install: Remove uid=kdc user

The ipadb DAL driver gets access to the ldap server as Directory Manager now so this user is not needed anymore.
2025-02-25 18:55:28 -06:00 · 2011-07-19 20:04:46 -04:00 · 2011-07-19 20:04:46 -04:00 · 8cb2aee626
commit 8cb2aee626
parent 195a65d5c2
5 changed files with 1 additions and 35 deletions
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@ -9,9 +9,6 @@ aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || samba
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock")(version 3.0; acl "KDC System Account can update some fields"; allow (read,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)

@ -39,7 +36,6 @@ aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow
 dn: cn=services,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage service keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)

 # Define which hosts can edit services
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@ -1,20 +1,9 @@
-#kerberos user
-dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
-changetype: add
-objectclass: account
-objectclass: simplesecurityobject
-uid: kdc
-userPassword: $PASSWORD
-passwordExpirationTime: 20380119031407Z
-nsIdleTimeout: 0
-
 #kerberos base object
 dn: cn=kerberos,$SUFFIX
 changetype: add
 objectClass: krbContainer
 objectClass: top
 cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)

 #Realm base object
 dn: cn=$REALM,cn=kerberos,$SUFFIX
--- a/install/ui/test/data/aci_find.json
+++ b/install/ui/test/data/aci_find.json
@ -9,9 +9,6 @@
            "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword\")(version 3.0;acl \"Self can write own password\";allow (write) userdn = \"ldap:///self\";)", 
            "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Admins can write passwords\";allow (add,delete,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
            "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Password change service can read/write passwords\";allow (read,write) userdn = \"ldap:///krbprincipalname=kadmin/changepw@AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
-            "(targetattr = \"userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"KDC System Account can access passwords\";allow (all) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
-            "(targetattr = \"krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"KDC System Account can update some fields\";allow (write) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
-            "(targetattr = \"krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"Only the KDC System Account has access to kerberos material\";allow (read,search,compare) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
            "(targetattr = \"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength\")(targetfilter = \"(objectClass=krbPwdPolicy)\")(version 3.0;acl \"Admins can write password policies\";allow (read,search,compare,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
            "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou\")(version 3.0;acl \"Self service\";allow (write) userdn = \"ldap:///self\";)", 
            "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate status,cn=virtual operations,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Get Certificates status from the CA\";allow (write) groupdn = \"ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)", 
--- a/install/ui/test/data/krbtpolicy_show.json
+++ b/install/ui/test/data/krbtpolicy_show.json
@ -3,9 +3,6 @@
    "id": 6,
    "result": {
        "result": {
-            "aci": [
-                "(targetattr = \"krbMKey\")(version 3.0; acl \"No external access\"; deny (read,write,search,compare) userdn != \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ipa14,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)"
-            ],
            "attributelevelrights": {
                "aci": "rscwo",
                "cn": "rscwo",
@ -75,4 +72,4 @@
        "summary": null,
        "value": ""
    }
-}
+}
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -49,8 +49,6 @@ import struct
 import certs
 from distutils import version

-KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)'
-
 def update_key_val_in_file(filename, key, val):
    if os.path.exists(filename):
        pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
@ -162,7 +160,6 @@ class KrbInstance(service.Service):

        self.__common_setup(realm_name, host_name, domain_name, admin_password)

-        self.step("setting KDC account password", self.__configure_kdc_account_password)
        self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
        self.step("adding kerberos container to the directory", self.__add_krb_container)
        self.step("configuring KDC", self.__configure_instance)
@ -226,16 +223,6 @@ class KrbInstance(service.Service):
        os.chmod("/var/kerberos/krb5kdc/kpasswd.keytab", 0600)


-    def __configure_kdc_account_password(self):
-        hexpwd = ''
-	for x in self.kdc_password:
-            hexpwd += (hex(ord(x))[2:])
-        self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd")
-        pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "w")
-        pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
-        pwd_fd.close()
-        os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
-
    def __enable(self):
        self.backup_state("enabled", self.is_enabled())
        # We do not let the system start IPA components on its own,