IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge from upstream

Browse Source
This commit is contained in:
Simo Sorce
2007-08-01 15:26:08 -04:00
parent adc6632c9a b1831b4593
commit 96d292b735
49 changed files with 2110 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ipa-server/ipa-install/Makefile Normal file
View File

@@ -0,0 +1,12 @@
SBINDIR=$(DESTDIR)/usr/sbin
all: ;
install:
install -m 755 ipa-server-install $(SBINDIR)
install -m 755 ipa-server-setupssl $(SBINDIR)
$(MAKE) -C share $@
clean:
$(MAKE) -C share $@
rm -f *~ *.pyc

23
ipa-server/ipa-install/README Normal file
View File

@@ -0,0 +1,23 @@
Required packages:
krb5-server
fedora-ds-base
openldap-clients
krb5-server-ldap
cyrus-sasl-gssapi
httpd
mod_auth_kerb
Installation example:
TEMPORARY: (until fedora ds scripts are fixed)
please use the fedora-ds.init.patch under share/ to patch your init scripts before
running ipa-server-install
cd ipa-install
make install
cd ..
/usr/sbin/ipa-server-install -u fds -r FREEIPA.ORG -p freeipa -m ipafree

288
ipa-server/ipa-install/freeipa-setup-20070713.patch Normal file
View File

@@ -0,0 +1,288 @@
diff -r 5ebd8adc48b8 ipa-install/README
--- a/ipa-install/README Mon Jul 02 15:51:04 2007 -0400
+++ b/ipa-install/README Fri Jul 13 16:25:05 2007 -0400
@@ -5,12 +5,17 @@ fedora-ds-base
fedora-ds-base
openldap-clients
krb5-server-ldap
+cyrus-sasl-gssapi
Installation example:
+
+TEMPORARY: (until fedora ds scripts are fixed)
+please use the fedora-ds.init.patch under share/ to patch your init scripts before
+running ipa-server-install
cd ipa-install
make install
cd ..
-/usr/sbin/ipa-server-install -r FREEIPA.ORG -a rc1.freeipa.org -p freeipa -m ipafree
+/usr/sbin/ipa-server-install -u fds -r FREEIPA.ORG -p freeipa -m ipafree
diff -r 5ebd8adc48b8 ipa-install/share/bind.zone.db.template
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-install/share/bind.zone.db.template Fri Jul 13 16:22:12 2007 -0400
@@ -0,0 +1,26 @@
+$$ORIGIN $DOMAIN.
+$$TTL 86400
+@ IN SOA $DOMAIN. root.$DOMAIN. (
+ 01 ; serial (d. adams)
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+ IN NS $HOST
+$HOST IN A $IP
+;
+; ldap servers
+_ldap._tcp IN SRV 0 100 389 $HOST
+
+;kerberos realm
+_kerberos IN TXT $REALM
+
+; kerberos servers
+_kerberos._tcp IN SRV 0 100 88 $HOST
+_kerberos._udp IN SRV 0 100 88 $HOST
+_kerberos-master._tcp IN SRV 0 100 88 $HOST
+_kerberos-master._udp IN SRV 0 100 88 $HOST
+_kpasswd._tcp IN SRV 0 100 88 $HOST
+_kpasswd._udp IN SRV 0 100 88 $HOST
+
diff -r 5ebd8adc48b8 ipa-install/share/fedora-ds.init.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-install/share/fedora-ds.init.patch Fri Jul 13 14:45:53 2007 -0400
@@ -0,0 +1,12 @@
+--- /etc/init.d/fedora-ds.orig 2007-07-06 18:21:30.000000000 -0400
++++ /etc/init.d/fedora-ds 2007-05-18 19:36:24.000000000 -0400
+@@ -10,6 +10,9 @@
+ # datadir: /var/lib/fedora-ds/slapd-<instance name>
+ #
+
++# Get config.
++[ -r /etc/sysconfig/fedora-ds ] && . /etc/sysconfig/fedora-ds
++
+ # Source function library.
+ if [ -f /etc/rc.d/init.d/functions ] ; then
+ . /etc/rc.d/init.d/functions
diff -r 5ebd8adc48b8 ipa-install/share/krb5.conf.template
--- a/ipa-install/share/krb5.conf.template Mon Jul 02 15:51:04 2007 -0400
+++ b/ipa-install/share/krb5.conf.template Fri Jul 13 11:01:36 2007 -0400
@@ -9,6 +9,13 @@
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
+
+[realms]
+ $REALM = {
+ kdc = $FQDN:88
+ admin_server = $FQDN:749
+ default_domain = $DOMAIN
+}
[domain_realm]
.$DOMAIN = $REALM
@@ -29,7 +36,7 @@
ldap_servers = ldap://127.0.0.1/
ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
-; ldap_kadmind_dn = cn=Directory Manager
+ ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX
ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}
diff -r 5ebd8adc48b8 ipa-install/src/ipa-server-install
--- a/ipa-install/src/ipa-server-install Mon Jul 02 15:51:04 2007 -0400
+++ b/ipa-install/src/ipa-server-install Fri Jul 13 19:43:13 2007 -0400
@@ -26,6 +26,7 @@
VERSION = "%prog .1"
+import socket
import logging
from optparse import OptionParser
import ipa.dsinstance
@@ -37,8 +38,6 @@ def parse_options():
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
- parser.add_option("-a", "--host-address", dest="host_name",
- help="host address (name or IP address)")
parser.add_option("-p", "--password", dest="password",
help="admin password")
parser.add_option("-m", "--master-password", dest="master_password",
@@ -46,8 +45,8 @@ def parse_options():
options, args = parser.parse_args()
- if not options.realm_name or not options.host_name or not options.password:
- parser.error("error: password, realm, and host name required")
+ if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
+ parser.error("error: all options are required")
return options
@@ -56,13 +55,35 @@ def main():
format='%(asctime)s %(levelname)s %(message)s',
filename='ipa-install.log',
filemode='w')
+
options = parse_options()
+
+ # check the hostname is correctly configured, it must be as the kldap
+ # utilities just use the hostname as returned by gethostbyname to set
+ # up some of the standard entries
+
+ host_name = socket.gethostname()
+ if len(host_name.split(".")) < 2:
+ print "Invalid hostname <"+host_name+">"
+ print "Check the /etc/hosts file and make sure to have a valid FQDN"
+ return "-Fatal Error-"
+
+ if socket.gethostbyname(host_name) == "127.0.0.1":
+ print "The hostname resolves to the localhost address (127.0.0.1)"
+ print "Please change your /etc/hosts file or your DNS so that the"
+ print "hostname resolves to the ip address of your network interface."
+ print "The KDC service does not listen on 127.0.0.1"
+ return "-Fatal Error-"
+
+ print "The Final KDC Host Name will be: " + host_name
+
ds = ipa.dsinstance.DsInstance()
- ds.create_instance(options.ds_user, options.realm_name, options.host_name, options.password)
+ ds.create_instance(options.ds_user, options.realm_name, host_name, options.password)
krb = ipa.krbinstance.KrbInstance()
- krb.create_instance(options.ds_user, options.realm_name, options.host_name, options.password, options.master_password)
- #restart ds after the krb instance have add the sasl map
+ krb.create_instance(options.ds_user, options.realm_name, host_name, options.password, options.master_password)
+
+ #restart ds after the krb instance have add the sasl map and the ldap keytab
ds.restart()
return 0
diff -r 5ebd8adc48b8 ipa-install/src/ipa/krbinstance.py
--- a/ipa-install/src/ipa/krbinstance.py Mon Jul 02 15:51:04 2007 -0400
+++ b/ipa-install/src/ipa/krbinstance.py Fri Jul 13 19:20:41 2007 -0400
@@ -25,6 +25,9 @@ import logging
import logging
from random import Random
from time import gmtime
+import os
+import pwd
+import socket
SHARE_DIR = "/usr/share/ipa/"
@@ -32,6 +35,10 @@ def realm_to_suffix(realm_name):
s = realm_name.split(".")
terms = ["dc=" + x.lower() for x in s]
return ",".join(terms)
+
+def host_to_domain(fqdn):
+ s = fqdn.split(".")
+ return ".".join(s[1:])
def generate_kdc_password():
rndpwd = ''
@@ -75,8 +82,10 @@ class KrbInstance:
class KrbInstance:
def __init__(self):
self.ds_user = None
- self.realm_name = None
- self.host_name = None
+ self.fqdn = None
+ self.realm = None
+ self.domain = None
+ self.host = None
self.admin_password = None
self.master_password = None
self.suffix = None
@@ -85,12 +94,15 @@ class KrbInstance:
def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
self.ds_user = ds_user
- self.realm_name = realm_name.upper()
- self.host_name = host_name
+ self.fqdn = host_name
+ self.ip = socket.gethostbyname(host_name)
+ self.realm = realm_name.upper()
+ self.host = host_name.split(".")[0]
+ self.domain = host_to_domain(host_name)
self.admin_password = admin_password
self.master_password = master_password
- self.suffix = realm_to_suffix(self.realm_name)
+ self.suffix = realm_to_suffix(self.realm)
self.kdc_password = generate_kdc_password()
self.__configure_kdc_account_password()
@@ -99,6 +111,10 @@ class KrbInstance:
self.__configure_ldap()
self.__create_instance()
+
+ self.__create_ds_keytab()
+
+ self.__create_sample_bind_zone()
self.start()
@@ -120,12 +136,13 @@ class KrbInstance:
pwd_fd.close()
def __setup_sub_dict(self):
- #FIXME: can DOMAIN be different than REALM ?
- self.sub_dict = dict(FQHN=self.host_name,
+ self.sub_dict = dict(FQDN=self.fqdn,
+ IP=self.ip,
PASSWORD=self.kdc_password,
SUFFIX=self.suffix,
- DOMAIN= self.realm_name.lower(),
- REALM=self.realm_name)
+ DOMAIN=self.domain,
+ HOST=self.host,
+ REALM=self.realm)
def __configure_ldap(self):
@@ -153,7 +170,7 @@ class KrbInstance:
krb5_fd.close()
#populate the directory with the realm structure
- args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
+ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
run(args)
# TODO: NOT called yet, need to find out how to make sure the plugin is available first
@@ -165,5 +182,28 @@ class KrbInstance:
extop_fd.close()
#add an ACL to let the DS user read the master key
- args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm_name]
+ args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
run(args)
+
+ def __create_sample_bind_zone(self):
+ bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+ [bind_fd, bind_name] = tempfile.mkstemp(".db","sammple.zone.")
+ os.write(bind_fd, bind_txt)
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
+ def __create_ds_keytab(self):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.close()
+ kread.close()
+ kerr.close()
+
+ cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
+ cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
+ cfg_fd.close()
+ pent = pwd.getpwnam(self.ds_user)
+ os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)

124
ipa-server/ipa-install/ipa-server-install Normal file
View File

@@ -0,0 +1,124 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# requires the following packages:
# fedora-ds-base
# openldap-clients
# nss-tools
VERSION = "%prog .1"
import sys
sys.path.append("/usr/share/ipa")
import socket
import logging
from optparse import OptionParser
import ipaserver.dsinstance
import ipaserver.krbinstance
from ipaserver.util import run
def parse_options():
parser = OptionParser(version=VERSION)
parser.add_option("-u", "--user", dest="ds_user",
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
parser.add_option("-p", "--password", dest="password",
help="admin password")
parser.add_option("-m", "--master-password", dest="master_password",
help="kerberos master password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
dest="debug", default=False, help="print debugging information")
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
options, args = parser.parse_args()
if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
parser.error("error: all options are required")
return options
def logging_setup(options):
# Always log everything (i.e., DEBUG) to the log
# file.
logging.basicConfig(level=logging.DEBUG,
format='%(asctime)s %(levelname)s %(message)s',
filename='ipaserver-install.log',
filemode='w')
console = logging.StreamHandler()
# If the debug option is set, also log debug messages to the console
if options.debug:
console.setLevel(logging.DEBUG)
else:
# Otherwise, log critical and error messages
console.setLevel(logging.ERROR)
formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
console.setFormatter(formatter)
logging.getLogger('').addHandler(console)
def main():
options = parse_options()
logging_setup(options)
# check the hostname is correctly configured, it must be as the kldap
# utilities just use the hostname as returned by gethostbyname to set
# up some of the standard entries
if options.host_name:
host_name = options.host_name
else:
host_name = socket.gethostname()
if len(host_name.split(".")) < 2:
print "Invalid hostname <"+host_name+">"
print "Check the /etc/hosts file and make sure to have a valid FQDN"
return "-Fatal Error-"
if socket.gethostbyname(host_name) == "127.0.0.1":
print "The hostname resolves to the localhost address (127.0.0.1)"
print "Please change your /etc/hosts file or your DNS so that the"
print "hostname resolves to the ip address of your network interface."
print "The KDC service does not listen on 127.0.0.1"
return "-Fatal Error-"
print "The Final KDC Host Name will be: " + host_name
# Create a directory server instance
ds = ipaserver.dsinstance.DsInstance()
ds.create_instance(options.ds_user, options.realm_name, host_name,
options.password)
# Create a kerberos instance
krb = ipaserver.krbinstance.KrbInstance()
krb.create_instance(options.ds_user, options.realm_name, host_name,
options.password, options.master_password)
# Restart ds after the krb instance have add the sasl map
ds.restart()
# Restart apache
run(["/sbin/service", "httpd", "restart"])
return 0
main()

228
ipa-server/ipa-install/ipa-server-setupssl Normal file
View File

@@ -0,0 +1,228 @@
#!/bin/sh
if [ "$1" ] ; then
password=$1
else
echo "password required"
exit 1
fi
if [ "$2" -a -d "$2" ] ; then
secdir="$2"
else
secdir=/etc/fedora-ds/slapd-localhost
fi
if [ "$3" ] ; then
myhost=$3
else
myhost=`hostname --fqdn`
fi
if [ "$4" ] ; then
ldapport=$4
else
ldapport=389
fi
me=`whoami`
if [ "$me" = "root" ] ; then
isroot=1
fi
# see if there are already certs and keys
if [ -f $secdir/cert8.db ] ; then
# look for CA cert
if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
echo "Using existing CA certificate"
else
echo "No CA certificate found - will create new one"
needCA=1
fi
# look for server cert
if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
echo "Using existing directory Server-Cert"
else
echo "No Server Cert found - will create new one"
needServerCert=1
fi
# look for admin server cert
if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then
echo "Using existing admin server-cert"
else
echo "No Admin Server Cert found - will create new one"
needASCert=1
fi
prefix="new-"
prefixarg="-P $prefix"
else
needCA=1
needServerCert=1
needASCert=1
fi
if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then
echo "No certs needed - exiting"
exit 0
fi
# get our user and group
if test -n "$isroot" ; then
uid=`/bin/ls -ald $secdir | awk '{print $3}'`
gid=`/bin/ls -ald $secdir | awk '{print $4}'`
fi
# 2. Create a password file for your security token password:
if [ -f $secdir/pwdfile.txt ] ; then
echo "Using existing $secdir/pwdfile.txt"
else
(ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/pwdfile.txt
fi
chmod 400 $secdir/pwdfile.txt
fi
# 3. Create a "noise" file for your encryption mechanism:
if [ -f $secdir/noise.txt ] ; then
echo "Using existing $secdir/noise.txt file"
else
(w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/noise.txt
fi
chmod 400 $secdir/noise.txt
fi
# 4. Create the key3.db and cert8.db databases:
certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
fi
chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
if test -n "$needCA" ; then
# 5. Generate the encryption key:
certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
# 6. Generate the self-signed certificate:
certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
# export the CA cert for use with other apps
certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
fi
if test -n "$needServerCert" ; then
# 7. Generate the server certificate:
certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
fi
if test -n "$needASCert" ; then
# Generate the admin server certificate
certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
# export the admin server certificate/private key for import into its key/cert db
pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/adminserver.p12
fi
chmod 400 $secdir/adminserver.p12
fi
# create the pin file
if [ ! -f $secdir/pin.txt ] ; then
pinfile=$secdir/pin.txt
echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
if test -n "$isroot" ; then
chown $uid:$gid $pinfile
fi
chmod 400 $pinfile
else
echo Using existing $secdir/pin.txt
fi
if [ -n "$prefix" ] ; then
# move the old files out of the way
mv $secdir/cert8.db $secdir/orig-cert8.db
mv $secdir/key3.db $secdir/orig-key3.db
# move in the new files - will be used after server restart
mv $secdir/${prefix}cert8.db $secdir/cert8.db
mv $secdir/${prefix}key3.db $secdir/key3.db
fi
# create the admin server key/cert db
asprefix=admin-serv-
if [ ! -f ${asprefix}cert8.db ] ; then
certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt
if test -n "$isroot" ; then
chown $uid:$gid $secdir/admin-serv-*.db
fi
chmod 600 $secdir/admin-serv-*.db
fi
if test -n "$needASCert" ; then
# import the admin server key/cert
pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
# import the CA cert to the admin server cert db
certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc
fi
if [ ! -f $secdir/password.conf ] ; then
# create the admin server password file
echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf
if test -n "$isroot" ; then
chown $uid:$gid $secdir/password.conf
fi
chmod 400 $secdir/password.conf
fi
# tell admin server to use the password file
if [ -f ../admin-serv/config/nss.conf ] ; then
sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf
if test -n "$isroot" ; then
chown $uid:$gid ../admin-serv/config/nss.conf
fi
chmod 400 ../admin-serv/config/nss.conf
fi
# enable SSL in the directory server
ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_sha
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

283
ipa-server/ipa-install/share/60kerberos.ldif Normal file
View File

@@ -0,0 +1,283 @@
dn: cn=schema
# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
# joint-iso-ccitt(2)
# country(16)
# us(840)
# organization(1)
# Novell(113719)
# applications(1)
# kerberos(301)
# Kerberos Attribute Type(4) attr# version#
# specific attribute definitions
# Kerberos Attribute Syntax(5)
# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
########################################################################
########################################################################
# Attribute Type Definitions #
########################################################################
##### This is the principal name in the RFC 1964 specified format
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
attributetypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### This flag is used to find whether directory User Password has to be used
##### as kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.
attributetypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
##### The time at which the principal expires
attributetypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and MIT implementation are,
##### DISALLOW_POSTDATED 0x00000001
##### DISALLOW_FORWARDABLE 0x00000002
##### DISALLOW_TGT_BASED 0x00000004
##### DISALLOW_RENEWABLE 0x00000008
##### DISALLOW_PROXIABLE 0x00000010
##### DISALLOW_DUP_SKEY 0x00000020
##### DISALLOW_ALL_TIX 0x00000040
##### REQUIRES_PRE_AUTH 0x00000080
##### REQUIRES_HW_AUTH 0x00000100
##### REQUIRES_PWCHANGE 0x00000200
##### DISALLOW_SVR 0x00001000
##### PWCHANGE_SERVICE 0x00002000
attributetypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### The maximum ticket lifetime for a principal in seconds
attributetypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Maximum renewable lifetime for a principal's ticket in seconds
attributetypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
attributetypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the ldap uri format,
##### Example: ldaps://acme.com:636
#####
##### The values of this attribute need to be updated, when
##### the LDAP servers listed here are renamed, moved or deleted.
attributetypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute holds the Host Name or the ip address,
##### transport protocol and ports of the kerberos service host
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
attributetypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### This attribute holds the scope for searching the principals
##### under krbSubTree attribute of krbRealmContainer
##### The value can either be 1 (ONE) or 2 (SUB_TREE).
attributetypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### FDNs pointing to Kerberos principals
attributetypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute specifies which attribute of the user objects
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.
attributetypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### Maximum lifetime of a principal's password
attributetypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Minimum lifetime of a principal's password
attributetypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Minimum number of character clases allowed in a password
attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Minimum length of the password
attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Number of previous versions of passwords that are stored
attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### FDN pointing to a Kerberos Password Policy object
attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
##### The time at which the principal's password expires
attributetypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey).
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
attributetypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### FDN pointing to a Kerberos Ticket Policy object.
attributetypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### Example: des-cbc-crc:normal
attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### Holds the Supported encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961
##### The supported salt types are,
##### NORMAL
##### V4
##### NOREALM
##### ONLYREALM
##### SPECIAL
##### AFS3
##### Example: des-cbc-crc:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.
attributetypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
attributetypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### The time at which the principal's password last password change happened.
attributetypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys.
##### This attribute has to be secured in directory.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below,
##### KrbMKey ::= SEQUENCE {
##### kvno [0] UInt32,
##### key [1] MasterKey
##### }
#####
##### MasterKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
attributetypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### This stores the alternate principal names for the principal in the RFC 1961 specified format
attributetypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### The time at which the principal's last successful authentication happened.
attributetypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### The time at which the principal's last failed authentication happened.
attributetypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### This attribute stores the number of failed authentication attempts
##### happened for the principal since the last successful authentication.
attributetypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### This attribute holds the application specific data.
attributetypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### This attributes holds references to the set of directory objects.
##### This stores the DNs of the directory objects to which the
##### principal object belongs to.
attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute holds references to a Container object where
##### the additional principal objects and stand alone principal
##### objects (krbPrincipal) can be created.
attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
########################################################################
########################################################################
# Object Class Definitions #
########################################################################
#### This is a kerberos container for all the realms in a tree.
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top MUST ( cn ) )
##### The krbRealmContainer is created per realm and holds realm specific data.
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in an realm and holds
##### references to the realm objects. These references is used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for the same is created and the kerberos server logs in with the same.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' ABSTRACT SUP ( top ) MUST ( cn ) MAY ( krbHostServer $ krbRealmReferences ) )
##### Representative object for the KDC server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )
##### Representative object for the Kerberos Password server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person, Service objects.
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
###### This class is used to create additional principals and stand alone principals.
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
###### The principal references auxiliary class. Holds all principals referred
###### from a service
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
##### Representative object for the Kerberos Administration server to bind into a LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbService ) )
##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect, when the Kerberos
##### passwords are different from users' passwords (UP).
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )

152
ipa-server/ipa-install/share/60samba.ldif Normal file
View File

@@ -0,0 +1,152 @@
## schema file for Fedora DS
##
## Schema for storing Samba user accounts and group maps in LDAP
## OIDs are owned by the Samba Team
##
## Prerequisite schemas - uid (cosine.schema)
## - displayName (inetorgperson.schema)
## - gidNumber (nis.schema)
##
## 1.3.6.1.4.1.7165.2.1.x - attributeTypess
## 1.3.6.1.4.1.7165.2.2.x - objectClasseses
##
## Printer support
## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypess
## 1.3.6.1.4.1.7165.2.3.2.x - objectClasseses
##
## Samba4
## 1.3.6.1.4.1.7165.4.1.x - attributeTypess
## 1.3.6.1.4.1.7165.4.2.x - objectClasseses
## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
##
dn: cn=schema
##
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
## SUP name )
##
##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# "min password length"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "password history"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "user must logon to change password"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "maximum password age"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "minimum password age"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "lockout duration"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "reset count minutes"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "bad lockout attempt"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "disconnect time"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "refuse machine password change"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
#######################################################################
## objectClasses: used by Samba 3.0 schema ##
#######################################################################
##
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectClasses. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectClasses: (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours))
##
## Group mapping info
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList ))
##
## Trust password for trust relationships (any kind)
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ))
##
## Whole-of-domain info
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ))
##
## used for idmap_ldap module
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) )
## retired during privilege rewrite
##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
## DESC 'Samba Privilege'
## MUST ( sambaSID )
## MAY ( sambaPrivilegeList ) )

9
ipa-server/ipa-install/share/Makefile Normal file
View File

@@ -0,0 +1,9 @@
SHAREDIR = $(DESTDIR)/usr/share/ipa
install:
-mkdir -p $(SHAREDIR)
install -m 644 *.ldif $(SHAREDIR)
install -m 644 *.template $(SHAREDIR)
clean:
rm -f *~

33
ipa-server/ipa-install/share/bootstrap-template.ldif Normal file
View File

@@ -0,0 +1,33 @@
dn: $SUFFIX
changetype: modify
add: objectClass
objectClass: pilotObject
info: IPA V1.0
# default, $REALM
dn: ou=default,$SUFFIX
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: default
# users, default, $REALM
dn: ou=users,ou=default,$SUFFIX
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: users
# groups, default, $REALM
dn: ou=groups,ou=default,$SUFFIX
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: groups
# computers, default, $REALM
#dn: ou=computers,ou=default,$SUFFIX
#objectClass: organizationalUnit
#objectClass: top
#ou: computers

10
ipa-server/ipa-install/share/default-aci.ldif Normal file
View File

@@ -0,0 +1,10 @@
# $SUFFIX (base entry)
dn: $SUFFIX
changetype: modify
replace: aci
aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)

14
ipa-server/ipa-install/share/kdc.conf.template Normal file
View File

@@ -0,0 +1,14 @@
[kdcdefaults]
v4_mode = nopreauth
[realms]
$REALM = {
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
max_life = 7d
max_renewable_life = 14d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
}

26
ipa-server/ipa-install/share/kerberos.ldif Normal file
View File

@@ -0,0 +1,26 @@
#kerberos base object
dn: cn=kerberos,$SUFFIX
changetype: add
objectClass: krbContainer
objectClass: top
cn: kerberos
aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
#kerberos user
dn: uid=kdc,cn=kerberos,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: kdc
userPassword: $PASSWORD
#sasl mapping
dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
changetype: add
objectclass: top
objectclass: nsSaslMapping
cn: kerberos
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: $SUFFIX
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

42
ipa-server/ipa-install/share/krb5.conf.template Normal file
View File

@@ -0,0 +1,42 @@
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = $REALM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
$REALM = {
kdc = $FQDN:88
admin_server = $FQDN:749
default_domain = $DOMAIN
}
[domain_realm]
.$DOMAIN = $REALM
$DOMAIN = $REALM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[dbmodules]
$REALM = {
db_library = kldap
ldap_servers = ldap://127.0.0.1/
ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX
ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}

20
ipa-server/ipa-install/test/test-users.ldif Normal file
View File

@@ -0,0 +1,20 @@
# test, users, default, $REALM
dn: uid=test,ou=users,ou=default,$SUFFIX
uidNumber: 1001
uid: test
gecos: test
homeDirectory: /home/test
loginShell: /bin/bash
shadowMin: 0
shadowWarning: 7
shadowMax: 99999
shadowExpire: -1
shadowInactive: -1
shadowLastChange: 13655
shadowFlag: -1
gidNumber: 100
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
cn: test