aci: replace per-server ACIs with ipaserver-based ACIs

https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Jan Cholasta
2015-12-01 10:44:59 +01:00
parent a8d7ce5cf1
commit 7b9a97383c
3 changed files with 12 additions and 128 deletions


@@ -77,17 +77,6 @@ changetype: modify
add: aci
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
# Let host add and update CA renewal certificates
dn: cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
dn: cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
# Let users manage their own tokens
dn: $SUFFIX
changetype: modify


@@ -60,8 +60,10 @@ default:cn: SELinux User Map Administrators
default:description: SELinux User Map Administrators
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
# to privilege "Host Administrators"
@@ -72,10 +74,12 @@ dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
add: member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(&(objectClass=ipaCertificate)(ipaConfigString=ipaCA))")(targetattr = "ipaCertIssuerSerial || cACertificate")(version 3.0; acl "Modify CA Certificate Store Entry"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# Automember tasks
dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
@@ -197,8 +201,10 @@ default:cn: IPA Masters Readers
default:description: Read list of IPA masters
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
remove:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
add:aci:(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX";)
# PassSync
dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
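Review bot: The two `remove:aci:` lines for the `cn=ca_renewal` ACIs in the first hunk of this file (which appear to be on the new side; the +/- markers are lost on this page) match only the `(target = "ldap:///…")` spelling, while the bootstrap LDIF entries dropped in the first file section were written as `(target="ldap:///…")` and `(targetattr="userCertificate")` without spaces. If the updater removes values by literal comparison (not visible here), a server installed from that LDIF keeps both per-host `userdn` ACIs after the upgrade, so the host entry retains add/write access under `cn=ca_renewal` without being a member of `ipaservers`. I would add a second pair of `remove:aci:` lines in the bootstrap spelling, e.g. `remove:aci:(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)` and the matching `(targetattr="userCertificate")` one. Because `$FQDN` expands to the local server only and the per-replica cleanup in `ReplicationManager` is removed by the same commit, it is also worth checking after upgrade that no `aci` value under `cn=ipa,cn=etc,$SUFFIX` still contains `userdn = "ldap:///fqdn=`.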


@@ -1266,117 +1266,6 @@ class ReplicationManager(object):
elif not err:
err = e
try:
entry = self.conn.get_entry(
DN(('cn', 'ipa'), ('cn', 'etc'), self.suffix), ['aci'])
sub = {'suffix': self.suffix, 'fqdn': replica}
try:
entry.raw['aci'].remove(
b'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
b'%(suffix)s")(version 3.0; acl "Add CA Certificates for '
b'renewals"; allow(add) userdn = "ldap:///fqdn=%(fqdn)s,'
b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
except ValueError:
pass
try:
entry.raw['aci'].remove(
b'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,'
b'%(suffix)s")(targetattr = "userCertificate")'
b'(version 3.0; acl "Modify CA Certificates for renewals"; '
b'allow(write) userdn = "ldap:///fqdn=%(fqdn)s,'
b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
except ValueError:
pass
try:
entry.raw['aci'].remove(
b'(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,%(suffix)s")'
b'(targetattr = cACertificate)(version 3.0; acl "Modify CA '
b'Certificate"; allow (write) userdn = "ldap:///fqdn='
b'%(fqdn)s,cn=computers,cn=accounts,%(suffix)s";)' % sub)
except ValueError:
pass
try:
self.conn.update_entry(entry)
except errors.EmptyModlist:
pass
except errors.NotFound:
pass
except Exception as e:
if not force:
raise e
elif not err:
err = e
try:
entry = self.conn.get_entry(
DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.suffix),
['aci'])
sub = {'suffix': self.suffix, 'fqdn': replica}
try:
entry.raw['aci'].remove(
b'(targetfilter = "(objectClass=nsContainer)")'
b'(targetattr = "cn || objectClass || ipaConfigString")'
b'(version 3.0; acl "Read IPA Masters"; allow (read, '
b'search, compare) userdn = "ldap:///fqdn=%(fqdn)s,'
b'cn=computers,cn=accounts,%(suffix)s";)' % sub)
except ValueError:
pass
try:
entry.raw['aci'].remove(
b'(targetfilter = "(objectClass=nsContainer)")'
b'(targetattr = "ipaConfigString")(version 3.0; acl '
b'"Modify IPA Masters"; allow (write) userdn = '
b'"ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
b'%(suffix)s";)' % sub)
except ValueError:
pass
try:
self.conn.update_entry(entry)
except errors.EmptyModlist:
pass
except errors.NotFound:
pass
except Exception as e:
if not force:
raise e
elif not err:
err = e
try:
entry = self.conn.get_entry(
DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
self.suffix),
['aci'])
sub = {'suffix': self.suffix, 'fqdn': replica}
try:
entry.raw['aci'].remove(
b'(targetfilter = "(&(objectClass=ipaCertificate)'
b'(ipaConfigString=ipaCA))")(targetattr = '
b'"ipaCertIssuerSerial || cACertificate")(version 3.0; acl '
b'"Modify CA Certificate Store Entry"; allow (write) '
b'userdn = "ldap:///fqdn=%(fqdn)s,cn=computers,cn=accounts,'
b'%(suffix)s";)' % sub)
except ValueError:
pass
try:
self.conn.update_entry(entry)
except errors.EmptyModlist:
pass
except errors.NotFound:
pass
except Exception as e:
if not force:
raise e
elif not err:
err = e
try:
basedn = DN(('cn', 'etc'), self.suffix)
filter = '(dnaHostname=%s)' % replica