param_salt', default=u'-', minlength=1, multivalue=False, option_group=u'NSEC3PARAM Record', pattern='^([0-9a-fA-F]+|-)$', required=False)
option: NSEC3PARAMRecord('nsec3paramrecord', attribute=True, autofill=False, cli_name='nsec3param_rec', csv=True, multivalue=True, option_group=u'NSEC3PARAM Record', required=False)
option: NSEC3Record('nsec3record', attribute=True, autofill=False, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=u'NSEC3 Record', required=False)
option: DNSNameParam('nsec_part_next', attribute=False, autofill=False, cli_name='nsec_next', multivalue=False, option_group=u'NSEC Record', required=False)
option: StrEnum('nsec_part_types', attribute=False, autofill=False, cli_name='nsec_types', csv=True, multivalue=True, option_group=u'NSEC Record', required=False, values=(u'SOA', u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT'))
option: NSECRecord('nsecrecord', attribute=True, autofill=False, cli_name='nsec_rec', csv=True, multivalue=True, option_group=u'NSEC Record', required=False)
option: NSRecord('nsrecord', attribute=True, autofill=False, cli_name='ns_rec', csv=True, multivalue=True, option_group=u'NS Record', required=False)
option: DNSNameParam('ptr_part_hostname', attribute=False, autofill=False, cli_name='ptr_hostname', multivalue=False, option_group=u'PTR Record', required=False)
@ -1016,26 +1096,8 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui
option: DNSNameParam('rename', cli_name='rename', multivalue=False, primary_key=True, required=False)
option: Flag('rights', autofill=True, default=False)
option: RPRecord('rprecord', attribute=True, autofill=False, cli_name='rp_rec', csv=True, multivalue=True, option_group=u'RP Record', required=False)
option: Int('rrsig_part_algorithm', attribute=False, autofill=False, cli_name='rrsig_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Int('rrsig_part_key_tag', attribute=False, autofill=False, cli_name='rrsig_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Int('rrsig_part_labels', attribute=False, autofill=False, cli_name='rrsig_labels', maxvalue=255, minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Int('rrsig_part_original_ttl', attribute=False, autofill=False, cli_name='rrsig_original_ttl', minvalue=0, multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signature', attribute=False, autofill=False, cli_name='rrsig_signature', multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signature_expiration', attribute=False, autofill=False, cli_name='rrsig_signature_expiration', multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signature_inception', attribute=False, autofill=False, cli_name='rrsig_signature_inception', multivalue=False, option_group=u'RRSIG Record', required=False)
option: Str('rrsig_part_signers_name', attribute=False, autofill=False, cli_name='rrsig_signers_name', multivalue=False, option_group=u'RRSIG Record', required=False)
option: StrEnum('rrsig_part_type_covered', attribute=False, autofill=False, cli_name='rrsig_type_covered', multivalue=False, option_group=u'RRSIG Record', required=False, values=(u'SOA', u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT'))
option: RRSIGRecord('rrsigrecord', attribute=True, autofill=False, cli_name='rrsig_rec', csv=True, multivalue=True, option_group=u'RRSIG Record', required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Int('sig_part_algorithm', attribute=False, autofill=False, cli_name='sig_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Int('sig_part_key_tag', attribute=False, autofill=False, cli_name='sig_key_tag', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Int('sig_part_labels', attribute=False, autofill=False, cli_name='sig_labels', maxvalue=255, minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Int('sig_part_original_ttl', attribute=False, autofill=False, cli_name='sig_original_ttl', minvalue=0, multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signature', attribute=False, autofill=False, cli_name='sig_signature', multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signature_expiration', attribute=False, autofill=False, cli_name='sig_signature_expiration', multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signature_inception', attribute=False, autofill=False, cli_name='sig_signature_inception', multivalue=False, option_group=u'SIG Record', required=False)
option: Str('sig_part_signers_name', attribute=False, autofill=False, cli_name='sig_signers_name', multivalue=False, option_group=u'SIG Record', required=False)
option: StrEnum('sig_part_type_covered', attribute=False, autofill=False, cli_name='sig_type_covered', multivalue=False, option_group=u'SIG Record', required=False, values=(u'SOA', u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV', u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC', u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'NSEC3PARAM', u'PTR', u'RRSIG', u'RP', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY', u'TSIG', u'TXT'))
option: SIGRecord('sigrecord', attribute=True, autofill=False, cli_name='sig_rec', csv=True, multivalue=True, option_group=u'SIG Record', required=False)
option: SPFRecord('spfrecord', attribute=True, autofill=False, cli_name='spf_rec', csv=True, multivalue=True, option_group=u'SPF Record', required=False)
option: Int('srv_part_port', attribute=False, autofill=False, cli_name='srv_port', maxvalue=65535, minvalue=0, multivalue=False, option_group=u'SRV Record', required=False)
@ -2347,10 +2409,11 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: passwd
args: 3,1,3
args: 3,2,3
arg: Str('principal', autofill=True, cli_name='user', primary_key=True)
arg: Password('password')
arg: Password('current_password', autofill=True, confirm=False)
option: Password('otp?', confirm=False)
option: Str('version?', exclude='webui')
output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
@ -3412,11 +3475,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: sudorule_add_host
args: 1,6,3
args: 1,7,3
arg: Str('cn', attribute=True, cli_name='sudorule_name', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Str('hostmask?', multivalue=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui')
@ -3565,11 +3629,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: sudorule_remove_host
args: 1,6,3
args: 1,7,3
arg: Str('cn', attribute=True, cli_name='sudorule_name', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Str('hostmask?', multivalue=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui')


@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=89
# Last change: npmccallum - Add support for managedBy to tokens
IPA_API_VERSION_MINOR=94
# Last change: pvoborni - Add OTP option to passwd command


@ -25,6 +25,8 @@
#include "ipa_kdb.h"
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
struct ipadb_context *ipadb_get_context(krb5_context kcontext)
{
void *db_ctx;
@ -41,6 +43,7 @@ struct ipadb_context *ipadb_get_context(krb5_context kcontext)
static void ipadb_context_free(krb5_context kcontext,
struct ipadb_context **ctx)
{
struct ipadb_global_config *cfg;
size_t c;
if (*ctx != NULL) {
@ -56,10 +59,11 @@ static void ipadb_context_free(krb5_context kcontext,
ipadb_mspac_struct_free(&(*ctx)->mspac);
krb5_free_default_realm(kcontext, (*ctx)->realm);
for (c = 0; (*ctx)->authz_data && (*ctx)->authz_data[c]; c++) {
free((*ctx)->authz_data[c]);
cfg = &(*ctx)->config;
for (c = 0; cfg->authz_data && cfg->authz_data[c]; c++) {
free(cfg->authz_data[c]);
}
free((*ctx)->authz_data);
free(cfg->authz_data);
free(*ctx);
*ctx = NULL;
@ -209,7 +213,7 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
ldap_value_free_len(vals);
}
int ipadb_get_global_configs(struct ipadb_context *ipactx)
static int ipadb_load_global_config(struct ipadb_context *ipactx)
{
char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR,
IPA_USER_AUTH_TYPE, NULL };
@ -217,7 +221,6 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
LDAPMessage *res = NULL;
LDAPMessage *first;
char *base = NULL;
int i;
int ret;
char **authz_data_list;
@ -241,45 +244,44 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
}
/* Check for permitted authentication types. */
ipadb_parse_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
ipadb_parse_user_auth(ipactx->lcontext, res, &ipactx->config.user_auth);
vals = ldap_get_values_len(ipactx->lcontext, first,
"ipaConfigString");
if (!vals || !vals[0]) {
/* no config, set nothing */
ret = 0;
goto done;
}
/* Load config strings. */
vals = ldap_get_values_len(ipactx->lcontext, first, "ipaConfigString");
if (vals) {
ipactx->config.disable_last_success = false;
ipactx->config.disable_lockout = false;
for (int i = 0; vals[i]; i++) {
if (strncasecmp("KDC:Disable Last Success",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_last_success = true;
continue;
}
for (i = 0; vals[i]; i++) {
if (strncasecmp("KDC:Disable Last Success",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->disable_last_success = true;
continue;
}
if (strncasecmp("KDC:Disable Lockout",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->disable_lockout = true;
continue;
if (strncasecmp("KDC:Disable Lockout",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_lockout = true;
continue;
}
}
}
/* Load authz data. */
ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, first,
IPA_KRB_AUTHZ_DATA_ATTR, &authz_data_list);
if (ret != 0 && ret != ENOENT) {
goto done;
}
if (ret == 0) {
if (ipactx->authz_data != NULL) {
for (i = 0; ipactx->authz_data[i]; i++) {
free(ipactx->authz_data[i]);
}
free(ipactx->authz_data);
if (ipactx->config.authz_data != NULL) {
for (int i = 0; ipactx->config.authz_data[i]; i++)
free(ipactx->config.authz_data[i]);
free(ipactx->config.authz_data);
}
ipactx->authz_data = authz_data_list;
}
ipactx->config.authz_data = authz_data_list;
} else if (ret != ENOENT)
goto done;
/* Success! */
ipactx->config.last_update = time(NULL);
ret = 0;
done:
@ -289,6 +291,18 @@ done:
return ret;
}
const struct ipadb_global_config *
ipadb_get_global_config(struct ipadb_context *ipactx)
{
time_t now = 0;
if (time(&now) != (time_t)-1
&& now - ipactx->config.last_update > IPADB_GLOBAL_CONFIG_CACHE_TIME)
ipadb_load_global_config(ipactx);
return &ipactx->config;
}
int ipadb_get_connection(struct ipadb_context *ipactx)
{
struct berval **vals = NULL;
@ -390,7 +404,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
ipactx->n_supp_encs = n_kst;
/* get additional options */
ret = ipadb_get_global_configs(ipactx);
ret = ipadb_load_global_config(ipactx);
if (ret) {
goto done;
}
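Review bot: In ipadb_load_global_config the resets `ipactx->config.disable_last_success = false;` and `ipactx->config.disable_lockout = false;` sit inside `if (vals)`, so once the ipaConfigString attribute has no values at all a previously cached `disable_lockout = true` survives every periodic reload until the KDC restarts, which keeps lockout switched off long after the setting was removed. Moving those two assignments above the `if (vals)` makes an absent attribute restore the defaults. Separately, ipadb_get_global_config returns `&ipactx->config` whether or not the reload on the preceding line succeeded, so the NULL checks its callers perform are unreachable and a failed reload silently serves the stale copy while `last_update` stays old and the LDAP search is repeated on every call; at least document this on the function, e.g. `/* On reload failure the previously cached config is returned unchanged. */`. The start of ipadb_load_global_config and its `done:` cleanup are outside the hunks shown.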


@ -87,6 +87,14 @@ enum ipadb_user_auth {
IPADB_USER_AUTH_OTP = 1 << 3,
};
struct ipadb_global_config {
time_t last_update;
bool disable_last_success;
bool disable_lockout;
char **authz_data;
enum ipadb_user_auth user_auth;
};
struct ipadb_context {
char *uri;
char *base;
@ -99,10 +107,9 @@ struct ipadb_context {
krb5_key_salt_tuple *supp_encs;
int n_supp_encs;
struct ipadb_mspac *mspac;
bool disable_last_success;
bool disable_lockout;
char **authz_data;
enum ipadb_user_auth user_auth;
/* Don't access this directly, use ipadb_get_global_config(). */
struct ipadb_global_config config;
};
#define IPA_E_DATA_MAGIC 0x0eda7a
@ -277,3 +284,5 @@ void ipadb_audit_as_req(krb5_context kcontext,
/* AUTH METHODS */
void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
enum ipadb_user_auth *user_auth);
const struct ipadb_global_config *
ipadb_get_global_config(struct ipadb_context *ipactx);
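Review bot: The new `ipadb_get_global_config` prototype carries no comment, and its contract is not obvious: the returned pointer aliases `ipactx->config`, and a later call that triggers a reload frees and replaces `config.authz_data` (see the free loop in ipadb_load_global_config), so callers must not retain `gcfg->authz_data` across calls. Add above the prototype: `/* Return the cached global config, refreshed from LDAP when older than IPADB_GLOBAL_CONFIG_CACHE_TIME. The pointer and its authz_data alias ipactx state that a later call may free; use them only within the current request. */`. The `config` member's comment in struct ipadb_context could point at the same note.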


@ -30,6 +30,7 @@ void ipadb_audit_as_req(krb5_context kcontext,
krb5_timestamp authtime,
krb5_error_code error_code)
{
const struct ipadb_global_config *gcfg;
struct ipadb_context *ipactx;
struct ipadb_e_data *ied;
krb5_error_code kerr;
@ -63,6 +64,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
client->mask = 0;
gcfg = ipadb_get_global_config(ipactx);
if (gcfg == NULL)
return;
switch (error_code) {
case 0:
/* Check if preauth flag is specified (default), otherwise we have
@ -72,7 +77,7 @@ void ipadb_audit_as_req(krb5_context kcontext,
client->fail_auth_count = 0;
client->mask |= KMASK_FAIL_AUTH_COUNT;
}
if (ipactx->disable_last_success) {
if (gcfg->disable_last_success) {
break;
}
client->last_success = authtime;
@ -83,7 +88,7 @@ void ipadb_audit_as_req(krb5_context kcontext,
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
if (ipactx->disable_lockout) {
if (gcfg->disable_lockout) {
break;
}
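Review bot: The early `return` when `gcfg == NULL` skips the entire switch, including the failed-auth counter and lockout bookkeeping, so if that branch ever fired a preauth failure would go unrecorded and lockout would silently stop working. As ipadb_get_global_config is written in this commit it always returns `&ipactx->config`, so the branch is dead today, but a later change that returns NULL on reload failure would turn it into a fail-open path. Prefer falling back to the cached flags instead of returning, or at least mark the intent: `/* never NULL today; a NULL here must not skip lockout accounting */`. ipadb_audit_as_req begins and ends outside the hunks shown.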


@ -1878,6 +1878,9 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
}
if (ied == NULL || ied->authz_data == NULL) {
const struct ipadb_global_config *gcfg = NULL;
char **tmp = NULL;
if (context == NULL) {
krb5_klog_syslog(LOG_ERR, "Missing Kerberos context, no " \
"authorization data will be added.");
@ -1885,14 +1888,17 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
}
ipactx = ipadb_get_context(context);
if (ipactx == NULL || ipactx->authz_data == NULL) {
gcfg = ipadb_get_global_config(ipactx);
if (gcfg != NULL)
tmp = gcfg->authz_data;
if (ipactx == NULL || tmp == NULL) {
krb5_klog_syslog(LOG_ERR, "No default authorization data types " \
"available, no authorization data will " \
"be added.");
goto done;
}
authz_data_list = ipactx->authz_data;
authz_data_list = tmp;
} else {
authz_data_list = ied->authz_data;
}
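Review bot: `gcfg = ipadb_get_global_config(ipactx);` runs before the `ipactx == NULL` test two lines below, and ipadb_get_global_config dereferences `ipactx->config.last_update` unconditionally, so a NULL context now crashes the KDC where the old code logged and jumped to done. Guard the call: `if (ipactx != NULL) gcfg = ipadb_get_global_config(ipactx);` and keep the existing NULL test as is. get_authz_data_types starts and ends outside the hunks shown.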


@ -320,18 +320,25 @@ static void ipadb_validate_password(struct ipadb_context *ipactx,
static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
LDAPMessage *lentry)
{
enum ipadb_user_auth gua = IPADB_USER_AUTH_NONE;
enum ipadb_user_auth ua = IPADB_USER_AUTH_NONE;
const struct ipadb_global_config *gcfg = NULL;
/* Get the user's user_auth settings. */
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
/* Get the global user_auth settings. */
gcfg = ipadb_get_global_config(ipactx);
if (gcfg != NULL)
gua = gcfg->user_auth;
/* If the disabled flag is set, ignore everything else. */
if ((ua | ipactx->user_auth) & IPADB_USER_AUTH_DISABLED)
if ((ua | gua) & IPADB_USER_AUTH_DISABLED)
return IPADB_USER_AUTH_DISABLED;
/* Determine which user_auth policy is active: user or global. */
if (ua == IPADB_USER_AUTH_NONE)
ua = ipactx->user_auth;
ua = gua;
/* Perform flag validation. */
ipadb_validate_otp(ipactx, lentry, &ua);


@ -102,8 +102,10 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset)
*pkset = NULL;
}
static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg)
{
krb5_context krbctx;
@ -113,7 +115,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **svals = NULL;
krb5_principal princ = NULL;
krb5_error_code krberr;
krb5_data pwd;
krb5_data pwd = { 0 };
struct ipapwd_keyset *kset = NULL;
krbctx = krbcfg->krbctx;
@ -141,8 +143,10 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
goto enc_error;
}
pwd.data = (char *)data->password;
pwd.length = strlen(data->password);
if (data->password) {
pwd.data = (char *)data->password;
pwd.length = strlen(data->password);
}
kset = malloc(sizeof(struct ipapwd_keyset));
if (!kset) {
@ -160,8 +164,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
krberr = ipa_krb5_generate_key_data(krbctx, princ,
pwd, kvno, krbcfg->kmkey,
krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts,
num_encsalts, encsalts,
&kset->num_keys, &kset->keys);
if (krberr != 0) {
LOG_FATAL("generating kerberos keys failed [%s]\n",
@ -212,7 +215,10 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (is_krb) {
*svals = encrypt_encode_key(krbcfg, data, errMesg);
*svals = ipapwd_encrypt_encode_key(krbcfg, data,
krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts,
errMesg);
if (!*svals) {
/* errMesg should have been set in encrypt_encode_key() */
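Review bot: The comment `/* errMesg should have been set in encrypt_encode_key() */` still names the old static function; update it to `/* errMesg should have been set in ipapwd_encrypt_encode_key() */`. In the renamed function the new `if (data->password)` guard leaves `pwd` as a zero-length krb5_data when no password is supplied, and that is passed straight to ipa_krb5_generate_key_data; whether the callee then generates random keys or derives keys from the empty string is not visible in this diff, so state the intended semantics in a comment on the function, e.g. `/* data->password may be NULL: pwd is then empty - confirm ipa_krb5_generate_key_data produces random keys in that case */`. ipapwd_encrypt_encode_key and ipapwd_gen_hashes both continue outside the hunks shown.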


@ -141,6 +141,12 @@ struct ipapwd_keyset {
void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg);
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant,
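Review bot: The newly exported `ipapwd_encrypt_encode_key` is undocumented, and its `num_encsalts`/`encsalts` parameters replace what the old static version took from `krbcfg->pref_encsalts`, so callers outside this file cannot tell which salt list to pass. Add above the prototype: `/* Generate Kerberos keys for data->password (NULL allowed) using the given enc/salt tuples; pass krbcfg->num_pref_encsalts/pref_encsalts for the default set. Returns NULL and sets *errMesg on failure. */`. The ipapwd_gen_hashes declaration that follows continues outside the hunk.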


@ -1157,8 +1157,8 @@ static bool ipapwd_do_otp_auth(const char *dn, Slapi_Entry *bind_entry,
/* Loop through each token. */
for (int i = 0; tokens[i] && !success; i++) {
/* Attempt authentication. */
success = otptoken_validate_string(tokens[i], OTP_VALIDATE_STEPS,
creds->bv_val, creds->bv_len, true);
success = otptoken_validate_berval(tokens[i], OTP_VALIDATE_STEPS,
creds, true);
/* Truncate the password to remove the OTP code at the end. */
if (success) {


@ -58,10 +58,11 @@ bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
{
struct otptoken **tokens = NULL;
LDAPControl **controls = NULL;
struct berval *second = NULL;
struct berval *first = NULL;
BerElement *ber = NULL;
char *token_dn = NULL;
int second = 0;
int first = 0;
bool success;
if (slapi_pblock_get(pb, SLAPI_REQCONTROLS, &controls) != 0)
return false;
@ -79,32 +80,30 @@ bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
return false;
/* Decode the token codes. */
if (ber_scanf(ber, "{ii", &first, &second) == LBER_ERROR) {
if (ber_scanf(ber, "{OO", &first, &second) == LBER_ERROR) {
ber_free(ber, 1);
return false;
}
/* Decode the optional token DN. */
ber_scanf(ber, "a", &token_dn);
if (ber_scanf(ber, "}") == LBER_ERROR) {
ber_free(ber, 1);
return false;
/* Process the synchronization. */
success = false;
if (ber_scanf(ber, "}") != LBER_ERROR) {
tokens = otptoken_find(plugin_id, user_dn, token_dn, true, NULL);
if (tokens != NULL) {
success = otptoken_sync_berval(tokens, OTP_SYNC_MAX_STEPS, first, second);
otptoken_free_array(tokens);
}
}
ber_memfree(token_dn); token_dn = NULL;
ber_bvfree(second);
ber_bvfree(first);
ber_free(ber, 1);
/* Find all the tokens. */
tokens = otptoken_find(plugin_id, user_dn, token_dn, true, NULL);
ber_memfree(token_dn);
if (tokens == NULL)
if (!success)
return false;
/* Synchronize the token. */
if (!otptoken_sync(tokens, OTP_SYNC_MAX_STEPS, first, second)) {
otptoken_free_array(tokens);
return false;
}
otptoken_free_array(tokens);
}
return true;
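Review bot: The `return false` after a failed `ber_scanf(ber, "{OO", ...)` frees the BerElement but neither `first` nor `second`; with the "O" format each element is allocated as it is decoded, so a request whose first code parses and whose second does not may leave `first` allocated, depending on whether the liblber in use releases partial results on error. Since both pointers start as NULL and `ber_bvfree` accepts NULL in the common liblber implementations, free them unconditionally on that path: `ber_bvfree(second); ber_bvfree(first); ber_free(ber, 1);`. The success path below already frees both, so only this early exit differs. The closing brace of sync_request_handle lies outside the hunk shown.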


@ -48,8 +48,8 @@
* The ASN.1 encoding of the request structure:
*
* OTPSyncRequest ::= SEQUENCE {
* firstCode INTEGER,
* secondCode INTEGER,
* firstCode OCTET STRING,
* secondCode OCTET STRING,
* tokenDN OCTET STRING OPTIONAL
* }
*/


@ -449,7 +449,8 @@ const Slapi_DN *otptoken_get_sdn(struct otptoken *token)
return token->sdn;
}
bool otptoken_validate(struct otptoken *token, size_t steps, uint32_t code)
static bool otptoken_validate(struct otptoken *token, size_t steps,
uint32_t code)
{
time_t now = 0;
@ -477,44 +478,53 @@ bool otptoken_validate(struct otptoken *token, size_t steps, uint32_t code)
return false;
}
bool otptoken_validate_string(struct otptoken *token, size_t steps,
const char *code, ssize_t len, bool tail)
/*
* Convert code berval to decimal.
*
* NOTE: We can't use atol() or strtoul() because:
* 1. If we have leading zeros, atol() fails.
* 2. Neither support limiting conversion by length.
*/
static bool bvtod(const struct berval *code, uint32_t *out)
{
*out = 0;
for (ber_len_t i = 0; i < code->bv_len; i++) {
if (code->bv_val[i] < '0' || code->bv_val[i] > '9')
return false;
*out *= 10;
*out += code->bv_val[i] - '0';
}
return code->bv_len != 0;
}
bool otptoken_validate_berval(struct otptoken *token, size_t steps,
const struct berval *code, bool tail)
{
struct berval tmp;
uint32_t otp;
if (token == NULL || code == NULL)
return false;
tmp = *code;
if (len < 0)
len = strlen(code);
if (len < token->token.digits)
if (tmp.bv_len < token->token.digits)
return false;
if (tail)
code = &code[len - token->token.digits];
len = token->token.digits;
tmp.bv_val = &tmp.bv_val[tmp.bv_len - token->token.digits];
tmp.bv_len = token->token.digits;
/*
* Convert code string to decimal.
*
* NOTE: We can't use atol() or strtoul() because:
* 1. We may have leading zeros (atol() fails here).
* 2. Neither support limiting conversion by length.
*/
otp = 0;
for (ssize_t i = 0; i < len; i++) {
if (code[i] < '0' || code[i] > '9')
return false;
otp *= 10;
otp += code[i] - '0';
}
if (!bvtod(&tmp, &otp))
return false;
return otptoken_validate(token, steps, otp);
}
bool otptoken_sync(struct otptoken * const *tokens, size_t steps,
uint32_t first_code, uint32_t second_code)
static bool otptoken_sync(struct otptoken * const *tokens, size_t steps,
uint32_t first_code, uint32_t second_code)
{
time_t now = 0;
@ -542,3 +552,19 @@ bool otptoken_sync(struct otptoken * const *tokens, size_t steps,
return false;
}
bool otptoken_sync_berval(struct otptoken * const *tokens, size_t steps,
const struct berval *first_code,
const struct berval *second_code)
{
uint32_t second = 0;
uint32_t first = 0;
if (!bvtod(first_code, &first))
return false;
if (!bvtod(second_code, &second))
return false;
return otptoken_sync(tokens, steps, first, second);
}
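Review bot: `bvtod` has no upper bound on `code->bv_len`, so `*out *= 10; *out += ...` wraps silently for inputs of more than ten digits and distinct strings collapse onto the same 32-bit value; `otptoken_validate_berval` is shielded by its trim to `token->token.digits`, but `otptoken_sync_berval` hands both bervals to `bvtod` untrimmed. Reject the overflow before multiplying, after the digit check inside the loop: `if (*out > (UINT32_MAX - (code->bv_val[i] - '0')) / 10) return false;` (or, if every token is known to use at most the configured digit count, cap `bv_len` there instead). The NOTE block in bvtod could also mention that the empty string is rejected by the final `return code->bv_len != 0;`.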


@ -80,16 +80,14 @@ int otptoken_get_digits(struct otptoken *token);
/* Get the SDN of the token. */
const Slapi_DN *otptoken_get_sdn(struct otptoken *token);
/* Validate the token code within a range of steps. */
bool otptoken_validate(struct otptoken *token, size_t steps, uint32_t code);
/* Validate the token code within a range of steps. If tail is true,
* it will be assumed that the token is specified at the end of the string. */
bool otptoken_validate_string(struct otptoken *token, size_t steps,
const char *code, ssize_t len, bool tail);
bool otptoken_validate_berval(struct otptoken *token, size_t steps,
const struct berval *code, bool tail);
/* Synchronize the token within a range of steps. */
bool otptoken_sync(struct otptoken * const *tokens, size_t steps,
uint32_t first_code, uint32_t second_code);
bool otptoken_sync_berval(struct otptoken * const *tokens, size_t steps,
const struct berval *first_code,
const struct berval *second_code);
#endif /* LIBOTP_H_ */
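Review bot: `otptoken_sync_berval` inherits only the old one-line comment "Synchronize the token within a range of steps.", which no longer describes the arguments: both codes are now ASCII decimal strings rather than integers, and an empty or non-digit value makes the call fail (see bvtod in libotp.c). Extend it to: `/* Synchronize the token within a range of steps. first_code and second_code are ASCII decimal digit strings; empty or non-digit input returns false. */`. The same digit-string wording would help the `otptoken_validate_berval` comment above it.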


@ -299,12 +299,13 @@ Requires: gnupg
Requires: iproute
Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss
Requires: python-nss >= 0.15
Requires: python-lxml
Requires: python-netaddr
Requires: libipa_hbac-python
Requires: python-qrcode
Requires: python-pyasn1
Requires: python-dateutil
Obsoletes: ipa-python >= 1.0
@ -506,7 +507,10 @@ fi
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
# NOTE: systemd specific section
if [ $? -eq 0 ]; then
/bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
/bin/systemctl is-enabled ipa.service >/dev/null 2>&1
if [ $? -eq 0 ]; then
/bin/systemctl restart ipa.service >/dev/null 2>&1 || :
fi
fi
# END
@ -635,6 +639,7 @@ fi
%{_sbindir}/ipa-csreplica-manage
%{_sbindir}/ipa-server-certinstall
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-managed-entries
@ -772,6 +777,7 @@ fi
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
%{_mandir}/man1/ipa-advise.1.gz
%{_mandir}/man1/ipa-otptoken-import.1.gz
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
@ -832,11 +838,7 @@ fi
%dir %{python_sitelib}/ipalib
%{python_sitelib}/ipalib/*
%dir %{python_sitelib}/ipaplatform
%dir %{python_sitelib}/ipaplatform/base
%dir %{python_sitelib}/ipaplatform/fedora
%{python_sitelib}/ipaplatform/*
%{python_sitelib}/ipaplatform/base/*.py*
%{python_sitelib}/ipaplatform/fedora/*.py*
%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
%{python_sitelib}/ipapython-*.egg-info
%{python_sitelib}/freeipa-*.egg-info
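Review bot: The `%post` change replaces `try-restart` (restart only if running) with `is-enabled` followed by `restart`, which also starts ipa.service when it is enabled but currently stopped, so an administrator who stopped the service for maintenance will find it running again after a package upgrade. If that is the intent, say so next to the `# NOTE: systemd specific section` marker, e.g. `# restart (and start, if enabled but stopped) the IPA service after upgrade`; otherwise keep `try-restart`. The `Requires: python-nss >= 0.15` bump and the `ipaplatform/*` glob look fine.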


@ -35,6 +35,7 @@ import contextlib
from ipapython import ipautil
from ipapython.dn import DN
from ipalib import api, errors, pkcs10, x509
from ipaplatform.paths import paths
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import cainstance, certs
@ -58,7 +59,7 @@ def ldap_connect():
tmpdir = tempfile.mkdtemp(prefix="tmp-")
try:
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir,
ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
principal)
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
@ -77,7 +78,7 @@ def request_cert():
syslog.syslog(syslog.LOG_NOTICE,
"Forwarding request to dogtag-ipa-renew-agent")
path = '/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit'
path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
args = [path] + sys.argv[1:]
stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
sys.stderr.write(stderr)
@ -261,7 +262,7 @@ def export_csr():
if not cert:
return (REJECTED, "New certificate requests not supported")
csr_file = '/var/lib/ipa/ca.csr'
csr_file = paths.IPA_CA_CSR
try:
with open(csr_file, 'wb') as f:
f.write(csr)


@ -46,6 +46,8 @@ attributeTypes: (2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Locati
attributeTypes: (2.16.840.1.113730.3.8.11.47 NAME 'ipaPermRight' DESC 'IPA permission rights' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.48 NAME 'ipaPermTargetFilter' DESC 'IPA permission target filter' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.49 NAME 'ipaPermTarget' DESC 'IPA permission target' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an operation' SUP distinguishedName X-ORIGIN 'IPA-v3')
attributeTypes: (2.16.840.1.113730.3.8.11.52 NAME 'ipaProtectedOperation' DESC 'Operation to be protected' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
@ -64,4 +66,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP i
objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.23 NAME 'ipaVirtualOperation' DESC 'IPA Virtual operation objectclass' SUP top AUXILIARY MUST ( cn ) X-ORIGIN 'IPA v3' )
objectclasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v3')
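Review bot: The new schema lines in the hunk at @ -46 do not follow the file's conventions: `ipaAllowedToPerform` carries `X-ORIGIN 'IPA-v3'` where every other definition uses `'IPA v3'`, `ipaProtectedOperation` has no X-ORIGIN at all, and the `ipaAllowedOperations` objectclass is written as lowercase `objectclasses:` and placed after the higher OID ...12.23. LDIF attribute names are case-insensitive so the class loads, but anything that greps for `objectClasses:` will miss it. Suggest `X-ORIGIN 'IPA v3'` on both new attribute types and `objectClasses:` for the new class, kept in OID order.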


@ -26,6 +26,8 @@ attributeTypes: (1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Delegation Signe
attributeTypes: (1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' DESC 'RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: (1.3.6.1.4.1.2428.20.1.32769 NAME 'DLVRecord' DESC 'DNSSEC Lookaside Validation, RFC 4431' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: (0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
@ -50,7 +52,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of
attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4' )
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ nSEC3PARAMRecord $ DLVRecord ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) )
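Review bot: `DLVRecord` breaks the naming convention used by every other record attribute in this schema (`nSEC3PARAMRecord`, `rRSIGRecord`, `sSHFPRecord` all lowercase the leading letter); ACIs match case-insensitively so it works, but `dLVRecord` would keep the file uniform and avoid a third spelling alongside the `dlvrecord` used in the dns.ldif ACI. The DESC of `nSEC3PARAMRecord` says only `'RFC 5155'`, while neighbouring entries name the record type as well (`'NSEC, RFC 3755'`), so `'NSEC3PARAM, RFC 5155'` would match the surrounding style.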


@ -31,8 +31,10 @@ attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DES
attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
## Attribute to store sudo command
attributeTypes: (2.16.840.1.113730.3.8.7.13 NAME 'sudoCmd' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch ORDERING caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity.
attributeTypes: (2.16.840.1.113730.3.8.7.14 NAME 'ipaSudoRunAsExtUserGroup' DESC 'Multivalue string attribute that allows storing groups of users that are not managed by IPA the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4' )
## Object class for SUDO rules
objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ ipaSudoRunAsExtUserGroup ) X-ORIGIN 'IPA v2' )
## Object class for SUDO commands
objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' )
## Object class for groups of the SUDO commands
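Review bot: The comment added above `ipaSudoRunAsExtUserGroup` describes the wrong thing: it says the attribute stores "a name of the user not managed by IPA" under whose identity the command runs, while the attribute's own DESC (and its name) say it holds groups of non-IPA users the command may run as; it also has a typo (`witll`). Since this attribute widens the runAs targets a sudo rule can grant, an auditor reading the schema should not be misled by the comment. Suggest `## Attribute to store groups of users not managed by IPA that the command can be run as`.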


@ -26,6 +26,13 @@ changetype: modify
add: aci
aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Users allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#USERDN";)
aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Groups allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Users allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#USERDN";)
aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Groups allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#GROUPDN";)
aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
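Review bot: The seven new `ipaProtectedOperation` ACIs carry no explanatory comment, and `read_keys` in particular deserves one: the acl names show that `write_keys` creates new keys while `read_keys` retrieves the existing ones, so a DN or group listed in `ipaAllowedToPerform;read_keys` on a host or service entry can obtain a working keytab without rotating the principal's keys and without the entry's own keytab being invalidated. Suggest a comment block before the first new `aci:` line stating that `ipaProtectedOperation;<op>` is a virtual attribute (presumably evaluated by the keytab extended-operation handlers rather than stored — confirm), that `ipaAllowedToPerform;<op>` on the target entry lists who is permitted, and that `read_keys` grants should be kept minimal and reviewed. The new lines also use `allow(write)` and `(targetattr="…")` without the spaces the two preceding ACIs in the hunk use; either is valid, but one consistent form makes grep-based ACI audits easier.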


@ -133,293 +133,10 @@ description: Host Enrollment
# Default permissions.
############################################
# Group administration
dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Groups
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Group membership
member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
# Host administration
dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Hosts
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Manage Host SSH Public Keys
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
# Hostgroup administration
dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Hostgroups
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Hostgroup membership
member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
# Service administration
dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Services
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
# Delegation administration
dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Roles
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Role membership
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify privilege membership
member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
# Automount administration
dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Automount maps
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove Automount keys
member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
# Netgroup administration
dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Add netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Remove netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify netgroups
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Modify netgroup membership
member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
# Keytab access
dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Manage host keytab
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Manage service keytab
member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
# DNS administration
# The permission and aci for this is in install/updates/dns.ldif
dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Enroll a host
member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
# Replica administration
dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
@ -458,109 +175,6 @@ cn: Modify DNA Range
ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
############################################
# Default permissions (ACIs)
############################################
# Group administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
# Host administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)
# Hostgroup administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
# Service administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)
# Delegation administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)
# Automount administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
# Netgroup administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
# Host keytab admin
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Service keytab admin
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
# set enrolledBy to whoever ran join. enrolledBy is specifically
# not listed here, it is set by the plugin but we don't want an
# admin overriding it using --setattr or ldapmodify.
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.
dn: cn=virtual operations,cn=etc,$SUFFIX


@ -7,15 +7,7 @@ cn: dns
aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || nsec3paramrecord || dlvrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
@ -32,54 +24,3 @@ objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers
dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
objectClass: ipapermission
cn: add dns entries
description: Add DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
objectClass: ipapermission
cn: remove dns entries
description: Remove DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
objectClass: ipapermission
cn: update dns entries
description: Update DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read DNS Entries
description: Read DNS entries
ipapermissiontype: SYSTEM
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
objectClass: ipapermission
cn: Write DNS Configuration
description: Write DNS Configuration
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX

@ -86,15 +86,18 @@ add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'
add:schema-compat-entry-attribute: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'
# memberDenyCmds are to be allowed even if cmdCategory is set to ALL
add:schema-compat-entry-attribute: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
add:schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'
dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
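Review bot: The comment `# memberDenyCmds are to be allowed even if cmdCategory is set to ALL` reads inverted: the two `sudoCommand=!%deref...` lines beneath it emit memberDenyCmd entries as negated commands, i.e. denials that survive `cmdCategory=ALL`, not allowances. Suggest `# memberDenyCmd entries are always emitted (negated), so cmdCategory=ALL yields "ALL, !cmd"`. Which of these lines are new and which are context is not recoverable from the rendered page, so the comment may predate this change. The entry's `dn:` line and the start of its attribute list are outside the hunk.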

@ -20,6 +20,7 @@ sbin_SCRIPTS = \
ipa-nis-manage \
ipa-managed-entries \
ipa-ldap-updater \
ipa-otptoken-import \
ipa-upgradeconfig \
ipa-backup \
ipa-restore \

@ -29,10 +29,11 @@ from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
import krbV
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
log_file_name = "/var/log/ipaserver-install.log"
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
@ -222,7 +223,7 @@ def main():
check_server_configuration()
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print "=============================================================================="
print "This program will setup components needed to establish trust to AD domains for"
@ -276,7 +277,7 @@ def main():
allow_empty = False):
sys.exit("Aborting installation.")
elif os.path.exists('/etc/samba/smb.conf'):
elif os.path.exists(paths.SMB_CONF):
print("WARNING: The smb.conf already exists. Running "
"ipa-adtrust-install will break your existing samba "
"configuration.\n\n")

@ -40,8 +40,9 @@ from ipapython import sysrestore
from ipapython import dogtag
from ipapython.ipa_log_manager import *
from ipaplatform import services
from ipaplatform.paths import paths
log_file_name = "/var/log/ipareplica-ca-install.log"
log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
def parse_options():
@ -105,7 +106,7 @@ def main():
sys.exit("Replica file %s does not exist" % filename)
global sstore
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
sstore = sysrestore.StateFile(paths.SYSRESTORE)
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
@ -194,7 +195,7 @@ def main():
#update dogtag version in config file
try:
fd = open("/etc/ipa/default.conf", "a")
fd = open(paths.IPA_DEFAULT_CONF, "a")
fd.write(
"dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
fd.close()

@ -20,6 +20,7 @@
#
import sys
from ipaplatform.paths import paths
try:
from optparse import OptionParser
from ipapython import ipautil, config
@ -80,7 +81,7 @@ def get_entry(dn, conn):
def main():
retval = 0
files = ['/usr/share/ipa/schema_compat.uldif']
files = [paths.SCHEMA_COMPAT_ULDIF]
options, args = parse_options()

@ -29,10 +29,11 @@ from ipaserver.install import installutils
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipaplatform.paths import paths
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup, root_logger
log_file_name = "/var/log/ipaserver-install.log"
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
@ -85,7 +86,7 @@ def main():
installutils.check_server_configuration()
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print "=============================================================================="
print "This program will setup DNS for the FreeIPA Server."

@ -21,6 +21,7 @@
import sys
import os
from ipaplatform.paths import paths
try:
from optparse import OptionParser
from ipapython import ipautil, config
@ -82,7 +83,7 @@ def get_entry(dn, conn):
def main():
retval = 0
files = ['/usr/share/ipa/nis.uldif']
files = [paths.NIS_ULDIF]
servicemsg = ""
if os.getegid() != 0:

@ -0,0 +1,25 @@
#! /usr/bin/python2 -E
# Authors: Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install.ipa_otptoken_import import OTPTokenImport
import nss.nss as nss
OTPTokenImport.run_cli()
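Review bot: `import nss.nss as nss` is never referenced in this new script; if it is there so the NSS bindings are loaded before `OTPTokenImport.run_cli()` runs, say so with a comment such as `# imported for its import-time side effect; OTPTokenImport relies on NSS being loadable -- confirm`, otherwise drop it so the file lints clean. The `-E` in the shebang makes the interpreter ignore `PYTHON*` environment variables, which is a sensible default for a tool that decrypts token material per its man page, and is worth a one-line comment next to the shebang so nobody "simplifies" it away.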

@ -37,11 +37,12 @@ import threading
import errno
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
CONNECT_TIMEOUT = 5
RESPONDERS = [ ]
QUIET = False
CCACHE_FILE = "/etc/ipa/.conncheck_ccache"
CCACHE_FILE = paths.CONNCHECK_CCACHE
KRB5_CONFIG = None
class SshExec(object):
@ -168,7 +169,7 @@ def logging_setup(options):
log_file = None
if os.getegid() == 0:
log_file = "/var/log/ipareplica-conncheck.log"
log_file = paths.IPAREPLICA_CONNCHECK_LOG
standard_logging_setup(log_file, debug=options.debug)
@ -372,7 +373,7 @@ def main():
stderr=''
(stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
(stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False)
if returncode != 0:
@ -380,7 +381,7 @@ def main():
# Verify kinit was actually successful
stderr=''
(stdout, stderr, returncode) = ipautil.run(['/usr/bin/kvno',
(stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False)

@ -52,8 +52,9 @@ from ipapython.dn import DN
import ipaclient.ntpconf
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
log_file_name = "/var/log/ipareplica-install.log"
log_file_name = paths.IPAREPLICA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
DIRMAN_DN = DN(('cn', 'directory manager'))
@ -236,15 +237,15 @@ def install_http(config, auto_redirect):
try:
if ipautil.file_exists(config.dir + "/preferences.html"):
shutil.copy(config.dir + "/preferences.html",
"/usr/share/ipa/html/preferences.html")
paths.PREFERENCES_HTML)
if ipautil.file_exists(config.dir + "/configure.jar"):
shutil.copy(config.dir + "/configure.jar",
"/usr/share/ipa/html/configure.jar")
paths.CONFIGURE_JAR)
if ipautil.file_exists(config.dir + "/krb.js"):
shutil.copy(config.dir + "/krb.js",
"/usr/share/ipa/html/krb.js")
paths.KRB_JS)
shutil.copy(config.dir + "/kerberosauth.xpi",
"/usr/share/ipa/html/kerberosauth.xpi")
paths.KERBEROSAUTH_XPI)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
@ -461,17 +462,17 @@ def main():
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
if client_fstore.has_files():
sys.exit("IPA client is already configured on this system.\n" +
"Please uninstall it first before configuring the replica, " +
"using 'ipa-client-install --uninstall'.")
global sstore
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
sstore = sysrestore.StateFile(paths.SYSRESTORE)
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
fstore = sysrestore.FileStore(paths.SYSRESTORE)
# check the bind is installed
if options.setup_dns:
@ -559,7 +560,7 @@ def main():
# Note: We must do this before bootstraping and finalizing ipalib.api
old_umask = os.umask(022) # must be readable for httpd
try:
fd = open("/etc/ipa/default.conf", "w")
fd = open(paths.IPA_DEFAULT_CONF, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % config.host_name)
fd.write("basedn=%s\n" % str(ipautil.realm_to_suffix(config.realm_name)))
@ -728,7 +729,7 @@ def main():
# Call client install script
try:
args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
if not options.create_sshfp:
args.append("--no-dns-sshfp")
if options.trust_sshfp:

@ -38,6 +38,7 @@ from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipaclient import ipadiscovery
from xmlrpclib import MAXINT
from ipaplatform.paths import paths
# dict of command name and tuples of min/max num of args needed
commands = {
@ -1144,7 +1145,7 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
def main():
if os.getegid() == 0:
installutils.check_server_configuration()
elif not os.path.exists('/etc/ipa/default.conf'):
elif not os.path.exists(paths.IPA_DEFAULT_CONF):
sys.exit("IPA is not configured on this system.")
options, args = parse_options()

@ -79,6 +79,7 @@ from ipapython.dn import DN
import ipaclient.ntpconf
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
uninstalling = False
installation_cleanup = True
@ -91,7 +92,7 @@ VALID_SUBJECT_ATTRS = ['st', 'o', 'ou', 'dnqualifier', 'c',
'incorporationlocality', 'incorporationstate',
'incorporationcountry', 'businesscategory']
SYSRESTORE_DIR_PATH = '/var/lib/ipa/sysrestore'
SYSRESTORE_DIR_PATH = paths.SYSRESTORE
def subject_callback(option, opt_str, value, parser):
"""
@ -335,7 +336,7 @@ def signal_handler(signum, frame):
dsinstance.erase_ds_instance_data (ds.serverid)
sys.exit(1)
ANSWER_CACHE = "/root/.ipa_cache"
ANSWER_CACHE = paths.ROOT_IPA_CACHE
def read_cache(dm_password):
"""
@ -469,7 +470,7 @@ def uninstall():
print "Shutting down all IPA services"
try:
(stdout, stderr, rc) = run(["/usr/sbin/ipactl", "stop"], raiseonerr=False)
(stdout, stderr, rc) = run([paths.IPACTL, "stop"], raiseonerr=False)
except Exception, e:
pass
@ -478,7 +479,7 @@ def uninstall():
print "Removing IPA client configuration"
try:
(stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
(stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
if rc not in [0,2]:
root_logger.debug("ipa-client-install returned %d" % rc)
raise RuntimeError(stdout)
@ -588,10 +589,10 @@ def main():
if options.uninstall:
uninstalling = True
standard_logging_setup("/var/log/ipaserver-uninstall.log", debug=options.debug)
standard_logging_setup(paths.IPASERVER_UNINSTALL_LOG, debug=options.debug)
installation_cleanup = False
else:
standard_logging_setup("/var/log/ipaserver-install.log", debug=options.debug)
standard_logging_setup(paths.IPASERVER_INSTALL_LOG, debug=options.debug)
print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
if not options.external_ca and not options.external_cert_file and is_ipa_configured():
installation_cleanup = False
@ -599,7 +600,7 @@ def main():
"If you want to reinstall the IPA server, please uninstall " +
"it first using 'ipa-server-install --uninstall'.")
client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
if client_fstore.has_files():
installation_cleanup = False
sys.exit("IPA client is already configured on this system.\n" +
@ -1001,7 +1002,7 @@ def main():
installation_cleanup = False
# Create the management framework config file and finalize api
target_fname = '/etc/ipa/default.conf'
target_fname = paths.IPA_DEFAULT_CONF
fd = open(target_fname, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % host_name)
@ -1093,7 +1094,7 @@ def main():
options.reverse_zone = reverse_zone
write_cache(vars(options))
ca.configure_instance(host_name, domain_name, dm_password,
dm_password, csr_file="/root/ipa.csr",
dm_password, csr_file=paths.ROOT_IPA_CSR,
subject_base=options.subject)
else:
# stage 2 of external CA installation
@ -1157,7 +1158,7 @@ def main():
http.create_instance(
realm_name, host_name, domain_name, dm_password,
subject_base=options.subject, auto_redirect=options.ui_redirect)
tasks.restore_context("/var/cache/ipa/sessions")
tasks.restore_context(paths.CACHE_IPA_SESSIONS)
set_subject_in_config(realm_name, dm_password, ipautil.realm_to_suffix(realm_name), options.subject)
@ -1201,7 +1202,7 @@ def main():
# Call client install script
try:
args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
if not options.create_sshfp:
args.append("--no-dns-sshfp")
if options.trust_sshfp:
@ -1267,9 +1268,9 @@ if __name__ == '__main__':
# out from all install scripts
safe_options, options = parse_options()
if options.uninstall:
log_file_name = "/var/log/ipaserver-uninstall.log"
log_file_name = paths.IPASERVER_UNINSTALL_LOG
else:
log_file_name = "/var/log/ipaserver-install.log"
log_file_name = paths.IPASERVER_INSTALL_LOG
# Use private ccache
with private_ccache():
@ -1282,6 +1283,6 @@ if __name__ == '__main__':
# Do a cautious clean up as we don't know what failed and what is
# the state of the environment
try:
fstore.restore_file('/etc/hosts')
fstore.restore_file(paths.HOSTS)
except:
pass
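Review bot: In main(), the user-facing line `print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"` still hard-codes the path while the `standard_logging_setup(paths.IPASERVER_INSTALL_LOG, ...)` call immediately above it was switched to the constant, so the message and the real log location can disagree on any platform where that constant differs; change it to `print "\nThe log file for this installation can be found in %s" % paths.IPASERVER_INSTALL_LOG`. Separately, the cleanup in the `__main__` block wraps `fstore.restore_file(paths.HOSTS)` in a bare `except:`, which also swallows SystemExit and KeyboardInterrupt; `except Exception:` keeps the best-effort intent without that. Both main() and the `__main__` block start and end outside their hunks.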

@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import *
from ipapython import certmonger
from ipapython import dogtag
from ipaplatform.paths import paths
from ipaserver.install import installutils
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
@ -114,7 +115,7 @@ def update_conf(sub_dict, filename, template_filename):
def find_hostname():
"""Find the hostname currently configured in ipa-rewrite.conf"""
filename="/etc/httpd/conf.d/ipa-rewrite.conf"
filename=paths.HTTPD_IPA_REWRITE_CONF
if not ipautil.file_exists(filename):
return None
@ -137,7 +138,7 @@ def find_autoredirect(fqdn):
Returns True if autoredirect is enabled, False otherwise
"""
filename = '/etc/httpd/conf.d/ipa-rewrite.conf'
filename = paths.HTTPD_IPA_REWRITE_CONF
if os.path.exists(filename):
pattern = "^RewriteRule \^/\$ https://%s/ipa/ui \[L,NC,R=301\]" % fqdn
p = re.compile(pattern)
@ -200,12 +201,12 @@ def upgrade(sub_dict, filename, template, add=False):
def check_certs():
"""Check ca.crt is in the right place, and try to fix if not"""
root_logger.info('[Verifying that root certificate is published]')
if not os.path.exists("/usr/share/ipa/html/ca.crt"):
ca_file = "/etc/httpd/alias/cacert.asc"
if not os.path.exists(paths.CA_CRT):
ca_file = paths.ALIAS_CACERT_ASC
if os.path.exists(ca_file):
old_umask = os.umask(022) # make sure its readable by httpd
try:
shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
shutil.copyfile(ca_file, paths.CA_CRT)
finally:
os.umask(old_umask)
else:
@ -231,14 +232,14 @@ def upgrade_pki(ca, fstore):
http.enable_mod_nss_renegotiate()
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
'proxy.securePort', '=') and \
os.path.exists('/usr/bin/pki-setup-proxy'):
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
os.path.exists(paths.PKI_SETUP_PROXY):
ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
root_logger.debug('Proxy configuration updated')
else:
root_logger.debug('Proxy configuration up-to-date')
def update_dbmodules(realm, filename="/etc/krb5.conf"):
def update_dbmodules(realm, filename=paths.KRB5_CONF):
newfile = []
found_dbrealm = False
found_realm = False
@ -287,7 +288,7 @@ def cleanup_kdc(fstore):
"""
root_logger.info('[Checking for deprecated KDC configuration files]')
for file in ['kpasswd.keytab', 'ldappwd']:
filename = '/var/kerberos/krb5kdc/%s' % file
filename = os.path.join(paths.VAR_KERBEROS_KRB5KDC_DIR, file)
installutils.remove_file(filename)
if fstore.has_file(filename):
fstore.untrack_file(filename)
@ -301,7 +302,7 @@ def cleanup_adtrust(fstore):
root_logger.info('[Checking for deprecated backups of Samba '
'configuration files]')
for backed_up_file in ['/etc/samba/smb.conf']:
for backed_up_file in [paths.SMB_CONF]:
if fstore.has_file(backed_up_file):
fstore.untrack_file(backed_up_file)
root_logger.debug('Removing %s from backup', backed_up_file)
@ -330,9 +331,14 @@ def upgrade_ipa_profile(ca, domain, fqdn):
root_logger.debug('Subject Key Identifier updated.')
else:
root_logger.debug('Subject Key Identifier already set.')
san = ca.enable_subject_alternative_name()
if san:
root_logger.debug('Subject Alternative Name updated.')
else:
root_logger.debug('Subject Alternative Name already set.')
audit = ca.set_audit_renewal()
uri = ca.set_crl_ocsp_extensions(domain, fqdn)
if audit or ski or uri:
if audit or ski or san or uri:
return True
else:
root_logger.info('CA is not configured')
@ -535,7 +541,7 @@ def named_update_gssapi_configuration():
bindinstance.NAMED_SECTION_OPTIONS)
bindinstance.named_conf_set_directive('tkey-domain', None,
bindinstance.NAMED_SECTION_OPTIONS)
bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab',
bindinstance.named_conf_set_directive('tkey-gssapi-keytab', paths.NAMED_KEYTAB,
bindinstance.NAMED_SECTION_OPTIONS)
except IOError, e:
root_logger.error('Cannot update GSSAPI configuration in %s: %s',
@ -576,7 +582,7 @@ def named_update_pid_file():
return False
try:
bindinstance.named_conf_set_directive('pid-file', '/run/named/named.pid',
bindinstance.named_conf_set_directive('pid-file', paths.NAMED_PID,
bindinstance.NAMED_SECTION_OPTIONS)
except IOError, e:
root_logger.error('Cannot update pid-file configuration in %s: %s',
@ -620,7 +626,7 @@ def certificate_renewal_update(ca):
'renew_ca_cert',
),
(
'/etc/httpd/alias',
paths.HTTPD_ALIAS_DIR,
'ipaCert',
'dogtag-ipa-ca-renew-agent',
None,
@ -681,7 +687,7 @@ def certificate_renewal_update(ca):
if not sysupgrade.get_upgrade_state('dogtag',
'certificate_renewal_update_1'):
filename = '/var/lib/certmonger/cas/ca_renewal'
filename = paths.CERTMONGER_CAS_CA_RENEWAL
if os.path.exists(filename):
with installutils.stopped_service('certmonger'):
root_logger.info("Removing %s" % filename)
@ -911,10 +917,10 @@ def uninstall_selfsign(ds, http):
root_logger.warning(
'Removing self-signed CA. Certificates will need to managed manually.')
p = ConfigParser.SafeConfigParser()
p.read('/etc/ipa/default.conf')
p.read(paths.IPA_DEFAULT_CONF)
p.set('global', 'enable_ra', 'False')
p.set('global', 'ra_plugin', 'none')
with open('/etc/ipa/default.conf', 'w') as f:
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
p.write(f)
ds.stop_tracking_certificates()
@ -989,7 +995,7 @@ def set_sssd_domain_option(option, value):
domain = sssdconfig.get_domain(str(api.env.domain))
domain.set_option(option, value)
sssdconfig.save_domain(domain)
sssdconfig.write("/etc/sssd/sssd.conf")
sssdconfig.write(paths.SSSD_CONF)
def main():
@ -1013,12 +1019,12 @@ def main():
else:
console_format = '%(message)s'
standard_logging_setup('/var/log/ipaupgrade.log', debug=options.debug,
standard_logging_setup(paths.IPAUPGRADE_LOG, debug=options.debug,
verbose=verbose, console_format=console_format, filemode='a')
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api.bootstrap(context='restart', in_server=True)
api.finalize()
@ -1061,9 +1067,9 @@ def main():
certmap_dir = dsinstance.config_dirname(
dsinstance.realm_to_serverid(api.env.realm))
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
if subject_base:
upgrade(
sub_dict,
@ -1074,7 +1080,7 @@ def main():
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
removed_sysconfig_file = '/etc/sysconfig/httpd'
removed_sysconfig_file = paths.SYSCONFIG_HTTPD
if fstore.has_file(removed_sysconfig_file):
root_logger.info('Restoring %s as it is no longer required',
removed_sysconfig_file)
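Review bot: In cleanup_kdc the new `filename = os.path.join(paths.VAR_KERBEROS_KRB5KDC_DIR, file)` builds the path from a loop variable named `file`, which shadows the builtin; since the line is being touched anyway, rename it: `for name in ['kpasswd.keytab', 'ldappwd']:` / `filename = os.path.join(paths.VAR_KERBEROS_KRB5KDC_DIR, name)`. In upgrade_pki the argument `'-pki_instance_root=/var/lib'` stays hard-coded right next to the new `paths.PKI_SETUP_PROXY`; if the paths module has a constant for that directory it deserves the same treatment, otherwise a short comment stating that the value is the PKI tool's own instance root would stop the next reader from asking. The bodies of cleanup_kdc and upgrade_pki start and end outside their hunks.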

@ -22,6 +22,7 @@ man1_MANS = \
ipa-backup.1 \
ipa-restore.1 \
ipa-advise.1 \
ipa-otptoken-import.1 \
$(NULL)
man8_MANS = \

@ -0,0 +1,36 @@
.\" A man page for ipa-otptoken-import
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Nathaniel McCallum <npmccallum@redhat.com>
.\"
.TH "ipa-otptoken-import" "1" "Jun 12 2014" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file
.SH "SYNOPSIS"
ipa\-otptoken\-import [options] <infile> <outfile>
.SH "DESCRIPTION"
Running the command will attempt to import all tokens specified in \fBinfile\fR. If the command is unable to import a token, the reason for the failure will be printed to standard error and all failed tokens will be written to the \fBoutfile\fR for further inspection.
If the \fBinfile\fR contains encrypted token data, then the \fIkeyfile\fR (\fB-k\fR) option MUST be specified.
.SH "OPTIONS"
.TP
\fB\-k\fR \fIkeyfile\fR
File containing the key used to decrypt the token data.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

@ -98,10 +98,11 @@
"IPA.serial_associator",
"IPA.bulk_associator",
"IPA.association_config",
"spec_util",
"_base.debug",
"_base.Spec_mod",
"datetime",
"extend",
"spec_util",
"util"
]
}

@ -73,6 +73,16 @@
</div>
</div>
</div>
<div class="form-group">
<div class="col-sm-4 control-label">
<label for="otp">OTP</label>
</div>
<div class="col-sm-8 controls">
<div class="widget text-widget">
<input type="password" class="form-control" name="otp" id="otp" accesskey="o">
</div>
</div>
</div>
<div class="form-group">
<div class="col-sm-4 control-label">
<label for="new_password">New Password</label>
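Review bot: The new OTP field `<input type="password" class="form-control" name="otp" id="otp" accesskey="o">` carries no `autocomplete` attribute; because the value is single-use, adding `autocomplete="off"` tells the browser it should neither store the code nor offer it back, which is the behaviour a one-time value calls for. Whether the neighbouring password inputs set it is outside the hunk, so keep the three fields consistent either way. The enclosing form starts and ends outside the hunk.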

@ -20,7 +20,7 @@
var RP = {}; //Reset Password Page
RP.reset_password = function(username, old_password, new_password) {
RP.reset_password = function(username, old_password, new_password, otp) {
//possible results: 'ok', 'invalid-password', 'policy-error'
@ -55,6 +55,10 @@ RP.reset_password = function(username, old_password, new_password) {
new_password: new_password
};
if (otp) {
data.otp = otp;
}
request = {
url: '/ipa/session/change_password',
data: data,
@ -89,6 +93,7 @@ RP.on_submit = function() {
var username = $('#user').val();
var current_password = $('#old_password').val();
var otp = $('#otp').val();
var new_password = $('#new_password').val();
var verify_password = $('#verify_password').val();
@ -102,7 +107,7 @@ RP.on_submit = function() {
return;
}
var result = RP.reset_password(username, current_password, new_password);
var result = RP.reset_password(username, current_password, new_password, otp);
if (result.status !== 'ok') {
RP.show_error(result.message);
@ -116,6 +121,7 @@ RP.reset_form = function() {
$('.alert-danger').css('display', 'none');
$('.alert-success').css('display', 'none');
$('#old_password').val('');
$('#otp').val('');
$('#new_password').val('');
$('#verify_password').val('');
};
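Review bot: The comment under `RP.reset_password = function(username, old_password, new_password, otp)` still lists only the possible results and says nothing about the new optional parameter; add `// otp: optional one-time password, sent as data.otp only when non-empty` so the `if (otp)` guard later in the body is explained where the signature is read. The value comes from `$('#otp').val()` untrimmed, so a pasted code with trailing whitespace is sent as-is; whether the server tolerates that is not visible here. RP.reset_password's body starts in the hunk but continues past it.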

@ -35,10 +35,11 @@ define([
'./reg',
'./navigation/Menu',
'./navigation/Router',
'./navigation/routing',
'./navigation/menu_spec'
],
function(declare, lang, array, Deferred, on, topic, query, dom_class, auth,
JSON, App_widget, FacetContainer, IPA, reg, Menu, Router, menu_spec) {
JSON, App_widget, FacetContainer, IPA, reg, Menu, Router, routing, menu_spec) {
/**
* Application controller
@ -78,6 +79,7 @@ define([
init: function() {
this.menu = new Menu();
this.router = new Router();
routing.init(this.router);
var body_node = query('body')[0];
this.app_widget = new App_widget();
@ -181,7 +183,7 @@ define([
if (IPA.is_selfservice) {
this.on_profile();
} else {
this.router.navigate_to_entity_facet('user', 'search');
routing.navigate(routing.default_path);
}
},
@ -219,7 +221,7 @@ define([
},
on_profile: function() {
this.router.navigate_to_entity_facet('user', 'details', [IPA.whoami.uid[0]]);
routing.navigate(['entity', 'user', 'details', [IPA.whoami.uid[0]]]);
},
on_logout: function(event) {
@ -287,8 +289,7 @@ define([
on_facet_state_changed: function(event) {
if (event.facet === this.current_facet) {
var hash = this.router.create_hash(event.facet, event.state);
this.router.update_hash(hash, true);
routing.update_hash(event.facet, event.state);
}
},
@ -323,7 +324,7 @@ define([
if (menu_item) this.menu.select(menu_item);
// show facet
if (!facet.container) {
if (!facet.container_node) {
facet.container_node = container.widget.content_node;
on(facet, 'facet-state-change', lang.hitch(this, this.on_facet_state_changed));
}
@ -405,14 +406,15 @@ define([
if (!child) {
if(menu_item.entity) {
// entity pages
this.router.navigate_to_entity_facet(
routing.navigate([
'entity',
menu_item.entity,
menu_item.facet,
menu_item.pkeys,
menu_item.args);
menu_item.args]);
} else if (menu_item.facet) {
// concrete facets
this.router.navigate_to_facet(menu_item.facet, menu_item.args);
routing.navigate(['generic', menu_item.facet, menu_item.args]);
} else {
// categories, select first posible child, it may be the last
var children = this.menu.query({parent: menu_item.name });

@ -357,8 +357,7 @@ return {
name: 'memberof_permission',
facet_group: 'permission',
add_method: 'add_permission',
remove_method: 'remove_permission',
search_options: { 'ipapermbindruletype': 'permission' }
remove_method: 'remove_permission'
}
],
standard_association_facets: true,

@ -51,6 +51,7 @@ dialogs.password.default_fields_pre_op = function(spec) {
spec.width = spec.width || 400;
spec.sections = spec.sections || [
{
name: 'general',
fields: [
{
name: name,
@ -193,7 +194,7 @@ dialogs.password.dialog = function(spec) {
for (var j=0; j<fields.length; j++) {
var field = fields[j];
var values = field.save();
if (!values || values.length === 0) continue;
if (!values || values.length === 0 || !field.enabled) continue;
if (field.flags.indexOf('no_command') > -1) continue;
if (values.length === 1) {
@ -212,10 +213,12 @@ dialogs.password.dialog = function(spec) {
that.create_command = function() {
var options = that.make_otions();
var entity = null;
if (that.entity) entity = that.entity.name;
var command = rpc.command({
entity: that.entity.name,
entity: entity,
method: that.method,
args: that.pkeys,
args: that.args,
options: options,
on_success: function(data) {
that.on_success();
@ -301,7 +304,7 @@ dialogs.password.action = function(spec) {
ds.$type = 'password';
}
var dialog = builder.build('dialog', ds);
dialog.pkeys = facet.get_pkeys();
dialog.args = facet.get_pkeys();
dialog.succeeded.attach(function() {
if (that.refresh) facet.refresh();
});
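Review bot: The new skip test `if (!values || values.length === 0 || !field.enabled) continue;` also drops any field whose `enabled` property is simply undefined, not only one that was explicitly disabled; unless every field object is guaranteed to initialise `enabled`, `field.enabled === false` is the safer test. In `create_command`, `entity` is now `null` for a dialog without an entity, which stops the self-service path from dereferencing `that.entity.name`, but `args: that.args` is passed through unchecked, so a dialog built without `args` hands `undefined` to `rpc.command` — presumably tolerated there, worth confirming. The enclosing `dialogs.password.dialog` factory extends beyond these hunks.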


@ -862,18 +862,18 @@ IPA.dns.get_record_metadata = function() {
'ds_part_digest_type']
},
{
name: 'keyrecord',
name: 'dlvrecord',
attributes: [
'key_part_flags',
'key_part_protocol',
'key_part_algorithm',
'dlv_part_key_tag',
'dlv_part_algorithm',
'dlv_part_digest_type',
{
name: 'key_part_public_key',
name: 'dlv_part_digest',
$type: 'textarea'
}
],
columns: ['key_part_flags', 'key_part_protocol',
'key_part_algorithm']
columns: ['dlv_part_key_tag', 'dlv_part_algorithm',
'dlv_part_digest_type']
},
{
name: 'kxrecord',
@ -949,24 +949,18 @@ IPA.dns.get_record_metadata = function() {
columns: ['ns_part_hostname']
},
{
name: 'nsecrecord',
name: 'nsec3paramrecord',
attributes: [
'nsec_part_next',
'nsec_part_types'
// TODO: nsec_part_types is multivalued attribute. New selector
// widget or at least new validator should be created.
// {
// name: 'nsec_part_types',
// options: IPA.create_options(['SOA', 'A', 'AAAA', 'A6', 'AFSDB',
// 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY',
// 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR',
// 'NS', 'NSEC','NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP',
// 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']),
// $type: 'select'
// }
'nsec3param_part_algorithm',
'nsec3param_part_flags',
'nsec3param_part_iterations',
'nsec3param_part_salt'
],
adder_attributes: [],
columns: [ 'nsec_part_next', 'nsec_part_types']
columns: [
'nsec3param_part_algorithm', 'nsec3param_part_flags',
'nsec3param_part_iterations', 'nsec3param_part_salt'
]
},
{
name: 'ptrrecord',
@ -976,62 +970,6 @@ IPA.dns.get_record_metadata = function() {
adder_attributes: [],
columns: [ 'ptr_part_hostname']
},
{
name: 'rrsigrecord',
attributes: [
{
name: 'rrsig_part_type_covered',
$type: 'select',
options: IPA.create_options(['SOA', 'A', 'AAAA', 'A6', 'AFSDB',
'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME',
'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX',
'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3',
'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV',
'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT'])
},
'rrsig_part_algorithm',
'rrsig_part_labels',
'rrsig_part_original_ttl',
'rrsig_part_signature_expiration',
'rrsig_part_signature_inception',
'rrsig_part_key_tag',
'rrsig_part_signers_name',
{
name: 'rrsig_part_signature',
$type: 'textarea'
}
],
adder_attributes: [],
columns: ['dnsdata']
},
{
name: 'sigrecord',
attributes: [
{
name: 'sig_part_type_covered',
$type: 'select',
options: IPA.create_options(['SOA', 'A', 'AAAA', 'A6', 'AFSDB',
'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME',
'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX',
'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3',
'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV',
'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT'])
},
'sig_part_algorithm',
'sig_part_labels',
'sig_part_original_ttl',
'sig_part_signature_expiration',
'sig_part_signature_inception',
'sig_part_key_tag',
'sig_part_signers_name',
{
name: 'sig_part_signature',
$type: 'textarea'
}
],
adder_attributes: [],
columns: ['dnsdata']
},
{
name: 'srvrecord',
attributes: [
@ -1441,8 +1379,8 @@ IPA.dns_record_types = function() {
//only supported
var attrs = ['A', 'AAAA', 'A6', 'AFSDB', 'CERT', 'CNAME', 'DNAME',
'DS','KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC',
'PTR', 'RRSIG', 'SRV', 'SIG', 'SSHFP', 'TXT'];
'DS', 'DLV', 'KX', 'LOC', 'MX', 'NAPTR', 'NS',
'NSEC3PARAM', 'PTR', 'SRV', 'SSHFP', 'TXT'];
var record_types = [];
for (var i=0; i<attrs.length; i++) {
var attr = attrs[i];


@ -0,0 +1,60 @@
/* Authors:
* Petr Vobornik <pvoborni@redhat.com>
*
* Copyright (C) 2014 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
define([
'dojo/_base/lang',
'./jquery',
'./phases',
'./app_container',
'exports'
],function(lang, $, phases, app, extend) {
/**
* Extension interface
*
* This class provides interface for plugins and tries to hide underlying functionality
*
* @class extend
* @singleton
*/
lang.mixin(extend, {
/**
* Adds element to utility section
*
* This method doesn't do any correction. Expended root node type to add is
* by default `<li>`.
*
* Preferred phase: any after `init`
*
* @param {HTMLElement|jQuery} element Element to add to utility section
* @return {HTMLElement} Utility node
*/
add_menu_utility: function(element) {
// Should we check if we are in good stage or atleast report that app doesn't exist yet?
var $utility = $(app.app.app_widget.nav_util_tool_node);
$utility.prepend(element);
return $utility.eq(0);
}
});
return extend;
});
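Review bot: `add_menu_utility` documents `@return {HTMLElement}` but `$utility.eq(0)` returns a jQuery object, so either the tag should read `@return {jQuery}` or the method should `return $utility[0];`. The comment above the lookup already admits that `app.app.app_widget` may not exist yet; since this is the plugin-facing API, a guard such as `if (!app.app || !app.app.app_widget) throw 'Application not initialized';` gives a plugin author a clear error instead of a TypeError inside jQuery. `$utility.prepend(element)` would also parse a string argument as HTML, so the documented element-only signature is worth restating in the doc (`Strings are not accepted; pass a node or jQuery object`), and the doc typo `Expended root node type` presumably means `Expected`.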


@ -252,7 +252,7 @@ field.field = IPA.field = function(spec) {
* Default value
* @property {Mixed}
*/
that.default_value = null;
that.default_value = spec.default_value || null;
/**
* Field is dirty (value is modified)
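Review bot: `that.default_value = spec.default_value || null;` collapses every falsy default — `0`, `''`, `false` — to `null`, so a field configured with such a default silently loses it. `that.default_value = spec.default_value !== undefined ? spec.default_value : null;` maps only an absent spec value to `null`. The enclosing `field.field` factory continues outside this hunk.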


@ -516,7 +516,7 @@ IPA.login_password = function(username, password) {
* @return {string} result.status
* @return {string} result.message
*/
IPA.reset_password = function(username, old_password, new_password) {
IPA.reset_password = function(username, old_password, new_password, otp) {
//possible results: 'ok', 'invalid-password', 'policy-error'
@ -553,6 +553,10 @@ IPA.reset_password = function(username, old_password, new_password) {
new_password: new_password
};
if (otp) {
data.otp = otp;
}
request = {
url: '/ipa/session/change_password',
data: data,
@ -615,20 +619,20 @@ IPA.update_password_expiration = function() {
* @member IPA
*/
IPA.password_selfservice = function() {
var reset_dialog = IPA.user_password_dialog({
pkey: IPA.whoami.uid[0],
on_success: function() {
var command = IPA.get_whoami_command();
var orig_on_success = command.on_success;
command.on_success = function(data, text_status, xhr) {
orig_on_success.call(this, data, text_status, xhr);
IPA.update_password_expiration();
};
command.execute();
var reset_dialog = builder.build('dialog', {
$type: 'user_password',
args: [IPA.whoami.uid[0]]
});
reset_dialog.succeeded.attach(function() {
var command = IPA.get_whoami_command();
var orig_on_success = command.on_success;
command.on_success = function(data, text_status, xhr) {
orig_on_success.call(this, data, text_status, xhr);
IPA.update_password_expiration();
};
command.execute();
IPA.notify_success(text.get('@i18n:password.password_change_complete'));
reset_dialog.close();
}
IPA.notify_success(text.get('@i18n:password.password_change_complete'));
});
reset_dialog.open();
};
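Review bot: `IPA.reset_password` gains an `otp` parameter but the JSDoc block above it (only its `@return` tail is visible here) does not show a matching entry; add `@param {string} [otp] One-time password, sent only when non-empty`. In `IPA.password_selfservice` the rewritten success handler no longer calls `reset_dialog.close()` — presumably the builder-created dialog closes itself when `succeeded` fires, but that is worth confirming so the dialog does not stay open after a successful change. The `otp` value travels in the form-encoded POST body together with the passwords, which is the right place; it should not end up in the URL or in client-side logging.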


@ -21,16 +21,11 @@
define([
'dojo/_base/lang',
'./app_container',
'./ipa'
'./navigation/routing'
],
function(lang, app_container, IPA) {
function(lang, routing) {
var get_router = function() {
return app_container.app.router;
};
var navigation = {
/**
* Navigation tells application to show certain facet.
@ -77,7 +72,7 @@ define([
* type.
*
* When facet is defined as a string it has to be registered in
* facet register. //FIXME: not yet implemented
* facet register.
*
* When it's an object (Facet) and has an entity set it will be
* dealt as entity facet.
@ -88,7 +83,6 @@ define([
*/
show: function(arg1, arg2, arg3) {
var nav = get_router();
var params = {};
this.set_params(params, arg1);
@ -98,21 +92,20 @@ define([
var facet = params.facet;
if (typeof facet === 'string') {
// FIXME: doesn't work at the moment
throw 'Not yet supported';
//facet = IPA.get_facet(facet);
return routing.navigate(['generic', facet, params.args]);
}
if (!facet) throw 'Argument exception: missing facet';
if (facet && facet.entity) {
return nav.navigate_to_entity_facet(
return routing.navigate([
'entity',
facet.entity.name,
facet.name,
params.pkeys,
params.args);
params.args]);
} else {
return nav.navigate_to_facet(facet.name, params.args);
return routing.navigate(['generic', facet.name, params.args]);
}
},
@ -130,14 +123,27 @@ define([
* @param {Object|facet.facet|string|Function} arg3
*/
show_entity: function(entity_name, arg1, arg2, arg3) {
var nav = get_router();
var params = {};
this.set_params(params, arg1);
this.set_params(params, arg2);
this.set_params(params, arg3);
return nav.navigate_to_entity_facet(entity_name, params.facet,
params.pkeys, params.args);
return routing.navigate(['entity', entity_name, params.facet,
params.pkeys, params.args]);
},
/**
* Uses lower level access
*
* `experimental`
*
* Navigates to generic page by changing hash.
*
* @param {string} hash Hash of the change
* @param {Object} [facet] Facet we are navigating to. Usually used for
* notification purposes
*/
show_generic: function(hash, facet) {
routing.router.navigate_to_hash(hash, facet);
},
/**
@ -145,8 +151,7 @@ define([
* @method show_default
*/
show_default: function() {
// TODO: make configurable
return this.show_entity('user', 'search');
routing.navigate(routing.default_path);
}
};
return navigation;
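Review bot: `show_default` drops the `return` the old body had, while the sibling `show` and `show_entity` still return the navigator's result; `return routing.navigate(routing.default_path);` keeps the three methods consistent for callers that check the boolean. `show_generic` forwards the caller-built `hash` unchanged to `routing.router.navigate_to_hash`, so a one-line addition to its doc such as `* The hash is not validated here; unknown routes are reported by the router's route handler.` would set expectations for callers of this experimental entry point.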


@ -20,14 +20,10 @@
define(['dojo/_base/declare',
'dojo/_base/lang',
'dojo/_base/array',
'dojo/Evented',
'dojo/io-query',
'dojo/router',
'../ipa',
'../reg'
'dojo/router'
],
function(declare, lang, array, Evented, ioquery, router, IPA, reg) {
function(declare, lang, Evented, router) {
/**
* Router
@ -55,27 +51,6 @@ define(['dojo/_base/declare',
*/
route_prefix: '',
/**
* Variations of entity routes
* @property {Array.<string>}
*/
entity_routes: [
'/e/:entity/:facet/:pkeys/*args',
'/e/:entity/:facet//*args',
'/e/:entity/:facet/:pkeys',
'/e/:entity/:facet',
'/e/:entity'
],
/**
* Variations of simple page routes
* @property {Array.<string>}
*/
page_routes: [
'/p/:page/*args',
'/p/:page'
],
/**
* Used during facet changing. Set it to true in 'facet-change'
* event handler to stop the change.
@ -100,145 +75,22 @@ define(['dojo/_base/declare',
* @param {Function} handler to be associated with the route(s)
*/
register_route: function(route, handler) {
// TODO: add multiple routes for one handler
route = this.route_prefix + route;
this.route_handlers.push(router.register(route, lang.hitch(this, handler)));
if (route instanceof Array) {
for (var i=0, l=route.length; i<l; i++) {
this.register_route(route[i], handler);
}
} else {
var r = this.route_prefix + route;
this.route_handlers.push(router.register(r, lang.hitch(this, handler)));
}
},
/**
* Initializates router
* - registers handlers
*/
init_router: function() {
// entity pages
array.forEach(this.entity_routes, function(route) {
this.register_route(route, this.entity_route_handler);
}, this);
// special pages
array.forEach(this.page_routes, function(route) {
this.register_route(route, this.page_route_handler);
}, this);
},
/**
* Handler for entity routes
* Shouldn't be invoked directly.
* @param {Object} event route event args
*/
entity_route_handler: function(event) {
if (this.check_clear_ignore()) return;
var entity_name = event.params.entity;
var facet_name = event.params.facet;
var pkeys, args;
try {
pkeys = this._decode_pkeys(event.params.pkeys || '');
args = ioquery.queryToObject(event.params.args || '');
} catch (e) {
this._error('URI error', 'route', event.params);
return;
}
args.pkeys = pkeys;
// set new facet state
var entity = reg.entity.get(entity_name);
if (!entity) {
this._error('Unknown entity', 'route', event.params);
return;
}
var facet = entity.get_facet(facet_name);
if (!facet) {
this._error('Unknown facet', 'route', event.params);
return;
}
facet.reset_state(args);
this.show_facet(facet);
},
/**
* General facet route handler
* Shouldn't be invoked directly.
* @param {Object} event route event args
*/
page_route_handler: function(event) {
if (this.check_clear_ignore()) return;
var facet_name = event.params.page;
var args;
try {
args = ioquery.queryToObject(event.params.args || '');
} catch (e) {
this._error('URI error', 'route', event.params);
return;
}
// set new facet state
var facet = reg.facet.get(facet_name);
if (!facet) {
this._error('Unknown facet', 'route', event.params);
return;
}
facet.reset_state(args);
this.show_facet(facet);
},
/**
* Used for switching to entitie's facets. Current target facet
* state is used as params (pkeys, args) when none of pkeys and args
* are used (useful for switching to previous page with keeping the context).
*/
navigate_to_entity_facet: function(entity_name, facet_name, pkeys, args) {
var entity = reg.entity.get(entity_name);
if (!entity) {
this._error('Unknown entity', 'navigation', { entity: entity_name});
return false;
}
var facet = entity.get_facet(facet_name);
if (!facet) {
this._error('Unknown facet', 'navigation', { facet: facet_name});
return false;
}
// Use current state if none supplied
if (!pkeys && !args) {
args = facet.get_state();
}
args = args || {};
// Facets may be nested and require more pkeys than supplied.
args.pkeys = facet.get_pkeys(pkeys);
var hash = this._create_entity_facet_hash(facet, args);
return this.navigate_to_hash(hash, facet);
},
/**
* Navigate to other facet.
*/
navigate_to_facet: function(facet_name, args) {
var facet = reg.facet.get(facet_name);
if (!facet) {
this._error('Unknown facet', 'navigation', { facet: facet_name});
return false;
}
if (!args) args = facet.get_state();
var hash = this._create_facet_hash(facet, args);
return this.navigate_to_hash(hash, facet);
},
/**
* Low level function.
* Navigate to given hash
*
* Public usage should be limited reinitializing canceled navigations.
* @fires facet-change
* @fires facet-change-canceled
*/
navigate_to_hash: function(hash, facet) {
@ -272,48 +124,6 @@ define(['dojo/_base/declare',
return ignore;
},
/**
* Creates from facet state appropriate hash.
*/
_create_entity_facet_hash: function(facet, state) {
state = lang.clone(state);
var entity_name = facet.entity.name;
var pkeys = this._encode_pkeys(state.pkeys || []);
delete state.pkeys;
var args = ioquery.objectToQuery(state || {});
var path = [this.route_prefix, 'e', entity_name, facet.name];
if (!IPA.is_empty(args)) path.push(pkeys, args);
else if (!IPA.is_empty(pkeys)) path.push(pkeys);
var hash = path.join('/');
return hash;
},
/**
* Creates hash of general facet.
*/
_create_facet_hash: function(facet, state) {
var args = ioquery.objectToQuery(state.args || {});
var path = [this.route_prefix, 'p', facet.name];
if (!IPA.is_empty(args)) path.push(args);
var hash = path.join('/');
return hash;
},
/**
* Creates hash from supplied facet and state.
*
* @param {facet.facet} facet
* @param {Object} state
*/
create_hash: function(facet, state) {
if (facet.entity) return this._create_entity_facet_hash(facet, state);
else return this._create_facet_hash(facet, state);
},
/**
* Tells other component to show given facet.
*/
@ -324,34 +134,6 @@ define(['dojo/_base/declare',
});
},
/**
* URI Encodes array items and delimits them by '&'
* Example: ['foo ', 'bar'] => 'foo%20&bar'
*/
_encode_pkeys: function(pkeys) {
var ret = [];
array.forEach(pkeys, function(pkey) {
ret.push(encodeURIComponent(pkey));
});
return ret.join('&');
},
/**
* Splits strings by '&' and return an array of URI decoded parts.
* Example: 'foo%20&bar' => ['foo ', 'bar']
*/
_decode_pkeys: function(str) {
if (!str) return [];
var keys = str.split('&');
for (var i=0; i<keys.length; i++) {
keys[i] = decodeURIComponent(keys[i]);
}
return keys;
},
/**
* Raise 'error'
* @protected
@ -375,7 +157,6 @@ define(['dojo/_base/declare',
constructor: function(spec) {
spec = spec || {};
this.init_router();
}
});
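Review bot: `register_route` tests `route instanceof Array`, which is false for an array created in another frame or realm; `Array.isArray(route)` (or dojo's `lang.isArray`, since `lang` is still imported) avoids that. With `init_router` removed from the constructor, a bare `Router` no longer registers any route on its own and presumably relies on `routing.init` being called with it; a sentence in the class doc, e.g. `Routes are registered externally (see navigation.routing.init); a Router instance handles nothing by itself.`, would save the next reader from searching for the missing registration.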


@ -0,0 +1,505 @@
/* Authors:
* Petr Vobornik <pvoborni@redhat.com>
*
* Copyright (C) 2014 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
define([
'dojo/_base/declare',
'dojo/_base/lang',
'dojo/_base/array',
'dojo/io-query',
'../reg',
'../util'
],
function(declare, lang, array, ioquery, reg, util) {
/**
* Routing mechanism
* @class navigation.routing
* @singleton
*/
var routing = {
/**
* Router instance
* @property {navigation.Router}
*/
router: null,
/**
* Map of router handlers
* @property {Object}
*/
route_handlers: {},
/**
* Map of hash creators
* @property {Object}
*/
hash_creators: {},
/**
* Facet name to hash creator map
*
* - Key: facet name
* - Value: hash creator
*
* @type {Object}
*/
hc_facet_map: {},
/**
* Hash creator priority queue
*
* First item == highest priority
*
* @type {Array}
*/
hc_queue: [],
/**
* Map of navigators
* @type {Object}
*/
navigators: {},
/**
* Add hash creator at the beginning of hash creator queue
* @param {navigation.routing.HashCreator} hash_creator
* @param {Number} [position]
*/
add_hash_creator: function(hash_creator, position) {
if (position !== undefined) {
this.hc_queue.splice(position, 0, hash_creator);
} else {
this.hc_queue.unshift(hash_creator);
}
},
/**
* Add hash creator to hash creator map
* @param {string} facet_name
* @param {navigation.routing.HashCreator} hash_creator
*/
assign_hash_creator: function (facet_name, hash_creator) {
this.hc_facet_map[facet_name] = hash_creator;
},
/**
* Get hash creator for given facet
*
* Lookup priority:
*
* - facet -> hash creator map
* - hash creator queue
*
* @param {facets.Facet} facet [description]
* @return {navigation.routing.HashCreator}
*/
get_hash_creator: function(facet) {
var name = facet.name;
var hc = this.hc_facet_map[name];
if (!hc) {
for (var i=0, l=this.hc_queue.length; i<l; i++) {
if (this.hc_queue[i].handles(facet)) {
hc = this.hc_queue[i];
break;
}
}
}
return hc || null;
},
/**
* Create hash for given facet
*
* @param {facets.Facet} facet
* @param {Object|null} options
* @return {string} hash
*/
create_hash: function(facet, options) {
var hc = this.get_hash_creator(facet);
if (!hc) return '';
return hc.create_hash(this.router, facet, options);
},
/**
* Navigate by a Navigator
*
* Expects path as argument. Path is an array where
* first element is name of the Navigator, rest are
* navigators params.
*
* @param {Array} path
* @return {boolean}
*/
navigate: function(path) {
path = path.slice(0);
var nav_name = path.shift();
var nav = this.get_navigator(nav_name);
return nav.navigate.apply(nav, path);
},
/**
* Navigate to specific facet with give options
* @param {facets.Facet} facet
* @param {Object} options Options for hash creator
* @return {boolean}
*/
navigate_to_facet: function(facet, options) {
var hash = this.create_hash(facet, options);
return this.router.navigate_to_hash(hash);
},
update_hash: function(facet, options) {
var hash = this.create_hash(facet, options);
this.router.update_hash(hash, true);
},
/**
* Add route handler to router
* @param {string|string[]} route Route or routes.
* @param {navigation.routing.RouteHandler} handler Handler
*/
add_route: function(route, handler) {
this.route_handlers[handler.name] = handler;
this.router.register_route(route, handler.get_handler());
},
/**
* Add navigator
* @param {navigation.routing.Navigator} navigator
*/
add_navigator: function(navigator) {
this.navigators[navigator.name] = navigator;
},
/**
* Get navigator by name
* @param {string} name Navigator's name
* @return {navigation.routing.Navigator}
*/
get_navigator: function(name) {
return this.navigators[name];
},
/**
* Path for default facet
* @type {Array}
*/
default_path: ['entity', 'user', 'search'],
/**
* Variations of entity routes
* @property {string[]}
*/
entity_routes: [
'/e/:entity/:facet/:pkeys/*args',
'/e/:entity/:facet//*args',
'/e/:entity/:facet/:pkeys',
'/e/:entity/:facet',
'/e/:entity'
],
/**
* Variations of simple page routes
* @property {string[]}
*/
page_routes: [
'/p/:page/*args',
'/p/:page'
]
};
/**
* General route handler
*
* @class navigation.routing.RouteHandler
*/
routing.RouteHandler = declare([], {
handler: null,
name: 'generic',
/**
* Handle router event
* @param {Object} event
* @param {navigation.Router} router
*/
handle: function (event, router) {
if (router.check_clear_ignore()) return;
var facet_name = event.params.page;
var args;
try {
args = ioquery.queryToObject(event.params.args || '');
} catch (e) {
router._error('URI error', 'route', event.params);
return;
}
// set new facet state
var facet = reg.facet.get(facet_name);
if (!facet) {
router._error('Unknown facet', 'route', event.params);
return;
}
facet.reset_state(args);
router.show_facet(facet);
},
/**
* Create handler callback for router
* @return {Function} callback
*/
get_handler: function() {
if (!this.handler) {
var self = this;
this.handler = function(event) {
self.handle(event, this);
};
}
return this.handler;
}
});
/**
* Entity route handler
*
* @class navigation.routing.EntityRouteHandler
* @extends {navigation.routing.RouteHandler}
*/
routing.EntityRouteHandler = declare([routing.RouteHandler], {
name: 'entity',
/**
* @inheritDoc
*/
handle: function (event, router) {
if (router.check_clear_ignore()) return;
var entity_name = event.params.entity;
var facet_name = event.params.facet;
var pkeys, args;
try {
pkeys = this._decode_pkeys(event.params.pkeys || '');
args = ioquery.queryToObject(event.params.args || '');
} catch (e) {
router._error('URI error', 'route', event.params);
return;
}
args.pkeys = pkeys;
// set new facet state
var entity = reg.entity.get(entity_name);
if (!entity) {
router._error('Unknown entity', 'route', event.params);
return;
}
var facet = entity.get_facet(facet_name);
if (!facet) {
router._error('Unknown facet', 'route', event.params);
return;
}
facet.reset_state(args);
router.show_facet(facet);
},
/**
* Splits strings by '&' and return an array of URI decoded parts.
* Example: 'foo%20&bar' => ['foo ', 'bar']
*/
_decode_pkeys: function(str) {
if (!str) return [];
var keys = str.split('&');
for (var i=0; i<keys.length; i++) {
keys[i] = decodeURIComponent(keys[i]);
}
return keys;
}
});
/**
* Hash creator creates a hash string from given facet and options
*
* This is default hash creator for generic facets.
*
* @class navigation.routing.HashCreator
*/
routing.HashCreator = declare([], {
prefix: 'p',
name: 'generic',
create_hash: function(router, facet, options) {
var path = [router.route_prefix, this.prefix, facet.name];
var args = ioquery.objectToQuery(options || {});
if (!util.is_empty(args)) path.push(args);
var hash = path.join('/');
return hash;
},
handles: function(facet) {
return true;
}
});
/**
* Hash creator for entity facets
* @class navigation.routing.EntityHashCreator
* @extends navigation.routing.HashCreator
*/
routing.EntityHashCreator = declare([routing.HashCreator], {
prefix: 'e',
name: 'entity',
create_hash: function(router, facet, options) {
options = lang.clone(options);
var entity_name = facet.entity.name;
var pkeys = this._encode_pkeys(options.pkeys || []);
delete options.pkeys;
var args = ioquery.objectToQuery(options || {});
var path = [router.route_prefix, this.prefix, entity_name, facet.name];
if (!util.is_empty(args)) path.push(pkeys, args);
else if (!util.is_empty(pkeys)) path.push(pkeys);
var hash = path.join('/');
return hash;
},
handles: function(facet) {
return !!facet.entity;
},
/**
* URI Encodes array items and delimits them by '&'
* Example: ['foo ', 'bar'] => 'foo%20&bar'
*/
_encode_pkeys: function(pkeys) {
var ret = [];
array.forEach(pkeys, function(pkey) {
ret.push(encodeURIComponent(pkey));
});
return ret.join('&');
}
});
/**
* Navigate to other facet.
*
* @class navigation.routing.Navigator
*/
routing.Navigator = declare([], {
name: 'generic',
navigate: function(facet_name, args) {
var facet = reg.facet.get(facet_name);
if (!facet) {
routing.router._error('Unknown facet', 'navigation', { facet: facet_name});
return false;
}
if (!args) args = facet.get_state();
return routing.navigate_to_facet(facet, args);
}
});
/**
* Used for switching to entities' facets. Current target facet
* state is used as params (pkeys, args) when none of pkeys and args
* are used (useful for switching to previous page with keeping the context).
*
* @class navigation.routing.EntityNavigator
* @extends navigation.routing.Navigator
*/
routing.EntityNavigator = declare([routing.Navigator], {
name: 'entity',
navigate: function(entity_name, facet_name, pkeys, args) {
var entity = reg.entity.get(entity_name);
if (!entity) {
routing.router._error('Unknown entity', 'navigation', { entity: entity_name});
return false;
}
var facet = entity.get_facet(facet_name);
if (!facet) {
routing.router._error('Unknown facet', 'navigation', { facet: facet_name});
return false;
}
// Use current state if none supplied
if (!pkeys && !args) {
args = facet.get_state();
}
args = args || {};
// Facets may be nested and require more pkeys than supplied.
args.pkeys = facet.get_pkeys(pkeys);
return routing.navigate_to_facet(facet, args);
}
});
/**
* Init routing
*
* Sets default routes, handlers, hash creators and navigators
*
* @param {navigation.Router} router
*/
routing.init = function(router) {
if (router) this.router = router;
var generic_hc = new routing.HashCreator();
var entity_hc = new routing.EntityHashCreator();
var generic_rh = new routing.RouteHandler();
var entity_rh = new routing.EntityRouteHandler();
var generic_n = new routing.Navigator();
var entity_n = new routing.EntityNavigator();
this.add_hash_creator(generic_hc);
this.add_hash_creator(entity_hc);
this.add_route(this.routes, generic_rh);
this.add_route(this.entity_routes, entity_rh);
this.add_navigator(generic_n);
this.add_navigator(entity_n);
};
return routing;
});
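Review bot: `routing.init` calls `this.add_route(this.routes, generic_rh)` but the object defines no `routes` property — the generic page routes live in `page_routes`, declared just below `entity_routes` — so `register_route` receives `undefined` and registers the literal route `route_prefix + 'undefined'` instead of `/p/:page` and `/p/:page/*args`; the line should read `this.add_route(this.page_routes, generic_rh);`. Two smaller gaps: `navigate` dereferences `this.get_navigator(nav_name)` without checking for an unknown navigator name, so a bad path throws a TypeError rather than going through `router._error`, and `EntityHashCreator.create_hash` does `lang.clone(options)` followed by `options.pkeys` although `create_hash` documents `options` as `Object|null`, so `options = lang.clone(options || {});` is needed there. `update_hash` is the only public method on the `routing` object without a doc comment.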


@ -22,18 +22,20 @@
*/
define([
'./builder',
'./ipa',
'./jquery',
'./phases',
'./reg',
'./rpc',
'./text',
'./dialogs/password',
'./details',
'./search',
'./association',
'./entity',
'./certificate'],
function(IPA, $, phases, reg, rpc, text) {
function(builder, IPA, $, phases, reg, rpc, text, password_dialog) {
/**
* User module
@ -509,155 +511,57 @@ IPA.user_password_widget = function(spec) {
return that;
};
IPA.user_password_dialog = function(spec) {
IPA.user.password_dialog_pre_op0 = function(spec) {
spec = spec || {};
spec.password_name = spec.password_name || 'password';
return spec;
};
spec.width = spec.width || 400;
spec.title = spec.title || '@i18n:password.reset_password';
spec.sections = spec.sections || [];
IPA.user.password_dialog_pre_op = function(spec) {
spec.sections.push(
{
name: 'input',
fields: [
{
name: 'current_password',
label: '@i18n:password.current_password',
$type: 'password',
required: true
},
{
name: 'password1',
label: '@i18n:password.new_password',
$type: 'password',
required: true
},
{
name: 'password2',
label: '@i18n:password.verify_password',
$type: 'password',
validators: [{
$type: 'same_password',
other_field: 'password1'
}],
required: true
}
]
});
spec.sections[0].fields.splice(0, 0, {
name: 'current_password',
label: '@i18n:password.current_password',
$type: 'password',
required: true
}, {
name: 'otp',
label: '@i18n:password.otp',
$type: 'password'
});
var that = IPA.dialog(spec);
spec.method = spec.method || 'passwd';
IPA.confirm_mixin().apply(that);
return spec;
};
that.success_handler = spec.on_success;
that.error_handler = spec.on_error;
that.pkey = spec.pkey;
IPA.user.password_dialog = function(spec) {
var that = password_dialog.dialog(spec);
that.is_self_service = function() {
var self_service = that.pkey === IPA.whoami.uid[0];
var self_service = that.args[0] === IPA.whoami.uid[0];
return self_service;
};
that.open = function() {
that.dialog_open();
var self_service = that.is_self_service();
var section = that.widgets.get_widget('input');
var current_password_f = that.fields.get_field('current_password');
var current_pw_f = that.fields.get_field('current_password');
var current_pw_w = that.widgets.get_widget('general.current_password');
var otp_f = that.fields.get_field('otp');
var otp_w = that.widgets.get_widget('general.otp');
current_pw_f.set_required(self_service);
current_pw_f.set_enabled(self_service);
current_pw_w.set_visible(self_service);
otp_f.set_enabled(self_service);
otp_w.set_visible(self_service);
that.dialog_open();
section.set_row_visible('current_password', self_service);
current_password_f.set_required(self_service);
that.focus_first_element();
};
that.create_buttons = function() {
that.create_button({
name: 'reset_password',
label: '@i18n:password.reset_password',
click: that.on_reset_click
});
that.create_button({
name: 'cancel',
label: '@i18n:buttons.cancel',
click: function() {
that.close();
}
});
};
that.on_confirm = function() {
that.on_reset_click();
};
that.on_reset_click = function() {
if (!that.validate()) return;
var self_service = that.is_self_service();
var record = {};
that.save(record);
var current_password = self_service ? record.current_password[0] : undefined;
var new_password = record.password1[0];
var repeat_password = record.password2[0];
that.set_password(
that.pkey,
current_password,
new_password,
that.on_reset_success,
that.on_reset_error);
};
that.set_password = function(pkey, current_password, password, on_success, on_error) {
var command = rpc.command({
method: 'passwd',
args: [ pkey ],
options: {
current_password: current_password,
password: password
},
on_success: on_success,
on_error: on_error
});
command.execute();
};
that.on_reset_success = function(data, text_status, xhr) {
if (that.success_handler) {
that.success_handler.call(this, data, text_status, xhr);
} else {
IPA.notify_success('@i18n:password.password_change_complete');
that.close();
// refresh password expiration field
that.facet.refresh();
if (that.is_self_service()) {
var command = IPA.get_whoami_command();
command.execute();
}
}
};
that.on_reset_error = function(xhr, text_status, error_thrown) {
if (that.error_handler) {
that.error_handler.call(this, xhr, text_status, error_thrown);
} else {
that.close();
}
};
that.create_buttons();
return that;
};
@ -672,10 +576,17 @@ IPA.user.reset_password_action = function(spec) {
that.execute_action = function(facet) {
var dialog = IPA.user_password_dialog({
entity: facet.entity,
facet: facet,
pkey: facet.get_pkey()
var dialog = builder.build('dialog', {
$type: 'user_password',
args: [facet.get_pkey()]
});
dialog.succeeded.attach(function() {
facet.refresh();
if (dialog.is_self_service()) {
var command = IPA.get_whoami_command();
command.execute();
}
});
dialog.open();
@ -688,8 +599,14 @@ exp.entity_spec = make_spec();
exp.register = function() {
var e = reg.entity;
var a = reg.action;
var d = reg.dialog;
e.register({type: 'user', spec: exp.entity_spec});
a.register('reset_password', IPA.user.reset_password_action);
d.copy('password', 'user_password', {
factory: IPA.user.password_dialog,
pre_ops: [IPA.user.password_dialog_pre_op]
});
d.register_pre_op('user_password', IPA.user.password_dialog_pre_op0, true);
};
phases.on('registration', exp.register);
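Review bot: `is_self_service` compares `that.args[0]` with `IPA.whoami.uid[0]` and throws a TypeError when the dialog is built without `args`; both builders on this page pass one, but the dialog is now registered as `user_password` for any caller, so `var self_service = !!that.args && that.args[0] === IPA.whoami.uid[0];` keeps it total. This check only decides which inputs are shown and sent — presumably the server decides whether `current_password` is actually required for the `passwd` call — and a comment on the method such as `// UI-only: the server enforces whether current_password is required` would stop a reader from treating it as an authorization check. `password_dialog_pre_op` inserts into `spec.sections[0].fields`, which depends on the base password dialog's pre-op having already created the `general` section; if that ordering is not guaranteed by `register_pre_op`, either a `spec.sections = spec.sections || [{ name: 'general', fields: [] }];` fallback or a comment stating the dependency belongs here.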


@ -268,6 +268,12 @@ IPA.input_widget = function(spec) {
var that = IPA.widget(spec);
/**
* Placeholder
* @property {string}
*/
that.placeholder = text.get(spec.placeholder);
/**
* Widget's width.
* @deprecated
@ -709,6 +715,7 @@ IPA.text_widget = function(spec) {
'class': 'form-control',
size: that.size,
title: that.tooltip,
placeholder: that.placeholder,
keyup: function() {
that.on_value_changed();
}
@ -1975,6 +1982,7 @@ IPA.textarea_widget = function (spec) {
'class': 'form-control',
readOnly: !!that.read_only,
title: that.tooltip,
placeholder: that.placeholder,
keyup: function() {
that.on_value_changed();
}
@ -5747,6 +5755,7 @@ exp.activity_widget = IPA.activity_widget = function(spec) {
exp.pre_op = function(spec, context) {
if (context.facet) spec.facet = context.facet;
if (context.parent) spec.parent = context.parent;
if (context.entity) spec.entity = context.entity;
return spec;
};
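Review bot: The doc comment on the new `placeholder` property at the top of the first hunk says only "Placeholder", which leaves unstated that the value passes through `text.get` (so `@i18n:` keys resolve to translated strings) and is then handed straight to the input's attribute map in `text_widget` and `textarea_widget`; suggest `* Placeholder text for the empty input; resolved via text.get, so '@i18n:' keys are translated. Applied by text_widget and textarea_widget.` Whether the `password` widget type, which the login screen's new fields rely on, inherits this from `text_widget` is not visible in this section and is worth confirming. The enclosing `IPA.input_widget` and the `exp.pre_op` in the last hunk both extend beyond the lines shown.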

@ -147,6 +147,8 @@ define(['dojo/_base/declare',
this.widgets = ordered_map();
var builder_spec = spec.widget_builder || widget_mod.widget_builder;
this.widget_builder = builder.build(null, builder_spec);
this.widget_builder.widget_options = this.widget_builder.widget_options || {};
this.widget_builder.widget_options.parent = this;
}
});

@ -78,6 +78,8 @@ define(['dojo/_base/declare',
password_expired: "Your password has expired. Please enter a new password.",
password_change_complete: "Password change complete",
denied: "Sorry you are not allowed to access this service.",
caps_warning_msg: "Warning: CAPS LOCK key is on",
@ -417,23 +419,36 @@ define(['dojo/_base/declare',
if (!this.validate()) return;
var psw_f = this.get_field('password');
var psw_f2 = this.get_field('current_password');
var otp_f = this.get_field('otp');
var new_f = this.get_field('new_password');
var ver_f = this.get_field('verify_password');
var username_f = this.get_field('username');
var psw = psw_f2.get_value()[0] || psw_f.get_value()[0];
var otp = otp_f.get_value()[0];
var result = IPA.reset_password(
username_f.get_value()[0],
psw_f.get_value()[0],
new_f.get_value()[0]);
psw,
new_f.get_value()[0],
otp);
if (result.status === 'ok') {
psw_f.set_value(new_f.get_value());
this.login();
val_summary.add_success('login', this.password_change_complete);
psw_f.set_value('');
psw_f2.set_value('');
// do not login if otp is used because it will fail (reuse of OTP)
if (!otp) {
psw_f.set_value(new_f.get_value());
this.login();
}
this.set('view', 'login');
} else {
val_summary.add_error('login', result.message);
}
otp_f.set_value('');
new_f.set_value('');
ver_f.set_value('');
},
@ -456,7 +471,12 @@ define(['dojo/_base/declare',
}
if (this.password_enabled()) {
this.use_fields(['username', 'password']);
this.get_widget('username').focus_input();
var username_f = this.get_field('username');
if (username_f.get_value()[0]) {
this.get_widget('password').focus_input();
} else {
this.get_widget('username').focus_input();
}
} else {
this.use_fields([]);
this.login_btn_node.focus();
@ -469,14 +489,14 @@ define(['dojo/_base/declare',
if (this.buttons_node) {
construct.place(this.reset_btn_node, this.buttons_node);
}
this.use_fields(['username_r', 'new_password', 'verify_password']);
this.use_fields(['username_r', 'current_password', 'otp', 'new_password', 'verify_password']);
var val_summary = this.get_widget('validation');
var u_f = this.fields.get('username');
var u_r_f = this.fields.get('username_r');
u_r_f.set_value(u_f.get_value());
this.get_widget('new_password').focus_input();
this.get_widget('current_password').focus_input();
},
use_fields: function(names) {
@ -536,6 +556,9 @@ define(['dojo/_base/declare',
this.kerberos_msg = this.kerberos_msg.replace('${host}', window.location.hostname);
this.password_change_complete = text.get(spec.password_change_complete ||
'@i18n:password.password_change_complete', this.password_change_complete);
this.krb_auth_failed = text.get(spec.krb_auth_failed, this.krb_auth_failed);
}
});
@ -545,6 +568,7 @@ define(['dojo/_base/declare',
$type: 'text',
name: 'username',
label: text.get('@i18n:login.username', "Username"),
placeholder: text.get('@i18n:login.username', "Username"),
show_errors: false,
undo: false
},
@ -552,6 +576,7 @@ define(['dojo/_base/declare',
$type: 'password',
name: 'password',
label: text.get('@i18n:login.password', "Password"),
placeholder: text.get('@i18n:login.password_and_otp', 'Password or Password+One-Time-Password'),
show_errors: false,
undo: false
},
@ -562,11 +587,28 @@ define(['dojo/_base/declare',
show_errors: false,
undo: false
},
{
name: 'current_password',
$type: 'password',
label: text.get('@i18n:login.current_password', "Current Password"),
placeholder: text.get('@i18n:login.current_password', "Current Password"),
show_errors: false,
undo: false
},
{
name: 'otp',
$type: 'password',
label: text.get('@i18n:password.otp', "OTP"),
placeholder: text.get('@i18n:password.otp_long', 'One-Time-Password'),
show_errors: false,
undo: false
},
{
name: 'new_password',
$type: 'password',
required: true,
label: text.get('@i18n:password.new_password)', "New Password"),
placeholder: text.get('@i18n:password.new_password)', "New Password"),
show_errors: false,
undo: false
},
@ -575,6 +617,7 @@ define(['dojo/_base/declare',
$type: 'password',
required: true,
label: text.get('@i18n:password.verify_password', "Verify Password"),
placeholder: text.get('@i18n:password.new_password)', "New Password"),
validators: [{
$type: 'same_password',
other_field: 'new_password'
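Review bot: The placeholder added to the `verify_password` field in the last hunk reuses the new-password key and text, `text.get('@i18n:password.new_password)', "New Password")`, so a field labelled "Verify Password" prompts for "New Password"; it should read `placeholder: text.get('@i18n:password.verify_password', "Verify Password"),`. The key itself carries a stray `)` (`password.new_password)`), copied from the pre-existing `new_password` label into its new placeholder line, which cannot match the `new_password` message in the i18n file, so both lines silently fall back to the English default; `'@i18n:password.new_password'` fixes that. The field list continues past the end of the hunk.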

@ -115,7 +115,7 @@ var profile = (function(){
layers: {
"freeipa/app": {
include: ["freeipa/app"]
include: ["freeipa/app", "freeipa/extend"]
}
}
};

@ -512,7 +512,10 @@
"invalid_password": "The password or username you entered is incorrect.",
"new_password": "New Password",
"new_password_required": "New password is required",
"otp": "OTP",
"otp_long": "One-Time-Password",
"password": "Password",
"password_and_otp": "Password or Password+One-Time-Password",
"password_change_complete": "Password change complete",
"password_must_match": "Passwords must match",
"reset_failure": "Password reset was not successful.",

@ -1,6 +1,23 @@
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")'
add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
# Fix for #4324 (regression of #1309)
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
remove:schema-compat-entry-attribute:'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
remove:schema-compat-entry-attribute:'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
remove:schema-compat-entry-attribute:'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
# We need to add the value in a separate transaction
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")'
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'
add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
# Change padding for host and userCategory so the pad returns the same value
# as the original, '' or -.
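Review bot: The second stanza (from the repeated `dn: cn=sudoers,...` line onward) adds six `%ifeq` mappings without a comment on what they change: when `ipaSudoRunAsUserCategory` or `ipaSudoRunAsGroupCategory` is `all`, the compat entry appears to emit the literal `sudoRunAsUser=ALL` / `sudoRunAsGroup=ALL` instead of the per-attribute expansion, and the `remove:` lines in the first stanza drop the unconditional forms so a rule does not emit both. A one-line comment above the first `add:` would make that intent reviewable, e.g. `# Emit the literal ALL when the RunAs category is "all"; otherwise expand the explicit RunAs user/group values as before`. The update file continues past the end of the hunk.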

@ -23,11 +23,15 @@ add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc ||
# Read access to containers
dn: $SUFFIX
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
# Read access to masters (but not their services)
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)'
# Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
dn: cn=kerberos,$SUFFIX
add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)'
@ -39,7 +43,8 @@ remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword |
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
remove:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
# Write-only
remove:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
@ -65,3 +70,13 @@ remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac";
dn: cn=sudo,$SUFFIX
remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
# Get Keytab operation Access Control
dn: cn=accounts,$SUFFIX
add:aci: '(targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Users allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#USERDN";)'
add:aci: '(targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Groups allowed to retrieve keytab keys"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)'
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Users allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#USERDN";)'
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Groups allowed to create keytab keys"; allow(write) userattr="ipaAllowedToPerform;write_keys#GROUPDN";)'
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)'
add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
add:aci: '(targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)'
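Review bot: The keytab ACIs in the last hunk (`cn=accounts,$SUFFIX`, `ipaProtectedOperation;read_keys` / `write_keys`) depend on an invariant that is only visible one hunk earlier, where `ipaProtectedOperation` is appended to the excluded attributes of "Admin can manage any entry": without that exclusion the admins group would gain read_keys implicitly and the explicit `userattr="ipaAllowedToPerform;read_keys#USERDN"` grants would be moot. Admins are deliberately granted only write_keys ("Admins are allowed to rekey any entity") and no read_keys, so admins membership alone never allows retrieving an existing key; a comment above the `# Get Keytab operation Access Control` stanza should state this, e.g. `# read_keys is never granted implicitly: "Admin can manage any entry" excludes ipaProtectedOperation, so only ipaAllowedToPerform holders may retrieve keys; admins and self may only write (rekey).` In the first hunk the container-read ACI appears to be replaced by one that no longer excludes `ipaVirtualOperation` entries from anonymous read of `objectclass || cn`; the old/new side of that pair is not marked on this page, but if that is the direction, a comment on why virtual-operation containers may be anonymously listed would help.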

@ -25,80 +25,6 @@ default:objectClass: top
default:cn: HBAC Administrator
default:description: HBAC Administrator
dn: cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add HBAC rule
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete HBAC rule,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete HBAC rule
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Modify HBAC rule
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Manage HBAC rule membership,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Manage HBAC rule membership
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Add HBAC services,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add HBAC services
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete HBAC services,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete HBAC services
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Add HBAC service groups,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add HBAC service groups
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete HBAC service groups,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete HBAC service groups
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Manage HBAC service group membership,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Manage HBAC service group membership
default:member: cn=HBAC Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,$SUFFIX";)'
# SUDO
dn: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
@ -108,60 +34,6 @@ default:objectClass: top
default:cn: Sudo Administrator
default:description: Sudo Administrator
dn: cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Sudo command
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete Sudo command
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Modify Sudo command
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Add Sudo command group,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Sudo command group
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete Sudo command group,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete Sudo command group
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Manage Sudo command group membership
default:member: cn=Sudo Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
remove:aci: '(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX";)'
# Password Policy
dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
@ -170,83 +42,14 @@ default:objectClass: top
default:cn: Password Policy Administrator
default:description: Password Policy Administrator
dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Group Password Policy costemplate
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete Group Password Policy costemplate
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Modify Group Password Policy costemplate
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Add Group Password Policy
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Delete Group Password Policy
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: groupofnames
default:objectClass: ipapermission
default:objectClass: top
default:cn: Modify Group Password Policy
default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
# Allow an admin to enroll a host that has a one-time password.
# When a host is created with a password no krbPrincipalName is set.
# This will let it be added if the client ends up enrolling with
# an administrator instead.
dn: cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Add krbPrincipalName to a host
default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
default:member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)'
dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
# Don't allow admins to update enrolledBy
dn: $SUFFIX
replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)'
# The original DNS permissions lacked the tag.
dn: $SUFFIX
replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
remove:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
# SELinux User Mapping
dn: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
@ -256,71 +59,6 @@ default:objectClass: nestedgroup
default:cn: SELinux User Map Administrators
default:description: SELinux User Map Administrators
dn: cn=Add SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Add SELinux User Maps
default:member: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Remove SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Remove SELinux User Maps
default:member: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Modify SELinux User Maps
default:member: cn=SELinux User Map Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci:'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)'
dn: $SUFFIX
add:aci:'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)'
dn: $SUFFIX
add:aci:'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)'
# Automount maps and keys
dn: cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Modify Automount maps
default:member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Modify Automount keys
default:member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci:'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)'
add:aci:'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)'
dn: cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Manage Host SSH Public Keys
default:member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)'
# Don't allow the default 'manage group membership' to be able to manage the
# admins group
replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
@ -333,6 +71,7 @@ add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
default:objectClass: nestedgroup
@ -356,41 +95,50 @@ add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config
# Virtual operations
dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: retrieve certificate
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate different host
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate status
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: revoke certificate
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
add:objectClass: ipaVirtualOperation
default:objectClass: top
default:objectClass: nsContainer
default:cn: certificate remove hold
dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
default:objectClass: top
default:objectClass: nsContainer
default:cn: request certificate with subjectaltname
dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
default:objectClass: top
default:objectClass: groupofnames
default:objectClass: ipapermission
default:cn: Request Certificate with SubjectAltName
default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
add:aci:'(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)'
# Read privileges
dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX


@ -1,23 +1,3 @@
# Add missing member values to attach permissions to their respective
# privileges
# Memberof task is already being run in 55-pbacmemberof.update
dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:objectclass: ipapermission
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:objectclass: ipapermission
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:objectclass: ipapermission
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
addifexist:objectclass: ipapermission
# update DNS container
dn: cn=dns, $SUFFIX
@ -26,14 +6,10 @@ addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
addifexist: aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)'
addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)'
# update DNS acis with new idnsRecord attributes
dn: $SUFFIX
replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || managedby")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
# replace DNS tree deny rule with managedBy enhanced allow rule
dn: cn=dns, $SUFFIX
replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)'
replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)'
# add DNS plugin
dn: cn=IPA DNS,cn=plugins,cn=config


@ -15,9 +15,6 @@ default:cn: Modify Group membership
default:description: Modify Group membership
default:member: cn=helpdesk,cn=roles,cn=accounts,$SUFFIX
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup


@ -15,6 +15,14 @@ default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents
dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
dn: cn=trusts,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer


@ -28,6 +28,7 @@
#include <stdarg.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <time.h>
@ -149,6 +150,174 @@ static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servernam
return rc;
}
const char *ca_cert_file = "/etc/ipa/ca.crt";
static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw, LDAP **_ld)
{
char *msg = NULL;
struct berval bv;
int version;
LDAP *ld;
int ssl;
int ret;
/* TODO: support referrals ? */
if (bind_dn) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
return ret;
}
ret = ipa_ldap_init(&ld, "ldaps", server_name, 636);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldaps(636) connection\n"));
return ret;
}
ssl = LDAP_OPT_X_TLS_HARD;;
ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
goto done;
}
} else {
ret = ipa_ldap_init(&ld, "ldap", server_name, 389);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldap(389) connection\n"));
return ret;
}
}
if (ld == NULL) {
fprintf(stderr, _("Unable to initialize ldap library!\n"));
return LDAP_OPERATIONS_ERROR;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto done;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
goto done;
}
if (bind_dn) {
bv.bv_val = discard_const(bind_pw);
bv.bv_len = strlen(bind_pw);
ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
&bv, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Simple bind failed\n"));
goto done;
}
} else {
ret = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET,
ldap_sasl_interact, bind_princ);
if (ret != LDAP_SUCCESS) {
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto done;
}
}
ret = LDAP_SUCCESS;
done:
if (ret != LDAP_SUCCESS) {
if (ld) ldap_unbind_ext(ld, NULL, NULL);
} else {
*_ld = ld;
}
return ret;
}
static int ipa_ldap_extended_op(LDAP *ld, const char *reqoid,
struct berval *control,
LDAPControl ***srvctrl)
{
struct berval *retdata = NULL;
LDAPMessage *res = NULL;
char *retoid = NULL;
struct timeval tv;
char *err = NULL;
int msgid;
int ret, rc;
ret = ldap_extended_operation(ld, KEYTAB_GET_OID, control,
NULL, NULL, &msgid);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Operation failed! %s\n"), ldap_err2string(ret));
return ret;
}
/* wait max 10 secs for the answer */
tv.tv_sec = 10;
tv.tv_usec = 0;
ret = ldap_result(ld, msgid, 1, &tv, &res);
if (ret == -1) {
fprintf(stderr, _("Failed to get result! %s\n"), ldap_err2string(ret));
goto done;
}
ret = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to parse extended result! %s\n"),
ldap_err2string(ret));
goto done;
}
ret = ldap_parse_result(ld, res, &rc, NULL, &err, NULL, srvctrl, 0);
if (ret != LDAP_SUCCESS || rc != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to parse result! %s\n"),
err ? err : ldap_err2string(ret));
if (ret == LDAP_SUCCESS) ret = rc;
goto done;
}
done:
if (err) ldap_memfree(err);
if (res) ldap_msgfree(res);
return ret;
}
static BerElement *get_control_data(LDAPControl **list, const char *repoid)
{
LDAPControl *control = NULL;
int i;
if (!list) {
fprintf(stderr, _("Missing reply control list!\n"));
return NULL;
}
for (i = 0; list[i]; i++) {
if (strcmp(list[i]->ldctl_oid, repoid) == 0) {
control = list[i];
}
}
if (!control) {
fprintf(stderr, _("Missing reply control!\n"));
return NULL;
}
return ber_init(&control->ldctl_value);
}
static int ldap_set_keytab(krb5_context krbctx,
const char *servername,
const char *principal_name,
@ -157,19 +326,11 @@ static int ldap_set_keytab(krb5_context krbctx,
const char *bindpw,
struct keys_container *keys)
{
int version;
LDAP *ld = NULL;
BerElement *sctrl = NULL;
struct berval *control = NULL;
char *retoid = NULL;
struct berval *retdata = NULL;
struct timeval tv;
LDAPMessage *res = NULL;
LDAPControl **srvctrl = NULL;
LDAPControl *pprc = NULL;
char *err = NULL;
int msgid;
int ret, rc;
int ret;
int kvno, i;
ber_tag_t rtag;
ber_int_t *encs = NULL;
@ -189,136 +350,23 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out;
}
/* TODO: support referrals ? */
if (binddn) {
int ssl = LDAP_OPT_X_TLS_HARD;;
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ipa/ca.crt") != LDAP_OPT_SUCCESS) {
goto error_out;
}
ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to bind to server!\n"));
goto error_out;
}
if ( ipa_ldap_init(&ld, "ldaps",servername, 636) != LDAP_SUCCESS){
goto error_out;
}
if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
goto error_out;
}
} else {
if (ipa_ldap_init(&ld, "ldap",servername, 389) != LDAP_SUCCESS){
goto error_out;
}
}
if(ld == NULL) {
fprintf(stderr, _("Unable to initialize ldap library!\n"));
goto error_out;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto error_out;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set ldap options!\n"));
goto error_out;
}
if (binddn) {
struct berval bv;
bv.bv_val = discard_const(bindpw);
bv.bv_len = strlen(bindpw);
ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bv,
NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Simple bind failed\n"));
goto error_out;
}
} else {
ret = ldap_sasl_interactive_bind_s(ld,
NULL, "GSSAPI",
NULL, NULL,
LDAP_SASL_QUIET,
ldap_sasl_interact, princ);
if (ret != LDAP_SUCCESS) {
char *msg=NULL;
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE,
(void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto error_out;
}
}
/* find base dn */
/* TODO: address the case where we have multiple naming contexts */
tv.tv_sec = 10;
tv.tv_usec = 0;
/* perform password change */
ret = ldap_extended_operation(ld,
KEYTAB_SET_OID,
control, NULL, NULL,
&msgid);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Operation failed! %s\n"),
ldap_err2string(ret));
goto error_out;
}
/* perform password change */
ret = ipa_ldap_extended_op(ld, KEYTAB_SET_OID, control, &srvctrl);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to get keytab!\n"));
goto error_out;
}
ber_bvfree(control);
control = NULL;
tv.tv_sec = 10;
tv.tv_usec = 0;
ret = ldap_result(ld, msgid, 1, &tv, &res);
if (ret == -1) {
fprintf(stderr, _("Operation failed! %s\n"),
ldap_err2string(ret));
goto error_out;
}
ret = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
if(ret != LDAP_SUCCESS) {
fprintf(stderr, _("Operation failed! %s\n"),
ldap_err2string(ret));
goto error_out;
}
ret = ldap_parse_result(ld, res, &rc, NULL, &err, NULL, &srvctrl, 0);
if(ret != LDAP_SUCCESS || rc != LDAP_SUCCESS) {
fprintf(stderr, _("Operation failed! %s\n"),
err ? err : ldap_err2string(ret));
goto error_out;
}
if (!srvctrl) {
fprintf(stderr, _("Missing reply control!\n"));
goto error_out;
}
for (i = 0; srvctrl[i]; i++) {
if (0 == strcmp(srvctrl[i]->ldctl_oid, KEYTAB_RET_OID)) {
pprc = srvctrl[i];
}
}
if (!pprc) {
fprintf(stderr, _("Missing reply control!\n"));
goto error_out;
}
sctrl = ber_init(&pprc->ldctl_value);
sctrl = get_control_data(srvctrl, KEYTAB_RET_OID);
if (!sctrl) {
fprintf(stderr, _("ber_init() failed, Invalid control ?!\n"));
goto error_out;
@ -372,10 +420,8 @@ static int ldap_set_keytab(krb5_context krbctx,
ret = filter_keys(krbctx, keys, encs);
if (ret == 0) goto error_out;
if (err) ldap_memfree(err);
ber_free(sctrl, 1);
ldap_controls_free(srvctrl);
ldap_msgfree(res);
ldap_unbind_ext(ld, NULL, NULL);
free(encs);
return kvno;
@ -383,12 +429,285 @@ static int ldap_set_keytab(krb5_context krbctx,
error_out:
if (sctrl) ber_free(sctrl, 1);
if (srvctrl) ldap_controls_free(srvctrl);
if (err) ldap_memfree(err);
if (res) ldap_msgfree(res);
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(encs);
return 0;
return -1;
}
/* Format of getkeytab control
*
* KeytabGetRequest ::= CHOICE {
* newkeys [0] Newkeys,
* curkeys [1] CurrentKeys,
* reply [2] Reply
* }
*
* NewKeys ::= SEQUENCE {
* serviceIdentity [0] OCTET STRING,
* enctypes [1] SEQUENCE OF Int16
* password [2] OCTET STRING OPTIONAL,
* }
*
* CurrentKeys ::= SEQUENCE {
* serviceIdentity [0] OCTET STRING,
* }
*
* Reply ::= SEQUENCE {
* new_kvno Int32
* keys SEQUENCE OF KrbKey,
* }
*
* KrbKey ::= SEQUENCE {
* key [0] EncryptionKey,
* salt [1] KrbSalt OPTIONAL,
* s2kparams [2] OCTET STRING OPTIONAL,
* }
*
* EncryptionKey ::= SEQUENCE {
* keytype [0] Int32,
* keyvalue [1] OCTET STRING
* }
*
* KrbSalt ::= SEQUENCE {
* type [0] Int32,
* salt [1] OCTET STRING
* }
*/
#define GK_REQUEST_NEWKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
#define GK_REQUEST_CURKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
#define GKREQ_SVCNAME_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
#define GKREQ_ENCTYPES_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
#define GKREQ_PASSWORD_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
const char *password,
struct krb_key_salt *encsalts,
int num_encsalts)
{
struct berval *bval = NULL;
BerElement *be;
ber_tag_t ctag;
ber_int_t e;
int ret, i;
be = ber_alloc_t(LBER_USE_DER);
if (!be) {
return NULL;
}
if (gen) {
ctag = GK_REQUEST_NEWKEYS;
} else {
ctag = GK_REQUEST_CURKEYS;
}
ret = ber_printf(be, "t{t[s]", ctag, GKREQ_SVCNAME_TAG, svc_princ);
if (ret == -1) {
ber_free(be, 1);
goto done;
}
if (gen) {
ret = ber_printf(be, "t{", GKREQ_ENCTYPES_TAG);
if (ret == -1) {
ber_free(be, 1);
goto done;
}
for (i = 0; i < num_encsalts; i++) {
e = encsalts[i].enctype;
ret = ber_printf(be, "i", e);
if (ret == -1) {
ber_free(be, 1);
goto done;
}
}
ret = ber_printf(be, "}");
if (ret == -1) {
ber_free(be, 1);
goto done;
}
if (password) {
ret = ber_printf(be, "t[s]", GKREQ_PASSWORD_TAG, password);
if (ret == -1) {
ber_free(be, 1);
goto done;
}
}
}
ret = ber_printf(be, "}");
if (ret == -1) {
ber_free(be, 1);
goto done;
}
ret = ber_flatten(be, &bval);
if (ret == -1) {
ber_free(be, 1);
goto done;
}
done:
ber_free(be, 1);
return bval;
}
#define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
#define GKREP_KEY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
#define GKREP_SALT_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
const char *enctypes, const char *bind_server,
const char *svc_princ, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw,
struct keys_container *keys, int *kvno,
char **err_msg)
{
struct krb_key_salt *es = NULL;
int num_es = 0;
struct berval *control = NULL;
LDAP *ld;
LDAPControl **srvctrl = NULL;
BerElement *ber = NULL;
ber_tag_t rtag;
ber_tag_t ctag;
ber_len_t tlen;
ber_int_t vno;
ber_int_t tint;
struct berval tbval;
int ret;
*err_msg = NULL;
if (enctypes) {
ret = ipa_string_to_enctypes(enctypes, &es, &num_es, err_msg);
if (ret || num_es == 0) {
return LDAP_OPERATIONS_ERROR;
}
}
control = create_getkeytab_control(svc_princ, generate,
password, es, num_es);
if (!control) {
*err_msg = _("Failed to create control!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld);
if (ret != LDAP_SUCCESS) {
*err_msg = _("Failed to bind to server!\n");
goto done;
}
/* perform extedned opt to get keytab */
ret = ipa_ldap_extended_op(ld, KEYTAB_GET_OID, control, &srvctrl);
if (ret != LDAP_SUCCESS) {
goto done;
}
ber = get_control_data(srvctrl, KEYTAB_GET_OID);
if (!ber) {
*err_msg = _("Failed to find or parse reply control!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
rtag = ber_scanf(ber, "t{i{", &ctag, &vno);
if (rtag == LBER_ERROR || ctag != GK_REPLY_TAG) {
*err_msg = _("Failed to parse control head!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
keys->nkeys = 0;
keys->ksdata = NULL;
rtag = ber_peek_tag(ber, &tlen);
for (int i = 0; rtag == LBER_SEQUENCE; i++) {
if ((i % 5) == 0) {
struct krb_key_salt *ksdata;
ksdata = realloc(keys->ksdata,
(i + 5) * sizeof(struct krb_key_salt));
if (!ksdata) {
*err_msg = _("Out of memory!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
keys->ksdata = ksdata;
}
memset(&keys->ksdata[i], 0, sizeof(struct krb_key_salt));
keys->nkeys = i + 1;
rtag = ber_scanf(ber, "{t{[i][o]}]", &ctag, &tint, &tbval);
if (rtag == LBER_ERROR || ctag != GKREP_KEY_TAG) {
*err_msg = _("Failed to parse enctype in key data!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
keys->ksdata[i].enctype = tint;
keys->ksdata[i].key.enctype = tint;
keys->ksdata[i].key.length = tbval.bv_len;
keys->ksdata[i].key.contents = malloc(tbval.bv_len);
if (!keys->ksdata[i].key.contents) {
*err_msg = _("Out of memory!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
memcpy(keys->ksdata[i].key.contents, tbval.bv_val, tbval.bv_len);
ber_memfree(tbval.bv_val);
rtag = ber_peek_tag(ber, &tlen);
if (rtag == GKREP_SALT_TAG) {
rtag = ber_scanf(ber, "t{[i][o]}", &ctag, &tint, &tbval);
if (rtag == LBER_ERROR) {
*err_msg = _("Failed to parse salt in key data!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
keys->ksdata[i].salttype = tint;
keys->ksdata[i].salt.length = tbval.bv_len;
keys->ksdata[i].salt.data = malloc(tbval.bv_len);
if (!keys->ksdata[i].salt.data) {
*err_msg = _("Out of memory!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
memcpy(keys->ksdata[i].salt.data, tbval.bv_val, tbval.bv_len);
ber_memfree(tbval.bv_val);
}
rtag = ber_scanf(ber, "}");
if (rtag == LBER_ERROR) {
*err_msg = _("Failed to parse ending of key data!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
rtag = ber_peek_tag(ber, &tlen);
}
rtag = ber_scanf(ber, "}}");
if (rtag == LBER_ERROR) {
*err_msg = _("Failed to parse ending of control!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
*kvno = vno;
ret = LDAP_SUCCESS;
done:
if (ber) ber_free(ber, 1);
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(es);
if (ret) {
free_keys_contents(krbctx, keys);
}
return ret;
}
static char *ask_password(krb5_context krbctx)
@ -440,6 +759,7 @@ int main(int argc, const char *argv[])
int quiet = 0;
int askpass = 0;
int permitted_enctypes = 0;
int retrieve = 0;
struct poptOption options[] = {
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
_("Print as little as possible"), _("Output only on errors")},
@ -464,6 +784,8 @@ int main(int argc, const char *argv[])
_("LDAP DN"), _("DN to bind as if not using kerberos") },
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
_("LDAP password"), _("password to use if not using kerberos") },
{ "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
_("Retrieve current keys without changing them"), NULL },
POPT_AUTOHELP
POPT_TABLEEND
};
@ -475,7 +797,7 @@ int main(int argc, const char *argv[])
krb5_principal uprinc;
krb5_principal sprinc;
krb5_error_code krberr;
struct keys_container keys;
struct keys_container keys = { 0 };
krb5_keytab kt;
int kvno;
int i, ret;
@ -533,6 +855,11 @@ int main(int argc, const char *argv[])
exit(10);
}
if (askpass && retrieve) {
fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
exit(2);
}
if (askpass) {
password = ask_password(krbctx);
if (!password) {
@ -580,6 +907,19 @@ int main(int argc, const char *argv[])
exit(7);
}
kvno = -1;
ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string,
server, principal, uprinc, binddn, bindpw,
&keys, &kvno, &err_msg);
if (ret) {
if (!quiet && err_msg != NULL) {
fprintf(stderr, "%s", err_msg);
}
}
if (password && (retrieve == 0) && (kvno == -1)) {
if (!quiet) fprintf(stderr, _("Retrying with old method\n"));
/* create key material */
ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys, &err_msg);
if (!ret) {
@ -591,9 +931,12 @@ int main(int argc, const char *argv[])
}
kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys);
if (!kvno) {
exit(9);
}
}
if (kvno == -1) {
fprintf(stderr, _("Failed to get keytab\n"));
exit(9);
}
for (i = 0; i < keys.nkeys; i++) {
krb5_keytab_entry kt_entry;


@ -39,12 +39,13 @@ from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
AUTOFS_CONF = '/etc/sysconfig/autofs'
NSSWITCH_CONF = '/etc/nsswitch.conf'
AUTOFS_LDAP_AUTH = '/etc/autofs_ldap_auth.conf'
NFS_CONF = '/etc/sysconfig/nfs'
IDMAPD_CONF = '/etc/idmapd.conf'
AUTOFS_CONF = paths.SYSCONFIG_AUTOFS
NSSWITCH_CONF = paths.NSSWITCH_CONF
AUTOFS_LDAP_AUTH = paths.AUTOFS_LDAP_AUTH_CONF
NFS_CONF = paths.SYSCONFIG_NFS
IDMAPD_CONF = paths.IDMAPD_CONF
def parse_options():
usage = "%prog [options]\n"
@ -189,7 +190,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
sys.exit('SSSD is not configured.')
sssdconfig.save_domain(domain)
sssdconfig.write("/etc/sssd/sssd.conf")
sssdconfig.write(paths.SSSD_CONF)
statestore.backup_state('autofs', 'sssd', True)
sssd = services.service('sssd')
@ -279,7 +280,7 @@ def uninstall(fstore, statestore):
domain.remove_provider('autofs')
break
sssdconfig.save_domain(domain)
sssdconfig.write("/etc/sssd/sssd.conf")
sssdconfig.write(paths.SSSD_CONF)
sssd = services.service('sssd')
sssd.restart()
wait_for_sssd()
@ -357,15 +358,15 @@ def configure_nfs(fstore, statestore):
def main():
fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
statestore = sysrestore.StateFile('/var/lib/ipa-client/sysrestore')
if not fstore.has_files() and not os.path.exists('/etc/ipa/default.conf'):
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
if not fstore.has_files() and not os.path.exists(paths.IPA_DEFAULT_CONF):
sys.exit('IPA client is not configured on this system.\n')
options, args = parse_options()
standard_logging_setup(
'/var/log/ipaclient-install.log', verbose=False, debug=options.debug,
paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
filemode='a', console_format='%(message)s')
cfg = dict(
@ -430,7 +431,7 @@ def main():
try:
try:
os.environ['KRB5CCNAME'] = ccache_name
ipautil.run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', 'host/%s@%s' % (api.env.host, api.env.realm)])
ipautil.run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB, 'host/%s@%s' % (api.env.host, api.env.realm)])
except ipautil.CalledProcessError, e:
sys.exit("Failed to obtain host TGT.")
# Now we have a TGT, connect to IPA


@ -69,14 +69,12 @@ CLIENT_NOT_CONFIGURED = 2
CLIENT_ALREADY_CONFIGURED = 3
CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
SSH_AUTHORIZEDKEYSCOMMAND = '/usr/bin/sss_ssh_authorizedkeys'
SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy'
SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts'
SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
client_nss_nickname_format = 'IPA Machine Certificate - %s'
NSSWITCH_CONF = '/etc/nsswitch.conf'
def parse_options():
def validate_ca_cert_file_option(option, opt, value, parser):
if not os.path.exists(value):
@ -214,10 +212,10 @@ def parse_options():
return safe_opts, options
def logging_setup(options):
log_file = "/var/log/ipaclient-install.log"
log_file = paths.IPACLIENT_INSTALL_LOG
if options.uninstall:
log_file = "/var/log/ipaclient-uninstall.log"
log_file = paths.IPACLIENT_UNINSTALL_LOG
standard_logging_setup(
filename=log_file, verbose=True, debug=options.debug,
@ -228,7 +226,7 @@ def log_service_error(name, action, error):
root_logger.error("%s failed to %s: %s", name, action, str(error))
def nickname_exists(nickname):
(sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
(sout, serr, returncode) = run([paths.CERTUTIL, "-L", "-d", paths.NSS_DB_DIR, "-n", nickname], raiseonerr=False)
if returncode == 0:
return True
@ -297,8 +295,8 @@ def restore_state(service):
# Checks whether nss_ldap or nss-pam-ldapd is installed. If anyone of mandatory files was found returns True and list of all files found.
def nssldap_exists():
files_to_check = [{'function':'configure_ldap_conf', 'mandatory':['/etc/ldap.conf','/etc/nss_ldap.conf','/etc/libnss-ldap.conf'], 'optional':['/etc/pam_ldap.conf']},
{'function':'configure_nslcd_conf', 'mandatory':['/etc/nslcd.conf']}]
files_to_check = [{'function':'configure_ldap_conf', 'mandatory':[paths.LDAP_CONF,paths.NSS_LDAP_CONF,paths.LIBNSS_LDAP_CONF], 'optional':[paths.PAM_LDAP_CONF]},
{'function':'configure_nslcd_conf', 'mandatory':[paths.NSLCD_CONF]}]
files_found = {}
retval = False
@ -356,7 +354,7 @@ def is_ipa_client_installed(on_master=False):
"""
installed = fstore.has_files() or \
(not on_master and os.path.exists('/etc/ipa/default.conf'))
(not on_master and os.path.exists(paths.IPA_DEFAULT_CONF))
return installed
@ -380,15 +378,15 @@ def configure_nsswitch_database(fstore, database, services, preserve=True,
"""
# Backup the original version of nsswitch.conf, we're going to edit it now
if not fstore.has_file(NSSWITCH_CONF):
fstore.backup_file(NSSWITCH_CONF)
if not fstore.has_file(paths.NSSWITCH_CONF):
fstore.backup_file(paths.NSSWITCH_CONF)
conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
conf.setOptionAssignment(':')
if preserve:
# Read the existing configuration
with open('/etc/nsswitch.conf', 'r') as f:
with open(paths.NSSWITCH_CONF, 'r') as f:
opts = conf.parse(f)
raw_database_entry = conf.findOpts(opts, 'option', database)[1]
@ -419,8 +417,8 @@ def configure_nsswitch_database(fstore, database, services, preserve=True,
'type':'empty'
}]
conf.changeConf(NSSWITCH_CONF, opts)
root_logger.info("Configured %s in %s" % (database, NSSWITCH_CONF))
conf.changeConf(paths.NSSWITCH_CONF, opts)
root_logger.info("Configured %s in %s" % (database, paths.NSSWITCH_CONF))
def uninstall(options, env):
@ -429,7 +427,7 @@ def uninstall(options, env):
root_logger.error("IPA client is not configured on this system.")
return CLIENT_NOT_CONFIGURED
server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
if server_fstore.has_files() and not options.on_master:
root_logger.error(
"IPA client is configured as a part of IPA server on this system.")
@ -487,7 +485,7 @@ def uninstall(options, env):
# Remove our host cert and CA cert
if nickname_exists("IPA CA"):
try:
run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", "IPA CA"])
except Exception, e:
root_logger.error(
"Failed to remove IPA CA from /etc/pki/nssdb: %s", str(e))
@ -507,14 +505,14 @@ def uninstall(options, env):
log_service_error(cmonger.service_name, 'start', e)
try:
certmonger.stop_tracking('/etc/pki/nssdb', nickname=client_nss_nickname)
certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
except (CalledProcessError, RuntimeError), e:
root_logger.error("%s failed to stop tracking certificate: %s",
cmonger.service_name, str(e))
if nickname_exists(client_nss_nickname):
try:
run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", client_nss_nickname])
run([paths.CERTUTIL, "-D", "-d", paths.NSS_DB_DIR, "-n", client_nss_nickname])
except Exception, e:
root_logger.error("Failed to remove %s from /etc/pki/nssdb: %s",
client_nss_nickname, str(e))
@ -534,9 +532,9 @@ def uninstall(options, env):
"Failed to disable automatic startup of the %s service: %s",
cmonger.service_name, str(e))
if not options.on_master and os.path.exists('/etc/ipa/default.conf'):
if not options.on_master and os.path.exists(paths.IPA_DEFAULT_CONF):
root_logger.info("Unenrolling client from IPA server")
join_args = ["/usr/sbin/ipa-join", "--unenroll", "-h", hostname]
join_args = [paths.SBIN_IPA_JOIN, "--unenroll", "-h", hostname]
if options.debug:
join_args.append("-d")
env['XMLRPC_TRACE_CURL'] = 'yes'
@ -544,16 +542,16 @@ def uninstall(options, env):
if returncode != 0:
root_logger.error("Unenrolling host failed: %s", stderr)
if os.path.exists('/etc/ipa/default.conf'):
if os.path.exists(paths.IPA_DEFAULT_CONF):
root_logger.info(
"Removing Kerberos service principals from /etc/krb5.keytab")
try:
parser = RawConfigParser()
fp = open('/etc/ipa/default.conf', 'r')
fp = open(paths.IPA_DEFAULT_CONF, 'r')
parser.readfp(fp)
fp.close()
realm = parser.get('global', 'realm')
run(["/usr/sbin/ipa-rmkeytab", "-k", "/etc/krb5.keytab", "-r", realm])
run([paths.IPA_RMKEYTAB, "-k", paths.KRB5_KEYTAB, "-r", realm])
except Exception, e:
root_logger.error(
"Failed to remove Kerberos service principals: %s", str(e))
@ -562,7 +560,7 @@ def uninstall(options, env):
was_sssd_installed = False
was_sshd_configured = False
if fstore.has_files():
was_sssd_installed = fstore.has_file("/etc/sssd/sssd.conf")
was_sssd_installed = fstore.has_file(paths.SSSD_CONF)
sshd_config = os.path.join(services.knownservices.sshd.get_config_dir(), "sshd_config")
was_sshd_configured = fstore.has_file(sshd_config)
@ -595,7 +593,7 @@ def uninstall(options, env):
restored = False
try:
restored = fstore.restore_file("/etc/sssd/sssd.conf","/etc/sssd/sssd.conf.bkp")
restored = fstore.restore_file(paths.SSSD_CONF,paths.SSSD_CONF_BKP)
except OSError:
root_logger.debug("Error while restoring pre-IPA /etc/sssd/sssd.conf.")
@ -628,10 +626,10 @@ def uninstall(options, env):
# than IPA are configured in sssd.conf - make sure config file is removed
elif not was_sssd_installed and not was_sssd_configured:
try:
os.rename("/etc/sssd/sssd.conf","/etc/sssd/sssd.conf.deleted")
os.rename(paths.SSSD_CONF,paths.SSSD_CONF_DELETED)
except OSError:
root_logger.debug("Error while moving /etc/sssd/sssd.conf to "
"/etc/sssd/sssd.conf.deleted")
root_logger.debug("Error while moving /etc/sssd/sssd.conf to %s" %
paths.SSSD_CONF_DELETED)
root_logger.info("Redundant SSSD configuration file " +
"/etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted")
@ -680,10 +678,10 @@ def uninstall(options, env):
# the reason for it might be that freeipa-client was updated
# to this version but not unenrolled/enrolled again
# In such case it is OK to fail
restored = fstore.restore_file("/etc/ntp.conf")
restored |= fstore.restore_file("/etc/sysconfig/ntpd")
restored = fstore.restore_file(paths.NTP_CONF)
restored |= fstore.restore_file(paths.SYSCONFIG_NTPD)
if ntp_step_tickers:
restored |= fstore.restore_file("/etc/ntp/step-tickers")
restored |= fstore.restore_file(paths.NTP_STEP_TICKERS)
except Exception:
pass
@ -714,8 +712,8 @@ def uninstall(options, env):
rv = 0
if fstore.has_files():
root_logger.error('Some files have not been restored, see '
'/var/lib/ipa-client/sysrestore/sysrestore.index')
root_logger.error('Some files have not been restored, see %s' %
paths.SYSRESTORE_INDEX)
has_state = False
for module in statestore.modules.keys():
root_logger.error('Some installation state for %s has not been '
@ -734,7 +732,7 @@ def uninstall(options, env):
# Remove the IPA configuration file
try:
os.remove("/etc/ipa/default.conf")
os.remove(paths.IPA_DEFAULT_CONF)
except OSError, e:
root_logger.warning('/etc/ipa/default.conf could not be removed: %s',
str(e))
@ -766,7 +764,7 @@ def uninstall(options, env):
if not options.on_master:
if user_input("Do you want to reboot the machine?", False):
try:
run(["/sbin/reboot"])
run([paths.SBIN_REBOOT])
except Exception, e:
root_logger.error(
"Reboot command failed to exceute: %s", str(e))
@ -795,7 +793,7 @@ def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server):
opts.append({'name':'global', 'type':'section', 'value':defopts})
opts.append({'name':'empty', 'type':'empty'})
target_fname = '/etc/ipa/default.conf'
target_fname = paths.IPA_DEFAULT_CONF
fstore.backup_file(target_fname)
ipaconf.newConf(target_fname, opts)
os.chmod(target_fname, 0644)
@ -809,9 +807,9 @@ def disable_ra():
Note that api.env will retain the old value (it is readonly).
"""
parser = RawConfigParser()
parser.read('/etc/ipa/default.conf')
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'False')
fp = open('/etc/ipa/default.conf', 'w')
fp = open(paths.IPA_DEFAULT_CONF, 'w')
parser.write(fp)
fp.close()
@ -948,7 +946,7 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server):
{'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option',
'value':CACERT},]
target_fname = '/etc/openldap/ldap.conf'
target_fname = paths.OPENLDAP_LDAP_CONF
fstore.backup_file(target_fname)
error_msg = "Configuring {path} failed with: {err}"
@ -975,7 +973,7 @@ def hardcode_ldap_server(cli_server):
DNS Discovery didn't return a valid IPA server, hardcode a value into
the file instead.
"""
if not file_exists('/etc/ldap.conf'):
if not file_exists(paths.LDAP_CONF):
return
ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
@ -985,7 +983,7 @@ def hardcode_ldap_server(cli_server):
{'name':'empty', 'type':'empty'}]
# Errors raised by this should be caught by the caller
ldapconf.changeConf("/etc/ldap.conf", opts)
ldapconf.changeConf(paths.LDAP_CONF, opts)
root_logger.info("Changed configuration of /etc/ldap.conf to use " +
"hardcoded server name: %s", cli_server[0])
@ -1005,7 +1003,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
# SSSD include dir
if options.sssd:
opts.append({'name':'includedir', 'type':'option', 'value':'/var/lib/sss/pubconf/krb5.include.d/', 'delim':' '})
opts.append({'name':'includedir', 'type':'option', 'value':paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, 'delim':' '})
opts.append({'name':'empty', 'type':'empty'})
#[libdefaults]
@ -1116,7 +1114,7 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
client_nss_nickname = client_nss_nickname_format % hostname
subject = DN(('CN', hostname), subject_base)
try:
run(["ipa-getcert", "request", "-d", "/etc/pki/nssdb",
run(["ipa-getcert", "request", "-d", paths.NSS_DB_DIR,
"-n", client_nss_nickname, "-N", str(subject),
"-K", principal])
except Exception:
@ -1132,7 +1130,7 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
except Exception, e:
if os.path.exists("/etc/sssd/sssd.conf") and options.preserve_sssd:
if os.path.exists(paths.SSSD_CONF) and options.preserve_sssd:
# SSSD config is in place but we are unable to read it
# In addition, we are instructed to preserve it
# This all means we can't use it and have to bail out
@ -1254,12 +1252,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
domain.set_active(True)
sssdconfig.save_domain(domain)
sssdconfig.write("/etc/sssd/sssd.conf")
sssdconfig.write(paths.SSSD_CONF)
return 0
def change_ssh_config(filename, changes, sections):
if len(changes) == 0:
if not changes:
return True
try:
@ -1268,38 +1266,30 @@ def change_ssh_config(filename, changes, sections):
root_logger.error("Failed to open '%s': %s", filename, str(e))
return False
change_keys = tuple(key.lower() for key in changes)
section_keys = tuple(key.lower() for key in sections)
lines = []
in_section = False
for line in f:
if in_section:
lines.append(line)
continue
line = line.rstrip('\n')
pline = line.strip()
if len(pline) == 0 or pline.startswith('#'):
if not pline or pline.startswith('#'):
lines.append(line)
continue
parts = pline.split()
option = parts[0].lower()
for key in sections:
if key.lower() == option:
in_section = True
break
if in_section:
break
for opt in changes:
if opt.lower() == option:
line = None
break
if line is not None:
option = pline.split()[0].lower()
if option in section_keys:
lines.append(line)
for opt in changes:
if changes[opt] is not None:
lines.append('%s %s\n' % (opt, changes[opt]))
lines.append('\n')
if in_section:
break
if option in change_keys:
line = '#' + line
lines.append(line)
for option, value in changes.items():
if value is not None:
lines.append('%s %s' % (option, value))
for line in f:
line = line.rstrip('\n')
lines.append(line)
lines.append('')
f.close()
@ -1309,7 +1299,7 @@ def change_ssh_config(filename, changes, sections):
root_logger.error("Failed to open '%s': %s", filename, str(e))
return False
f.write(''.join(lines))
f.write('\n'.join(lines))
f.close()
@ -1376,7 +1366,7 @@ def configure_sshd_config(fstore, options):
)
for candidate in candidates:
args = ['sshd', '-t', '-f', '/dev/null']
args = ['sshd', '-t', '-f', paths.DEV_NULL]
for item in candidate.iteritems():
args.append('-o')
args.append('%s=%s' % item)
@ -1432,9 +1422,9 @@ def configure_nisdomain(options, domain):
nis_domain_name = ''
# First backup the old NIS domain name
if os.path.exists('/usr/bin/nisdomainname'):
if os.path.exists(paths.BIN_NISDOMAINNAME):
try:
nis_domain_name, _, _ = ipautil.run(['/usr/bin/nisdomainname'])
nis_domain_name, _, _ = ipautil.run([paths.BIN_NISDOMAINNAME])
except CalledProcessError, e:
pass
@ -1515,7 +1505,7 @@ def do_nsupdate(update_txt):
result = False
try:
ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE])
ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
result = True
except CalledProcessError, e:
root_logger.debug('nsupdate failed: %s', str(e))
@ -1549,8 +1539,8 @@ show
send
"""
UPDATE_FILE = "/etc/ipa/.dns_update.txt"
CCACHE_FILE = "/etc/ipa/.dns_ccache"
UPDATE_FILE = paths.IPA_DNS_UPDATE_TXT
CCACHE_FILE = paths.IPA_DNS_CCACHE
def update_dns(server, hostname):
@ -1723,7 +1713,7 @@ def get_ca_cert_from_http(url, ca_file, warn=True):
root_logger.debug("trying to retrieve CA cert via HTTP from %s", url)
try:
run(["/usr/bin/wget", "-O", ca_file, url])
run([paths.BIN_WGET, "-O", ca_file, url])
except CalledProcessError, e:
raise errors.NoCertificateError(entry=url)
@ -2306,8 +2296,8 @@ def install(options, env, fstore, statestore):
if not options.on_master:
# Try removing old principals from the keytab
try:
ipautil.run(['/usr/sbin/ipa-rmkeytab',
'-k', '/etc/krb5.keytab', '-r', cli_realm])
ipautil.run([paths.IPA_RMKEYTAB,
'-k', paths.KRB5_KEYTAB, '-r', cli_realm])
except CalledProcessError, e:
if e.returncode not in (3, 5):
# 3 - Unable to open keytab
@ -2316,7 +2306,7 @@ def install(options, env, fstore, statestore):
"/usr/sbin/ipa-rmkeytab returned %s" % e.returncode)
else:
root_logger.info("Removed old keys for realm %s from %s" % (
cli_realm, '/etc/krb5.keytab'))
cli_realm, paths.KRB5_KEYTAB))
if options.hostname and not options.on_master:
# configure /etc/sysconfig/network to contain the hostname we set.
@ -2372,7 +2362,7 @@ def install(options, env, fstore, statestore):
(ccache_fd, ccache_name) = tempfile.mkstemp()
os.close(ccache_fd)
env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
join_args = ["/usr/sbin/ipa-join",
join_args = [paths.SBIN_IPA_JOIN,
"-s", cli_server[0],
"-b", str(realm_to_suffix(cli_realm)),
"-h", hostname]
@ -2422,7 +2412,7 @@ def install(options, env, fstore, statestore):
join_args.append("-f")
if os.path.exists(options.keytab):
(stderr, stdout, returncode) = run(
['/usr/bin/kinit','-k', '-t', options.keytab,
[paths.KINIT,'-k', '-t', options.keytab,
'host/%s@%s' % (hostname, cli_realm)],
env=env,
raiseonerr=False)
@ -2502,7 +2492,7 @@ def install(options, env, fstore, statestore):
# Once we have the TGT, it's usable on any server.
env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB,
'host/%s@%s' % (hostname, cli_realm)], env=env)
except CalledProcessError, e:
root_logger.error("Failed to obtain host TGT.")
@ -2536,7 +2526,7 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
# Always back up sssd.conf. It gets updated by authconfig --enablekrb5.
fstore.backup_file("/etc/sssd/sssd.conf")
fstore.backup_file(paths.SSSD_CONF)
if options.sssd:
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname):
return CLIENT_INSTALL_ERROR
@ -2549,7 +2539,7 @@ def install(options, env, fstore, statestore):
try:
root_logger.debug("Attempting to add CA directly to the "
"default NSS database.")
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
run([paths.CERTUTIL, "-A", "-d", paths.NSS_DB_DIR,
"-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
except CalledProcessError, e:
root_logger.info("Failed to add CA to the default NSS database.")
@ -2563,14 +2553,14 @@ def install(options, env, fstore, statestore):
# Get the host TGT.
os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB,
host_principal])
except CalledProcessError, e:
root_logger.error("Failed to obtain host TGT.")
return CLIENT_INSTALL_ERROR
else:
# Configure krb5.conf
fstore.backup_file("/etc/krb5.conf")
fstore.backup_file(paths.KRB5_CONF)
if configure_krb5_conf(
cli_realm=cli_realm,
cli_domain=cli_domain,
@ -2578,7 +2568,7 @@ def install(options, env, fstore, statestore):
cli_kdc=cli_kdc,
dnsok=dnsok,
options=options,
filename="/etc/krb5.conf",
filename=paths.KRB5_CONF,
client_domain=client_domain):
return CLIENT_INSTALL_ERROR
@ -2816,10 +2806,10 @@ def main():
env={"PATH":"/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"}
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
global statestore
statestore = sysrestore.StateFile('/var/lib/ipa-client/sysrestore')
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
if options.uninstall:
return uninstall(options, env)
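Review bot: In the change_ssh_config hunk, the new loop appears to append the matched section header (`lines.append(line)` right after `if option in section_keys:`) and then break, with the replacement options appended immediately afterwards — which puts them below a `Match`-style header, inside that conditional block, instead of above it where they apply globally. The `+`/`-` markers are lost on this page, so please confirm that this append belongs to the new side; if it does, record the hit in a flag, emit the changes, and only then write out the saved header line before copying the rest of the file, as sketched below. Separately, several messages in this section still hard-code paths that the code now reads from `paths` (e.g. "Removing Kerberos service principals from /etc/krb5.keytab", the sssd.conf move message, the default.conf removal warning), so they will name the wrong file on platforms where the constants differ; and the new `root_logger.error('Some files have not been restored, see %s' % paths.SYSRESTORE_INDEX)` should pass the argument lazily, `root_logger.error('Some files have not been restored, see %s', paths.SYSRESTORE_INDEX)`.
```python
    lines = []
    in_section = False
    for line in f:
        # … unchanged: rstrip, blank/comment pass-through …
        option = pline.split()[0].lower()
        if option in section_keys:
            in_section = True
            break
        # … unchanged: comment out replaced options, append line …

    # … unchanged: append the new option values …

    if in_section:
        lines.append('')
        lines.append(line)
    # … unchanged: copy the remaining lines, trailing '', f.close() …
```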


@ -21,7 +21,7 @@
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ]
ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
.SH "DESCRIPTION"
Retrieves a Kerberos \fIkeytab\fR.
@ -95,6 +95,12 @@ The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Ge
.TP
\fB\-w, \-\-bindpw\fR
The LDAP password to use when not binding with Kerberos.
.TP
\fB\-r\fR
Retrieve mode. Retrieve an existing key from the server instead of generating a
new one. This is incompatibile with the \-\-password option, and will work only
against a FreeIPA server more recent than version 3.3. The user requesting the
keytab must have access to the keys for this operation to succeed.
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.


@ -105,15 +105,11 @@ class Env(object):
u'false'
If an ``str`` value looks like an integer, it's automatically converted to
the ``int`` type. Likewise, if an ``str`` value looks like a floating-point
number, it's automatically converted to the ``float`` type. For example:
the ``int`` type.
>>> env.lucky = '7'
>>> env.lucky
7
>>> env.three_halves = '1.5'
>>> env.three_halves
1.5
Leading and trailing white-space is automatically stripped from ``str``
values. For example:


@ -21,7 +21,7 @@ import os
import sys
import base64
import nss.nss as nss
from pyasn1.type import univ, namedtype, tag
from pyasn1.type import univ, char, namedtype, tag
from pyasn1.codec.der import decoder
from ipapython import ipautil
from ipalib import api
@ -29,6 +29,10 @@ from ipalib import api
PEM = 0
DER = 1
SAN_DNSNAME = 'DNS name'
SAN_OTHERNAME_UPN = 'Other Name (OID.1.3.6.1.4.1.311.20.2.3)'
SAN_OTHERNAME_KRB5PRINCIPALNAME = 'Other Name (OID.1.3.6.1.5.2.2)'
def get_subject(csr, datatype=PEM):
"""
Given a CSR return the subject value.
@ -41,6 +45,89 @@ def get_subject(csr, datatype=PEM):
finally:
del request
def get_extensions(csr, datatype=PEM):
"""
Given a CSR return OIDs of certificate extensions.
The return value is a tuple of strings
"""
request = load_certificate_request(csr, datatype)
return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:]
for ext in request.extensions)
class _PrincipalName(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('name-type', univ.Integer().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
),
namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))
),
)
class _KRB5PrincipalName(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('realm', char.GeneralString().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
),
namedtype.NamedType('principalName', _PrincipalName().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))
),
)
def _decode_krb5principalname(data):
principal = decoder.decode(data, asn1Spec=_KRB5PrincipalName())[0]
realm = (str(principal['realm']).replace('\\', '\\\\')
.replace('@', '\\@'))
name = principal['principalName']['name-string']
name = '/'.join(str(n).replace('\\', '\\\\')
.replace('/', '\\/')
.replace('@', '\\@') for n in name)
name = '%s@%s' % (name, realm)
return name
class _AnotherName(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('type-id', univ.ObjectIdentifier()),
namedtype.NamedType('value', univ.Any().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
),
)
class _GeneralName(univ.Choice):
componentType = namedtype.NamedTypes(
namedtype.NamedType('otherName', _AnotherName().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
),
namedtype.NamedType('rfc822Name', char.IA5String().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))
),
namedtype.NamedType('dNSName', char.IA5String().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))
),
namedtype.NamedType('x400Address', univ.Sequence().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
),
namedtype.NamedType('directoryName', univ.Choice().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
),
namedtype.NamedType('ediPartyName', univ.Sequence().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))
),
namedtype.NamedType('uniformResourceIdentifier', char.IA5String().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))
),
namedtype.NamedType('iPAddress', univ.OctetString().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))
),
namedtype.NamedType('registeredID', univ.ObjectIdentifier().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))
),
)
class _SubjectAltName(univ.SequenceOf):
componentType = _GeneralName()
def get_subjectaltname(csr, datatype=PEM):
"""
Given a CSR return the subjectaltname value, if any.
@ -48,13 +135,26 @@ def get_subjectaltname(csr, datatype=PEM):
The return value is a tuple of strings or None
"""
request = load_certificate_request(csr, datatype)
try:
for extension in request.extensions:
if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
return nss.x509_alt_name(extension.value)
finally:
del request
return None
for extension in request.extensions:
if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
break
else:
return None
del request
nss_names = nss.x509_alt_name(extension.value, nss.AsObject)
asn1_names = decoder.decode(extension.value.data,
asn1Spec=_SubjectAltName())[0]
names = []
for nss_name, asn1_name in zip(nss_names, asn1_names):
name_type = nss_name.type_string
if name_type == SAN_OTHERNAME_KRB5PRINCIPALNAME:
name = _decode_krb5principalname(asn1_name['otherName']['value'])
else:
name = nss_name.name
names.append((name_type, name))
return tuple(names)
# Unfortunately, NSS can only parse the extension request attribute, so
# we have to parse friendly name ourselves (see RFC 2986)
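Review bot: In get_subjectaltname, `zip(nss_names, asn1_names)` silently truncates to the shorter sequence, so a name-count or ordering mismatch between the NSS parse and the pyasn1 parse of the same extension would pair a `type_string` with the wrong value, or drop a name, without any error; since callers validate a CSR against this result, add a guard before the loop, `if len(nss_names) != len(asn1_names): raise ValueError('subjectAltName: NSS and ASN.1 decoders disagree on the number of names')`. The new code also executes `del request` and then reads `extension.value` afterwards, whereas the old version kept `request` alive in a try/finally until the return; whether `extension` stays valid once its parent is released depends on the NSS binding, so either confirm that or move the `del` after the decode. Because `decoder.decode(...)` on the raw extension bytes can raise a pyasn1 decoding error on a malformed extension where the previous NSS-only path did not, the docstring should mention it, e.g. `Raises a pyasn1 decoding error if the subjectAltName extension is not valid DER.`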


@ -212,6 +212,7 @@ class automountlocation(LDAPObject):
default_attributes = ['cn']
label = _('Automount Locations')
label_singular = _('Automount Location')
permission_filter_objectclasses = ['nscontainer']
managed_permissions = {
'System: Read Automount Configuration': {
# Single permission for all automount-related entries
@ -226,6 +227,14 @@ class automountlocation(LDAPObject):
'automountmapname', 'description',
},
},
'System: Add Automount Locations': {
'ipapermright': {'add'},
'default_privileges': {'Automount Administrators'},
},
'System: Remove Automount Locations': {
'ipapermright': {'delete'},
'default_privileges': {'Automount Administrators'},
},
}
takes_params = (
@ -576,6 +585,7 @@ class automountmap(LDAPObject):
object_name = _('automount map')
object_name_plural = _('automount maps')
object_class = ['automountmap']
permission_filter_objectclasses = ['automountmap']
default_attributes = ['automountmapname', 'description']
takes_params = (
@ -591,6 +601,31 @@ class automountmap(LDAPObject):
),
)
managed_permissions = {
'System: Add Automount Maps': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Automount Administrators'},
},
'System: Modify Automount Maps': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'automountmapname', 'description'},
'replaces': [
'(targetattr = "automountmapname || description")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount maps";allow (write) groupdn = "ldap:///cn=Modify Automount maps,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Automount Administrators'},
},
'System: Remove Automount Maps': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Automount Administrators'},
},
}
label = _('Automount Maps')
label_singular = _('Automount Map')
@ -653,6 +688,7 @@ class automountkey(LDAPObject):
object_name = _('automount key')
object_name_plural = _('automount keys')
object_class = ['automount']
permission_filter_objectclasses = ['automount']
default_attributes = [
'automountkey', 'automountinformation', 'description'
]
@ -679,6 +715,35 @@ class automountkey(LDAPObject):
),
)
managed_permissions = {
'System: Add Automount Keys': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Automount Administrators'},
},
'System: Modify Automount Keys': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'automountinformation', 'automountkey', 'description',
},
'replaces': [
'(targetattr = "automountkey || automountinformation || description")(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Modify Automount keys";allow (write) groupdn = "ldap:///cn=Modify Automount keys,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Automount Administrators'},
},
'System: Remove Automount Keys': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(objectclass=automount)")(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Automount Administrators'},
},
}
num_parents = 2
label = _('Automount Keys')
label_singular = _('Automount Key')
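Review bot: The `replaces` list of 'System: Add Automount Keys' (hunk starting at L5789) records two legacy ACIs that were DN-scoped — one to `automountkey=*,automountmapname=*,cn=automount,$SUFFIX`, the other to `automountmapname=*,cn=automount,$SUFFIX` — whereas the managed permission's scope is now derived from `permission_filter_objectclasses = ['automount']` (L5785) together with whatever location the permission framework assigns, and that location is not visible in this hunk. The two are presumably meant to be equivalent, but a filter-based grant covers every `objectclass=automount` entry below the permission's location regardless of subtree shape, so the equivalence is not reviewable from the definition alone. A comment above `managed_permissions` such as `# Scope is filter-based (objectclass=automount) below the automount container; the legacy ACIs in 'replaces' were DN-targeted` would make the intent explicit.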


@ -322,6 +322,7 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options):
membertype is the type of member
"""
assert isinstance(dn, DN)
# validate hostname with allowed underscore characters, non-fqdn
# hostnames are allowed
def validate_host(hostname):
@ -341,19 +342,30 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options):
raise errors.ValidationError(name=membertype, error=e)
return dn
def add_external_post_callback(memberattr, membertype, externalattr, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def add_external_post_callback(ldap, dn, entry_attrs, failed, completed,
memberattr, membertype, externalattr,
normalize=True):
"""
Post callback to add failed members as external members.
Takes the following arguments:
failed - the list of failed entries, these are candidates for possible
external entries to add
completed - the number of successfully added entries so far
memberattr - the attribute name that IPA uses for membership natively
(e.g. memberhost)
membertype - the object type of the member (e.g. host)
externalattr - the attribute name that IPA uses to store the membership
of the entries that are not managed by IPA
(e.g externalhost)
This should be called by a commands post callback directly.
memberattr is one of memberuser,
membertype is the type of member: user,
externalattr is one of externaluser,
Returns the number of completed entries so far (the number of entries
handled by IPA incremented by the number of handled external entries) and
dn.
"""
assert isinstance(dn, DN)
completed_external = 0
normalize = options.get('external_callback_normalize', True)
# Sift through the failures. We assume that these are all
# entries that aren't stored in IPA, aka external entries.
if memberattr in failed and membertype in failed[memberattr]:
@ -362,11 +374,13 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl
members = entry_attrs.get(memberattr, [])
external_entries = entry_attrs_.get(externalattr, [])
lc_external_entries = set(e.lower() for e in external_entries)
failed_entries = []
for entry in failed[memberattr][membertype]:
membername = entry[0].lower()
member_dn = api.Object[membertype].get_dn(membername)
assert isinstance(member_dn, DN)
if (membername not in lc_external_entries and
member_dn not in members):
# Not an IPA entry, assume external
@ -399,8 +413,28 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl
return (completed + completed_external, dn)
def remove_external_post_callback(memberattr, membertype, externalattr, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def remove_external_post_callback(ldap, dn, entry_attrs, failed, completed,
memberattr, membertype, externalattr):
"""
Takes the following arguments:
failed - the list of failed entries, these are candidates for possible
external entries to remove
completed - the number of successfully removed entries so far
memberattr - the attribute name that IPA uses for membership natively
(e.g. memberhost)
membertype - the object type of the member (e.g. host)
externalattr - the attribute name that IPA uses to store the membership
of the entries that are not managed by IPA
(e.g externalhost)
Returns the number of completed entries so far (the number of entries
handled by IPA incremented by the number of handled external entries) and
dn.
"""
assert isinstance(dn, DN)
# Run through the failures and gracefully remove any member defined
# as an external member.
if memberattr in failed and membertype in failed[memberattr]:
@ -409,6 +443,7 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co
external_entries = entry_attrs_.get(externalattr, [])
failed_entries = []
completed_external = 0
for entry in failed[memberattr][membertype]:
membername = entry[0].lower()
if membername in external_entries or entry[0] in external_entries:
@ -435,6 +470,7 @@ def remove_external_post_callback(memberattr, membertype, externalattr, ldap, co
return (completed + completed_external, dn)
def host_is_master(ldap, fqdn):
"""
Check to see if this host is a master.
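Review bot: The rewritten docstring of `add_external_post_callback` (L5840-5859) still carries the old fragmentary lines `memberattr is one of memberuser,` / `membertype is the type of member: user,` / `externalattr is one of externaluser,` (L5853-5855) directly after the new argument list, and the new keyword `normalize` (L5839), which replaces the removed `options.get('external_callback_normalize', True)` lookup at L5862, is not described at all. Drop the three stale lines and add an entry in the same style, e.g. `normalize - normalization of external entries; replaces the former options['external_callback_normalize'] flag`, keeping the wording cautious since the code that consumes it lies outside this hunk. `remove_external_post_callback` (L5881-5897) would also benefit from the same one-line summary that the add variant has. Both function bodies continue outside their hunks.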


@ -42,6 +42,7 @@ from ipalib import output
from ipalib.plugins.service import validate_principal
import nss.nss as nss
from nss.error import NSPRError
from pyasn1.error import PyAsn1Error
__doc__ = _("""
IPA certificate operations
@ -136,17 +137,6 @@ def validate_pkidate(ugettext, value):
return None
def get_csr_hostname(csr):
"""
Return the value of CN in the subject of the request or None
"""
try:
subject = pkcs10.get_subject(csr)
return subject.common_name #pylint: disable=E1101
except NSPRError, nsprerr:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request: %s') % nsprerr)
def validate_csr(ugettext, csr):
"""
Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
@ -290,6 +280,14 @@ class cert_request(VirtualCommand):
),
)
_allowed_extensions = {
'2.5.29.14': None, # Subject Key Identifier
'2.5.29.15': None, # Key Usage
'2.5.29.17': 'request certificate with subjectaltname',
'2.5.29.19': None, # Basic Constraints
'2.5.29.37': None, # Extended Key Usage
}
def execute(self, csr, **kw):
ldap = self.api.Backend.ldap2
principal = kw.get('principal')
@ -313,10 +311,22 @@ class cert_request(VirtualCommand):
if not bind_principal.startswith('host/'):
self.check_access()
# FIXME: add support for subject alt name
try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
except (NSPRError, PyAsn1Error), e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") % e)
if not bind_principal.startswith('host/'):
for ext in extensions:
operation = self._allowed_extensions.get(ext)
if operation:
self.check_access(operation)
# Ensure that the hostname in the CSR matches the principal
subject_host = get_csr_hostname(csr)
subject_host = subject.common_name #pylint: disable=E1101
if not subject_host:
raise errors.ValidationError(name='csr',
error=_("No hostname was found in subject of request."))
@ -328,28 +338,40 @@ class cert_request(VirtualCommand):
"does not match principal hostname '%(hostname)s'") % dict(
subject_host=subject_host, hostname=hostname))
for ext in extensions:
if ext not in self._allowed_extensions:
raise errors.ValidationError(
name='csr', error=_("extension %s is forbidden") % ext)
for name_type, name in subjectaltname:
if name_type not in (pkcs10.SAN_DNSNAME,
pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden") %
name_type)
dn = None
service = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if not principal.startswith('host/'):
service = api.Command['service_show'](principal, all=True)['result']
dn = service['dn']
if servicename != 'host':
service = api.Command['service_show'](principal, all=True)
else:
hostname = get_host_from_principal(principal)
service = api.Command['host_show'](hostname, all=True)['result']
dn = service['dn']
service = api.Command['host_show'](hostname, all=True)
except errors.NotFound, e:
if not add:
raise errors.NotFound(reason=_("The service principal for "
"this request doesn't exist."))
try:
service = api.Command['service_add'](principal, **{'force': True})['result']
dn = service['dn']
service = api.Command['service_add'](principal, force=True)
except errors.ACIError:
raise errors.ACIError(info=_('You need to be a member of '
'the serviceadmin role to add services'))
service = service['result']
dn = service['dn']
# We got this far so the service entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
@ -357,25 +379,38 @@ class cert_request(VirtualCommand):
"to the 'userCertificate' attribute of entry '%s'.") % dn)
# Validate the subject alt name, if any
subjectaltname = pkcs10.get_subjectaltname(csr)
if subjectaltname is not None:
for name in subjectaltname:
for name_type, name in subjectaltname:
if name_type == pkcs10.SAN_DNSNAME:
name = unicode(name)
try:
hostentry = api.Command['host_show'](name, all=True)['result']
hostdn = hostentry['dn']
if servicename == 'host':
altservice = api.Command['host_show'](name, all=True)
else:
altprincipal = '%s/%s@%s' % (servicename, name, realm)
altservice = api.Command['service_show'](
altprincipal, all=True)
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_('no host record for '
'subject alt name %s in certificate request') % name)
authprincipal = getattr(context, 'principal')
if authprincipal.startswith("host/"):
if not hostdn in service.get('managedby_host', []):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
raise errors.NotFound(reason=_('The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
altdn = altservice['result']['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate with "
"subject alt name '%s'.") % name)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
if name != principal:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested service principal") % name)
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") %
name_type)
if 'usercertificate' in service:
serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER)
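Review bot: `_allowed_extensions` (L5942-5948) admits Basic Constraints (2.5.29.19), Key Usage and Extended Key Usage by OID only, and the check at L5977-5980 never inspects their values, so a CSR asserting `CA:TRUE` or arbitrary key usages passes this validation layer; whether that matters depends on the CA profile overriding requested extensions, which is not visible here. If the profile is meant to be the sole authority, record that next to the dict (`# values are not inspected; the CA profile must override BC/KU/EKU`), otherwise drop 2.5.29.19 from the allowlist or reject a non-default value. Separately, the `else` branch at L6063-6066 cannot be reached because L5981-5988 already rejects every name type outside the same three constants, so one of the two checks is redundant. `execute` continues outside the hunk.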


@ -115,6 +115,7 @@ register = Registry()
PROTECTED_GROUPS = (u'admins', u'trust admins', u'default smb group')
@register()
class group(LDAPObject):
"""
@ -126,7 +127,7 @@ class group(LDAPObject):
object_class = ['ipausergroup']
object_class_config = 'ipagroupobjectclasses'
possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup']
permission_filter_objectclasses = ['ipausergroup']
permission_filter_objectclasses = ['posixgroup', 'ipausergroup']
search_attributes_config = 'ipagroupsearchfields'
default_attributes = [
'cn', 'description', 'gidnumber', 'member', 'memberof',
@ -150,6 +151,7 @@ class group(LDAPObject):
'businesscategory', 'cn', 'description', 'gidnumber',
'ipaexternalmember', 'ipauniqueid', 'mepmanagedby', 'o',
'objectclass', 'ou', 'owner', 'seealso',
'ipantsecurityidentifier'
},
},
'System: Read Group Membership': {
@ -160,6 +162,46 @@ class group(LDAPObject):
'member', 'memberof', 'memberuid', 'memberuser', 'memberhost',
},
},
'System: Add Groups': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Group Administrators'},
},
'System: Modify Group Membership': {
'ipapermright': {'write'},
'ipapermtargetfilter': [
'(objectclass=ipausergroup)',
'(!(cn=admins))',
],
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {
'Group Administrators', 'Modify Group membership'
},
},
'System: Modify Groups': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'cn', 'description', 'gidnumber', 'ipauniqueid',
'mepmanagedby', 'objectclass'
},
'replaces': [
'(targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Group Administrators'},
},
'System: Remove Groups': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Group Administrators'},
},
}
label = _('User Groups')
@ -197,6 +239,7 @@ ipaexternalmember_param = Str('ipaexternalmember*',
flags=['no_create', 'no_update', 'no_search'],
)
@register()
class group_add(LDAPCreate):
__doc__ = _('Create a new group.')
@ -232,8 +275,6 @@ class group_add(LDAPCreate):
return dn
@register()
class group_del(LDAPDelete):
__doc__ = _('Delete group.')
@ -267,7 +308,6 @@ class group_del(LDAPDelete):
return True
@register()
class group_mod(LDAPUpdate):
__doc__ = _('Modify a group.')
@ -339,7 +379,6 @@ class group_mod(LDAPUpdate):
raise exc
@register()
class group_find(LDAPSearch):
__doc__ = _('Search for groups.')
@ -409,7 +448,6 @@ class group_find(LDAPSearch):
return (filter, base_dn, scope)
@register()
class group_show(LDAPRetrieve):
__doc__ = _('Display information about a named group.')
@ -464,15 +502,18 @@ class group_add_member(LDAPAddMember):
restore = []
if 'member' in failed and 'group' in failed['member']:
restore = failed['member']['group']
failed['member']['group'] = list((id,id) for id in sids)
result = add_external_post_callback('member', 'group', 'ipaexternalmember',
ldap, completed, failed, dn, entry_attrs,
keys, options, external_callback_normalize=False)
failed['member']['group'] = list((id, id) for id in sids)
result = add_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='member',
membertype='group',
externalattr='ipaexternalmember',
normalize=False)
failed['member']['group'] += restore + failed_sids
return result
@register()
class group_remove_member(LDAPRemoveMember):
__doc__ = _('Remove members from a group.')
@ -518,15 +559,18 @@ class group_remove_member(LDAPRemoveMember):
restore = []
if 'member' in failed and 'group' in failed['member']:
restore = failed['member']['group']
failed['member']['group'] = list((id,id) for id in sids)
result = remove_external_post_callback('member', 'group', 'ipaexternalmember',
ldap, completed, failed, dn, entry_attrs,
keys, options)
failed['member']['group'] = list((id, id) for id in sids)
result = remove_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='member',
membertype='group',
externalattr='ipaexternalmember',
)
failed['member']['group'] += restore + failed_sids
return result
@register()
class group_detach(LDAPQuery):
__doc__ = _('Detach a managed group from a user.')
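Review bot: 'System: Modify Groups' (L6122-6132) grants write on `cn`, `objectclass`, `gidnumber` and `mepmanagedby` with no `ipapermtargetfilter`, so unlike 'System: Modify Group Membership' (L6109-6112, which excludes `cn=admins`) it also covers `admins` and the other `PROTECTED_GROUPS` declared at L6075, as does 'System: Remove Groups' (L6133-6139). The legacy ACIs in `replaces` had the same scope, so this is not a regression, but since the exclusion was deliberately carried over for membership it is worth stating why it was not for modification and removal, e.g. `# Not filtered on PROTECTED_GROUPS: the legacy ACI was unrestricted; group_mod/group_del enforce the protection themselves` — assuming that is where it is enforced, which this section does not show.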


@ -147,6 +147,42 @@ class hbacrule(LDAPObject):
'usercategory', 'objectclass', 'member',
},
},
'System: Add HBAC Rule': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC rule";allow (add) groupdn = "ldap:///cn=Add HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
'System: Delete HBAC Rule': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC rule";allow (delete) groupdn = "ldap:///cn=Delete HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
'System: Manage HBAC Rule Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'externalhost', 'memberhost', 'memberservice', 'memberuser'
},
'replaces': [
'(targetattr = "memberuser || externalhost || memberservice || memberhost")(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Manage HBAC rule membership";allow (write) groupdn = "ldap:///cn=Manage HBAC rule membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
'System: Modify HBAC Rule': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'accessruletype', 'accesstime', 'cn', 'description',
'hostcategory', 'ipaenabledflag', 'servicecategory',
'sourcehost', 'sourcehostcategory', 'usercategory'
},
'replaces': [
'(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target = "ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn = "ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
}
label = _('HBAC Rules')
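Review bot: The new permission names in this hunk use 'Delete' (`System: Delete HBAC Rule`, L6224) where the other objects in this commit use 'Remove' (`System: Remove Groups`, `System: Remove Hosts`, `System: Remove Netgroups`); the same applies to `System: Delete HBAC Services` in hbacsvc.py and `System: Delete HBAC Service Groups` in hbacsvcgroup.py. These names become the `cn` of LDAP permission entries, so settling the vocabulary before they ship is much cheaper than renaming afterwards. If 'Delete' is kept on purpose to mirror the legacy ACI names (`permission:Delete HBAC rule`), a one-line comment saying so would stop the next reviewer asking.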


@ -76,6 +76,20 @@ class hbacsvc(LDAPObject):
'cn', 'description', 'ipauniqueid', 'memberof', 'objectclass',
},
},
'System: Add HBAC Services': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC services";allow (add) groupdn = "ldap:///cn=Add HBAC services,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
'System: Delete HBAC Services': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=hbacservices,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC services";allow (delete) groupdn = "ldap:///cn=Delete HBAC services,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
}
label = _('HBAC Services')


@ -73,6 +73,28 @@ class hbacsvcgroup(LDAPObject):
'memberuser', 'memberhost',
},
},
'System: Add HBAC Service Groups': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Add HBAC service groups";allow (add) groupdn = "ldap:///cn=Add HBAC service groups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
'System: Delete HBAC Service Groups': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Delete HBAC service groups";allow (delete) groupdn = "ldap:///cn=Delete HBAC service groups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
'System: Manage HBAC Service Group Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=hbacservicegroups,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Manage HBAC service group membership";allow (write) groupdn = "ldap:///cn=Manage HBAC service group membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'HBAC Administrator'},
},
}
label = _('HBAC Service Groups')


@ -290,6 +290,84 @@ class host(LDAPObject):
'memberof',
},
},
'System: Add Hosts': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators'},
},
'System: Add krbPrincipalName to a Host': {
# Allow an admin to enroll a host that has a one-time password.
# When a host is created with a password no krbPrincipalName is set.
# This will let it be added if the client ends up enrolling with
# an administrator instead.
'ipapermright': {'write'},
'ipapermtargetfilter': [
'(objectclass=ipahost)',
'(!(krbprincipalname=*))',
],
'ipapermdefaultattr': {'krbprincipalname'},
'replaces': [
'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
'System: Enroll a Host': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'objectclass', 'enrolledby'},
'replaces': [
'(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
'System: Manage Host SSH Public Keys': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'ipasshpubkey'},
'replaces': [
'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators'},
},
'System: Manage Host Keytab': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
'replaces': [
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
'System: Modify Hosts': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'description', 'l', 'nshardwareplatform', 'nshostlocation',
'nsosversion', 'macaddress', 'userclass',
},
'replaces': [
'(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators'},
},
'System: Remove Hosts': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Administrators'},
},
'System: Manage Host Certificates': {
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
'ipapermdefaultattr': {'usercertificate'},
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
'System: Manage Host Enrollment Password': {
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
'ipapermdefaultattr': {'userpassword'},
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
}
label = _('Hosts')
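Review bot: 'System: Modify Hosts' (L6364-6374) is broader than the ACI it replaces: the legacy `targetattr` at L6371 lists `description || l || nshostlocation || nshardwareplatform || nsosversion`, while `ipapermdefaultattr` additionally grants `macaddress` and `userclass`. Widening on upgrade is probably intended, but it should be visible at the definition, e.g. `# macaddress and userclass were not in the legacy ACI; added so Host Administrators can manage them`. 'System: Manage Host Certificates' and 'System: Manage Host Enrollment Password' (L6382-6393) are the only entries with an explicit `ipapermbindruletype` and no `replaces`; a short comment on why they differ from the rest of the dict would help as well.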


@ -94,6 +94,36 @@ class hostgroup(LDAPObject):
'member', 'memberof', 'memberuser', 'memberhost',
},
},
'System: Add Hostgroups': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Group Administrators'},
},
'System: Modify Hostgroup Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Group Administrators'},
},
'System: Modify Hostgroups': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'cn', 'description'},
'replaces': [
'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Group Administrators'},
},
'System: Remove Hostgroups': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Host Group Administrators'},
},
}
label = _('Host Groups')


@ -652,7 +652,10 @@ class i18n_messages(Command):
"invalid_password": _("The password or username you entered is incorrect."),
"new_password": _("New Password"),
"new_password_required": _("New password is required"),
"otp": _("OTP"),
"otp_long": _("One-Time-Password"),
"password": _("Password"),
"password_and_otp": _("Password or Password+One-Time-Password"),
"password_change_complete": _("Password change complete"),
"password_must_match": _("Passwords must match"),
"reset_failure": _("Password reset was not successful."),


@ -75,6 +75,7 @@ output_params = (
),
)
@register()
class netgroup(LDAPObject):
"""
@ -115,7 +116,7 @@ class netgroup(LDAPObject):
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'description', 'hostcategory', 'ipaenabledflag',
'ipauniqueid', 'nisdomainname', 'usercategory'
'ipauniqueid', 'nisdomainname', 'usercategory', 'objectclass',
},
},
'System: Read Netgroup Membership': {
@ -124,9 +125,41 @@ class netgroup(LDAPObject):
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'externalhost', 'member', 'memberof', 'memberuser',
'memberhost',
'memberhost', 'objectclass',
},
},
'System: Add Netgroups': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Netgroups Administrators'},
},
'System: Modify Netgroup Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'externalhost', 'member', 'memberhost', 'memberuser'
},
'replaces': [
'(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Netgroups Administrators'},
},
'System: Modify Netgroups': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'description'},
'replaces': [
'(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Netgroups Administrators'},
},
'System: Remove Netgroups': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Netgroups Administrators'},
},
}
label = _('Netgroups')
@ -174,7 +207,6 @@ class netgroup(LDAPObject):
)
@register()
class netgroup_add(LDAPCreate):
__doc__ = _('Add a new netgroup.')
@ -211,7 +243,6 @@ class netgroup_add(LDAPCreate):
return dn
@register()
class netgroup_del(LDAPDelete):
__doc__ = _('Delete a netgroup.')
@ -241,7 +272,6 @@ class netgroup_mod(LDAPUpdate):
return dn
@register()
class netgroup_find(LDAPSearch):
__doc__ = _('Search for a netgroup.')
@ -279,7 +309,6 @@ class netgroup_find(LDAPSearch):
return (filter, base_dn, scope)
@register()
class netgroup_show(LDAPRetrieve):
__doc__ = _('Display information about a netgroup.')
@ -287,21 +316,26 @@ class netgroup_show(LDAPRetrieve):
has_output_params = LDAPRetrieve.has_output_params + output_params
@register()
class netgroup_add_member(LDAPAddMember):
__doc__ = _('Add members to a netgroup.')
member_attributes = ['memberuser', 'memberhost', 'member']
has_output_params = LDAPAddMember.has_output_params + output_params
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
return add_external_pre_callback('host', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return add_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
return add_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='memberhost',
membertype='host',
externalattr='externalhost')
@register()
@ -310,7 +344,13 @@ class netgroup_remove_member(LDAPRemoveMember):
member_attributes = ['memberuser', 'memberhost', 'member']
has_output_params = LDAPRemoveMember.has_output_params + output_params
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
return remove_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return remove_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='memberhost',
membertype='host',
externalattr='externalhost')
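Review bot: 'System: Modify Netgroups' (L6492-6499) grants write on `description` only, while the read permission at L6460-6463 exposes `hostcategory`, `usercategory`, `nisdomainname` and `ipaenabledflag`; a holder of this permission therefore cannot change a netgroup's categories or NIS domain, in contrast to 'System: Modify HBAC Rule' in this commit, which does cover its category attributes. The legacy ACI in `replaces` had the same single-attribute scope, so this is not a regression, but if it is deliberate a comment like `# Intentionally narrow: category/nisdomainname changes are reserved for higher privileges` would record it, and if not the attribute set should be widened.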


@ -25,9 +25,9 @@ from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, No
from ipalib.request import context
import base64
import uuid
import random
import urllib
import qrcode
import os
__doc__ = _("""
OTP Tokens
@ -182,7 +182,7 @@ class otptoken(LDAPObject):
OTPTokenKey('ipatokenotpkey?',
cli_name='key',
label=_('Key'),
default_from=lambda: "".join(random.SystemRandom().sample(map(chr, range(256)), 10)),
default_from=lambda: os.urandom(KEY_LENGTH),
autofill=True,
flags=('no_display', 'no_update', 'no_search'),
),
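Review bot: `KEY_LENGTH` is used on the new `default_from` line without a definition anywhere in this hunk, so the length and unit of the generated secret cannot be checked here; confirm it is a module-level constant and consider documenting it where it is defined, e.g. `# Default OTP secret size in bytes, passed straight to os.urandom()`. Moving from `random.SystemRandom().sample(map(chr, range(256)), 10)` to `os.urandom(KEY_LENGTH)` is the right direction, since `sample` draws without replacement and so could never repeat a byte value, which narrowed the key space of the old default. If the first hunk dropped `import random` (the lost gutter makes that side uncertain), confirm no other use of `random` remains in the module. If `KEY_LENGTH` differs from the previous 10 bytes, the module docstring describing token creation should mention the new default length.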


@ -89,6 +89,14 @@ class passwd(Command):
),
)
takes_options = (
Password('otp?',
label=_('OTP'),
doc=_('One Time Password'),
confirm=False,
),
)
has_output = output.standard_value
msg_summary = _('Changed password for "%(value)s"')
@ -121,7 +129,8 @@ class passwd(Command):
if current_password == MAGIC_VALUE:
ldap.modify_password(entry_attrs.dn, password)
else:
ldap.modify_password(entry_attrs.dn, password, current_password)
otp = options.get('otp')
ldap.modify_password(entry_attrs.dn, password, current_password, otp)
return dict(
result=True,
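Review bot: The new `otp` option is read and forwarded only on the `else` branch, so an OTP supplied on the `MAGIC_VALUE` current-password path is silently ignored; if that is intended, a comment on the `if` branch such as `# no current password supplied: OTP is not consulted on this path` would make it explicit, otherwise the option should be validated or rejected there as well. `otp` is also passed as a fourth positional argument to `ldap.modify_password`, which ties the call to an argument order not visible in this hunk; passing it by keyword would be safer if the method accepts one. The enclosing method starts outside the hunk.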


@ -205,6 +205,14 @@ class permission(baseldap.LDAPObject):
'ipapermdefaultattr': {'aci'},
'default_privileges': {'RBAC Readers'},
},
'System: Modify Privilege Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Delegation Administrator'},
},
}
label = _('Permissions')
@ -363,26 +371,17 @@ class permission(baseldap.LDAPObject):
# type
if ipapermtargetfilter and ipapermlocation:
for obj in self.api.Object():
filter_objectclasses = getattr(
obj, 'permission_filter_objectclasses', None)
if not filter_objectclasses:
filt = self.make_type_filter(obj)
if not filt:
continue
wantdn = DN(obj.container_dn, self.api.env.basedn)
if DN(ipapermlocation) != wantdn:
continue
objectclass_targetfilters = set()
for objclass in filter_objectclasses:
filter_re = '\(objectclass=%s\)' % re.escape(objclass)
for tf in ipapermtargetfilter:
if re.match(filter_re, tf, re.I):
objectclass_targetfilters.add(tf)
break
else:
break
else:
if filt in ipapermtargetfilter:
result['type'] = [unicode(obj.name)]
implicit_targetfilters |= objectclass_targetfilters
implicit_targetfilters.add(filt)
break
return result
@ -717,6 +716,17 @@ class permission(baseldap.LDAPObject):
raise ValueError('Cannot convert ACI, %r != %r' % (new_acistring,
acistring))
def make_type_filter(self, obj):
"""Make a filter for a --type based permission from an Object"""
objectclasses = getattr(obj, 'permission_filter_objectclasses', None)
if not objectclasses:
return None
filters = [u'(objectclass=%s)' % o for o in objectclasses]
if len(filters) == 1:
return filters[0]
else:
return '(|%s)' % ''.join(sorted(filters))
def preprocess_options(self, options,
return_filter_ops=False,
merge_targetfilter=False):
@ -808,15 +818,19 @@ class permission(baseldap.LDAPObject):
if 'type' in options:
objtype = options.pop('type')
filter_ops['remove'].append(re.compile(r'\(objectclass=.*\)', re.I))
filter_ops['remove'].append(re.compile(
r'\(\|(\(objectclass=[^(]*\))+\)', re.I))
if objtype:
if 'ipapermlocation' in options:
raise errors.ValidationError(
name='ipapermlocation',
error=_('subtree and type are mutually exclusive'))
obj = self.api.Object[objtype.lower()]
new_values = [u'(objectclass=%s)' % o
for o in obj.permission_filter_objectclasses]
filter_ops['add'].extend(new_values)
filt = self.make_type_filter(obj)
if not filt:
raise errors.ValidationError(
_('"%s" is not a valid permission type') % objtype)
filter_ops['add'].append(filt)
container_dn = DN(obj.container_dn, self.api.env.basedn)
options['ipapermlocation'] = container_dn
else:
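Review bot: The `ValidationError` raised when `make_type_filter` returns `None` is built with one positional argument, whereas every other `ValidationError` in this file passes `name=` and `error=` keywords (`name='ipapermlocation'` a few lines above, `name=attribute` in sudorule.py); unless the constructor accepts a positional message this will not render the intended error, so `raise errors.ValidationError(name='type', error=_('"%s" is not a valid permission type') % objtype)` would match the established form. The type-detection loop earlier in this section now tests `filt in ipapermtargetfilter` by exact string equality against the `sorted()` output of `make_type_filter`, while the old code matched each `(objectclass=...)` with `re.match(..., re.I)` and the new removal regex is still case-insensitive; a stored filter that differs only in case, whitespace or objectclass order will therefore stop being reported as `type`, which should either be accepted deliberately or normalised before comparison. The `make_type_filter` docstring would also benefit from stating that its output is the canonical form relied on by both the add path and the detection path. The enclosing method (presumably `preprocess_options`) continues outside the hunk.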


@ -75,6 +75,22 @@ class privilege(LDAPObject):
},
'default_privileges': {'RBAC Readers'},
},
'System: Add Privileges': {
'ipapermright': {'add'},
'default_privileges': {'Delegation Administrator'},
},
'System: Modify Privileges': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'businesscategory', 'cn', 'description', 'o', 'ou', 'owner',
'seealso',
},
'default_privileges': {'Delegation Administrator'},
},
'System: Remove Privileges': {
'ipapermright': {'delete'},
'default_privileges': {'Delegation Administrator'},
},
}
label = _('Privileges')
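Review bot: `System: Add Privileges` and `System: Remove Privileges` carry no `replaces` list, unlike `System: Modify Privilege Membership` in the permission.py section of this commit and the add/remove entries in role.py, so if legacy add/remove ACIs for privileges exist in deployed directories they would not be retired by the updater; the same applies to `System: Modify Sudo Command Group` in sudocmdgroup.py. If no legacy ACI ever existed for these, a one-line comment on each such entry, e.g. `# new permission, no legacy ACI to replace`, would pre-empt the question. `System: Modify Privileges` also grants write on `owner` and `seealso`, which are not obviously part of the privilege model exposed by the plugin; worth confirming they are intended rather than copied from the groupOfNames schema.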


@ -96,6 +96,28 @@ class cosentry(LDAPObject):
'Password Policy Administrator',
},
},
'System: Add Group Password Policy costemplate': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Password Policy Administrator'},
},
'System: Delete Group Password Policy costemplate': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Password Policy Administrator'},
},
'System: Modify Group Password Policy costemplate': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'cospriority'},
'replaces': [
'(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Password Policy Administrator'},
},
}
takes_params = (
@ -215,6 +237,32 @@ class pwpolicy(LDAPObject):
'Password Policy Administrator',
},
},
'System: Add Group Password Policy': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Password Policy Administrator'},
},
'System: Delete Group Password Policy': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Password Policy Administrator'},
},
'System: Modify Group Password Policy': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'krbmaxpwdlife', 'krbminpwdlife', 'krbpwdfailurecountinterval',
'krbpwdhistorylength', 'krbpwdlockoutduration',
'krbpwdmaxfailure', 'krbpwdmindiffchars', 'krbpwdminlength'
},
'replaces': [
'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX")(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Password Policy Administrator'},
},
}
MIN_KRB5KDC_WITH_LOCKOUT = "1.8"


@ -93,6 +93,36 @@ class role(LDAPObject):
},
'default_privileges': {'RBAC Readers'},
},
'System: Add Roles': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Delegation Administrator'},
},
'System: Modify Role Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Delegation Administrator'},
},
'System: Modify Roles': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'cn', 'description'},
'replaces': [
'(targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Delegation Administrator'},
},
'System: Remove Roles': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Delegation Administrator'},
},
}
label = _('Roles')


@ -163,6 +163,31 @@ class selinuxusermap(LDAPObject):
'objectclass', 'member',
},
},
'System: Add SELinux User Maps': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Add SELinux User Maps";allow (add) groupdn = "ldap:///cn=Add SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'SELinux User Map Administrators'},
},
'System: Modify SELinux User Maps': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
'cn', 'ipaenabledflag', 'ipaselinuxuser', 'memberhost',
'memberuser', 'seealso'
},
'replaces': [
'(targetattr = "cn || memberuser || memberhost || seealso || ipaselinuxuser || ipaenabledflag")(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Modify SELinux User Maps";allow (write) groupdn = "ldap:///cn=Modify SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'SELinux User Map Administrators'},
},
'System: Remove SELinux User Maps': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///ipauniqueid=*,cn=usermap,cn=selinux,$SUFFIX")(version 3.0;acl "permission:Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=Remove SELinux User Maps,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'SELinux User Map Administrators'},
},
}
# These maps will not show as members of other entries


@ -330,6 +330,36 @@ class service(LDAPObject):
'krbobjectreferences',
},
},
'System: Add Services': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Service Administrators'},
},
'System: Manage Service Keytab': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
'replaces': [
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Service Administrators'},
},
'System: Modify Services': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'usercertificate'},
'replaces': [
'(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Service Administrators'},
},
'System: Remove Services': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Service Administrators'},
},
}
label = _('Services')
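Review bot: `System: Manage Service Keytab` grants write on `krbprincipalkey` and `krblastpwdchange` to `Service Administrators`, and nothing in the entry records that write access to `krbprincipalkey` amounts to replacing the service's long-term Kerberos key, i.e. keytab (re)generation rather than ordinary attribute editing. A comment on the entry such as `# write on krbprincipalkey lets the holder reset the service keytab` would let later reviewers of the default privilege set see the weight of this grant. It mirrors the legacy ACI listed under `replaces`, so this is not a widening; the point is documentation only.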


@ -78,6 +78,31 @@ class sudocmd(LDAPObject):
'sudocmd',
},
},
'System: Add Sudo Command': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Sudo Administrator'},
},
'System: Delete Sudo Command': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Sudo Administrator'},
},
'System: Modify Sudo Command': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'description'},
'replaces': [
'(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)',
'(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Sudo Administrator'},
},
}
label = _('Sudo Commands')


@ -78,6 +78,33 @@ class sudocmdgroup(LDAPObject):
'memberuser', 'memberhost',
},
},
'System: Add Sudo Command Group': {
'ipapermright': {'add'},
'replaces': [
'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command group";allow (add) groupdn = "ldap:///cn=Add Sudo command group,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Sudo Administrator'},
},
'System: Delete Sudo Command Group': {
'ipapermright': {'delete'},
'replaces': [
'(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command group";allow (delete) groupdn = "ldap:///cn=Delete Sudo command group,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Sudo Administrator'},
},
'System: Modify Sudo Command Group': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'description'},
'default_privileges': {'Sudo Administrator'},
},
'System: Manage Sudo Command Group Membership': {
'ipapermright': {'write'},
'ipapermdefaultattr': {'member'},
'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=sudocmdgroups,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Manage Sudo command group membership";allow (write) groupdn = "ldap:///cn=Manage Sudo command group membership,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {'Sudo Administrator'},
},
}
label = _('Sudo Command Groups')


@ -1,7 +1,7 @@
# Authors:
# Jr Aquino <jr.aquino@citrixonline.com>
#
# Copyright (C) 2010 Red Hat
# Copyright (C) 2010-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@ -17,12 +17,23 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import netaddr
from ipalib import api, errors
from ipalib import Str, StrEnum, Bool
from ipalib import Str, StrEnum, Bool, Int
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import *
from ipalib.plugins.baseldap import (LDAPObject, LDAPCreate, LDAPDelete,
LDAPUpdate, LDAPSearch, LDAPRetrieve,
LDAPQuery, LDAPAddMember, LDAPRemoveMember,
add_external_pre_callback,
add_external_post_callback,
remove_external_post_callback,
output, entry_to_dict, pkey_to_value,
external_host_param)
from ipalib.plugins.hbacrule import is_all
from ipalib import _, ngettext
from ipalib.util import validate_hostmask
from ipapython.dn import DN
__doc__ = _("""
Sudo Rules
@ -79,18 +90,31 @@ register = Registry()
topic = ('sudo', _('Commands for controlling sudo configuration'))
def deprecated(attribute):
raise errors.ValidationError(name=attribute, error=_('this option has been deprecated.'))
raise errors.ValidationError(
name=attribute,
error=_('this option has been deprecated.'))
hostmask_membership_param = Str('hostmask?', validate_hostmask,
label=_('host masks of allowed hosts'),
flags=['no_create', 'no_update', 'no_search'],
multivalue=True,
)
def validate_externaluser(ugettext, value):
deprecated('externaluser')
def validate_runasextuser(ugettext, value):
deprecated('runasexternaluser')
def validate_runasextgroup(ugettext, value):
deprecated('runasexternalgroup')
@register()
class sudorule(LDAPObject):
"""
@ -108,7 +132,8 @@ class sudorule(LDAPObject):
'memberallowcmd', 'memberdenycmd', 'ipasudoopt',
'ipasudorunas', 'ipasudorunasgroup',
'ipasudorunasusercategory', 'ipasudorunasgroupcategory',
'sudoorder',
'sudoorder', 'hostmask', 'externalhost', 'ipasudorunasextusergroup',
'ipasudorunasextgroup', 'ipasudorunasextuser'
]
uuid_attribute = 'ipauniqueid'
rdn_attribute = 'ipauniqueid'
@ -129,7 +154,8 @@ class sudorule(LDAPObject):
'cmdcategory', 'cn', 'description', 'externalhost',
'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
'ipasudorunasextuser', 'ipasudorunasgroup',
'ipasudorunasextuser', 'ipasudorunasextusergroup',
'ipasudorunasgroup',
'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
@ -169,6 +195,7 @@ class sudorule(LDAPObject):
'description', 'ipaenabledflag', 'usercategory',
'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
'ipasudorunasgroupcategory', 'externaluser',
'ipasudorunasextusergroup',
'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
'memberallowcmd', 'memberuser', 'memberhost', 'externalhost',
'sudonotafter', 'hostmask', 'sudoorder', 'sudonotbefore',
@ -244,6 +271,11 @@ class sudorule(LDAPObject):
label=_('User Groups'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('externaluser?', validate_externaluser,
cli_name='externaluser',
label=_('External User'),
doc=_('External User the rule applies to (sudorule-find only)'),
),
Str('memberhost_host?',
label=_('Hosts'),
flags=['no_create', 'no_update', 'no_search'],
@ -252,6 +284,13 @@ class sudorule(LDAPObject):
label=_('Host Groups'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('hostmask', validate_hostmask,
normalizer=lambda x: unicode(netaddr.IPNetwork(x).cidr),
label=_('Host Masks'),
flags=['no_create', 'no_update', 'no_search'],
multivalue=True,
),
external_host_param,
Str('memberallowcmd_sudocmd?',
label=_('Sudo Allow Commands'),
flags=['no_create', 'no_update', 'no_search'],
@ -278,16 +317,22 @@ class sudorule(LDAPObject):
doc=_('Run as any user within a specified group'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('externaluser?', validate_externaluser,
cli_name='externaluser',
label=_('External User'),
doc=_('External User the rule applies to (sudorule-find only)'),
),
Str('ipasudorunasextuser?', validate_runasextuser,
cli_name='runasexternaluser',
label=_('RunAs External User'),
doc=_('External User the commands can run as (sudorule-find only)'),
),
Str('ipasudorunasextusergroup?',
cli_name='runasexternalusergroup',
label=_('External Groups of RunAs Users'),
doc=_('External Groups of users that the command can run as'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('ipasudorunasgroup_group?',
label=_('RunAs Groups'),
doc=_('Run with the gid of a specified POSIX group'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('ipasudorunasextgroup?', validate_runasextgroup,
cli_name='runasexternalgroup',
label=_('RunAs External Group'),
@ -297,12 +342,6 @@ class sudorule(LDAPObject):
label=_('Sudo Option'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('ipasudorunasgroup_group?',
label=_('RunAs Groups'),
doc=_('Run with the gid of a specified POSIX group'),
flags=['no_create', 'no_update', 'no_search'],
),
external_host_param,
)
order_not_unique_msg = _(
@ -310,10 +349,11 @@ class sudorule(LDAPObject):
)
def check_order_uniqueness(self, *keys, **options):
if 'sudoorder' in options:
if options.get('sudoorder') is not None:
entries = self.methods.find(
sudoorder=options['sudoorder']
)['result']
if len(entries) > 0:
rule_name = entries[0]['cn'][0]
raise errors.ValidationError(
@ -325,7 +365,6 @@ class sudorule(LDAPObject):
)
@register()
class sudorule_add(LDAPCreate):
__doc__ = _('Create new Sudo Rule.')
@ -340,7 +379,6 @@ class sudorule_add(LDAPCreate):
msg_summary = _('Added Sudo Rule "%(value)s"')
@register()
class sudorule_del(LDAPDelete):
__doc__ = _('Delete Sudo Rule.')
@ -348,14 +386,15 @@ class sudorule_del(LDAPDelete):
msg_summary = _('Deleted Sudo Rule "%(value)s"')
@register()
class sudorule_mod(LDAPUpdate):
__doc__ = _('Modify Sudo Rule.')
msg_summary = _('Modified Sudo Rule "%(value)s"')
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
if 'sudoorder' in options:
new_order = options.get('sudoorder')
old_entry = self.api.Command.sudorule_show(keys[-1])['result']
@ -365,27 +404,55 @@ class sudorule_mod(LDAPUpdate):
self.obj.check_order_uniqueness(*keys, **options)
else:
self.obj.check_order_uniqueness(*keys, **options)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users"))
if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts"))
if is_all(options, 'cmdcategory') and ('memberallowcmd' or
'memberdenywcmd') in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("command category cannot be set to 'all' while there are allow or deny commands"))
if is_all(options, 'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("user runAs category cannot be set to 'all' while there are users"))
if is_all(options, 'ipasudorunasgroupcategory') and 'ipasudorunasgroup' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("group runAs category cannot be set to 'all' while there are groups"))
error = _("%(type)s category cannot be set to 'all' "
"while there are allowed %(objects)s")
category_info = [(
'usercategory',
['memberuser', 'externaluser'],
error % {'type': _('user'), 'objects': _('users')}
),
(
'hostcategory',
['memberhost', 'externalhost', 'hostmask'],
error % {'type': _('host'), 'objects': _('hosts')}
),
(
'cmdcategory',
['memberallowcmd'],
error % {'type': _('command'), 'objects': _('commands')}
),
(
'ipasudorunasusercategory',
['ipasudorunas', 'ipasudorunasextuser',
'ipasudorunasextusergroup'],
error % {'type': _('runAs user'), 'objects': _('runAs users')}
),
(
'ipasudorunasgroupcategory',
['ipasudorunasgroup', 'ipasudorunasextgroup'],
error % {'type': _('group runAs'), 'objects': _('runAs groups')}
),
]
# Enforce the checks for all the categories
for category, member_attrs, error in category_info:
any_member_attrs_set = any(attr in _entry_attrs
for attr in member_attrs)
if is_all(options, category) and any_member_attrs_set:
raise errors.MutuallyExclusiveError(reason=error)
return dn
@register()
class sudorule_find(LDAPSearch):
__doc__ = _('Search for Sudo Rule.')
@ -395,13 +462,11 @@ class sudorule_find(LDAPSearch):
)
@register()
class sudorule_show(LDAPRetrieve):
__doc__ = _('Display Sudo Rule.')
@register()
class sudorule_enable(LDAPQuery):
__doc__ = _('Enable a Sudo Rule.')
@ -428,7 +493,6 @@ class sudorule_enable(LDAPQuery):
textui.print_dashed(_('Enabled Sudo Rule "%s"') % cn)
@register()
class sudorule_disable(LDAPQuery):
__doc__ = _('Disable a Sudo Rule.')
@ -455,7 +519,6 @@ class sudorule_disable(LDAPQuery):
textui.print_dashed(_('Disabled Sudo Rule "%s"') % cn)
@register()
class sudorule_add_allow_command(LDAPAddMember):
__doc__ = _('Add commands and sudo command groups affected by Sudo Rule.')
@ -465,17 +528,20 @@ class sudorule_add_allow_command(LDAPAddMember):
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'cmdcategory'):
raise errors.MutuallyExclusiveError(reason=_("commands cannot be added when command category='all'"))
raise errors.MutuallyExclusiveError(
reason=_("commands cannot be added when command "
"category='all'"))
return dn
@register()
class sudorule_remove_allow_command(LDAPRemoveMember):
__doc__ = _('Remove commands and sudo command groups affected by Sudo Rule.')
@ -484,7 +550,6 @@ class sudorule_remove_allow_command(LDAPRemoveMember):
member_count_out = ('%i object removed.', '%i objects removed.')
@register()
class sudorule_add_deny_command(LDAPAddMember):
__doc__ = _('Add commands and sudo command groups affected by Sudo Rule.')
@ -494,16 +559,9 @@ class sudorule_add_deny_command(LDAPAddMember):
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'cmdcategory'):
raise errors.MutuallyExclusiveError(reason=_("commands cannot be added when command category='all'"))
return dn
@register()
class sudorule_remove_deny_command(LDAPRemoveMember):
__doc__ = _('Remove commands and sudo command groups affected by Sudo Rule.')
@ -512,7 +570,6 @@ class sudorule_remove_deny_command(LDAPRemoveMember):
member_count_out = ('%i object removed.', '%i objects removed.')
@register()
class sudorule_add_user(LDAPAddMember):
__doc__ = _('Add users and groups affected by Sudo Rule.')
@ -522,18 +579,27 @@ class sudorule_add_user(LDAPAddMember):
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'usercategory'):
raise errors.MutuallyExclusiveError(reason=_("users cannot be added when user category='all'"))
raise errors.MutuallyExclusiveError(
reason=_("users cannot be added when user category='all'"))
return add_external_pre_callback('user', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return add_external_post_callback('memberuser', 'user', 'externaluser', ldap, completed, failed, dn, entry_attrs, keys, options)
return add_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='memberuser',
membertype='user',
externalattr='externaluser')
@register()
@ -543,10 +609,15 @@ class sudorule_remove_user(LDAPRemoveMember):
member_attributes = ['memberuser']
member_count_out = ('%i object removed.', '%i objects removed.')
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return remove_external_post_callback('memberuser', 'user', 'externaluser', ldap, completed, failed, dn, entry_attrs, keys, options)
return remove_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='memberuser',
membertype='user',
externalattr='externaluser')
@register()
@ -556,20 +627,54 @@ class sudorule_add_host(LDAPAddMember):
member_attributes = ['memberhost']
member_count_out = ('%i object added.', '%i objects added.')
def get_options(self):
for option in super(sudorule_add_host, self).get_options():
yield option
yield hostmask_membership_param
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'hostcategory'):
raise errors.MutuallyExclusiveError(reason=_("hosts cannot be added when host category='all'"))
raise errors.MutuallyExclusiveError(
reason=_("hosts cannot be added when host category='all'"))
return add_external_pre_callback('host', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return add_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if 'hostmask' in options:
norm = lambda x: unicode(netaddr.IPNetwork(x).cidr)
old_masks = set(map(norm, _entry_attrs.get('hostmask', [])))
new_masks = set(map(norm, options['hostmask']))
num_added = len(new_masks - old_masks)
if num_added:
entry_attrs['hostmask'] = list(old_masks | new_masks)
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
pass
completed = completed + num_added
return add_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='memberhost',
membertype='host',
externalattr='externalhost')
@register()
@ -579,9 +684,42 @@ class sudorule_remove_host(LDAPRemoveMember):
member_attributes = ['memberhost']
member_count_out = ('%i object removed.', '%i objects removed.')
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def get_options(self):
for option in super(sudorule_remove_host, self).get_options():
yield option
yield hostmask_membership_param
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return remove_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if 'hostmask' in options:
norm = lambda x: unicode(netaddr.IPNetwork(x).cidr)
old_masks = set(map(norm, _entry_attrs.get('hostmask', [])))
removed_masks = set(map(norm, options['hostmask']))
num_added = len(removed_masks & old_masks)
if num_added:
entry_attrs['hostmask'] = list(old_masks - removed_masks)
try:
ldap.update_entry(entry_attrs)
except errors.EmptyModlist:
pass
completed = completed + num_added
return remove_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='memberhost',
membertype='host',
externalattr='externalhost')
@register()
@ -593,6 +731,7 @@ class sudorule_add_runasuser(LDAPAddMember):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
def check_validity(runas):
v = unicode(runas)
if v.upper() == u'ALL':
@ -603,29 +742,61 @@ class sudorule_add_runasuser(LDAPAddMember):
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'ipasudorunasusercategory') or \
is_all(_entry_attrs, 'ipasudorunasgroupcategory'):
raise errors.MutuallyExclusiveError(reason=_("users cannot be added when runAs user or runAs group category='all'"))
if any((is_all(_entry_attrs, 'ipasudorunasusercategory'),
is_all(_entry_attrs, 'ipasudorunasgroupcategory'))):
raise errors.MutuallyExclusiveError(
reason=_("users cannot be added when runAs user or runAs "
"group category='all'"))
if 'user' in options:
for name in options['user']:
if not check_validity(name):
raise errors.ValidationError(name='runas-user',
error=unicode(_("RunAsUser does not accept '%(name)s' as a user name")) %
dict(name=name))
error=unicode(_("RunAsUser does not accept "
"'%(name)s' as a user name")) %
dict(name=name))
if 'group' in options:
for name in options['group']:
if not check_validity(name):
raise errors.ValidationError(name='runas-user',
error=unicode(_("RunAsUser does not accept '%(name)s' as a group name")) %
dict(name=name))
error=unicode(_("RunAsUser does not accept "
"'%(name)s' as a group name")) %
dict(name=name))
return add_external_pre_callback('user', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return add_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options)
# Since external_post_callback returns the total number of completed
# entries yet (that is, any external users it added plus the value of
# passed variable 'completed', we need to pass 0 as completed,
# so that the entries added by the framework are not counted twice
# (once in each call of add_external_post_callback)
(completed_ex_users, dn) = add_external_post_callback(ldap, dn,
entry_attrs,
failed=failed,
completed=0,
memberattr='ipasudorunas',
membertype='user',
externalattr='ipasudorunasextuser',
)
(completed_ex_groups, dn) = add_external_post_callback(ldap, dn,
entry_attrs=entry_attrs,
failed=failed,
completed=0,
memberattr='ipasudorunas',
membertype='user',
externalattr='ipasudorunasextuser',
)
return (completed + completed_ex_users + completed_ex_groups, dn)
@register()
@ -635,10 +806,35 @@ class sudorule_remove_runasuser(LDAPRemoveMember):
member_attributes = ['ipasudorunas']
member_count_out = ('%i object removed.', '%i objects removed.')
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return remove_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options)
# Since external_post_callback returns the total number of completed
# entries yet (that is, any external users it added plus the value of
# passed variable 'completed', we need to pass 0 as completed,
# so that the entries added by the framework are not counted twice
# (once in each call of remove_external_post_callback)
(completed_ex_users, dn) = remove_external_post_callback(ldap, dn,
entry_attrs=entry_attrs,
failed=failed,
completed=0,
memberattr='ipasudorunas',
membertype='user',
externalattr='ipasudorunasextuser',
)
(completed_ex_groups, dn) = remove_external_post_callback(ldap, dn,
entry_attrs=entry_attrs,
failed=failed,
completed=0,
memberattr='ipasudorunas',
membertype='group',
externalattr='ipasudorunasextusergroup',
)
return (completed + completed_ex_users + completed_ex_groups, dn)
@register()
@ -650,6 +846,7 @@ class sudorule_add_runasgroup(LDAPAddMember):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
def check_validity(runas):
v = unicode(runas)
if v.upper() == u'ALL':
@ -662,21 +859,30 @@ class sudorule_add_runasgroup(LDAPAddMember):
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'ipasudorunasusercategory') or \
is_all(_entry_attrs, 'ipasudorunasgroupcategory'):
raise errors.MutuallyExclusiveError(reason=_("users cannot be added when runAs user or runAs group category='all'"))
raise errors.MutuallyExclusiveError(
reason=_("users cannot be added when runAs user or runAs "
"group category='all'"))
if 'group' in options:
for name in options['group']:
if not check_validity(name):
raise errors.ValidationError(name='runas-group',
error=unicode(_("RunAsGroup does not accept '%(name)s' as a group name")) %
dict(name=name))
error=unicode(_("RunAsGroup does not accept "
"'%(name)s' as a group name")) %
dict(name=name))
return add_external_pre_callback('group', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return add_external_post_callback('ipasudorunasgroup', 'group', 'ipasudorunasextgroup', ldap, completed, failed, dn, entry_attrs, keys, options)
return add_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='ipasudorunasgroup',
membertype='group',
externalattr='ipasudorunasextgroup',
)
@register()
@ -686,10 +892,16 @@ class sudorule_remove_runasgroup(LDAPRemoveMember):
member_attributes = ['ipasudorunasgroup']
member_count_out = ('%i object removed.', '%i objects removed.')
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
def post_callback(self, ldap, completed, failed, dn, entry_attrs,
*keys, **options):
assert isinstance(dn, DN)
return remove_external_post_callback('ipasudorunasgroup', 'group', 'ipasudorunasextgroup', ldap, completed, failed, dn, entry_attrs, keys, options)
return remove_external_post_callback(ldap, dn, entry_attrs,
failed=failed,
completed=completed,
memberattr='ipasudorunasgroup',
membertype='group',
externalattr='ipasudorunasextgroup',
)
@register()
@ -737,12 +949,12 @@ class sudorule_add_option(LDAPQuery):
return dict(result=entry_attrs, value=pkey_to_value(cn, options))
def output_for_cli(self, textui, result, cn, **options):
textui.print_dashed(_('Added option "%(option)s" to Sudo Rule "%(rule)s"') % \
dict(option=options['ipasudoopt'], rule=cn))
super(sudorule_add_option, self).output_for_cli(textui, result, cn, **options)
textui.print_dashed(
_('Added option "%(option)s" to Sudo Rule "%(rule)s"')
% dict(option=options['ipasudoopt'], rule=cn))
super(sudorule_add_option, self).output_for_cli(textui, result, cn,
**options)
@register()
@ -764,7 +976,9 @@ class sudorule_remove_option(LDAPQuery):
if not options['ipasudoopt'].strip():
raise errors.EmptyModlist()
entry_attrs = ldap.get_entry(dn, ['ipasudoopt'])
try:
if options['ipasudoopt'] in entry_attrs['ipasudoopt']:
entry_attrs.setdefault('ipasudoopt', []).remove(
@ -775,7 +989,7 @@ class sudorule_remove_option(LDAPQuery):
attr='ipasudoopt',
value=options['ipasudoopt']
)
except ValueError, e:
except ValueError:
pass
except KeyError:
raise errors.AttrValueNotFound(
@ -793,7 +1007,9 @@ class sudorule_remove_option(LDAPQuery):
return dict(result=entry_attrs, value=pkey_to_value(cn, options))
def output_for_cli(self, textui, result, cn, **options):
textui.print_dashed(_('Removed option "%(option)s" from Sudo Rule "%(rule)s"') % \
dict(option=options['ipasudoopt'], rule=cn))
super(sudorule_remove_option, self).output_for_cli(textui, result, cn, **options)
textui.print_dashed(
_('Removed option "%(option)s" from Sudo Rule "%(rule)s"')
% dict(option=options['ipasudoopt'], rule=cn))
super(sudorule_remove_option, self).output_for_cli(textui, result, cn,
**options)


@ -326,9 +326,21 @@ class trust(LDAPObject):
'ipapermdefaultattr': {
'cn', 'objectclass',
'ipantflatname', 'ipantsecurityidentifier',
'ipanttrusteddomainsid',
'ipanttrusteddomainsid', 'ipanttrustpartner',
'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'
},
},
'System: Read system trust accounts': {
'non_object': True,
'ipapermlocation': DN(container_dn, api.env.basedn),
'replaces_global_anonymous_aci': True,
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'uidnumber', 'gidnumber', 'krbprincipalname'
},
'default_privileges': {'ADTrust Agents'},
},
}
label = _('Trusts')
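Review bot: The new 'System: Read system trust accounts' permission carries no 'ipapermtargetfilter', so as written it appears to grant read/search/compare of uidnumber, gidnumber and krbprincipalname on every entry under the trusts container rather than only on the trust account entries; unless the permission framework supplies a default filter for 'non_object' permissions, an `'ipapermtargetfilter'` keyed on the account entries' objectclass would narrow it to what 'ADTrust Agents' actually need. Since 'replaces_global_anonymous_aci' is set, this entry also changes who may read those attributes, and a short comment would help future readers, e.g. `# Trust agents need the trust accounts' POSIX ids and principal names; previously readable via the global anonymous ACI`.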


@ -266,7 +266,8 @@ class user(LDAPObject):
'ipapermdefaultattr': {
'objectclass', 'cn', 'sn', 'description', 'title', 'uid',
'displayname', 'givenname', 'initials', 'manager', 'gecos',
'gidnumber', 'homedirectory', 'loginshell', 'uidnumber'
'gidnumber', 'homedirectory', 'loginshell', 'uidnumber',
'ipantsecurityidentifier'
},
},
'System: Read User Addressbook Attributes': {


@ -32,6 +32,7 @@ from types import NoneType
from weakref import WeakKeyDictionary
from dns import resolver, rdatatype
from dns.exception import DNSException
from netaddr.core import AddrFormatError
from ipalib import errors
from ipalib.text import _
@ -544,3 +545,9 @@ def validate_rdn_param(ugettext, value):
except Exception, e:
return str(e)
return None
def validate_hostmask(ugettext, hostmask):
try:
netaddr.IPNetwork(hostmask)
except (ValueError, AddrFormatError):
return _('invalid hostmask')
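Review bot: validate_hostmask calls `netaddr.IPNetwork(hostmask)`, but the import hunk above adds only `from netaddr.core import AddrFormatError`; unless the module already has a bare `import netaddr` elsewhere, the call raises NameError at validation time instead of returning the error string, which would turn a bad `--hostmask` value into a server traceback rather than a validation message. Either add `import netaddr` alongside the new import or import the class directly with `from netaddr import IPNetwork` and call `IPNetwork(hostmask)`. The function also lacks a docstring; a one-liner such as `"""Return an error message if hostmask is not a valid IP network, else None."""` would match the sibling validators in this module, which return a string on failure and None on success.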


@ -1,102 +0,0 @@
# Authors:
# Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2011-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
class AuthConfig(object):
"""
AuthConfig class implements system-independent interface to configure
system authentication resources. In Red Hat systems this is done with
authconfig(8) utility.
AuthConfig class is nothing more than a tool to gather configuration
options and execute their processing. These options then converted by
an actual implementation to series of a system calls to appropriate
utilities performing real configuration.
IPA *expects* names of AuthConfig's options to follow authconfig(8)
naming scheme!
Actual implementation should be done in ipapython/platform/<platform>.py
by inheriting from platform.AuthConfig and redefining build_args()
and execute() methods.
from ipapython.platform import platform
class PlatformAuthConfig(platform.AuthConfig):
def build_args():
...
def execute():
...
authconfig = PlatformAuthConfig
....
See ipapython/platform/redhat.py for a sample implementation that uses
authconfig(8) as its backend.
From IPA code perspective, the authentication configuration should be
done with use of ipapython.services.authconfig:
from ipapython import services as ipaservices
auth_config = ipaservices.authconfig()
auth_config.disable("ldap")
auth_config.disable("krb5")
auth_config.disable("sssd")
auth_config.disable("sssdauth")
auth_config.disable("mkhomedir")
auth_config.add_option("update")
auth_config.enable("nis")
auth_config.add_parameter("nisdomain","foobar")
auth_config.execute()
If you need to re-use existing AuthConfig instance for multiple runs,
make sure to call 'AuthConfig.reset()' between the runs.
"""
def __init__(self):
self.parameters = {}
def enable(self, option):
self.parameters[option] = True
return self
def disable(self, option):
self.parameters[option] = False
return self
def add_option(self, option):
self.parameters[option] = None
return self
def add_parameter(self, option, value):
self.parameters[option] = [value]
return self
def build_args(self):
# do nothing
return None
def execute(self):
# do nothing
return None
def reset(self):
self.parameters = {}
return self


@ -21,6 +21,7 @@
This base platform module exports default filesystem paths.
'''
class BasePathNamespace(object):
BASH = "/bin/bash"
BIN_FALSE = "/bin/false"
@ -34,6 +35,7 @@ class BasePathNamespace(object):
BIN_TRUE = "/bin/true"
DEV_NULL = "/dev/null"
DEV_STDIN = "/dev/stdin"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_DIRSRV = "/etc/dirsrv"
DS_KEYTAB = "/etc/dirsrv/ds.keytab"
ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
@ -44,6 +46,7 @@ class BasePathNamespace(object):
HOSTS = "/etc/hosts"
ETC_HTTPD_DIR = "/etc/httpd"
HTTPD_ALIAS_DIR = "/etc/httpd/alias"
ALIAS_CACERT_ASC = "/etc/httpd/alias/cacert.asc"
ALIAS_PWDFILE_TXT = "/etc/httpd/alias/pwdfile.txt"
HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf"
@ -53,19 +56,28 @@ class BasePathNamespace(object):
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
IDMAPD_CONF = "/etc/idmapd.conf"
ETC_IPA = "/etc/ipa"
CONNCHECK_CCACHE = "/etc/ipa/.conncheck_ccache"
IPA_DNS_CCACHE = "/etc/ipa/.dns_ccache"
IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
IPA_CA_CRT = "/etc/ipa/ca.crt"
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_SMARTPROXY_CONF = "/etc/ipa/ipa-smartproxy.conf"
KRB5_CONF = "/etc/krb5.conf"
KRB5_KEYTAB = "/etc/krb5.keytab"
LDAP_CONF = "/etc/ldap.conf"
LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
NAMED_CONF = "/etc/named.conf"
NAMED_KEYTAB = "/etc/named.keytab"
NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
NSSWITCH_CONF = "/etc/nsswitch.conf"
NTP_CONF = "/etc/ntp.conf"
NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
PAM_LDAP_CONF = "/etc/pam_ldap.conf"
PASSWD = "/etc/passwd"
ETC_PKI_CA_DIR = "/etc/pki-ca"
SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
@ -84,14 +96,19 @@ class BasePathNamespace(object):
SSH_CONFIG = "/etc/ssh/ssh_config"
SSHD_CONFIG = "/etc/ssh/sshd_config"
SSSD_CONF = "/etc/sssd/sssd.conf"
SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s"
SYSCONFIG_DIRSRV_PKI_IPA_DIR = "/etc/sysconfig/dirsrv-PKI-IPA"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
SYSCONFIG_KRB5KDC_DIR = "/etc/sysconfig/krb5kdc"
SYSCONFIG_NETWORK = "/etc/sysconfig/network"
SYSCONFIG_NETWORK_IPABKP = "/etc/sysconfig/network.ipabkp"
SYSCONFIG_NFS = "/etc/sysconfig/nfs"
SYSCONFIG_NTPD = "/etc/sysconfig/ntpd"
SYSCONFIG_PKI = "/etc/sysconfig/pki"
SYSCONFIG_PKI_CA_DIR = "/etc/sysconfig/pki-ca"
@ -104,12 +121,16 @@ class BasePathNamespace(object):
SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
HOME_DIR = "/home"
ROOT_IPA_CACHE = "/root/.ipa_cache"
ROOT_PKI = "/root/.pki"
CA_AGENT_P12 = "/root/ca-agent.p12"
CACERT_P12 = "/root/cacert.p12"
ROOT_IPA_CSR = "/root/ipa.csr"
ROOT_TMP_CA_P12 = "/root/tmp-ca.p12"
NAMED_PID = "/run/named/named.pid"
IP = "/sbin/ip"
NOLOGIN = "/sbin/nologin"
SBIN_REBOOT = "/sbin/reboot"
SBIN_RESTORECON = "/sbin/restorecon"
SBIN_SERVICE = "/sbin/service"
TMP = "/tmp"
@ -128,36 +149,48 @@ class BasePathNamespace(object):
IPA_GETCERT = "/usr/bin/ipa-getcert"
KDESTROY = "/usr/bin/kdestroy"
KINIT = "/usr/bin/kinit"
BIN_KVNO = "/usr/bin/kvno"
LDAPMODIFY = "/usr/bin/ldapmodify"
LDAPPASSWD = "/usr/bin/ldappasswd"
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
OPENSSL = "/usr/bin/openssl"
PERL = "/usr/bin/perl"
PK12UTIL = "/usr/bin/pk12util"
PKI_SETUP_PROXY = "/usr/bin/pki-setup-proxy"
PKICREATE = "/usr/bin/pkicreate"
PKIREMOVE = "/usr/bin/pkiremove"
PKISILENT = "/usr/bin/pkisilent"
SETPASSWD = "/usr/bin/setpasswd"
SIGNTOOL = "/usr/bin/signtool"
SSLGET = "/usr/bin/sslget"
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
BIN_WGET = "/usr/bin/wget"
ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
USR_LIB_SLAPD_PKI_IPA_DIR = "/usr/lib/dirsrv/slapd-PKI-IPA"
LIB_FIREFOX = "/usr/lib/firefox"
LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
USR_LIB_DIRSRV_SLAPD_INSTANCE_DIR_TEMPLATE = "/usr/lib64/dirsrv/slapd-%s"
LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
SLAPD_PKI_IPA = "/usr/lib64/dirsrv/slapd-PKI-IPA"
LIB64_FIREFOX = "/usr/lib64/firefox"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
HTTPD = "/usr/sbin/httpd"
IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
SBIN_IPA_JOIN = "/usr/sbin/ipa-join"
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
NTPD = "/usr/sbin/ntpd"
PKIDESTROY = "/usr/sbin/pkidestroy"
PKISPAWN = "/usr/sbin/pkispawn"
@ -178,11 +211,14 @@ class BasePathNamespace(object):
HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
PREFERENCES_HTML = "/usr/share/ipa/html/preferences.html"
NIS_ULDIF = "/usr/share/ipa/nis.uldif"
IPA_PLUGINS = "/usr/share/ipa/plugins"
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
PKI_CONF_SERVER_XML = "/usr/share/pki/ca/conf/server.xml"
CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5."
CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem"
KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf"
@ -191,6 +227,7 @@ class BasePathNamespace(object):
AUTHCONFIG_LAST = "/var/lib/authconfig/last"
VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger"
CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/"
CERTMONGER_CAS_CA_RENEWAL = "/var/lib/certmonger/cas/ca_renewal"
CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
VAR_LIB_DIRSRV = "/var/lib/dirsrv"
DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
@ -202,7 +239,9 @@ class BasePathNamespace(object):
VAR_LIB_SLAPD_PKI_IPA_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-PKI-IPA"
VAR_LIB_IPA = "/var/lib/ipa"
IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
IPA_BACKUP_DIR = "/var/lib/ipa/backup"
IPA_CA_CSR = "/var/lib/ipa/ca.csr"
PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
@ -216,7 +255,8 @@ class BasePathNamespace(object):
SAMBA_DIR = "/var/lib/samba/"
SSSD_MC_GROUP = "/var/lib/sss/mc/group"
SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
SSS_KRB5_INCLUDE_D = "/var/lib/sss/pubconf/krb5.include.d"
SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
SLAPD_INSTANCE_LOCK_TEMPLATE = "/var/lock/dirsrv/slapd-%s"
VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
@ -227,6 +267,7 @@ class BasePathNamespace(object):
IPABACKUP_LOG = "/var/log/ipabackup.log"
IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log"
IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
IPARESTORE_LOG = "/var/log/iparestore.log"


@ -26,44 +26,110 @@ from ipaplatform.paths import paths
class BaseTaskNamespace(object):
# restore context default implementation that does nothing
def restore_context(self, filepath):
"""
Restore SELinux security context on the given filepath.
No return value expected.
"""
return
# Default implementation of backup and replace hostname that does nothing
def backup_and_replace_hostname(self, fstore, statestore, hostname):
"""
Backs up the current hostname in the statestore (so that it can be
restored by the restore_network_configuration platform task).
Makes sure that new hostname (passed via hostname argument) is set
as a new pemanent hostname for this host.
No return value expected.
"""
return
def insert_ca_cert_into_systemwide_ca_store(self, path):
"""
Adds the CA certificate located at 'path' to the systemwide CA store
(if available on the platform).
Returns True if the operation succeeded, False otherwise.
"""
return True
def remove_ca_cert_from_systemwide_ca_store(self, path):
"""
Removes the CA certificate located at 'path' from the systemwide CA
store (if available on the platform).
Returns True if the operation succeeded, False otherwise.
"""
return True
def get_svc_list_file(self):
"""
Returns the path to the IPA service list file.
"""
return paths.SVC_LIST_FILE
# See if SELinux is enabled and /usr/sbin/restorecon is installed.
# Default to a no-op. Those platforms that support SELinux should
# implement this function.
def check_selinux_status(self):
"""
Checks if SELinux is available on the platform. If it is, this task
also makes sure that restorecon tool is available.
If SELinux is available, but restorcon tool is not installed, raises
an RuntimeError, which suggest installing the package containing
restorecon and rerunning the installation.
"""
return
def restore_network_configuration(self, fstore, statestore):
"""
Restores the original hostname as backed up in the
backup_and_replace_hostname platform task.
"""
return
def restore_pre_ipa_client_configuration(self, fstore, statestore,
was_sssd_installed,
was_sssd_configured):
"""
Restores the pre-ipa-client configuration that was modified by the
following platform tasks:
modify_nsswitch_pam_stack
modify_pam_to_use_krb5
"""
return
def set_nisdomain(self, nisdomain):
"""
Sets the NIS domain name to 'nisdomain'.
"""
return
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
"""
If sssd flag is true, configure pam and nsswtich so that SSSD is used
for retrieving user information and authentication.
Otherwise, configure pam and nsswitch to leverage pure LDAP.
"""
return
def modify_pam_to_use_krb5(self, statestore):
"""
Configure pam stack to allow kerberos authentication.
"""
return
task_namespace = BaseTaskNamespace()
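Review bot: The docstrings on insert_ca_cert_into_systemwide_ca_store and remove_ca_cert_from_systemwide_ca_store promise "True if the operation succeeded", yet the base implementations perform no operation and return True unconditionally, so a platform that does not override them silently reports the CA certificate as installed in (or removed from) the system-wide trust store when nothing happened. Either document the default honestly, e.g. `Default implementation is a no-op that reports success; platforms with a system-wide CA store must override this.`, or return False so callers can tell that the platform offers no such store — the latter only if callers are known to tolerate False. Several of the new docstrings also carry typos worth fixing in the same change: 'pemanent' → 'permanent', 'restorcon' → 'restorecon', 'an RuntimeError, which suggest' → 'a RuntimeError, which suggests', and 'nsswtich' → 'nsswitch'.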


@ -19,16 +19,46 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipapython import ipautil
from ipaplatform.base.authconfig import AuthConfig
class FedoraAuthConfig(AuthConfig):
class FedoraAuthConfig(object):
"""
AuthConfig class implements system-independent interface to configure
system authentication resources. In Red Hat-produced systems this is done
with authconfig(8) utility.
system authentication resources. In Red Hat systems this is done with
authconfig(8) utility.
AuthConfig class is nothing more than a tool to gather configuration
options and execute their processing. These options then converted by
an actual implementation to series of a system calls to appropriate
utilities performing real configuration.
If you need to re-use existing AuthConfig instance for multiple runs,
make sure to call 'AuthConfig.reset()' between the runs.
"""
def __init__(self):
self.parameters = {}
def enable(self, option):
self.parameters[option] = True
return self
def disable(self, option):
self.parameters[option] = False
return self
def add_option(self, option):
self.parameters[option] = None
return self
def add_parameter(self, option, value):
self.parameters[option] = [value]
return self
def reset(self):
self.parameters = {}
return self
def build_args(self):
args = []
