Allow SASL/EXTERNAL authentication for the root user
This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of services to start. Fixes: https://fedorahosted.org/freeipa/ticket/795
@@ -47,6 +47,7 @@ app_DATA = \
|
||||
uuid-ipauniqueid.ldif \
|
||||
modrdn-krbprinc.ldif \
|
||||
entryusn.ldif \
|
||||
root-autobind.ldif \
|
||||
$(NULL)
|
||||
|
||||
EXTRA_DIST = \
|
||||
|
||||
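--- a/install/share/root-autobind.ldif
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+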
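Review bot: Turning on `nsslapd-ldapiautobind` does more than map uid 0 to `cn=root-autobind,cn=config`: as far as I recall 389-ds also honours `nsslapd-ldapimaprootdn` (default on) once autobind is enabled, which binds the server's `nsslapd-localuser` account as the root DN over ldapi with no password, and the LDIF leaves that default untouched. If that side effect is not intended it should be pinned explicitly in the same file with `replace: nsslapd-ldapimaprootdn` / `nsslapd-ldapimaprootdn: off`; if it is relied on, a comment saying so would save the next reader a trip to the server documentation. The new entry carries no ACI of its own, so the "low privileges" the commit message promises are whatever the existing ACIs grant to any authenticated bind, which is worth stating in the header comment, e.g. `# Local uid 0 over ldapi binds as this entry; its rights are only what ACIs grant authenticated users.`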
@@ -26,6 +26,7 @@ try:
|
||||
from ipalib import api, errors
|
||||
import logging
|
||||
import ldap
|
||||
import ldap.sasl
|
||||
import socket
|
||||
except ImportError:
|
||||
print >> sys.stderr, """\
|
||||
@@ -36,6 +37,8 @@ error was:
|
||||
""" % sys.exc_value
|
||||
sys.exit(1)
|
||||
|
||||
SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
|
||||
|
||||
def parse_options():
|
||||
usage = "%prog start|stop|restart|status\n"
|
||||
parser = config.IPAOptionParser(usage=usage,
|
||||
@@ -60,7 +63,7 @@ def get_config():
|
||||
|
||||
try:
|
||||
con = ldap.initialize(api.env.ldap_uri)
|
||||
con.simple_bind()
|
||||
con.sasl_interactive_bind_s('', SASL_EXTERNAL)
|
||||
res = con.search_st(base,
|
||||
ldap.SCOPE_SUBTREE,
|
||||
filterstr=srcfilter,
|
||||
|
||||
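Review bot: The `con.sasl_interactive_bind_s('', SASL_EXTERNAL)` line in the last hunk only produces the root-autobind mapping when `api.env.ldap_uri` is an ldapi:// URI, since it is the Unix peer uid that the server maps to an entry; over ldap:// or ldaps:// SASL/EXTERNAL expects a TLS client certificate and the bind fails with a much less obvious error than the old anonymous `simple_bind()` did. Since the commit message already states the search goes via ldapi, I would make that precondition explicit before the bind, e.g. `if not api.env.ldap_uri.startswith('ldapi://'): sys.exit('root autobind needs an ldapi:// ldap_uri')`. `get_config()` starts before the hunk and its `except` clause is outside it, so I cannot tell whether an `ldap.LDAPError` from the new bind is reported as a bind failure rather than a generic search failure; that is worth checking. A one-line comment on the module-level constant, `# SASL/EXTERNAL over ldapi: the server maps the caller's uid via root-autobind.ldif`, would explain why no credentials are passed.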
@@ -207,6 +207,7 @@ class DsInstance(service.Service):
|
||||
self.step("creating indices", self.__create_indices)
|
||||
self.step("configuring ssl for ds instance", self.__enable_ssl)
|
||||
self.step("configuring certmap.conf", self.__certmap_conf)
|
||||
self.step("configure autobind for root", self.__root_autobind)
|
||||
self.step("restarting directory server", self.__restart_instance)
|
||||
|
||||
def __common_post_setup(self):
|
||||
@@ -728,3 +729,7 @@ class DsInstance(service.Service):
|
||||
|
||||
def __tuning(self):
|
||||
self.tune_nofile(8192)
|
||||
|
||||
def __root_autobind(self):
|
||||
self._ldap_mod("root-autobind.ldif")
|
||||
|
||||
|
||||
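Review bot: `__root_autobind` in the second hunk has no docstring, and nothing in dsinstance.py says what the step configures or why it must precede `__restart_instance`. I would add `"""Load root-autobind.ldif: map local uid 0 over ldapi to cn=root-autobind,cn=config (nsslapd-ldapiautobind, nsslapd-ldapimaptoentries)."""` so the step name in the first hunk can be traced to the server settings it flips. Placing it before the restart looks deliberate, presumably because the ldapi settings take effect on restart; a short comment confirming that would keep a later reordering from silently breaking it.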