Finalize DIT, this is waht we are probably going to have in the end,

or something very close to this one Add default groups and admin user TODO: need to discuss more in deep uid/gid generation, this will probably change as soon as the DNA plugin is activated
2025-01-26 08:06:30 -06:00 · 2007-08-29 18:07:05 -04:00 · 2007-08-29 18:07:05 -04:00 · bebc413366
commit bebc413366
parent 46eeca740e
5 changed files with 87 additions and 66 deletions
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@ -4,55 +4,78 @@ add: objectClass
 objectClass: pilotObject
 info: IPA V1.0

-# default, $REALM
-dn: ou=default,$SUFFIX
+dn: cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: default
+objectClass: nsContainer
+cn: accounts

-# users, default, $REALM
-dn: ou=users,ou=default,$SUFFIX
+dn: cn=users,cn=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: users
+objectClass: nsContainer
+cn: users

-# groups, default, $REALM
-dn: ou=groups,ou=default,$SUFFIX
+dn: cn=groups,ou=accounts,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
 objectClass: top
-ou: groups
+objectClass: nsContainer
+cn: groups

-# computers, default, $REALM
-#dn: ou=computers,ou=default,$SUFFIX
-#objectClass: organizationalUnit
+#dn: cn=computers,cn=accounts,$SUFFIX
 #objectClass: top
-#ou: computers
+#objectClass: nsContainer
+#cn: computers

-dn: ou=special,$SUFFIX
+dn: cn=etc,$SUFFIX
 changetype: add
-objectClass: organizationalUnit
+objectClass: nsContainer
 objectClass: top
-ou: special
+cn: etc

-dn: uid=webservice,ou=special,$SUFFIX
+dn: cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
-uid: webservice
+objectClass: nsContainer
+objectClass: top
+cn: sysaccounts
+
+dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
 objectClass: account
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-objectClass: person
-cn: Web Service
-sn: Service
+uid: webservice

-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: uid=admin,cn=users,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: KrbPrincipalAux
+uid: admin
+krbPrincipalName: admin@$REALM
+cn: Administrator
+sn: Administrator
+uidNumber: 1000
+gidNumber: 1001
+homeDirectory: /home/admin
+loginShell: /bin/bash
+gecos: Administrator
+
+dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
 changetype: add
-description: ou=users administrators
 objectClass: top
 objectClass: groupofuniquenames
 objectClass: posixGroup
-gidNumber: 500
-cn: admin
+cn: admins
+gidNumber: 1001
+uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
+
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofuniquenames
+objectClass: posixGroup
+gidNumber: 1002
+cn: ipausers
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@ -3,12 +3,9 @@ dn: $SUFFIX
 changetype: modify
 replace: aci
 aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
-aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
-aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
-aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
-aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
-aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) 
+aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
+aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
+aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
--- a/ipa-server/ipa-install/share/kerberos.ldif
+++ b/ipa-server/ipa-install/share/kerberos.ldif
@ -1,26 +1,35 @@
-#kerberos base object
-dn: cn=kerberos,$SUFFIX
-changetype: add
-objectClass: krbContainer
-objectClass: top
-cn: kerberos
-aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
-
 #kerberos user
-dn: uid=kdc,cn=kerberos,$SUFFIX
+dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: kdc
 userPassword: $PASSWORD

+#kerberos base object
+dn: cn=kerberos,$SUFFIX
+changetype: add
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+
 #sasl mapping
-dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
+dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
 changetype: add
 objectclass: top
 objectclass: nsSaslMapping
-cn: kerberos
+cn: fullprinc
 nsSaslMapRegexString: \(.*\)@\(.*\)
 nsSaslMapBaseDNTemplate: $SUFFIX
 nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

+dn: cn=justname,cn=mapping,cn=sasl,cn=config
+changetype: add
+objectclass: top
+objectclass: nsSaslMapping
+cn: justname
+nsSaslMapRegexString: \(.*\)
+nsSaslMapBaseDNTemplate: $SUFFIX
+nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
+
--- a/ipa-server/ipa-install/test/test-users-template.ldif
+++ b/ipa-server/ipa-install/test/test-users-template.ldif
@ -1,30 +1,22 @@
 # test, users, default, $REALM
-dn: uid=test,ou=users,ou=default,$SUFFIX
+dn: uid=test,cn=users,cn=accounts,$SUFFIX
 changetype: add
-uidNumber: 1001
+uidNumber: 1003
 uid: test
 gecos: test
 homeDirectory: /home/test
 loginShell: /bin/bash
-shadowMin: 0
-shadowWarning: 7
-shadowMax: 99999
-shadowExpire: -1
-shadowInactive: -1
-shadowLastChange: 13655
-shadowFlag: -1
-gidNumber: 100
+gidNumber: 1002
 objectclass: krbPrincipalAux
 objectclass: inetOrgPerson
 objectClass: posixAccount
-objectClass: shadowAccount
 objectClass: account
 objectClass: top
 cn: Test User
 sn: User
 krbPrincipalName: test@$REALM

-dn: cn=admin,ou=groups,ou=default,$SUFFIX
+dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
 changetype: modify
 add: uniqueMember
-uniqueMember: uid=test,ou=users,ou=default,$SUFFIX
+uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@ -37,8 +37,8 @@ import re
 # Need a global to store this between requests
 _LDAPPool = None

-DefaultUserContainer = "ou=users,ou=default"
-DefaultGroupContainer = "ou=groups,ou=default"
+DefaultUserContainer = "cn=users,cn=accounts"
+DefaultGroupContainer = "cn=groups,cn=accounts"

 #
 # Apache runs in multi-process mode so each process will have its own