Make sure all entries are generated by us according to IPA

default tree. This patch makes sure that the DS setup script
does not add unwanted entries.
This commit is contained in:
Simo Sorce 2008-02-28 13:35:10 -05:00
parent 2c559fce85
commit d7ad62cd7e
3 changed files with 22 additions and 9 deletions


@ -1,11 +1,3 @@
dn: $SUFFIX
changetype: modify
add: objectClass
objectClass: pilotObject
-
add: info
info: IPA V1.0
dn: cn=accounts,$SUFFIX
changetype: add
objectClass: top


@ -2,7 +2,7 @@
# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
dn: $SUFFIX
changetype: modify
replace: aci
add: aci
aci: (targetattr = "krbMKey")(version 3.0; acl "Only the kerberos account can access this one"; deny (read, search, compare, write) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
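Review bot: Switching `replace: aci` to `add: aci` on the `dn: $SUFFIX` modify makes this LDIF non-idempotent: if any of the three aci values is already present on the suffix, ldapmodify fails with "type or value exists" and the installer stops here instead of converging. It also means any aci that did get placed on $SUFFIX before this file runs is retained, so the effective policy becomes the union of those and these three rather than exactly this set — presumably acceptable now that the suffix is created from IPA's own boot.ldif with no aci, but that dependency is not stated anywhere. A comment above the modify would pin the assumption: `# add, not replace: $SUFFIX comes from boot.ldif with no aci, so nothing is clobbered; re-running against an existing suffix will fail with "type or value exists"`. The deny rule on krbMKey is what keeps the key out of the "Enable Anonymous access" allow, since krbMKey is not in that rule's targetattr exclusion list; worth a one-line comment so nobody later "simplifies" it away.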


@ -97,6 +97,16 @@ ServerIdentifier= $SERVERID
Suffix= $SUFFIX
RootDN= cn=Directory Manager
RootDNPwd= $PASSWORD
InstallLdifFile= /var/lib/dirsrv/boot.ldif
"""
BASE_TEMPLATE = """
dn: $SUFFIX
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: $BASEDC
info: IPA V1.0
"""
class DsInstance(service.Service):
@ -177,6 +187,15 @@ class DsInstance(service.Service):
def __create_instance(self):
self.backup_state("running", self.is_running())
self.backup_state("serverid", self.serverid)
self.sub_dict['BASEDC'] = self.domain[:self.domain.find('.')]
base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
logging.debug(base_txt)
base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
base_fd.write(base_txt)
base_fd.flush()
base_fd.close()
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
logging.debug("writing inf template")
inf_fd = ipautil.write_tmp_file(inf_txt)
@ -200,6 +219,8 @@ class DsInstance(service.Service):
except ipautil.CalledProcessError, e:
print "failed to restart ds instance", e
logging.debug("failed to restart ds instance %s" % e)
inf_fd.close()
os.remove("/var/lib/dirsrv/boot.ldif")
def __add_default_schemas(self):
shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
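Review bot: In `__create_instance`, `self.domain[:self.domain.find('.')]` silently produces a truncated value when the domain has no dot, because `find` returns -1 and the slice drops the last character (`"example"` becomes `"exampl"`), so `dc: $BASEDC` in the boot LDIF would not match the suffix RDN; `self.sub_dict['BASEDC'] = self.domain.split('.', 1)[0]` gives the intended first label in every case. The `os.remove("/var/lib/dirsrv/boot.ldif")` in the last hunk only runs if setup-ds and the restart reach that point, so an exception earlier in the method (the body continues outside these hunks) leaves the generated LDIF behind in /var/lib/dirsrv; moving the remove into a `finally` around the setup call, and closing `base_fd` in a `with`-style or `try/finally`, would make the cleanup unconditional. The path is repeated three times (INF_TEMPLATE, the write, the remove); a single module-level constant such as `BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"` interpolated into the template keeps them from drifting apart.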