merge in changes from upstream

ipa-server/ipa-install/Makefile

@@ -6,7 +6,8 @@ install:
 	install -m 755 ipa-server-install $(SBINDIR)
 	install -m 755 ipa-server-setupssl $(SBINDIR)
 	$(MAKE) -C share $@
+	$(MAKE) -C test $@
 
 clean:
 	$(MAKE) -C share $@
-	rm -f *~ *.pyc
+	rm -f *~ *.pyc

ipa-server/ipa-install/ipa-server-install

@@ -75,7 +75,7 @@ def logging_setup(options):
     formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
     console.setFormatter(formatter)
     logging.getLogger('').addHandler(console)
-        
+
 def main():
     options = parse_options()
     logging_setup(options)
@@ -119,6 +119,16 @@ def main():
     # Restart apache
     run(["/sbin/service", "httpd", "restart"])
 
+    # Set apache to be on at boot
+    run(["/sbin/chkconfig", "httpd", "on"])
+
+    # Create the config file
+    fd = open("/etc/ipa/ipa.conf", "w")
+    fd.write("[defaults]\n")
+    fd.write("server=" + host_name + "\n")
+    fd.write("realm=" + options.realm_name + "\n")
+    fd.close()
+
     return 0
 
 main()

ipa-server/ipa-install/ipa-server-setupssl

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 if [ "$1" ] ; then
     password=$1
@@ -49,22 +49,14 @@ if [ -f $secdir/cert8.db ] ; then
         needServerCert=1
     fi
 
-    # look for admin server cert
-    if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then
-        echo "Using existing admin server-cert"
-    else
-        echo "No Admin Server Cert found - will create new one"
-        needASCert=1
-    fi
     prefix="new-"
     prefixarg="-P $prefix"
 else
     needCA=1
     needServerCert=1
-    needASCert=1
 fi
 
-if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then
+if test -z "$needCA" -a -z "$needServerCert" ; then
     echo "No certs needed - exiting"
     exit 0
 fi
@@ -120,17 +112,17 @@ if test -n "$needServerCert" ; then
     certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
 fi
 
-if test -n "$needASCert" ; then
-# Generate the admin server certificate
-    certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+# 8. Generate the web service client certificate:
+    echo -e "0\n2\n9\nn\n0\n9\nn\n" | certutil -S $prefixarg -n webservice -s "uid=webservice, CN=Web Service, OU=Fedora Directory Server" -c "CA certificate" -t u,pu,u -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -1 -5
 
-# export the admin server certificate/private key for import into its key/cert db
-    pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
-    if test -n "$isroot" ; then
-        chown $uid:$gid $secdir/adminserver.p12
-    fi
-    chmod 400 $secdir/adminserver.p12
-fi
+    pk12util -d $secdir $prefixarg -o $secdir/webservice.p12 -n "webservice" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+
+    openssl pkcs12 -in $secdir/webservice.p12 -clcerts -nokeys -out /usr/share/ipa/cert.pem -passin file:$secdir/pwdfile.txt
+    openssl pkcs12 -in $secdir/webservice.p12 -nocerts -nodes -out /usr/share/ipa/key.pem -passin file:$secdir/pwdfile.txt
+
+    cp -p $secdir/cacert.asc /usr/share/ipa
+    chown apache:apache /usr/share/ipa/cert.pem /usr/share/ipa/key.pem /usr/share/ipa/cacert.asc
+    chmod 600 /usr/share/ipa/cert.pem /usr/share/ipa/key.pem
 
 # create the pin file
 if [ ! -f $secdir/pin.txt ] ; then
@@ -153,42 +145,6 @@ if [ -n "$prefix" ] ; then
     mv $secdir/${prefix}key3.db $secdir/key3.db
 fi
 
-# create the admin server key/cert db
-asprefix=admin-serv-
-if [ ! -f ${asprefix}cert8.db ] ; then
-    certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt
-    if test -n "$isroot" ; then
-        chown $uid:$gid $secdir/admin-serv-*.db
-    fi
-    chmod 600 $secdir/admin-serv-*.db
-fi
-
-if test -n "$needASCert" ; then
-# import the admin server key/cert
-    pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
-
-# import the CA cert to the admin server cert db
-    certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc
-fi
-
-if [ ! -f $secdir/password.conf ] ; then
-# create the admin server password file
-    echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf
-    if test -n "$isroot" ; then
-        chown $uid:$gid $secdir/password.conf
-    fi
-    chmod 400 $secdir/password.conf
-fi
-
-# tell admin server to use the password file
-if [ -f ../admin-serv/config/nss.conf ] ; then
-    sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf
-    if test -n "$isroot" ; then
-        chown $uid:$gid ../admin-serv/config/nss.conf
-    fi
-    chmod 400 ../admin-serv/config/nss.conf
-fi
-
 # enable SSL in the directory server
 
 ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF

ipa-server/ipa-install/share/bootstrap-template.ldif

@@ -31,3 +31,26 @@ ou: groups
 #objectClass: top
 #ou: computers
 
+dn: ou=special,$SUFFIX
+changetype: add
+objectClass: organizationalUnit
+objectClass: top
+ou: special
+
+dn: uid=webservice,ou=special,$SUFFIX
+changetype: add
+uid: webservice
+objectClass: account
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+cn: Web Service
+sn: Service
+
+dn: cn=admin,ou=groups,ou=default,$SUFFIX
+changetype: add
+description: ou=users administrators
+objectClass: top
+objectClass: groupofuniquenames
+cn: admin

ipa-server/ipa-install/share/certmap.conf.template

@@ -0,0 +1,82 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# This Program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; version 2 of the License.
+# 
+# This Program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License along with
+# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
+# Place, Suite 330, Boston, MA 02111-1307 USA.
+# 
+# In addition, as a special exception, Red Hat, Inc. gives You the additional
+# right to link the code of this Program with code not covered under the GNU
+# General Public License ("Non-GPL Code") and to distribute linked combinations
+# including the two, subject to the limitations in this paragraph. Non-GPL Code
+# permitted under this exception must only link to the code of this Program
+# through those well defined interfaces identified in the file named EXCEPTION
+# found in the source code files (the "Approved Interfaces"). The files of
+# Non-GPL Code may instantiate templates or use macros or inline functions from
+# the Approved Interfaces without causing the resulting work to be covered by
+# the GNU General Public License. Only Red Hat, Inc. may make changes or
+# additions to the list of Approved Interfaces. You must obey the GNU General
+# Public License in all respects for all of the Program code and other code used
+# in conjunction with the Program except the Non-GPL Code covered by this
+# exception. If you modify this file, you may extend this exception to your
+# version of the file, but you are not obligated to do so. If you do not wish to
+# provide this exception without modification, you must delete this exception
+# statement from your version and license this file solely under the GPL without
+# exception. 
+# 
+# 
+# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
+# Copyright (C) 2005 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+#
+# This file configures how a certificate is mapped to an LDAP entry.  See the
+# documentation for more information on this file.
+#
+# The format of this file is as follows:
+#	certmap <name> <issuerDN>
+#	<name>:<prop1> [<val1>]
+#	<name>:<prop2> [<val2>]
+#
+# Notes:
+#
+# 1.  Mapping can be defined per issuer of a certificate.  If mapping doesn't
+#     exists for a particular 'issuerDN' then the server uses the default
+#     mapping. 
+#
+# 2.  There must be an entry for <name>=default and issuerDN "default".
+#     This mapping is the default mapping.
+#
+# 3.  '#' can be used to comment out a line.
+#
+# 4.  DNComps & FilterComps are used to form the base DN and filter resp. for 
+#     performing an LDAP search while mapping the cert to a user entry.
+#
+# 5.  DNComps can be one of the following:
+#	commented out - take the user's DN from the cert as is
+#	empty         - search the entire LDAP tree (DN == suffix)
+#	attr names    - a comma separated list of attributes to form DN
+#
+# 6.  FilterComps can be one of the following:
+#	commented out - set the filter to "objectclass=*"
+#	empty         - set the filter to "objectclass=*"
+#	attr names    - a comma separated list of attributes to form the filter
+#
+
+certmap default		default
+#default:DNComps
+#default:FilterComps	e, uid
+#default:verifycert	on
+#default:CmapLdapAttr	certSubjectDN
+#default:library	<path_to_shared_lib_or_dll>
+#default:InitFn		<Init function's name>
+default:DNComps		
+default:FilterComps	uid

ipa-server/ipa-install/share/default-aci.ldif

@@ -7,4 +7,6 @@ aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNum
 aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
 aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
 aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-
+aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
+aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
+aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) 

ipa-server/ipa-install/test/Makefile

@@ -0,0 +1,8 @@
+SHAREDIR = $(DESTDIR)/usr/share/ipa
+
+install:
+	-mkdir -p $(SHAREDIR)
+	install -m 644 *.ldif $(SHAREDIR)
+
+clean:
+	rm -f *~

ipa-server/ipa-install/test/test-users-template.ldif

@@ -1,5 +1,6 @@
 # test, users, default, $REALM
 dn: uid=test,ou=users,ou=default,$SUFFIX
+changetype: add
 uidNumber: 1001
 uid: test
 gecos: test
@@ -13,8 +14,17 @@ shadowInactive: -1
 shadowLastChange: 13655
 shadowFlag: -1
 gidNumber: 100
+objectclass: krbPrincipalAux
+objectclass: inetOrgPerson
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: account
 objectClass: top
-cn: test
+cn: Test User
+sn: User
+krbPrincipalName: test@$REALM
+
+dn: cn=admin,ou=groups,ou=default,$SUFFIX
+changetype: modify
+add: uniqueMember
+uniqueMember: uid=test,ou=users,ou=default,$SUFFIX