Enrollment for a host in an IPA domain

This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no Kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
This commit is contained in:
Rob Crittenden
2009-09-14 17:04:08 -04:00
committed by Jason Gerard DeRose
parent 4f4d57cd30
commit d0587cbdd5
19 changed files with 1578 additions and 82 deletions


@@ -222,8 +222,9 @@ add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
add:aci: '(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version
3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "cn || description || locality || location || platform
|| os")(target = "ldap:///cn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
add:aci: '(targetattr = "cn || description || l || location ||
nshardwareplatform || nsosversion")
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;
acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
cn=taskgroups,cn=accounts,$SUFFIX";)'
@@ -449,16 +450,36 @@ add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACI needed to do host keytab admin
dn: $SUFFIX
add:aci: '(targetattr = "krbPrincipalKey")(target = "ldap:///cn=*,
cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";
add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
(version 3.0;acl "Manage host keytab";
allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,
cn=accounts,$SUFFIX";)'
# Taskgroup for enrolling hosts. Note that this also requires
# manage_host_keytab access
dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: enroll_host
add:description: Enroll a host
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
# set enrolledBy to whoever ran join.
dn: $SUFFIX
add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass")
(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")
(version 3.0;acl "Enroll a host";
allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
cn=accounts,$SUFFIX";)'
# Taskgroup for updating the DNS entries
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: manage_host_keytab
add:cn: update_sn
add:description: Updates DNS
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'