From 52af18ec03b7a5dc00764d4f33fe8d62811b8ca6 Mon Sep 17 00:00:00 2001 From: Dmitri Pal Date: Wed, 8 Sep 2010 22:44:42 -0400 Subject: [PATCH] Enabling SUDO support * Adding a new SUDO schema file * Adding this new file to the list of targets in make file * Create SUDO container for sudo rules * Add default sudo services to HBAC services * Add default SUDO HBAC service group with two services sudo & sudo-i * Installing schema No SUDO rules are created by default by this patch. --- install/share/60sudo.ldif | 35 +++++++++++++++++++++++++++ install/share/Makefile.am | 1 + install/share/bootstrap-template.ldif | 7 +++++- install/updates/30-hbacsvc.update | 33 +++++++++++++++++++------ ipaserver/install/dsinstance.py | 2 ++ 5 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 install/share/60sudo.ldif diff --git a/install/share/60sudo.ldif b/install/share/60sudo.ldif new file mode 100644 index 000000000..d8db306f2 --- /dev/null +++ b/install/share/60sudo.ldif @@ -0,0 +1,35 @@ +dn: cn=schema +## +## IPA SUDO schema (added in IPA v2) +## +## Attributes: 2.16.840.1.113730.3.8.7.x +## ObjectClasses: 2.16.840.1.113730.3.8.8.x +## +## Attribute to store DN of a SUDO command or a group of SUDO commands +attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberCmd' DESC 'Reference to a command or group of the commands.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' ) +## Attribute to store command category +attributeTypes: (2.16.840.1.113730.3.8.7.2 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to store user not managed by the central server +attributetypes: (2.16.840.1.113730.3.8.7.3 NAME 'externalUser' DESC 'Multivalue string attribute that allows storing user names.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to store sudo options +attributetypes: (2.16.840.1.113730.3.8.7.4 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v2' ) +## Attribute to store the reference identity under which the command should be run +attributeTypes: (2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoRunAs' DESC 'Reference to a user or group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) +## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity. +attributeTypes: (2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAsExtUser' DESC 'Multivalue string attribute that allows storing user name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to express category of identities that the command can be run under +attributeTypes: (2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory X-ORIGIN 'IPA v2' ) +## Attribute to store a reference to the "run as group" identitity +attributeTypes: (2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsGroup' DESC 'Reference to group that the commands can be run as.' SUP memberUser X-ORIGIN 'IPA v2' ) +## Attribute to store a name of the "run as group" identitity if this group is not directly managed by IPA +attributeTypes: (2.16.840.1.113730.3.8.7.9 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to express category of group identities that the command can be run under +attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' ) +## Attribute to store host mask +attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Object class for SUDO rules +objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( externalUser $ externalHost $ hostMask $ memberCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' ) +## Object class for SUDO commands +objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ cn ) MAY ( description ) X-ORIGIN 'IPA v2' ) +## Object class for groups of the SUDO commands +objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA object class to store groups of SUDO commands' SUP groupOfUniqueNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' ) diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 5ff62baf6..9efb75a09 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -8,6 +8,7 @@ app_DATA = \ 60radius.ldif \ 60ipaconfig.ldif \ 60basev2.ldif \ + 60sudo.ldif \ anonymous-vlv.ldif \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f1f36a64d..e2864858b 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -52,6 +52,12 @@ objectClass: top objectClass: nsContainer cn: hbac +dn: cn=SUDOers,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: SUDOers + dn: cn=etc,$SUFFIX changetype: add objectClass: nsContainer @@ -245,4 +251,3 @@ objectClass: cosClassicDefinition cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX cosAttribute: krbPwdPolicyReference cosSpecifier: memberOf - diff --git a/install/updates/30-hbacsvc.update b/install/updates/30-hbacsvc.update index dc36950d5..229c0f143 100644 --- a/install/updates/30-hbacsvc.update +++ b/install/updates/30-hbacsvc.update @@ -12,13 +12,6 @@ default:cn: ftp default:description: ftp default:ipauniqueid:$UUID -dn: cn=sudo,cn=hbacservices,cn=accounts,$SUFFIX -default:objectclass: ipahbacservice -default:objectclass: ipaobject -default:cn: sudo -default:description: sudo -default:ipauniqueid:$UUID - dn: cn=su,cn=hbacservices,cn=accounts,$SUFFIX default:objectclass: ipahbacservice default:objectclass: ipaobject @@ -39,3 +32,29 @@ default:objectclass: ipaobject default:cn: su-l default:description: su with login shell default:ipauniqueid:$UUID + +dn: cn=sudo,cn=hbacservices,cn=accounts,$SUFFIX +default:objectclass: ipahbacservice +default:objectclass: ipaobject +default:cn: sudo +default:description: sudo +default:ipauniqueid:$UUID + +dn: cn=sudo-i,cn=hbacservices,cn=accounts,$SUFFIX +default:objectclass: ipahbacservice +default:objectclass: ipaobject +default:cn: sudo-i +default:description: sudo-i +default:ipauniqueid:$UUID + +dn: cn=SUDO,cn=hbacservicegroups,cn=accounts,$SUFFIX +default:objectClass: ipaobject +default:objectClass: ipahbacservicegroup +default:objectClass: nestedGroup +default:objectClass: groupOfNames +default:objectClass: top +default:cn: SUDO +default:ipauniqueid:$UUID +default:description: Default group of SUDO related services +default:member: cn=sudo,cn=hbacservices,cn=accounts,$SUFFIX +default:member: cn=sudo-i,cn=hbacservices,cn=accounts,$SUFFIX diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 4a36f1b98..c72220c84 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -316,6 +316,8 @@ class DsInstance(service.Service): schema_dirname(self.serverid) + "60ipaconfig.ldif") shutil.copyfile(ipautil.SHARE_DIR + "60basev2.ldif", schema_dirname(self.serverid) + "60basev2.ldif") + shutil.copyfile(ipautil.SHARE_DIR + "60sudo.ldif", + schema_dirname(self.serverid) + "60sudo.ldif") try: shutil.move(schema_dirname(self.serverid) + "05rfc2247.ldif", schema_dirname(self.serverid) + "05rfc2247.ldif.old")