Make sure all entries are generated by us according to IPA
default tree. This patch makes sure that the DS setup script does not add unwanted entries.
parent
2c559fce85
commit
d7ad62cd7e
@ -1,11 +1,3 @@
|
||||
dn: $SUFFIX
|
||||
changetype: modify
|
||||
add: objectClass
|
||||
objectClass: pilotObject
|
||||
-
|
||||
add: info
|
||||
info: IPA V1.0
|
||||
|
||||
dn: cn=accounts,$SUFFIX
|
||||
changetype: add
|
||||
objectClass: top
|
||||
|
@ -2,7 +2,7 @@
|
||||
# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
|
||||
dn: $SUFFIX
|
||||
changetype: modify
|
||||
replace: aci
|
||||
add: aci
|
||||
aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
|
||||
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
|
||||
|
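Review bot: The one-line change between `replace: aci` and `add: aci` on the $SUFFIX entry decides what happens to ACIs already present on that entry when this LDIF is applied: `replace` discards them, `add` keeps them next to the three listed here. Reading the pair as old line then new, the template appears to move to `add`, which only produces the intended ACI set if the suffix entry really is created bare by the installer's boot.ldif; a comment above `dn: $SUFFIX` such as `# The suffix entry is created by boot.ldif without ACIs, so add rather than replace` would record that dependency. Separately, the "Enable Anonymous access" and "Admin can manage any entry" rules do not list krbMKey in their targetattr exclusions, so protection of the master key rests entirely on the preceding deny rule; adding `krbMKey` to both exclusion lists would state the intent directly instead of relying on deny precedence.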
@ -97,6 +97,16 @@ ServerIdentifier= $SERVERID
|
||||
Suffix= $SUFFIX
|
||||
RootDN= cn=Directory Manager
|
||||
RootDNPwd= $PASSWORD
|
||||
InstallLdifFile= /var/lib/dirsrv/boot.ldif
|
||||
"""
|
||||
|
||||
BASE_TEMPLATE = """
|
||||
dn: $SUFFIX
|
||||
objectClass: top
|
||||
objectClass: domain
|
||||
objectClass: pilotObject
|
||||
dc: $BASEDC
|
||||
info: IPA V1.0
|
||||
"""
|
||||
|
||||
class DsInstance(service.Service):
|
||||
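Review bot: The path `/var/lib/dirsrv/boot.ldif` introduced on the new `InstallLdifFile=` line is repeated as a literal in the two later hunks of this file (the `file(...)` open in `__create_instance` and the `os.remove` after the restart); a single module-level constant next to BASE_TEMPLATE, `BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"`, substituted into INF_TEMPLATE through sub_dict like the other `$` variables, keeps the three from drifting apart. BASE_TEMPLATE also arrives without a comment saying what it is for; one line above it, `# Root suffix entry written to boot.ldif and loaded by setup-ds via InstallLdifFile`, would help, since `$BASEDC` is only filled in far away in `__create_instance`.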
@ -177,6 +187,15 @@ class DsInstance(service.Service):
|
||||
def __create_instance(self):
|
||||
self.backup_state("running", self.is_running())
|
||||
self.backup_state("serverid", self.serverid)
|
||||
|
||||
self.sub_dict['BASEDC'] = self.domain[:self.domain.find('.')]
|
||||
base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
|
||||
logging.debug(base_txt)
|
||||
base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
|
||||
base_fd.write(base_txt)
|
||||
base_fd.flush()
|
||||
base_fd.close()
|
||||
|
||||
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
|
||||
logging.debug("writing inf template")
|
||||
inf_fd = ipautil.write_tmp_file(inf_txt)
|
||||
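Review bot: `self.domain[:self.domain.find('.')]` on the new BASEDC line silently drops the last character of the domain when it contains no dot, because `find` returns -1 and the slice becomes `domain[:-1]`; `self.sub_dict['BASEDC'] = self.domain.split('.', 1)[0]` yields the whole string in that case and the same result otherwise. The `file(...)`, `write`, `flush`, `close` sequence for boot.ldif has no `try`/`finally`, so an exception from `write` leaves the handle open; the inf file a few lines below already goes through `ipautil.write_tmp_file`, which suggests a helper for this write too. `__create_instance` continues past the end of this hunk.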
@ -200,6 +219,8 @@ class DsInstance(service.Service):
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "failed to restart ds instance", e
|
||||
logging.debug("failed to restart ds instance %s" % e)
|
||||
inf_fd.close()
|
||||
os.remove("/var/lib/dirsrv/boot.ldif")
|
||||
|
||||
def __add_default_schemas(self):
|
||||
shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
|
||||
|
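Review bot: `os.remove("/var/lib/dirsrv/boot.ldif")` on the new line runs only when control reaches the end of the normal path; the `except` shown covers just the restart, so anything raised between the write of boot.ldif earlier in `__create_instance` and this line leaves the bootstrap file behind in /var/lib/dirsrv. Moving the `os.remove` into a `finally:` that wraps the setup-ds and restart steps, and tolerating a missing file there, makes the cleanup unconditional. The start of `__create_instance` lies outside this hunk.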