daemons: Remove ipa_kpasswd

Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
This commit is contained in:
Simo Sorce 2011-07-20 18:11:05 -04:00
parent a60a71497b
commit dfa944da24
18 changed files with 14 additions and 1700 deletions

.gitignore vendored

@ -28,7 +28,6 @@ daemons/config.status
daemons/config.sub
daemons/depcomp
daemons/install-sh
daemons/ipa-kpasswd/ipa_kpasswd
daemons/ipa-version.h
daemons/libtool
daemons/ltmain.sh


@ -14,7 +14,6 @@ export AM_CFLAGS
SUBDIRS = \
ipa-kdb \
ipa-kpasswd \
ipa-slapi-plugins \
$(NULL)


@ -289,7 +289,6 @@ AC_SUBST(LDFLAGS)
AC_CONFIG_FILES([
Makefile
ipa-kdb/Makefile
ipa-kpasswd/Makefile
ipa-slapi-plugins/Makefile
ipa-slapi-plugins/ipa-enrollment/Makefile
ipa-slapi-plugins/ipa-lockout/Makefile


@ -1,59 +0,0 @@
NULL =
INCLUDES = \
-I. \
-I$(srcdir) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
$(AM_CFLAGS) \
$(OPENLDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
sbin_PROGRAMS = \
ipa_kpasswd \
$(NULL)
ipa_kpasswd_SOURCES = \
ipa_kpasswd.c \
$(NULL)
ipa_kpasswd_LDADD = \
$(OPENLDAP_LIBS) \
$(KRB5_LIBS) \
$(NULL)
install-exec-local:
mkdir -p $(DESTDIR)$(localstatedir)/cache/ipa/kpasswd
chmod 700 $(DESTDIR)$(localstatedir)/cache/ipa/kpasswd
uninstall-local:
-rmdir $(DESTDIR)$(localstatedir)/cache/ipa/kpasswd
-rmdir $(DESTDIR)$(localstatedir)/cache/ipa
EXTRA_DIST = \
README \
ipa_kpasswd.init \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in
initdir=$(sysconfdir)/rc.d/init.d
install-data-hook: ipa_kpasswd.init
if test '!' -d $(DESTDIR)$(initdir); then \
$(mkinstalldirs) $(DESTDIR)$(initdir); \
chmod 755 $(DESTDIR)$(initdir); \
fi
$(INSTALL_SCRIPT) $(srcdir)/ipa_kpasswd.init $(DESTDIR)$(initdir)/ipa_kpasswd
uninstall-hook:
rm -f $(DESTDIR)$(initdir)/ipa_kpasswd


@ -1,2 +0,0 @@
This is an implementation of the RFC3244 kpasswd protocol.
It is used to proxy password change operations to Directory Server.



@ -1,83 +0,0 @@
#!/bin/sh
#
# ipa_kpasswd This starts and stops ipa_kpasswd
#
# chkconfig: - 36 64
# description: ipa_kpasswd IPA Kpasswd daemon
# processname: /usr/sbin/ipa_kpasswd
# configdir: /etc/sysconfig/ipa-kpasswd
#
# Source function library.
if [ -f /etc/rc.d/init.d/functions ] ; then
. /etc/rc.d/init.d/functions
fi
# Source networking configuration.
if [ -f /etc/sysconfig/network ] ; then
. /etc/sysconfig/network
fi
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
echo "Networking is down"
exit 0
fi
# Source networking configuration.
if [ -f /etc/sysconfig/ipa-kpasswd ] ; then
. /etc/sysconfig/ipa-kpasswd
fi
NAME="ipa_kpasswd"
PROG="/usr/sbin/ipa_kpasswd"
start() {
echo -n $"Starting $NAME: "
daemon $NAME
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ipa_kpasswd || \
RETVAL=1
return $RETVAL
}
stop() {
echo -n $"Shutting down $NAME: "
killproc $NAME
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ipa_kpasswd
return $RETVAL
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $PROG
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/ipa_kpasswd ] && restart || :
;;
reload)
exit 3
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
exit 2
esac
exit $?


@ -305,6 +305,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
mkdir -p %{buildroot}%{_initrddir}
install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
%endif
@ -326,7 +327,6 @@ rm -rf %{buildroot}
%post server
if [ $1 = 1 ]; then
/sbin/chkconfig --add ipa
/sbin/chkconfig --add ipa_kpasswd
fi
if [ $1 -gt 1 ] ; then
/usr/sbin/ipa-upgradeconfig || :
@ -336,7 +336,6 @@ fi
%preun server
if [ $1 = 0 ]; then
/sbin/chkconfig --del ipa
/sbin/chkconfig --del ipa_kpasswd
/sbin/service ipa stop >/dev/null 2>&1 || :
fi
@ -355,7 +354,7 @@ if [ -s /etc/selinux/config ]; then
fi
%post server-selinux
semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@ -377,7 +376,7 @@ fi
%postun server-selinux
if [ $1 = 0 ]; then
semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag
semodule -s targeted -r ipa_httpd ipa_dogtag
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@ -406,13 +405,11 @@ fi
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-host-net-manage
%{_sbindir}/ipa_kpasswd
%{_sbindir}/ipactl
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-compliance
%{_sysconfdir}/cron.d/ipa-compliance
%attr(755,root,root) %{_initrddir}/ipa
%attr(755,root,root) %{_initrddir}/ipa_kpasswd
%dir %{python_sitelib}/ipaserver
%{python_sitelib}/ipaserver/*
%dir %{_usr}/share/ipa
@ -467,7 +464,6 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%dir %{_localstatedir}/cache/ipa
%attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
%attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
@ -482,14 +478,12 @@ fi
%{_mandir}/man1/ipa-nis-manage.1.gz
%{_mandir}/man1/ipa-host-net-manage.1.gz
%{_mandir}/man1/ipa-ldap-updater.1.gz
%{_mandir}/man8/ipa_kpasswd.8.gz
%{_mandir}/man8/ipactl.8.gz
%{_mandir}/man1/ipa-compliance.1.gz
%files server-selinux
%defattr(-,root,root,-)
%doc COPYING README Contributors.txt
%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
%{_usr}/share/selinux/targeted/ipa_httpd.pp
%{_usr}/share/selinux/targeted/ipa_dogtag.pp
%endif
@ -540,6 +534,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
* Wed Aug 25 2011 Simo Sorce <ssorce#redhat.com> - 3.0.0
- Remove ipa_kpasswd.
* Tue Aug 23 2011 Jan Cholasta <jcholast@redhat.com> - 2.1.0-1
- Add subscription-manager dependency for RHEL.
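Review bot: Dropping `/sbin/chkconfig --del ipa_kpasswd` from `%preun server` only covers a full uninstall, because that branch is guarded by `[ $1 = 0 ]`; on an upgrade from a release that shipped ipa_kpasswd the stale service registration and the loaded `ipa_kpasswd` SELinux module (removed only inside the `[ $1 = 0 ]` branch of `%postun server-selinux`) are left behind, which is presumably not intended. Unless ipa-upgradeconfig (not visible here) already handles this, consider adding `/sbin/chkconfig --del ipa_kpasswd >/dev/null 2>&1 || :` to the `$1 -gt 1` branch of `%post server` and `semodule -s targeted -r ipa_kpasswd >/dev/null 2>&1 || :` at the start of `%post server-selinux`; the `%postun` of the selinux spec further down has the same gap. Separately, the new changelog entry `* Wed Aug 25 2011` carries a weekday that does not match the date (25 Aug 2011 was a Thursday), which rpmbuild reports as a bogus date; `* Thu Aug 25 2011 …` fixes the warning.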


@ -22,7 +22,6 @@ man1_MANS = \
man8_MANS = \
ipactl.8 \
ipa_kpasswd.8 \
$(NULL)
install-data-hook:


@ -22,7 +22,7 @@ ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
ipa\-server\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back\-end, configuring Apache, configuring NTP and starting the ipa_kpasswd service provided by IPA. By default a dogtag\-based CA will be configured to issue server certificates.
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back\-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By default a dogtag\-based CA will be configured to issue server certificates.
.SH "OPTIONS"
.TP
\fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR


@ -1,36 +0,0 @@
.\" A man page for ipa_kpasswd
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa_kpasswd" "8" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa_kpasswd \- Proxy Kerberos password change requests
.SH "SYNOPSIS"
ipa_kpasswd
.SH "DESCRIPTION"
Implementation of the kpasswd protocol (RFC 3244).
It is used to proxy password change operations to Directory Server.
.SH "ENVIRONMENT VARIABLES"
.TP
KRB5_KTNAME
Location of the keytab to be used by ipa_kpasswd
.TP
IPA_KPASSWD_DEBUG
Enable additional syslog output from ipa_kpasswd. Setting greater than 0 gets basic output. Setting higher than 100 gets more.
.SH "EXIT STATUS"
\-1 if an error occurred

ipa.1

@ -192,7 +192,7 @@ IPA default configuration file.
2 If an entry is not found
.SH "SEE ALSO"
ipa\-client\-install(1), ipa\-compat\-manage(1), ipactl(1), ipa\-dns\-install(1),
ipa\-getcert(1), ipa\-getkeytab(1), ipa\-join(1), ipa_kpasswd(1), ipa\-ldap\-updater(1),
ipa\-getcert(1), ipa\-getkeytab(1), ipa\-join(1), ipa\-ldap\-updater(1),
ipa\-nis\-manage(1), ipa\-replica\-install(1), ipa\-replica\-manage(1), ipa\-replica\-prepare(1),
ipa\-rmkeytab(1), ipa\-server\-certinstall(2), ipa\-server\-install(1), ipa\-upgradeconfig(1),
ipa\-host\-net\-manage(1)


@ -71,7 +71,7 @@ def update_key_val_in_file(filename, key, val):
class KpasswdInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "ipa_kpasswd")
service.SimpleServiceInstance.__init__(self, "kadmin")
class KrbInstance(service.Service):
def __init__(self, fstore=None):
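Review bot: `KpasswdInstance` now manages the `kadmin` service, so the class name no longer says what it actually starts, and nothing in the hunk records why; a short docstring would stop the next reader from assuming a separate kpasswd daemon still exists, e.g. `"""Controls the kadmin service, which (per this change) replaces the former ipa_kpasswd daemon for password changes."""`. The `'KPASSWD':('kadmin', 20)` entry in the ipactl SERVICE_LIST hunk below has the same naming gap and could carry a one-line `#` comment. The hunk also shows the first lines of `KrbInstance.__init__`, whose body continues outside it.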


@ -34,7 +34,7 @@ CACERT = "/etc/ipa/ca.crt"
SERVICE_LIST = {
'KDC':('krb5kdc', 10),
'KPASSWD':('ipa_kpasswd', 20),
'KPASSWD':('kadmin', 20),
'DNS':('named', 30),
'HTTP':('httpd', 40),
'CA':('pki-cad', 50)


@ -1,4 +1,4 @@
SUBDIRS = ipa_kpasswd ipa_httpd ipa_dogtag
SUBDIRS = ipa_httpd ipa_dogtag
POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
@ -21,9 +21,8 @@ maintainer-clean: distclean
install: all
install -d $(POLICY_DIR)
install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR)
load:
/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
/usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp
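Review bot: The rewritten `load` target still loads only `ipa_httpd/ipa_httpd.pp`, while the `install` target a few lines above also copies `ipa_dogtag/ipa_dogtag.pp`; if `load` is meant to mirror `install`, the line should read `/usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp ipa_dogtag/ipa_dogtag.pp`, and if the omission is deliberate a comment on the target saying why would help. The mismatch predates this commit, but the line is being edited anyway. `SUBDIRS`, `install` and `load` now each maintain the module list by hand; deriving it once, e.g. `MODULES := $(foreach m,$(SUBDIRS),$(m)/$(m).pp)`, would keep them in step.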


@ -36,7 +36,6 @@ make DESTDIR=%{buildroot} install
%files
%{_usr}/share/selinux/targeted/ipa_webgui.pp
%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
%define saveFileContext() \
@ -61,7 +60,7 @@ fi;
%saveFileContext targeted
%post
semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp
semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp
%relabel targeted
%preun
@ -71,7 +70,7 @@ fi
%postun
if [ $1 = 0 ]; then
semodule -s targeted -r ipa_webgui ipa_kpasswd
semodule -s targeted -r ipa_webgui
%relabel targeted
fi


@ -1,9 +0,0 @@
#
# /usr
#
/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
#
# /var
#
/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)


@ -1,80 +0,0 @@
policy_module(ipa_kpasswd, 1.0)
########################################
#
# Declarations
#
type ipa_kpasswd_t;
type ipa_kpasswd_exec_t;
type ipa_kpasswd_var_run_t;
type ipa_kpasswd_ccache_t;
init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
########################################
#
# IPA kpasswd local policy
#
allow ipa_kpasswd_t self:capability { sys_nice dac_override };
allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
allow ipa_kpasswd_t self:udp_socket create_socket_perms;
files_read_etc_files(ipa_kpasswd_t)
files_search_usr(ipa_kpasswd_t)
files_pid_file(ipa_kpasswd_var_run_t);
allow ipa_kpasswd_t ipa_kpasswd_var_run_t:file manage_file_perms;
files_pid_filetrans(ipa_kpasswd_t,ipa_kpasswd_var_run_t,file)
auth_use_nsswitch(ipa_kpasswd_t)
libs_use_ld_so(ipa_kpasswd_t)
libs_use_shared_libs(ipa_kpasswd_t)
logging_send_syslog_msg(ipa_kpasswd_t)
miscfiles_read_localization(ipa_kpasswd_t)
kerberos_use(ipa_kpasswd_t)
kerberos_manage_host_rcache(ipa_kpasswd_t)
kerberos_read_kdc_config(ipa_kpasswd_t)
kernel_read_system_state(ipa_kpasswd_t)
# /var/cache/ipa/kpasswd
files_type(ipa_kpasswd_ccache_t)
manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
kernel_read_network_state(ipa_kpasswd_t)
kernel_read_network_state_symlinks(ipa_kpasswd_t)
corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t)
corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t)
corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t)
corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t)
corenet_udp_sendrecv_all_ports(ipa_kpasswd_t)
corenet_non_ipsec_sendrecv(ipa_kpasswd_t)
corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
corenet_udp_bind_all_nodes(ipa_kpasswd_t)
corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
require {
type krb5kdc_conf_t;
};
allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;
optional_policy(`
gen_require(`
type kerberos_password_port_t;
')
corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
')