Basic changes to get a default principal for DNS

Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.

Signed-off-by: Martin Nagy <mnagy@redhat.com>

install/share/60basev2.ldif

@@ -5,7 +5,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis
 attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'enrollmentPwd' DESC 'Password used to bulk enroll machines' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.43 NAME 'fqdn' DESC 'FQDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )

install/share/Makefile.am

@@ -13,6 +13,7 @@ app_DATA =				\
 	caJarSigningCert.cfg.template	\
 	default-aci.ldif		\
 	default-keytypes.ldif		\
+	delegation.ldif		\
 	dns.ldif			\
 	kerberos.ldif			\
 	indices.ldif			\

install/share/delegation.ldif

@@ -0,0 +1,348 @@
+dn: cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: rolegroups
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: taskgroups
+
+# Add the default roles
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: helpdesk
+description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: useradmin
+description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: groupadmin
+description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: hostadmin
+description: Host Administrators
+
+dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: hostgroupadmin
+description: Host Group Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: delegationadmin
+description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: serviceadmin
+description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: automountadmin
+description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: netgroupadmin
+description: Netgroups Administrators
+
+dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: dnsadmin
+description: DNS Administrators
+
+dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: dnsserver
+description: DNS Servers
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addusers
+description: Add Users
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: change_password
+description: Change a user password
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: add_user_to_default_group
+description: Add user to default group
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeusers
+description: Remove Users
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyusers
+description: Modify Users
+member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for group administration
+dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addgroups
+description: Add Groups
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removegroups
+description: Remove Groups
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifygroups
+description: Modify Groups
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifygroupmembership
+description: Modify Group membership
+member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for host administration
+dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addhosts
+description: Add Hosts
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removehosts
+description: Remove Hosts
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyhosts
+description: Modify Hosts
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for hostgroup administration
+dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addhostgroups
+description: Add Host Groups
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removehostgroups
+description: Remove Host Groups
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyhostgroups
+description: Modify Host Groups
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyhostgroupmembership
+description: Modify Host Group membership
+member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for service administration
+dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addservices
+description: Add Services
+member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeservices
+description: Remove Services
+member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for delegation administration
+# This just lets one manage taskgroup membership and create and delete roles
+dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addhrole
+description: Add Roles
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeroles
+description: Remove Roles
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyroles
+description: Modify Roles
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifyrolegroupmembership
+description: Modify Role Group membership
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifytaskgroupmembership
+description: Modify Task Group membership
+member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for automount administration
+dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addautomount
+description: Add Automount maps/keys
+member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removeautomount
+description: Remove Automount maps/keys
+member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Add the taskgroups referenced by the ACIs for netgroup administration
+dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: addnetgroups
+description: Add netgroups
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: removenetgroups
+description: Remove netgroups
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifynetgroups
+description: Modify netgroups
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: modifynetgroupmembership
+description: Modify netgroup membership
+member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Taskgroup for retrieving host keytabs
+dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: manage_host_keytab
+description: Manage host keytab
+member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+
+# Taskgroup for updating the DNS entries
+dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+cn: manage_host_keytab
+description: Updates DNS
+member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX

install/share/dns.ldif

@@ -3,6 +3,7 @@ changetype: add
 objectClass: nsContainer
 objectClass: top
 cn: dns
+aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";)
 
 dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
 changetype: add

install/updates/40-delegation.update

@@ -54,6 +54,18 @@ add:objectClass: groupofnames
 add:cn: netgroupadmin
 add:description: Netgroups Administrators
 
+dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: dnsadmin
+add:description: DNS Administrators
+
+dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: dnsserver
+add:description: DNS Servers
+
 # Add the taskgroups referenced by the ACIs for user administration
 
 dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -436,3 +448,11 @@ add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
   allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
   cn=accounts,$SUFFIX";)'
 
+# Taskgroup for updating the DNS entries
+dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: manage_host_keytab
+add:description: Updates DNS
+add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'

ipaserver/install/bindinstance.py

@@ -21,10 +21,14 @@ import string
 import tempfile
 import shutil
 import os
+import pwd
 import socket
 import logging
 
+import installutils
+import ldap
 import service
+from ipaserver import ipaldap
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipalib import util
@@ -45,6 +49,7 @@ def check_inst():
 class BindInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None):
         service.Service.__init__(self, "named", dm_password=dm_password)
+        self.named_user = None
         self.fqdn = None
         self.domain = None
         self.host = None
@@ -57,7 +62,8 @@ class BindInstance(service.Service):
         else:
             self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    def setup(self, fqdn, ip_address, realm_name, domain_name):
+    def setup(self, fqdn, ip_address, realm_name, domain_name, named_user="named"):
+        self.named_user = named_user
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm = realm_name
@@ -81,7 +87,11 @@ class BindInstance(service.Service):
         except:
             pass
 
+        # FIXME: this need to be split off, as only the first server can do
+        # this operation
         self.step("Setting up our zone", self.__setup_zone)
+
+        self.step("Setting up kerberos principal", self.__setup_principal)
         self.step("Setting up named.conf", self.__setup_named_conf)
 
         self.step("restarting named", self.__start)
@@ -113,6 +123,52 @@ class BindInstance(service.Service):
         self.backup_state("domain", self.domain)
         self._ldap_mod("dns.ldif", self.sub_dict)
 
+    def __setup_principal(self):
+        dns_principal = "DNS/" + self.fqdn + "@" + self.realm
+        installutils.kadmin_addprinc(dns_principal)
+
+        # Store the keytab on disk
+        self.fstore.backup_file("/etc/named.keytab")
+        installutils.create_keytab("/etc/named.keytab", dns_principal)
+
+        # Make sure access is strictly reserved to the named user
+        pent = pwd.getpwnam(self.named_user)
+        os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid)
+        os.chmod("/etc/named.keytab", 0400)
+
+        # modify the principal so that it is marked as an ipa service so that
+        # it can host the memberof attribute, then also add it to the
+        # dnsserver role group, this way the DNS is allowed to perform
+        # DNS Updates
+        conn = None
+
+        try:
+            conn = ipaldap.IPAdmin("127.0.0.1")
+            conn.simple_bind_s("cn=directory manager", self.dm_password)
+        except Exception, e:
+            logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
+            raise e
+
+        dns_princ_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (dns_principal, self.realm, self.suffix)
+        mod = [(ldap.MOD_ADD, 'objectClass', 'ipaService')]
+
+        try:
+            conn.modify_s(dns_princ_dn, mod)
+        except Exception, e:
+            logging.critical("Could not modify principal's %s entry" % dns_principal)
+            raise e
+
+        dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
+        mod = [(ldap.MOD_ADD, 'member', dns_princ_dn)]
+
+        try:
+            conn.modify_s(dns_group, mod)
+        except Exception, e:
+            logging.critical("Could not modify principal's %s entry" % dns_principal)
+            raise e
+
+        conn.unbind()
+
     def __setup_named_conf(self):
         self.fstore.backup_file('/etc/named.conf')
         named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)

ipaserver/install/dsinstance.py

@@ -176,6 +176,7 @@ class DsInstance(service.Service):
         self.step("configuring certmap.conf", self.__certmap_conf)
         self.step("restarting directory server", self.__restart_instance)
         self.step("adding default layout", self.__add_default_layout)
+        self.step("adding delegation layout", self.__add_delegation_layout)
         self.step("configuring Posix uid/gid generation as first master",
                   self.__config_uidgid_gen_first_master)
         self.step("adding master entry as first master",
@@ -364,6 +365,9 @@ class DsInstance(service.Service):
     def __add_default_layout(self):
         self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
 
+    def __add_delegation_layout(self):
+        self._ldap_mod("delegation.ldif", self.sub_dict)
+
     def __create_indices(self):
         self._ldap_mod("indices.ldif")