IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

aci: add IPA servers host group 'ipaservers'

Browse Source 
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This commit is contained in:
Jan Cholasta 2015-12-01 10:42:38 +01:00
parent ee853a3d35
commit a8d7ce5cf1
7 changed files with 66 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ACI.txt
View File

@ -119,7 +119,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
dn: cn=computers,cn=accounts,dc=ipa,dc=example dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";) aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";) aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example dn: cn=computers,cn=accounts,dc=ipa,dc=example
@ -137,7 +137,7 @@ aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) aci: (targetattr = "member")(targetfilter = "(&(!(cn=ipaservers))(objectclass=ipahostgroup))")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example

11
install/share/bootstrap-template.ldif
View File

@ -261,6 +261,17 @@ description: Limited admins who can edit other users
cn: editors cn: editors
ipaUniqueID: autogenerate ipaUniqueID: autogenerate
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: ipaobject
objectClass: ipahostgroup
description: IPA server hosts
cn: ipaservers
ipaUniqueID: autogenerate
dn: cn=sshd,cn=hbacservices,cn=hbac,$SUFFIX dn: cn=sshd,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add changetype: add
objectclass: ipahbacservice objectclass: ipahbacservice

13
install/updates/20-ipaservers_hostgroup.update Normal file
View File

@ -0,0 +1,13 @@
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
default: objectClass: top
default: objectClass: groupOfNames
default: objectClass: nestedGroup
default: objectClass: ipaobject
default: objectClass: ipahostgroup
default: description: IPA server hosts
default: cn: ipaservers
default: ipaUniqueID: autogenerate
# Add local host to ipaservers
dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
add: member: fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX

1
install/updates/Makefile.am
View File

@ -14,6 +14,7 @@ app_DATA = \
20-dna.update \ 20-dna.update \
20-host_nis_groups.update \ 20-host_nis_groups.update \
20-indices.update \ 20-indices.update \
20-ipaservers_hostgroup.update \
20-nss_ldap.update \ 20-nss_ldap.update \
20-replication.update \ 20-replication.update \
20-sslciphers.update \ 20-sslciphers.update \

6
ipalib/plugins/host.py
View File

@ -395,6 +395,12 @@ class host(LDAPObject):
}, },
'System: Manage Host Keytab': { 'System: Manage Host Keytab': {
'ipapermright': {'write'}, 'ipapermright': {'write'},
'ipapermtargetfilter': [
'(objectclass=ipahost)',
'(!(memberOf=%s))' % DN('cn=ipaservers',
api.env.container_hostgroup,
api.env.basedn),
],
'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'}, 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
'replaces': [ 'replaces': [
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)', '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',

26
ipalib/plugins/hostgroup.py
View File

@ -72,6 +72,8 @@ def get_complete_hostgroup_member_list(hostgroup):
register = Registry() register = Registry()
PROTECTED_HOSTGROUPS = (u'ipaservers',)
@register() @register()
class hostgroup(LDAPObject): class hostgroup(LDAPObject):
@ -121,6 +123,10 @@ class hostgroup(LDAPObject):
}, },
'System: Modify Hostgroup Membership': { 'System: Modify Hostgroup Membership': {
'ipapermright': {'write'}, 'ipapermright': {'write'},
'ipapermtargetfilter': [
'(objectclass=ipahostgroup)',
'(!(cn=ipaservers))',
],
'ipapermdefaultattr': {'member'}, 'ipapermdefaultattr': {'member'},
'replaces': [ 'replaces': [
'(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)', '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)',
@ -229,6 +235,14 @@ class hostgroup_del(LDAPDelete):
msg_summary = _('Deleted hostgroup "%(value)s"') msg_summary = _('Deleted hostgroup "%(value)s"')
def pre_callback(self, ldap, dn, *keys, **options):
if keys[0] in PROTECTED_HOSTGROUPS:
raise errors.ProtectedEntryError(label=_(u'hostgroup'),
key=keys[0],
reason=_(u'privileged hostgroup'))
return dn
@register() @register()
class hostgroup_mod(LDAPUpdate): class hostgroup_mod(LDAPUpdate):
@ -283,6 +297,18 @@ class hostgroup_add_member(LDAPAddMember):
class hostgroup_remove_member(LDAPRemoveMember): class hostgroup_remove_member(LDAPRemoveMember):
__doc__ = _('Remove members from a hostgroup.') __doc__ = _('Remove members from a hostgroup.')
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
if keys[0] in PROTECTED_HOSTGROUPS and 'host' in options:
result = api.Command.hostgroup_show(keys[0])
hosts_left = set(result['result'].get('member_host', []))
hosts_deleted = set(options['host'])
if hosts_left.issubset(hosts_deleted):
raise errors.LastMemberError(key=sorted(hosts_deleted)[0],
label=_(u'hostgroup'),
container=keys[0])
return dn
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN) assert isinstance(dn, DN)
self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs) self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)

7
ipaserver/install/krbinstance.py
View File

@ -117,6 +117,13 @@ class KrbInstance(service.Service):
host_entry['krbticketflags'] = service_entry['krbticketflags'] host_entry['krbticketflags'] = service_entry['krbticketflags']
self.admin_conn.add_entry(host_entry) self.admin_conn.add_entry(host_entry)
# Add the host to the ipaserver host group
hostgroup_dn = DN(('cn', 'ipaservers'), ('cn', 'hostgroups'),
('cn', 'accounts'), self.suffix)
hostgroup_entry = self.admin_conn.get_entry(hostgroup_dn, ['member'])
hostgroup_entry.setdefault('member', []).append(host_dn)
self.admin_conn.update_entry(hostgroup_entry)
def __common_setup(self, realm_name, host_name, domain_name, admin_password): def __common_setup(self, realm_name, host_name, domain_name, admin_password):
self.fqdn = host_name self.fqdn = host_name
self.realm = realm_name.upper() self.realm = realm_name.upper()