Update anonymous access ACI to protect secret attributes.

Update anonymous access ACI so that no users besides Trust Admins users can read AD Trust key attributes (ipaNTTrustAuthOutgoing, ipaNTTrustAuthIncoming). The change is applied both for updated IPA servers and new installations.
2025-02-25 18:55:28 -06:00 · 2013-01-22 17:06:04 -05:00 · 2013-01-22 17:06:04 -05:00 · d5966bde80
commit d5966bde80
parent 31e41eea6c
3 changed files with 83 additions and 1 deletions
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@ -3,7 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
 aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@ -9,6 +9,7 @@ app_PYTHON = 			\
 	dns.py			\
 	updateclient.py		\
 	update_services.py	\
+	update_anonymous_aci.py	\
 	$(NULL)

 EXTRA_DIST =			\
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@ -0,0 +1,81 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from copy import deepcopy
+from ipaserver.install.plugins import FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PostUpdate
+#from ipalib.frontend import Updater
+#from ipaserver.install.plugins import baseupdate
+from ipalib import api
+from ipalib.aci import ACI
+from ipalib.plugins import aci
+from ipapython.ipa_log_manager import *
+
+class update_anonymous_aci(PostUpdate):
+    """
+    Update the Anonymous ACI to ensure that all secrets are protected.
+    """
+    order = FIRST
+
+    def execute(self, **options):
+        aciname = u'Enable Anonymous access'
+        aciprefix = u'none'
+        ldap = self.obj.backend
+
+        (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
+
+        acistrs = entry_attrs.get('aci', [])
+        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
+        rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
+
+        attrs = rawaci.target['targetattr']['expression']
+
+        update_attrs = deepcopy(attrs)
+
+        needed_attrs = []
+        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
+            if attr not in attrs:
+                needed_attrs.append(attr)
+
+        update_attrs.extend(needed_attrs)
+        if len(attrs) == len(update_attrs):
+            root_logger.debug("Anonymous ACI already update-to-date")
+            return (False, False, [])
+        else:
+            root_logger.debug("New Anonymous ACI attributes needed: %s",
+                needed_attrs)
+
+        for tmpaci in acistrs:
+            candidate = ACI(tmpaci)
+            if rawaci.isequal(candidate):
+                acistrs.remove(tmpaci)
+                break
+
+        rawaci.target['targetattr']['expression'] = update_attrs
+        acistrs.append(unicode(rawaci))
+        entry_attrs['aci'] = acistrs
+
+        try:
+            ldap.update_entry(dn, entry_attrs)
+        except Exception, e:
+            root_logger.error("Failed to update Anonymous ACI: %s" % e)
+
+        return (False, False, [])
+
+api.register(update_anonymous_aci)