Basic changes to get a default principal for DNS

Also moves delegation layout installation into dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.

Signed-off-by: Martin Nagy <mnagy@redhat.com>
Simo Sorce 2009-06-04 15:33:49 -04:00
parent 24089821fb
commit 9fe707a3f2
7 changed files with 432 additions and 2 deletions


@ -5,7 +5,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis
attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'enrollmentPwd' DESC 'Password used to bulk enroll machines' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.43 NAME 'fqdn' DESC 'FQDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )


@ -13,6 +13,7 @@ app_DATA = \
caJarSigningCert.cfg.template \
default-aci.ldif \
default-keytypes.ldif \
delegation.ldif \
dns.ldif \
kerberos.ldif \
indices.ldif \


@ -0,0 +1,348 @@
dn: cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: rolegroups
dn: cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: taskgroups
# Add the default roles
dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: helpdesk
description: Helpdesk
dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: useradmin
description: User Administrators
dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: groupadmin
description: Group Administrators
dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: hostadmin
description: Host Administrators
dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: hostgroupadmin
description: Host Group Administrators
dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: delegationadmin
description: Role administration
dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: serviceadmin
description: Service Administrators
dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: automountadmin
description: Automount Administrators
dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: netgroupadmin
description: Netgroups Administrators
dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: dnsadmin
description: DNS Administrators
dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: dnsserver
description: DNS Servers
dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: Add Users
member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: change_password
description: Change a user password
member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: add_user_to_default_group
description: Add user to default group
member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeusers
description: Remove Users
member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyusers
description: Modify Users
member: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for group administration
dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addgroups
description: Add Groups
member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removegroups
description: Remove Groups
member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroups
description: Modify Groups
member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifygroupmembership
description: Modify Group membership
member: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for host administration
dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhosts
description: Add Hosts
member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehosts
description: Remove Hosts
member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhosts
description: Modify Hosts
member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for hostgroup administration
dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhostgroups
description: Add Host Groups
member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removehostgroups
description: Remove Host Groups
member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroups
description: Modify Host Groups
member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyhostgroupmembership
description: Modify Host Group membership
member: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for service administration
dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addservices
description: Add Services
member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeservices
description: Remove Services
member: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for delegation administration
# This just lets one manage taskgroup membership and create and delete roles
dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addhrole
description: Add Roles
member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeroles
description: Remove Roles
member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyroles
description: Modify Roles
member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifyrolegroupmembership
description: Modify Role Group membership
member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifytaskgroupmembership
description: Modify Task Group membership
member: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for automount administration
dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addautomount
description: Add Automount maps/keys
member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removeautomount
description: Remove Automount maps/keys
member: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Add the taskgroups referenced by the ACIs for netgroup administration
dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: addnetgroups
description: Add netgroups
member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: removenetgroups
description: Remove netgroups
member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroups
description: Modify netgroups
member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: modifynetgroupmembership
description: Modify netgroup membership
member: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Taskgroup for retrieving host keytabs
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Manage host keytab
member: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
# Taskgroup for updating the DNS entries
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
cn: manage_host_keytab
description: Updates DNS
member: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
member: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
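Review bot: Two of the new entries carry a cn attribute that does not match their RDN: `dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX` has `cn: addhrole`, and `dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX` has `cn: manage_host_keytab`, copied from the entry just above it. Depending on how the directory server treats naming attributes, the add is either rejected, which would abort the layout install in dsinstance, or it creates a group whose cn disagrees with its DN and will not be found by anything searching on cn. The fix is `cn: addroles` and `cn: update_dns` respectively; the same `add:cn: manage_host_keytab` copy appears under `dn: cn=update_dns,...` in the update-file hunk later in this commit. The rendered page has dropped the blank lines that separate LDIF entries, so entry boundaries cannot be checked here.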


@ -3,6 +3,7 @@ changetype: add
objectClass: nsContainer
objectClass: top
cn: dns
aci: (targetfilter = "(objectClass=idnsRecord)")(targetattr != "aci")(version 3.0; acl "DNS Servers Updates"; allow (add,write,delete) groupdn = "ldap:///cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX";)
dn: idnsName=$DOMAIN,cn=dns,$SUFFIX
changetype: add
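Review bot: The added aci grants add, write and delete on every non-aci attribute of any entry under cn=dns that matches `(objectClass=idnsRecord)`, for members of the update_dns taskgroup. If, as I recall from the bind-dyndb-ldap schema, idnsZone is derived from idnsRecord, zone entries match that filter as well, so the dnsserver role group can change zone configuration and not only resource records, which is presumably wider than the "Updates DNS" description in delegation.ldif intends. Either narrow the filter, e.g. `(targetfilter = "(&(objectClass=idnsRecord)(!(objectClass=idnsZone)))")`, or add a comment above the aci stating that zone-level write by the DNS server principals is intended.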


@ -54,6 +54,18 @@ add:objectClass: groupofnames
add:cn: netgroupadmin
add:description: Netgroups Administrators
dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: dnsadmin
add:description: DNS Administrators
dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: dnsserver
add:description: DNS Servers
# Add the taskgroups referenced by the ACIs for user administration
dn: cn=taskgroups,cn=accounts,$SUFFIX
@ -436,3 +448,11 @@ add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
cn=accounts,$SUFFIX";)'
# Taskgroup for updating the DNS entries
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: manage_host_keytab
add:description: Updates DNS
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'


@ -21,10 +21,14 @@ import string
import tempfile
import shutil
import os
import pwd
import socket
import logging
import installutils
import ldap
import service
from ipaserver import ipaldap
from ipapython import sysrestore
from ipapython import ipautil
from ipalib import util
@ -45,6 +49,7 @@ def check_inst():
class BindInstance(service.Service):
def __init__(self, fstore=None, dm_password=None):
service.Service.__init__(self, "named", dm_password=dm_password)
self.named_user = None
self.fqdn = None
self.domain = None
self.host = None
@ -57,7 +62,8 @@ class BindInstance(service.Service):
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
def setup(self, fqdn, ip_address, realm_name, domain_name):
def setup(self, fqdn, ip_address, realm_name, domain_name, named_user="named"):
self.named_user = named_user
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
@ -81,7 +87,11 @@ class BindInstance(service.Service):
except:
pass
# FIXME: this need to be split off, as only the first server can do
# this operation
self.step("Setting up our zone", self.__setup_zone)
self.step("Setting up kerberos principal", self.__setup_principal)
self.step("Setting up named.conf", self.__setup_named_conf)
self.step("restarting named", self.__start)
@ -113,6 +123,52 @@ class BindInstance(service.Service):
self.backup_state("domain", self.domain)
self._ldap_mod("dns.ldif", self.sub_dict)
def __setup_principal(self):
dns_principal = "DNS/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dns_principal)
# Store the keytab on disk
self.fstore.backup_file("/etc/named.keytab")
installutils.create_keytab("/etc/named.keytab", dns_principal)
# Make sure access is strictly reserved to the named user
pent = pwd.getpwnam(self.named_user)
os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid)
os.chmod("/etc/named.keytab", 0400)
# modify the principal so that it is marked as an ipa service so that
# it can host the memberof attribute, then also add it to the
# dnsserver role group, this way the DNS is allowed to perform
# DNS Updates
conn = None
try:
conn = ipaldap.IPAdmin("127.0.0.1")
conn.simple_bind_s("cn=directory manager", self.dm_password)
except Exception, e:
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e
dns_princ_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (dns_principal, self.realm, self.suffix)
mod = [(ldap.MOD_ADD, 'objectClass', 'ipaService')]
try:
conn.modify_s(dns_princ_dn, mod)
except Exception, e:
logging.critical("Could not modify principal's %s entry" % dns_principal)
raise e
dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
mod = [(ldap.MOD_ADD, 'member', dns_princ_dn)]
try:
conn.modify_s(dns_group, mod)
except Exception, e:
logging.critical("Could not modify principal's %s entry" % dns_principal)
raise e
conn.unbind()
def __setup_named_conf(self):
self.fstore.backup_file('/etc/named.conf')
named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
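Review bot: In `__setup_principal` the handler around `conn.modify_s(dns_group, mod)` logs the wrong message: it reports `Could not modify principal's %s entry`, copied from the block above, so a failure to add the principal to the dnsserver role group is logged as a failure on the principal entry; use `logging.critical("Could not add %s to %s" % (dns_princ_dn, dns_group))`. In all three handlers `raise e` resets the traceback under Python 2, whereas a bare `raise` preserves it. `conn.unbind()` is only reached on the success path, so a failed modify leaves the Directory Manager connection open; wrapping both modifications in a `try`/`finally` closes it on every path. The keytab is written and only then chown'd and chmod'd to 0400; whether it is readable by other users in between depends on how installutils.create_keytab creates the file, which is not visible in this hunk, so it is worth confirming that the helper or the process umask keeps it restricted from the start.

```python
    def __setup_principal(self):
        # … unchanged: principal creation, keytab creation and permissions …
        conn = None
        try:
            conn = ipaldap.IPAdmin("127.0.0.1")
            conn.simple_bind_s("cn=directory manager", self.dm_password)
        except Exception:
            logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
            raise
        dns_princ_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (dns_principal, self.realm, self.suffix)
        dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
        try:
            # Mark the principal as an IPA service so it can carry memberOf.
            try:
                conn.modify_s(dns_princ_dn, [(ldap.MOD_ADD, 'objectClass', 'ipaService')])
            except Exception:
                logging.critical("Could not modify principal's %s entry" % dns_principal)
                raise
            # Add it to the dnsserver role group so it is allowed to update DNS entries.
            try:
                conn.modify_s(dns_group, [(ldap.MOD_ADD, 'member', dns_princ_dn)])
            except Exception:
                logging.critical("Could not add %s to %s" % (dns_princ_dn, dns_group))
                raise
        finally:
            conn.unbind()
```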


@ -176,6 +176,7 @@ class DsInstance(service.Service):
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("restarting directory server", self.__restart_instance)
self.step("adding default layout", self.__add_default_layout)
self.step("adding delegation layout", self.__add_delegation_layout)
self.step("configuring Posix uid/gid generation as first master",
self.__config_uidgid_gen_first_master)
self.step("adding master entry as first master",
@ -364,6 +365,9 @@ class DsInstance(service.Service):
def __add_default_layout(self):
self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
def __add_delegation_layout(self):
self._ldap_mod("delegation.ldif", self.sub_dict)
def __create_indices(self):
self._ldap_mod("indices.ldif")