mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
CVE 2008 3274 related fixes
This commit is contained in:
parent
89ed5a0277
commit
8e7c98eb7f
@ -3,8 +3,8 @@
|
|||||||
dn: $SUFFIX
|
dn: $SUFFIX
|
||||||
changetype: modify
|
changetype: modify
|
||||||
add: aci
|
add: aci
|
||||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
|
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
|
||||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
|
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
|
||||||
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
|
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
|
||||||
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
|
||||||
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
|
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
|
||||||
|
@ -339,6 +339,10 @@ class KrbInstance(service.Service):
|
|||||||
def __add_pwd_extop_module(self):
|
def __add_pwd_extop_module(self):
|
||||||
self.__ldap_mod("pwd-extop-conf.ldif")
|
self.__ldap_mod("pwd-extop-conf.ldif")
|
||||||
|
|
||||||
|
KRBMKEY_DENY_ACI = """
|
||||||
|
(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||||
|
"""
|
||||||
|
|
||||||
def __add_master_key(self):
|
def __add_master_key(self):
|
||||||
#get the Master Key from the stash file
|
#get the Master Key from the stash file
|
||||||
try:
|
try:
|
||||||
@ -358,7 +362,9 @@ class KrbInstance(service.Service):
|
|||||||
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
|
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
|
||||||
|
|
||||||
dn = "cn="+self.realm+",cn=kerberos,"+self.suffix
|
dn = "cn="+self.realm+",cn=kerberos,"+self.suffix
|
||||||
mod = [(ldap.MOD_ADD, 'krbMKey', str(asn1key))]
|
#protect the master key by adding an appropriate deny rule along with the key
|
||||||
|
mod = [(ldap.MOD_ADD, 'aci', ipautil.template_str(KRBMKEY_DENY_ACI, self.sub_dict)),
|
||||||
|
(ldap.MOD_ADD, 'krbMKey', str(asn1key))]
|
||||||
try:
|
try:
|
||||||
self.conn.modify_s(dn, mod)
|
self.conn.modify_s(dn, mod)
|
||||||
except ldap.TYPE_OR_VALUE_EXISTS, e:
|
except ldap.TYPE_OR_VALUE_EXISTS, e:
|
||||||
|
Loading…
Reference in New Issue
Block a user