diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 0a969de38..014f9d61d 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -1,11 +1,3 @@
-dn: $SUFFIX
-changetype: modify
-add: objectClass
-objectClass: pilotObject
--
-add: info
-info: IPA V1.0
-
 dn: cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index d7b5d300b..a452b50d2 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -2,7 +2,7 @@
 # FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
 dn: $SUFFIX
 changetype: modify
-replace: aci
+add: aci
 aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 99ebae506..4ed4ddf09 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
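Review bot: Switching `replace: aci` to `add: aci` makes the shipped ACI set additive rather than authoritative, so any aci values already present on `$SUFFIX` (from an earlier or aborted install) survive alongside these, and if one of these exact values is already there the modify fails with attributeOrValueExists instead of converging. Because the suffix entry is now created by the bootstrap LDIF with no aci at all, `add` is right for a fresh install, but a re-run against an existing suffix no longer resets the access policy to the defaults. I would either keep `replace: aci` once the entry is known to exist, or state the assumption in the file header, e.g. `# Assumes $SUFFIX was just created by the bootstrap LDIF and carries no aci values yet; re-applying to an existing suffix needs replace.`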
@@ -97,6 +97,16 @@ ServerIdentifier= $SERVERID
 Suffix= $SUFFIX
 RootDN= cn=Directory Manager
 RootDNPwd= $PASSWORD
+InstallLdifFile= /var/lib/dirsrv/boot.ldif
+"""
+
+BASE_TEMPLATE = """
+dn: $SUFFIX
+objectClass: top
+objectClass: domain
+objectClass: pilotObject
+dc: $BASEDC
+info: IPA V1.0
 """
 
 class DsInstance(service.Service):
@@ -177,6 +187,15 @@ class DsInstance(service.Service):
 def __create_instance(self):
 self.backup_state("running", self.is_running())
 self.backup_state("serverid", self.serverid)
+
+ self.sub_dict['BASEDC'] = self.domain[:self.domain.find('.')]
+ base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
+ logging.debug(base_txt)
+ base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
+ base_fd.write(base_txt)
+ base_fd.flush()
+ base_fd.close()
+
 inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
 logging.debug("writing inf template")
 inf_fd = ipautil.write_tmp_file(inf_txt)
@@ -200,6 +219,8 @@ class DsInstance(service.Service):
 except ipautil.CalledProcessError, e:
 print "failed to restart ds instance", e
 logging.debug("failed to restart ds instance %s" % e)
+ inf_fd.close()
+ os.remove("/var/lib/dirsrv/boot.ldif")
 
 def __add_default_schemas(self):
 shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
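Review bot: The boot.ldif path `/var/lib/dirsrv/boot.ldif` is hard-coded here in INF_TEMPLATE and repeated twice more in `__create_instance` (the write in the next hunk and the `os.remove` in the last one), so the three can drift apart; a single module constant fed through `sub_dict` keeps them in step, e.g. `BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"` with `InstallLdifFile= $BOOTLDIF` in the template and `self.sub_dict['BOOTLDIF'] = BOOT_LDIF` at the call site. BASE_TEMPLATE also deserves a one-line comment saying what it is, since the name alone does not tell a reader that it is the suffix entry handed to the server via InstallLdifFile, e.g. `# LDIF for the suffix entry itself, written to InstallLdifFile so the server creates it at instance setup`. The template opens with a newline, so the written file starts with a blank line; I have not verified that the server's LDIF reader tolerates a leading empty record, worth confirming rather than assuming.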
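Review bot: `self.domain[:self.domain.find('.')]` silently drops the last character of a single-label domain, because `str.find` returns -1 when there is no dot and the slice then becomes `[:-1]`; `self.sub_dict['BASEDC'] = self.domain.split('.', 1)[0]` yields the first label in every case. The `file(...)`/`write`/`flush`/`close` sequence also leaves the handle open if the write raises; a `try`/`finally` around the write (or a `with` block if the file already uses that syntax) closes it on every path. Unlike the inf file, which goes through `ipautil.write_tmp_file`, boot.ldif is written to a fixed shared path under the process umask, so a short comment should say why a stable path is required here, e.g. `# fixed path: InstallLdifFile in INF_TEMPLATE points at it`. The rest of __create_instance continues past this hunk.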
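Review bot: The cleanup of inf_fd and boot.ldif runs only on the success path; if the instance setup that sits between this hunk and the previous one raises (the `except` here covers only the restart), both files stay on disk, and the inf file carries `RootDNPwd= $PASSWORD` per the template in the first hunk, so the Directory Manager password would be left behind in a temp file. Moving the two cleanup lines into a `finally:` that opens right after `inf_fd = ipautil.write_tmp_file(inf_txt)` closes that gap. `os.remove` also raises OSError if boot.ldif is already gone, which would fail an install that otherwise succeeded, so the missing-file case should be tolerated. I have assumed `write_tmp_file` returns a handle whose close removes the temp file; if it does not, the inf file needs an explicit remove as well. __create_instance begins outside this hunk.
```python
        inf_fd = ipautil.write_tmp_file(inf_txt)
        try:
            # … unchanged: run the instance setup and restart it, with its except clause …
        finally:
            inf_fd.close()
            try:
                os.remove("/var/lib/dirsrv/boot.ldif")
            except OSError, e:
                logging.debug("could not remove boot.ldif: %s" % e)
```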