Make sure all entries are generated by us according to IPA

default tree. This patch makes sure that the DS setup script
does not add unwanted entries.
This commit is contained in:
Simo Sorce 2008-02-28 13:35:10 -05:00
parent 2c559fce85
commit d7ad62cd7e
3 changed files with 22 additions and 9 deletions


@ -1,11 +1,3 @@
dn: $SUFFIX
changetype: modify
add: objectClass
objectClass: pilotObject
-
add: info
info: IPA V1.0
dn: cn=accounts,$SUFFIX dn: cn=accounts,$SUFFIX
changetype: add changetype: add
objectClass: top objectClass: top


@ -2,7 +2,7 @@
# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users # FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
dn: $SUFFIX dn: $SUFFIX
changetype: modify changetype: modify
replace: aci add: aci
aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
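Review bot: Changing `replace: aci` to `add: aci` on the $SUFFIX modify makes this step non-idempotent: if any of these aci values is already present on the suffix entry, the add is rejected (attributeOrValueExists), and any aci already on the entry from an earlier run is now kept rather than reset, so the effective access policy can drift from what this file describes. If the intent is that the suffix entry always starts without ACIs — the BASE_TEMPLATE boot.ldif in this commit defines none — that is presumably fine, but it deserves to be stated next to the FIXME above, e.g. `# aci values are added, not replaced: the suffix entry is created bare by boot.ldif and carries no default aci`.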


@ -97,6 +97,16 @@ ServerIdentifier= $SERVERID
Suffix= $SUFFIX Suffix= $SUFFIX
RootDN= cn=Directory Manager RootDN= cn=Directory Manager
RootDNPwd= $PASSWORD RootDNPwd= $PASSWORD
InstallLdifFile= /var/lib/dirsrv/boot.ldif
"""
BASE_TEMPLATE = """
dn: $SUFFIX
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: $BASEDC
info: IPA V1.0
""" """
class DsInstance(service.Service): class DsInstance(service.Service):
@ -177,6 +187,15 @@ class DsInstance(service.Service):
def __create_instance(self): def __create_instance(self):
self.backup_state("running", self.is_running()) self.backup_state("running", self.is_running())
self.backup_state("serverid", self.serverid) self.backup_state("serverid", self.serverid)
self.sub_dict['BASEDC'] = self.domain[:self.domain.find('.')]
base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
logging.debug(base_txt)
base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
base_fd.write(base_txt)
base_fd.flush()
base_fd.close()
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict) inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
logging.debug("writing inf template") logging.debug("writing inf template")
inf_fd = ipautil.write_tmp_file(inf_txt) inf_fd = ipautil.write_tmp_file(inf_txt)
@ -200,6 +219,8 @@ class DsInstance(service.Service):
except ipautil.CalledProcessError, e: except ipautil.CalledProcessError, e:
print "failed to restart ds instance", e print "failed to restart ds instance", e
logging.debug("failed to restart ds instance %s" % e) logging.debug("failed to restart ds instance %s" % e)
inf_fd.close()
os.remove("/var/lib/dirsrv/boot.ldif")
def __add_default_schemas(self): def __add_default_schemas(self):
shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif", shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
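Review bot: `self.domain[:self.domain.find('.')]` on the BASEDC line of the __create_instance hunk silently drops the last character when the domain contains no dot, because find() returns -1 and the slice becomes domain[:-1]; `self.sub_dict['BASEDC'] = self.domain.split('.')[0]` yields the first label in every case. The boot.ldif written there is removed only at the end of the later hunk (`os.remove("/var/lib/dirsrv/boot.ldif")`), so if the setup call between the two hunks raises, the bootstrap file is left behind; wrapping that stretch in try/finally so the remove and `inf_fd.close()` always run would close the gap. The same path literal now appears three times (INF_TEMPLATE, the file() call and os.remove); a single module-level constant referenced from all three would keep them from drifting apart. __create_instance's body continues outside both hunks.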