- Abstracted client class to work directly or over RPC

- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication
- Update tools to use kerberos
- Add User class

ipa-server/ipa-install/share/bootstrap-template.ldif

@@ -31,3 +31,26 @@ ou: groups
 #objectClass: top
 #ou: computers
 
+dn: ou=special,$SUFFIX
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: special
+
+dn: uid=webservice,ou=special,$SUFFIX
+changetype: add
+uid: webservice
+objectClass: account
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+cn: Web Service
+sn: Service
+
+dn: cn=admin,ou=groups,ou=default,$SUFFIX
+changetype: add
+description: ou=users administrators
+objectClass: top
+objectClass: groupofuniquenames
+cn: admin

ipa-server/ipa-install/share/certmap.conf.template

@@ -0,0 +1,82 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# This Program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; version 2 of the License.
+# 
+# This Program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License along with
+# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+# Place, Suite 330, Boston, MA 02111-1307 USA.
+# 
+# In addition, as a special exception, Red Hat, Inc. gives You the additional
+# right to link the code of this Program with code not covered under the GNU
+# General Public License ("Non-GPL Code") and to distribute linked combinations
+# including the two, subject to the limitations in this paragraph. Non-GPL Code
+# permitted under this exception must only link to the code of this Program
+# through those well defined interfaces identified in the file named EXCEPTION
+# found in the source code files (the "Approved Interfaces"). The files of
+# Non-GPL Code may instantiate templates or use macros or inline functions from
+# the Approved Interfaces without causing the resulting work to be covered by
+# the GNU General Public License. Only Red Hat, Inc. may make changes or
+# additions to the list of Approved Interfaces. You must obey the GNU General
+# Public License in all respects for all of the Program code and other code used
+# in conjunction with the Program except the Non-GPL Code covered by this
+# exception. If you modify this file, you may extend this exception to your
+# version of the file, but you are not obligated to do so. If you do not wish to
+# provide this exception without modification, you must delete this exception
+# statement from your version and license this file solely under the GPL without
+# exception. 
+# 
+# 
+# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
+# Copyright (C) 2005 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+#
+# This file configures how a certificate is mapped to an LDAP entry.  See the
+# documentation for more information on this file.
+#
+# The format of this file is as follows:
+#	certmap <name> <issuerDN>
+#	<name>:<prop1> [<val1>]
+#	<name>:<prop2> [<val2>]
+#
+# Notes:
+#
+# 1.  Mapping can be defined per issuer of a certificate.  If mapping doesn't
+#     exists for a particular 'issuerDN' then the server uses the default
+#     mapping. 
+#
+# 2.  There must be an entry for <name>=default and issuerDN "default".
+#     This mapping is the default mapping.
+#
+# 3.  '#' can be used to comment out a line.
+#
+# 4.  DNComps & FilterComps are used to form the base DN and filter resp. for 
+#     performing an LDAP search while mapping the cert to a user entry.
+#
+# 5.  DNComps can be one of the following:
+#	commented out - take the user's DN from the cert as is
+#	empty         - search the entire LDAP tree (DN == suffix)
+#	attr names    - a comma separated list of attributes to form DN
+#
+# 6.  FilterComps can be one of the following:
+#	commented out - set the filter to "objectclass=*"
+#	empty         - set the filter to "objectclass=*"
+#	attr names    - a comma separated list of attributes to form the filter
+#
+
+certmap default		default
+#default:DNComps
+#default:FilterComps	e, uid
+#default:verifycert	on
+#default:CmapLdapAttr	certSubjectDN
+#default:library	<path_to_shared_lib_or_dll>
+#default:InitFn		<Init function's name>
+default:DNComps		
+default:FilterComps	uid

ipa-server/ipa-install/share/default-aci.ldif

@@ -6,3 +6,6 @@ aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTP
 aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
 aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow(read, search,compare)userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
 aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
+aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
+aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
+aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)