IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Mass tree reorganization for IPAv2. To view previous history of files use:

Browse Source 
% git log --follow -- <file>

renamed: ipa-server/autogen.sh -> autogen.sh
renamed: ipa-server/ipa-kpasswd/Makefile.am -> daemons/ipa-kpasswd/Makefile.am
renamed: ipa-server/ipa-kpasswd/README -> daemons/ipa-kpasswd/README
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.c -> daemons/ipa-kpasswd/ipa_kpasswd.c
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.init -> daemons/ipa-kpasswd/ipa_kpasswd.init
renamed: ipa-server/ipa-slapi-plugins/Makefile.am -> daemons/ipa-slapi-plugins/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/README -> daemons/ipa-slapi-plugins/README
renamed: ipa-server/ipa-slapi-plugins/dna/Makefile.am -> daemons/ipa-slapi-plugins/dna/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/dna/dna-conf.ldif -> daemons/ipa-slapi-plugins/dna/dna-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/dna/dna.c -> daemons/ipa-slapi-plugins/dna/dna.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am -> daemons/ipa-slapi-plugins/ipa-memberof/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif -> daemons/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am -> daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/README -> daemons/ipa-slapi-plugins/ipa-pwd-extop/README
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif -> daemons/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/Makefile.am -> daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/README -> daemons/ipa-slapi-plugins/ipa-winsync/README
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
renamed: ipa-server/xmlrpc-server/ipa-rewrite.conf -> install/conf/ipa-rewrite.conf
renamed: ipa-server/xmlrpc-server/ipa.conf -> install/conf/ipa.conf
renamed: ipa-server/xmlrpc-server/ssbrowser.html -> install/html/ssbrowser.html
renamed: ipa-server/xmlrpc-server/unauthorized.html -> install/html/unauthorized.html
renamed: ipa-server/ipa-install/share/60ipaconfig.ldif -> install/share/60ipaconfig.ldif
renamed: ipa-server/ipa-install/share/60kerberos.ldif -> install/share/60kerberos.ldif
renamed: ipa-server/ipa-install/share/60radius.ldif -> install/share/60radius.ldif
renamed: ipa-server/ipa-install/share/60samba.ldif -> install/share/60samba.ldif
renamed: ipa-server/ipa-install/share/Makefile.am -> install/share/Makefile.am
renamed: ipa-server/ipa-install/share/bind.named.conf.template -> install/share/bind.named.conf.template
renamed: ipa-server/ipa-install/share/bind.zone.db.template -> install/share/bind.zone.db.template
renamed: ipa-server/ipa-install/share/bootstrap-template.ldif -> install/share/bootstrap-template.ldif
renamed: ipa-server/ipa-install/share/certmap.conf.template -> install/share/certmap.conf.template
renamed: ipa-server/ipa-install/share/default-aci.ldif -> install/share/default-aci.ldif
renamed: ipa-server/ipa-install/share/default-keytypes.ldif -> install/share/default-keytypes.ldif
renamed: ipa-server/ipa-install/share/dna-posix.ldif -> install/share/dna-posix.ldif
renamed: ipa-server/ipa-install/share/encrypted_attribute.ldif -> install/share/encrypted_attribute.ldif
renamed: ipa-server/ipa-install/share/fedora-ds.init.patch -> install/share/fedora-ds.init.patch
renamed: ipa-server/ipa-install/share/indices.ldif -> install/share/indices.ldif
renamed: ipa-server/ipa-install/share/kdc.conf.template -> install/share/kdc.conf.template
renamed: ipa-server/ipa-install/share/kerberos.ldif -> install/share/kerberos.ldif
renamed: ipa-server/ipa-install/share/krb.con.template -> install/share/krb.con.template
renamed: ipa-server/ipa-install/share/krb5.conf.template -> install/share/krb5.conf.template
renamed: ipa-server/ipa-install/share/krb5.ini.template -> install/share/krb5.ini.template
renamed: ipa-server/ipa-install/share/krbrealm.con.template -> install/share/krbrealm.con.template
renamed: ipa-server/ipa-install/share/master-entry.ldif -> install/share/master-entry.ldif
renamed: ipa-server/ipa-install/share/memberof-task.ldif -> install/share/memberof-task.ldif
renamed: ipa-server/ipa-install/share/ntp.conf.server.template -> install/share/ntp.conf.server.template
renamed: ipa-server/ipa-install/share/ntpd.sysconfig.template -> install/share/ntpd.sysconfig.template
renamed: ipa-server/ipa-install/share/preferences.html.template -> install/share/preferences.html.template
renamed: ipa-server/ipa-install/share/referint-conf.ldif -> install/share/referint-conf.ldif
renamed: ipa-server/ipa-install/share/schema_compat.uldif -> install/share/schema_compat.uldif
renamed: ipa-server/ipa-install/share/unique-attributes.ldif -> install/share/unique-attributes.ldif
renamed: ipa-server/ipa-install/Makefile.am -> install/tools/Makefile.am
renamed: ipa-server/ipa-install/README -> install/tools/README
renamed: ipa-server/ipa-compat-manage -> install/tools/ipa-compat-manage
renamed: ipa-server/ipa-fix-CVE-2008-3274 -> install/tools/ipa-fix-CVE-2008-3274
renamed: ipa-server/ipa-ldap-updater -> install/tools/ipa-ldap-updater
renamed: ipa-server/ipa-install/ipa-replica-install -> install/tools/ipa-replica-install
renamed: ipa-server/ipa-install/ipa-replica-manage -> install/tools/ipa-replica-manage
renamed: ipa-server/ipa-install/ipa-replica-prepare -> install/tools/ipa-replica-prepare
renamed: ipa-server/ipa-install/ipa-server-certinstall -> install/tools/ipa-server-certinstall
renamed: ipa-server/ipa-install/ipa-server-install -> install/tools/ipa-server-install
renamed: ipa-server/ipa-upgradeconfig -> install/tools/ipa-upgradeconfig
renamed: ipa-server/ipa-install/ipactl -> install/tools/ipactl
renamed: ipa-server/man/Makefile.am -> install/tools/man/Makefile.am
renamed: ipa-server/man/ipa-compat-manage.1 -> install/tools/man/ipa-compat-manage.1
renamed: ipa-server/man/ipa-ldap-updater.1 -> install/tools/man/ipa-ldap-updater.1
renamed: ipa-server/man/ipa-replica-install.1 -> install/tools/man/ipa-replica-install.1
renamed: ipa-server/man/ipa-replica-manage.1 -> install/tools/man/ipa-replica-manage.1
renamed: ipa-server/man/ipa-replica-prepare.1 -> install/tools/man/ipa-replica-prepare.1
renamed: ipa-server/man/ipa-server-certinstall.1 -> install/tools/man/ipa-server-certinstall.1
renamed: ipa-server/man/ipa-server-install.1 -> install/tools/man/ipa-server-install.1
renamed: ipa-server/man/ipa_kpasswd.8 -> install/tools/man/ipa_kpasswd.8
renamed: ipa-server/man/ipa_webgui.8 -> install/tools/man/ipa_webgui.8
renamed: ipa-server/man/ipactl.8 -> install/tools/man/ipactl.8
renamed: ipa-server/ipa-install/updates/Makefile.am -> install/updates/Makefile.am
renamed: ipa-server/ipa-install/updates/RFC2307bis.update -> install/updates/RFC2307bis.update
renamed: ipa-server/ipa-install/updates/RFC4876.update -> install/updates/RFC4876.update
renamed: ipa-server/ipa-install/updates/indices.update -> install/updates/indices.update
renamed: ipa-server/ipa-install/updates/nss_ldap.update -> install/updates/nss_ldap.update
renamed: ipa-server/ipa-install/updates/replication.update -> install/updates/replication.update
renamed: ipa-server/ipa-install/updates/winsync_index.update -> install/updates/winsync_index.update
renamed: ipa-server/ipaserver/Makefile.am -> ipaserver/install/Makefile.am
renamed: ipa-server/ipaserver/__init__.py -> ipaserver/install/__init__.py
renamed: ipa-server/ipaserver/bindinstance.py -> ipaserver/install/bindinstance.py
renamed: ipa-server/ipaserver/certs.py -> ipaserver/install/certs.py
renamed: ipa-server/ipaserver/dsinstance.py -> ipaserver/install/dsinstance.py
renamed: ipa-server/ipaserver/httpinstance.py -> ipaserver/install/httpinstance.py
renamed: ipa-server/ipaserver/installutils.py -> ipaserver/install/installutils.py
renamed: ipa-server/ipaserver/ipaldap.py -> ipaserver/install/ipaldap.py
renamed: ipa-server/ipaserver/krbinstance.py -> ipaserver/install/krbinstance.py
renamed: ipa-server/ipaserver/ldapupdate.py -> ipaserver/install/ldapupdate.py
renamed: ipa-server/ipaserver/ntpinstance.py -> ipaserver/install/ntpinstance.py
renamed: ipa-server/ipaserver/replication.py -> ipaserver/install/replication.py
renamed: ipa-server/ipaserver/service.py -> ipaserver/install/service.py
renamed: ipa-server/selinux/Makefile -> selinux/Makefile
renamed: ipa-server/selinux/ipa-server-selinux.spec.in -> selinux/ipa-server-selinux.spec.in
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc -> selinux/ipa_kpasswd/ipa_kpasswd.fc
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te -> selinux/ipa_kpasswd/ipa_kpasswd.te
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.fc -> selinux/ipa_webgui/ipa_webgui.fc
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.te -> selinux/ipa_webgui/ipa_webgui.te
renamed: ipa-server/version.m4.in -> version.m4.in
This commit is contained in:
Rob Crittenden
2009-01-29 16:26:07 -05:00
parent c4ed025001
commit e30cd6ba42
108 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
install/conf/ipa-rewrite.conf Normal file
View File

@@ -0,0 +1,19 @@
# VERSION 2 - DO NOT REMOVE THIS LINE
RewriteEngine on
# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out. You will
# need to modify ipa_webgui.cfg as well.
RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]
RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301]
# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT} !^443$$
RewriteCond %{REQUEST_URI} !^/ipa/(errors|config)
RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC]

109
install/conf/ipa.conf Normal file
View File

@@ -0,0 +1,109 @@
#
# VERSION 2 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
ProxyRequests Off
# ipa-rewrite.conf is loaded separately
# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar
<ProxyMatch ^.*/ipa/ui.*$$>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
RewriteEngine on
Order deny,allow
Allow from all
RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
# RequestHeader unset Authorization
</ProxyMatch>
# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /ipa/ui http://localhost:8080/ipa/ui
ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui
# Configure the XML-RPC service
Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
<Directory "/usr/share/ipa/ipaserver">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
SetHandler mod_python
PythonHandler ipaxmlrpc
PythonDebug Off
PythonOption IPADebug Off
# this is pointless to use since it would just reload ipaxmlrpc.py
PythonAutoReload Off
</Directory>
# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
AllowOverride None
Satisfy Any
Allow from all
</Directory>
# Protect our CGIs
<Directory /var/www/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>
#Alias /ipatest "/usr/share/ipa/ipatest"
#<Directory "/usr/share/ipa/ipatest">
# AuthType Kerberos
# AuthName "Kerberos Login"
# KrbMethodNegotiate on
# KrbMethodK5Passwd off
# KrbServiceName HTTP
# KrbAuthRealms $REALM
# Krb5KeyTab /etc/httpd/conf/ipa.keytab
# KrbSaveCredentials on
# Require valid-user
# ErrorDocument 401 /ipa/errors/unauthorized.html
#
# SetHandler mod_python
# PythonHandler test_mod_python
#
# PythonDebug Off
#
#</Directory>

68
install/html/ssbrowser.html Normal file
View File

@@ -0,0 +1,68 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Browser Kerberos Setup</title>
</head>
<body>
<h2>Browser Kerberos Setup</h2>
<h3> Internet Explorer Configuration </h3>
<p>Once you are able to log into the workstation with your kerberos key you should be able to use that ticket in Internet Explorer. For illustration purposes his page will use EXAMPLE.COM as the sample realm and example.com for the domain.
</p>
<ul><li> Login to the Windows machine using an account of domain EXAMPLE.COM
</li><li> In Internet Explorer, click Tools, and then click Internet Options.
</li></ul>
<ol><li> Click the Security tab.
</li><li> Click Local intranet.
</li><li> Click Sites
</li><li> Click Advanced
</li><li> Add *.example.com to the list
</li></ol>
<ul><li> In Internet Explorer, click Tools, and then click Internet Options.
</li></ul>
<ol><li> Click the Security tab.
</li><li> Click Local intranet.
</li><li> Click Custom Level
</li><li> Select Automatic logon only in Intranet zone.
</li></ol>
<ul><li> Visit a kerberized web site using IE. You must use the fully-qualified DN in the URL.
</li><li> If all went right, it should work.
</li></ul>
<h3 class="title">Firefox Configuration</h3>
<p>
You can configure Firefox to use Kerberos for Single Sign-on. In order for this functionality to work correctly, you need to configure your web browser to send your Kerberos credentials to the appropriate <span class="abbrev">KDC</span>.The following section describes the configuration changes and other requirements to achieve this.
</p>
<ol class="arabic">
<li>
<p>
In the address bar of Firefox, type <b class="userinput"><tt>about:config</tt></b> to display the list of current configuration options.
</p>
</li>
<li>
<p>
In the <span><b class="guilabel">Filter</b></span> field, type <b class="userinput"><tt>negotiate</tt></b> to restrict the list of options.
</p>
</li>
<li>
<p>
Double-click the <span class="emphasis"><em>network.negotiate-auth.trusted-uris</em></span> entry to display the <span class="emphasis"><em>Enter string value</em></span> dialog box.
</p>
</li>
<li>
<p>
Enter the name of the domain against which you want to authenticate, for example, <i class="replaceable"><tt>.example.com</tt></i>.
</p>
</li>
<li>
<p>
Repeat the above procedure for the <span class="emphasis"><em>network.negotiate-auth.delegation-uris</em></span> entry, using the same domain.
</p>
</li>
</ol>
</body>
</html>

28
install/html/unauthorized.html Normal file
View File

@@ -0,0 +1,28 @@
<html>
<title>Kerberos Authentication Failed</h2>
<body>
<h2>Kerberos Authentication Failed</h2>
<p>
Unable to verify your Kerberos credentials. Please make sure
that you have valid Kerberos tickets (obtainable via kinit), and that you
have <a href="/ipa/errors/ssbrowser.html">configured your
browser correctly</a>. If you are still unable to access
the IPA Web interface, please contact the helpdesk on for additional assistance.
</p>
<p>
Import the <a href="/ipa/errors/ca.crt">IPA Certificate Authority</a>.
</p>
<p>
<script type="text/javascript">
if (navigator.userAgent.indexOf("Firefox") != -1 ||
navigator.userAgent.indexOf("SeaMonkey") != -1)
{
document.write("<p>You can automatically configure your browser to work with Kerberos by importing the Certificate Authority above and clicking on the Configure Browser button.</p>");
document.write("<p>You <strong>must</strong> reload this page after importing the Certificate Authority for the automatic settings to work</p>");
document.write("<object data=\"jar:/ipa/errors/configure.jar!/preferences.html\" type=\"text/html\"><\/object");
}
</script>
</p>
</ul>
</body>
</html>

42
install/share/60ipaconfig.ldif Normal file
View File

@@ -0,0 +1,42 @@
## schema file for ipa configuration
##
## IPA Base OID: 2.16.840.1.113730.3.8
##
## Attributes: 2.16.840.1.113730.3.8.1
## ObjectClasses: 2.16.840.1.113730.3.8.2
dn: cn=schema
###############################################
##
## Attributes
##
## ipaUserSearchFields - attribute names to search against when looking for users
attributetypes: ( 2.16.840.1.113730.3.8.1.1 NAME 'ipaUserSearchFields' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
## ipaGroupSearchFields - attribute names to search against when looking for groups
attributetypes: ( 2.16.840.1.113730.3.8.1.2 NAME 'ipaGroupSearchFields' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
## ipaSearchTimeLimit - search time limit in seconds
attributetypes: ( 2.16.840.1.113730.3.8.1.3 NAME 'ipaSearchTimeLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
## ipaSearchRecordsLimit - maximum number of records to return
attributetypes: ( 2.16.840.1.113730.3.8.1.4 NAME 'ipaSearchRecordsLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
## ipaCustomFields - custom fields to show in the UI in addition to pre-defined ones
attributetypes: ( 2.16.840.1.113730.3.8.1.5 NAME 'ipaCustomFields' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
## ipaHomesRootDir - default posix home directory root dir to use when creating new accounts
attributetypes: ( 2.16.840.1.113730.3.8.1.6 NAME 'ipaHomesRootDir' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
## ipaDefaultLoginShell - default posix login shell to use when creating new accounts
attributetypes: ( 2.16.840.1.113730.3.8.1.7 NAME 'ipaDefaultLoginShell' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
## ipaDefaultPrimaryGroup - default posix primary group to assign when creating new accounts
attributetypes: ( 2.16.840.1.113730.3.8.1.8 NAME 'ipaDefaultPrimaryGroup' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
## ipaMaxUsernameLength - maximum username length to allow in the UI
attributetypes: ( 2.16.840.1.113730.3.8.1.9 NAME 'ipaMaxUsernameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
## ipaPwdExpAdvNotify - time in days to send out paswword expiration notification before passwpord actually expires
attributetypes: ( 2.16.840.1.113730.3.8.1.10 NAME 'ipaPwdExpAdvNotify' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
# ipaUserObjectClasses - required objectclasses for users
attributetypes: ( 2.16.840.1.113730.3.8.1.11 NAME 'ipaUserObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
# ipaGroupObjectClasses - required objectclasses for groups
attributetypes: ( 2.16.840.1.113730.3.8.1.12 NAME 'ipaGroupObjectClasses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetypes: ( 2.16.840.1.113730.3.8.1.13 NAME 'ipaDefaultEmailDomain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
###############################################
##
## ObjectClasses
##
## ipaGuiConfig - GUI config parameters objectclass
objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain) )

283
install/share/60kerberos.ldif Normal file
View File

@@ -0,0 +1,283 @@
dn: cn=schema
# Novell Kerberos Schema Definitions
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606
#
# VeRsIoN=1.0
# CoPyRiGhT=(c) Copyright 2006, Novell, Inc. All rights reserved
#
# OIDs:
# joint-iso-ccitt(2)
# country(16)
# us(840)
# organization(1)
# Novell(113719)
# applications(1)
# kerberos(301)
# Kerberos Attribute Type(4) attr# version#
# specific attribute definitions
# Kerberos Attribute Syntax(5)
# specific syntax definitions
# Kerberos Object Class(6) class# version#
# specific class definitions
########################################################################
########################################################################
# Attribute Type Definitions #
########################################################################
##### This is the principal name in the RFC 1964 specified format
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### This specifies the type of the principal, the types could be any of
##### the types mentioned in section 6.2 of RFC 4120
attributetypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### This flag is used to find whether directory User Password has to be used
##### as kerberos password.
##### TRUE, if User Password is to be used as the kerberos password.
##### FALSE, if User Password and the kerberos password are different.
attributetypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
##### The time at which the principal expires
attributetypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
##### The values (0x00000001 - 0x00800000) are reserved for standards and
##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
##### The flags and values as per RFC 4120 and MIT implementation are,
##### DISALLOW_POSTDATED 0x00000001
##### DISALLOW_FORWARDABLE 0x00000002
##### DISALLOW_TGT_BASED 0x00000004
##### DISALLOW_RENEWABLE 0x00000008
##### DISALLOW_PROXIABLE 0x00000010
##### DISALLOW_DUP_SKEY 0x00000020
##### DISALLOW_ALL_TIX 0x00000040
##### REQUIRES_PRE_AUTH 0x00000080
##### REQUIRES_HW_AUTH 0x00000100
##### REQUIRES_PWCHANGE 0x00000200
##### DISALLOW_SVR 0x00001000
##### PWCHANGE_SERVICE 0x00002000
attributetypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### The maximum ticket lifetime for a principal in seconds
attributetypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Maximum renewable lifetime for a principal's ticket in seconds
attributetypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Forward reference to the Realm object.
##### (FDN of the krbRealmContainer object).
##### Example: cn=ACME.COM, cn=Kerberos, cn=Security
attributetypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### List of LDAP servers that kerberos servers can contact.
##### The attribute holds data in the ldap uri format,
##### Example: ldaps://acme.com:636
#####
##### The values of this attribute need to be updated, when
##### the LDAP servers listed here are renamed, moved or deleted.
attributetypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### A set of forward references to the KDC Service objects.
##### (FDNs of the krbKdcService objects).
##### Example: cn=kdc - server 1, ou=uvw, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### A set of forward references to the Password Service objects.
##### (FDNs of the krbPwdService objects).
##### Example: cn=kpasswdd - server 1, ou=uvw, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute holds the Host Name or the ip address,
##### transport protocol and ports of the kerberos service host
##### The format is host_name-or-ip_address#protocol#port
##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
attributetypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### This attribute holds the scope for searching the principals
##### under krbSubTree attribute of krbRealmContainer
##### The value can either be 1 (ONE) or 2 (SUB_TREE).
attributetypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### FDNs pointing to Kerberos principals
attributetypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute specifies which attribute of the user objects
##### be used as the principal name component for Kerberos.
##### The allowed values are cn, sn, uid, givenname, fullname.
attributetypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
##### A set of forward references to the Administration Service objects.
##### (FDNs of the krbAdmService objects).
##### Example: cn=kadmindd - server 1, ou=uvw, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### Maximum lifetime of a principal's password
attributetypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Minimum lifetime of a principal's password
attributetypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Minimum number of character clases allowed in a password
attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Minimum length of the password
attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### Number of previous versions of passwords that are stored
attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### FDN pointing to a Kerberos Password Policy object
attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
##### The time at which the principal's password expires
attributetypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
##### the master key (krbMKey).
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
attributetypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### FDN pointing to a Kerberos Ticket Policy object.
attributetypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
##### Forward reference to an entry that starts sub-trees
##### where principals and other kerberos objects in the realm are configured.
##### Example: ou=acme, ou=pq, o=xyz
attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### Holds the default encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### Example: des-cbc-crc:normal
attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### Holds the Supported encryption/salt type combinations of principals for
##### the Realm. Stores in the form of key:salt strings.
##### The supported encryption types are mentioned in RFC 3961
##### The supported salt types are,
##### NORMAL
##### V4
##### NOREALM
##### ONLYREALM
##### SPECIAL
##### AFS3
##### Example: des-cbc-crc:normal
#####
##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
##### attributes.
attributetypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
##### the kadmin/history key.
##### The attribute is ASN.1 encoded.
#####
##### The format of the value for this attribute is explained below,
##### KrbKeySet ::= SEQUENCE {
##### attribute-major-vno [0] UInt16,
##### attribute-minor-vno [1] UInt16,
##### kvno [2] UInt32,
##### mkvno [3] UInt32 OPTIONAL -- actually kadmin/history key,
##### keys [4] SEQUENCE OF KrbKey,
##### ...
##### }
#####
##### KrbKey ::= SEQUENCE {
##### salt [0] KrbSalt OPTIONAL,
##### key [1] EncryptionKey,
##### s2kparams [2] OCTET STRING OPTIONAL,
##### ...
##### }
#####
##### KrbSalt ::= SEQUENCE {
##### type [0] Int32,
##### salt [1] OCTET STRING OPTIONAL
##### }
#####
##### EncryptionKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
attributetypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### The time at which the principal's password last password change happened.
attributetypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### This attribute holds the kerberos master key.
##### This can be used to encrypt principal keys.
##### This attribute has to be secured in directory.
#####
##### This attribute is ASN.1 encoded.
##### The format of the value for this attribute is explained below,
##### KrbMKey ::= SEQUENCE {
##### kvno [0] UInt32,
##### key [1] MasterKey
##### }
#####
##### MasterKey ::= SEQUENCE {
##### keytype [0] Int32,
##### keyvalue [1] OCTET STRING
##### }
attributetypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### This stores the alternate principal names for the principal in the RFC 1961 specified format
attributetypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
##### The time at which the principal's last successful authentication happened.
attributetypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### The time at which the principal's last failed authentication happened.
attributetypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
##### This attribute stores the number of failed authentication attempts
##### happened for the principal since the last successful authentication.
attributetypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
##### This attribute holds the application specific data.
attributetypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
##### This attributes holds references to the set of directory objects.
##### This stores the DNs of the directory objects to which the
##### principal object belongs to.
attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
##### This attribute holds references to a Container object where
##### the additional principal objects and stand alone principal
##### objects (krbPrincipal) can be created.
attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
########################################################################
########################################################################
# Object Class Definitions #
########################################################################
#### This is a kerberos container for all the realms in a tree.
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top MUST ( cn ) )
##### The krbRealmContainer is created per realm and holds realm specific data.
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
##### An instance of a class derived from krbService is created per
##### kerberos authentication or administration server in an realm and holds
##### references to the realm objects. These references is used to further read
##### realm specific data to service AS/TGS requests. Additionally this object
##### contains some server specific data like pathnames and ports that the
##### server uses. This is the identity the kerberos server logs in with. A key
##### pair for the same is created and the kerberos server logs in with the same.
#####
##### krbKdcService, krbAdmService and krbPwdService derive from this class.
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' ABSTRACT SUP ( top ) MUST ( cn ) MAY ( krbHostServer $ krbRealmReferences ) )
##### Representative object for the KDC server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )
##### Representative object for the Kerberos Password server to bind into a LDAP directory
##### and have a connection to access Kerberos data with the required
##### access rights.
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
###### The principal data auxiliary class. Holds principal information
###### and is used to store principal information for Person, Service objects.
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
###### This class is used to create additional principals and stand alone principals.
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
###### The principal references auxiliary class. Holds all principals referred
###### from a service
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
##### Representative object for the Kerberos Administration server to bind into a LDAP directory
##### and have a connection Id to access Kerberos data with the required access rights.
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbService ) )
##### The krbPwdPolicy object is a template password policy that
##### can be applied to principals when they are created.
##### These policy attributes will be in effect, when the Kerberos
##### passwords are different from users' passwords (UP).
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
##### This class can be attached to a principal object or realm object.
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )

559
install/share/60radius.ldif Normal file
View File

@@ -0,0 +1,559 @@
# This is a LDAPv3 schema for RADIUS attributes.
# Tested on OpenLDAP 2.0.7
# Posted by Javier Fernandez-Sanguino Pena <jfernandez@sgi.es>
# LDAP v3 version by Jochen Friedrich <jochen@scram.de>
# Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
# Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA
#
# Note: These OID's do not seem to be registered, the closest I could find
# was 1.3.6.1.4.1.3317
# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)}
#
##############
dn: cn=schema
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.1
NAME 'radiusArapFeatures'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.2
NAME 'radiusArapSecurity'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.3
NAME 'radiusArapZoneAccess'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.44
NAME 'radiusAuthType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.4
NAME 'radiusCallbackId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.5
NAME 'radiusCallbackNumber'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.6
NAME 'radiusCalledStationId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.7
NAME 'radiusCallingStationId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.8
NAME 'radiusClass'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.45
NAME 'radiusClientIPAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.9
NAME 'radiusFilterId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.10
NAME 'radiusFramedAppleTalkLink'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.11
NAME 'radiusFramedAppleTalkNetwork'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.12
NAME 'radiusFramedAppleTalkZone'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.13
NAME 'radiusFramedCompression'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.14
NAME 'radiusFramedIPAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.15
NAME 'radiusFramedIPNetmask'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.16
NAME 'radiusFramedIPXNetwork'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.17
NAME 'radiusFramedMTU'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.18
NAME 'radiusFramedProtocol'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.19
NAME 'radiusFramedRoute'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.20
NAME 'radiusFramedRouting'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.46
NAME 'radiusGroupName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.47
NAME 'radiusHint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.48
NAME 'radiusHuntgroupName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.21
NAME 'radiusIdleTimeout'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.22
NAME 'radiusLoginIPHost'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.23
NAME 'radiusLoginLATGroup'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.24
NAME 'radiusLoginLATNode'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.25
NAME 'radiusLoginLATPort'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.26
NAME 'radiusLoginLATService'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.27
NAME 'radiusLoginService'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.28
NAME 'radiusLoginTCPPort'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.29
NAME 'radiusPasswordRetry'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.30
NAME 'radiusPortLimit'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.49
NAME 'radiusProfileDn'
DESC ''
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.31
NAME 'radiusPrompt'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.50
NAME 'radiusProxyToRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.51
NAME 'radiusReplicateToRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.52
NAME 'radiusRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.32
NAME 'radiusServiceType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.33
NAME 'radiusSessionTimeout'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.34
NAME 'radiusTerminationAction'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.35
NAME 'radiusTunnelAssignmentId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.36
NAME 'radiusTunnelMediumType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.37
NAME 'radiusTunnelPassword'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.38
NAME 'radiusTunnelPreference'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.39
NAME 'radiusTunnelPrivateGroupId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.40
NAME 'radiusTunnelServerEndpoint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.41
NAME 'radiusTunnelType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.42
NAME 'radiusVSA'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.43
NAME 'radiusTunnelClientEndpoint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
#need to change asn1.id
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.53
NAME 'radiusSimultaneousUse'
DESC ''
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.54
NAME 'radiusLoginTime'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.55
NAME 'radiusUserCategory'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.56
NAME 'radiusStripUserName'
DESC ''
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.57
NAME 'dialupAccess'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.58
NAME 'radiusExpiration'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.59
NAME 'radiusCheckItem'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.60
NAME 'radiusReplyItem'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.61
NAME 'radiusNASIpAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.62
NAME 'radiusReplyMessage'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
objectClasses:
( 1.3.6.1.4.1.3317.4.3.2.1
NAME 'radiusprofile'
SUP top AUXILIARY
DESC ''
MUST uid
MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $
radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
radiusFramedCompression $ radiusFramedIPAddress $
radiusFramedIPNetmask $ radiusFramedIPXNetwork $
radiusFramedMTU $ radiusFramedProtocol $
radiusCheckItem $ radiusReplyItem $
radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
radiusGroupName $ radiusHint $ radiusHuntgroupName $
radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
radiusSessionTimeout $ radiusStripUserName $
radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $
radiusSimultaneousUse $ radiusTunnelAssignmentId $
radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $
radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
radiusTunnelType $ radiusUserCategory $ radiusVSA $
radiusExpiration $ dialupAccess $ radiusNASIpAddress $
radiusReplyMessage )
)
objectClasses:
( 1.3.6.1.4.1.3317.4.3.2.2
NAME 'radiusObjectProfile'
SUP top STRUCTURAL
DESC 'A Container Objectclass to be used for creating radius profile object'
MUST cn
MAY ( uid $ userPassword $ description )
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.64
NAME 'radiusClientSecret'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.65
NAME 'radiusClientNASType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.66
NAME 'radiusClientShortName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
objectClasses:
( 1.3.6.1.4.1.3317.4.3.2.3
NAME 'radiusClientProfile'
SUP top STRUCTURAL
DESC 'A Container Objectclass to be used for describing radius clients'
MUST (radiusClientIPAddress $ radiusClientSecret)
MAY ( radiusClientNASType $ radiusClientShortName $ description )
)

152
install/share/60samba.ldif Normal file
View File

@@ -0,0 +1,152 @@
## schema file for Fedora DS
##
## Schema for storing Samba user accounts and group maps in LDAP
## OIDs are owned by the Samba Team
##
## Prerequisite schemas - uid (cosine.schema)
## - displayName (inetorgperson.schema)
## - gidNumber (nis.schema)
##
## 1.3.6.1.4.1.7165.2.1.x - attributeTypess
## 1.3.6.1.4.1.7165.2.2.x - objectClasseses
##
## Printer support
## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypess
## 1.3.6.1.4.1.7165.2.3.2.x - objectClasseses
##
## Samba4
## 1.3.6.1.4.1.7165.4.1.x - attributeTypess
## 1.3.6.1.4.1.7165.4.2.x - objectClasseses
## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
##
dn: cn=schema
##
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
## SUP name )
##
##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# "min password length"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "password history"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "user must logon to change password"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "maximum password age"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "minimum password age"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "lockout duration"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "reset count minutes"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "bad lockout attempt"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "disconnect time"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "refuse machine password change"
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
#######################################################################
## objectClasses: used by Samba 3.0 schema ##
#######################################################################
##
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectClasses. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectClasses: (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours))
##
## Group mapping info
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList ))
##
## Trust password for trust relationships (any kind)
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ))
##
## Whole-of-domain info
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ))
##
## used for idmap_ldap module
##
objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) )
## retired during privilege rewrite
##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
## DESC 'Samba Privilege'
## MUST ( sambaSID )
## MAY ( sambaPrivilegeList ) )

39
install/share/Makefile.am Normal file
View File

@@ -0,0 +1,39 @@
NULL =
appdir = $(IPA_DATA_DIR)
app_DATA = \
60kerberos.ldif \
60samba.ldif \
60radius.ldif \
60ipaconfig.ldif \
bootstrap-template.ldif \
default-aci.ldif \
default-keytypes.ldif \
kerberos.ldif \
indices.ldif \
bind.named.conf.template \
bind.zone.db.template \
certmap.conf.template \
kdc.conf.template \
krb5.conf.template \
krb5.ini.template \
krb.con.template \
krbrealm.con.template \
ntp.conf.server.template \
ntpd.sysconfig.template \
preferences.html.template \
referint-conf.ldif \
dna-posix.ldif \
master-entry.ldif \
memberof-task.ldif \
unique-attributes.ldif \
schema_compat.uldif \
$(NULL)
EXTRA_DIST = \
$(app_DATA) \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in

41
install/share/bind.named.conf.template Normal file
View File

@@ -0,0 +1,41 @@
options {
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
/* Not used yet, support only on very recent bind versions */
# tkey-gssapi-credential "DNS/$FQDN";
# tkey-domain "$REALM";
};
logging {
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
zone "$DOMAIN" {
type master;
file "$DOMAIN.zone.db";
};

28
install/share/bind.zone.db.template Normal file
View File

@@ -0,0 +1,28 @@
$$ORIGIN $DOMAIN.
$$TTL 86400
@ IN SOA $DOMAIN. root.$DOMAIN. (
01 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS $HOST
$HOST IN A $IP
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 $HOST
;kerberos realm
_kerberos IN TXT $REALM
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 $HOST
_kerberos._udp IN SRV 0 100 88 $HOST
_kerberos-master._tcp IN SRV 0 100 88 $HOST
_kerberos-master._udp IN SRV 0 100 88 $HOST
_kpasswd._tcp IN SRV 0 100 464 $HOST
_kpasswd._udp IN SRV 0 100 464 $HOST
;ntp server
_ntp._udp IN SRV 0 100 123 $HOST

202
install/share/bootstrap-template.ldif Normal file
View File

@@ -0,0 +1,202 @@
dn: cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
cn: accounts
krbMinPwdLife: 3600
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
krbPwdHistoryLength: 0
krbMaxPwdLife: 7776000
dn: cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: users
dn: cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: groups
dn: cn=services,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: services
dn: cn=computers,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: computers
dn: cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: etc
dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: sysaccounts
dn: cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ipa
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: masters
dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: KrbPrincipalAux
objectClass: inetUser
uid: admin
krbPrincipalName: admin@$REALM
cn: Administrator
sn: Administrator
uidNumber: 999
gidNumber: 1001
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
nsAccountLock: False
dn: cn=radius,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: radius
dn: cn=clients,cn=radius,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: clients
dn: cn=profiles,cn=radius,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: profiles
dn: uid=ipa_default, cn=profiles,cn=radius,$SUFFIX
changetype: add
objectClass: top
objectClass: radiusprofile
uid: ipa_default
dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
cn: admins
description: Account administrators group
gidNumber: 1001
member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: False
dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
gidNumber: 1002
description: Default group for all users
cn: ipausers
dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
gidNumber: 1003
description: Limited admins who can edit other users
cn: editors
dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
objectClass: ipaGuiConfig
ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 0
ipaHomesRootDir: /home
ipaDefaultLoginShell: /bin/sh
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 8
ipaPwdExpAdvNotify: 4
ipaGroupObjectClasses: top
ipaGroupObjectClasses: groupofnames
ipaGroupObjectClasses: posixGroup
ipaGroupObjectClasses: inetUser
ipaUserObjectClasses: top
ipaUserObjectClasses: person
ipaUserObjectClasses: organizationalPerson
ipaUserObjectClasses: inetOrgPerson
ipaUserObjectClasses: inetUser
ipaUserObjectClasses: posixAccount
ipaUserObjectClasses: krbPrincipalAux
ipaUserObjectClasses: radiusprofile
ipaDefaultEmailDomain: $DOMAIN
dn: cn=account inactivation,cn=accounts,$SUFFIX
changetype: add
description: Lock accounts based on group membership
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
cosAttribute: nsAccountLock operational
cosSpecifier: memberOf
cn: Account Inactivation
dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: nsContainer
cn: cosTemplates
dn: cn="cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: cosTemplate
objectClass: extensibleobject
nsAccountLock: true
cosPriority: 1
dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: groupofnames
dn: cn="cn=activated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: cosTemplate
objectClass: extensibleobject
nsAccountLock: false
cosPriority: 0
dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: groupofnames

82
install/share/certmap.conf.template Normal file
View File

@@ -0,0 +1,82 @@
#
# BEGIN COPYRIGHT BLOCK
# This Program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; version 2 of the License.
#
# This Program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA.
#
# In addition, as a special exception, Red Hat, Inc. gives You the additional
# right to link the code of this Program with code not covered under the GNU
# General Public License ("Non-GPL Code") and to distribute linked combinations
# including the two, subject to the limitations in this paragraph. Non-GPL Code
# permitted under this exception must only link to the code of this Program
# through those well defined interfaces identified in the file named EXCEPTION
# found in the source code files (the "Approved Interfaces"). The files of
# Non-GPL Code may instantiate templates or use macros or inline functions from
# the Approved Interfaces without causing the resulting work to be covered by
# the GNU General Public License. Only Red Hat, Inc. may make changes or
# additions to the list of Approved Interfaces. You must obey the GNU General
# Public License in all respects for all of the Program code and other code used
# in conjunction with the Program except the Non-GPL Code covered by this
# exception. If you modify this file, you may extend this exception to your
# version of the file, but you are not obligated to do so. If you do not wish to
# provide this exception without modification, you must delete this exception
# statement from your version and license this file solely under the GPL without
# exception.
#
#
# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
# Copyright (C) 2005 Red Hat, Inc.
# All rights reserved.
# END COPYRIGHT BLOCK
#
#
# This file configures how a certificate is mapped to an LDAP entry. See the
# documentation for more information on this file.
#
# The format of this file is as follows:
# certmap <name> <issuerDN>
# <name>:<prop1> [<val1>]
# <name>:<prop2> [<val2>]
#
# Notes:
#
# 1. Mapping can be defined per issuer of a certificate. If mapping doesn't
# exists for a particular 'issuerDN' then the server uses the default
# mapping.
#
# 2. There must be an entry for <name>=default and issuerDN "default".
# This mapping is the default mapping.
#
# 3. '#' can be used to comment out a line.
#
# 4. DNComps & FilterComps are used to form the base DN and filter resp. for
# performing an LDAP search while mapping the cert to a user entry.
#
# 5. DNComps can be one of the following:
# commented out - take the user's DN from the cert as is
# empty - search the entire LDAP tree (DN == suffix)
# attr names - a comma separated list of attributes to form DN
#
# 6. FilterComps can be one of the following:
# commented out - set the filter to "objectclass=*"
# empty - set the filter to "objectclass=*"
# attr names - a comma separated list of attributes to form the filter
#
certmap default default
#default:DNComps
#default:FilterComps e, uid
#default:verifycert on
#default:CmapLdapAttr certSubjectDN
#default:library <path_to_shared_lib_or_dll>
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid

38
install/share/default-aci.ldif Normal file
View File

@@ -0,0 +1,38 @@
# $SUFFIX (base entry)
# FIXME: We need to allow truly anonymous access only to NIS data for older clients. We need to allow broad access to most attributes only to authenticated users
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetfilter = "(objectClass=ipaGuiConfig)")(targetattr != "aci")(version 3.0;acl "Admins can change GUI config"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policy"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "aci")(version 3.0;acl "Admins can manage delegations"; allow (write, delete) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=radius,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetfilter = "(objectClass=radiusprofile)")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)

25
install/share/default-keytypes.ldif Normal file
View File

@@ -0,0 +1,25 @@
#kerberos keytypes
dn: cn=$REALM,cn=kerberos,$SUFFIX
changetype: modify
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
#kerberos keytypes
dn: cn=$REALM,cn=kerberos,$SUFFIX
changetype: modify
add: krbDefaultEncSaltTypes
krbDefaultEncSaltTypes: aes256-cts:normal
krbDefaultEncSaltTypes: aes128-cts:normal
krbDefaultEncSaltTypes: des3-hmac-sha1:normal
krbDefaultEncSaltTypes: arcfour-hmac:normal
krbDefaultEncSaltTypes: des-hmac-sha1:normal
krbDefaultEncSaltTypes: des-cbc-md5:normal

39
install/share/dna-posix.ldif Normal file
View File

@@ -0,0 +1,39 @@
# add container for posix configuration
dn: cn=Posix,cn=ipa-dna,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: nsContainer
objectclass: extensibleObject
cn: Posix
# add plugin configuration for posix users
dn: cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: Accounts
dnaType: uidNumber
dnaNextValue: 1100
dnaInterval: 1
dnaMaxValue: 1000000000
dnaMagicRegen: 999
dnaFilter: (objectclass=posixAccount)
dnaScope: $SUFFIX
# add plugin configuration for posix groups
dn: cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: Groups
dnaType: gidNumber
dnaNextValue: 1100
dnaInterval: 1
dnaMaxValue: 1000000000
dnaMagicRegen: 999
dnaFilter: (objectclass=posixGroup)
dnaScope: $SUFFIX

6
install/share/encrypted_attribute.ldif Normal file
View File

@@ -0,0 +1,6 @@
dn: cn=$ENCRYPTED_ATTRIBUTE, cn=encrypted attributes, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
changetype: add
objectClass: top
objectClass: nsAttributeEncryption
cn: $ENCRYPTED_ATTRIBUTE
nsEncryptionAlgorithm: AES

12
install/share/fedora-ds.init.patch Normal file
View File

@@ -0,0 +1,12 @@
--- /etc/init.d/dirsrv.orig 2007-07-06 18:21:30.000000000 -0400
+++ /etc/init.d/dirsrv 2007-05-18 19:36:24.000000000 -0400
@@ -10,6 +10,9 @@
# datadir: /var/lib/dirsrv/slapd-<instance name>
#
+# Get config.
+[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv
+
# Source function library.
if [ -f /etc/rc.d/init.d/functions ] ; then
. /etc/rc.d/init.d/functions

93
install/share/indices.ldif Normal file
View File

@@ -0,0 +1,93 @@
dn: cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:krbPrincipalName
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:ou
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:carLicense
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:title
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:manager
nsSystemIndex:false
nsIndexType:eq
dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:secretary
nsSystemIndex:false
nsIndexType:eq
dn: cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:displayname
nsSystemIndex:false
nsIndexType:eq
nsIndexType:sub
dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: nsIndexType
nsIndexType:sub
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:uidnumber
nsSystemIndex:false
nsIndexType:eq
nsMatchingRule: integerOrderingMatch
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass:top
objectClass:nsIndex
cn:gidnumber
nsSystemIndex:false
nsIndexType:eq
nsMatchingRule: integerOrderingMatch
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexType
nsIndexType: eq,pres
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexType
nsIndexType: eq,pres

15
install/share/kdc.conf.template Normal file
View File

@@ -0,0 +1,15 @@
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
$REALM = {
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
max_life = 7d
max_renewable_life = 14d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
}

16
install/share/kerberos.ldif Normal file
View File

@@ -0,0 +1,16 @@
#kerberos user
dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: kdc
userPassword: $PASSWORD
#kerberos base object
dn: cn=kerberos,$SUFFIX
changetype: add
objectClass: krbContainer
objectClass: top
cn: kerberos
aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)

2
install/share/krb.con.template Normal file
View File

@@ -0,0 +1,2 @@
$REALM $DOMAIN
$REALM $DOMAIN admin server

42
install/share/krb5.conf.template Normal file
View File

@@ -0,0 +1,42 @@
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = $REALM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
$REALM = {
kdc = $FQDN:88
admin_server = $FQDN:749
default_domain = $DOMAIN
}
[domain_realm]
.$DOMAIN = $REALM
$DOMAIN = $REALM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[dbmodules]
$REALM = {
db_library = kldap
ldap_servers = ldap://127.0.0.1/
ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}

19
install/share/krb5.ini.template Normal file
View File

@@ -0,0 +1,19 @@
[libdefaults]
default_realm = $REALM
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms
dns_lookup_kdc = true
[realms]
$REALM = {
admin_server = $FQDN
kdc = $FQDN
default_domain = $REALM
}
[domain_realm]
.$DOMAIN = $REALM
$DOMAIN = $REALM
[logging]
# kdc = CONSOLE

3
install/share/krbrealm.con.template Normal file
View File

@@ -0,0 +1,3 @@
.$REALM $REALM
.$REALM. $REALM
$REALM $REALM

7
install/share/master-entry.ldif Normal file
View File

@@ -0,0 +1,7 @@
dn: cn=$FQHN,cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectclass: top
objectclass: extensibleObject
cn: $FQHN
dnabase: 1100
dnainterval: 4

8
install/share/memberof-task.ldif Normal file
View File

@@ -0,0 +1,8 @@
dn: cn=IPA install $TIME, cn=memberof task, cn=tasks, cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: IPA install
basedn: $SUFFIX
filter: (objectclass=*)
ttl: 10

50
install/share/ntp.conf.server.template Normal file
View File

@@ -0,0 +1,50 @@
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap
restrict -6 default kod nomodify notrap
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server $SERVERA
server $SERVERB
server $SERVERC
#broadcast 192.168.1.255 key 42 # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 key 42 # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 key 42 # manycast client
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8

8
install/share/ntpd.sysconfig.template Normal file
View File

@@ -0,0 +1,8 @@
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=yes
# Additional options for ntpdate
NTPDATE_OPTIONS=""

33
install/share/preferences.html.template Normal file
View File

@@ -0,0 +1,33 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Automatically set browser preferences</title>
</head>
<body>
<form action="undefined" method="get">
<input type=button onclick="setPreferences()" name="prefs" value="Configure Firefox">
</form>
<script type="text/javascript">
function setPreferences() {
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesWrite");
try {
navigator.preference("network.negotiate-auth.using-native-gsslib", true)
navigator.preference("network.negotiate-auth.delegation-uris", ".$DOMAIN")
navigator.preference("network.negotiate-auth.trusted-uris", ".$DOMAIN")
navigator.preference("network.negotiate-auth.allow-proxies", true)
} catch (e) {
alert("Unable to store preferences: " + e)
}
netscape.security.PrivilegeManager.disablePrivilege("UniversalPreferencesWrite");
alert("Successfully configured Firefox for single sign on.")
} catch (e) {
alert("Unable to apply recommended settings.\n\nClick on the Certificate Authority link and select trust for all, then reload this page and try again.\n\nThe error returned was: " + e);
return;
}
}
</script>
</body>
</html>

11
install/share/referint-conf.ldif Normal file
View File

@@ -0,0 +1,11 @@
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginenabled
nsslapd-pluginenabled: on
-
add: nsslapd-pluginArg7
nsslapd-pluginArg7: manager
-
add: nsslapd-pluginArg8
nsslapd-pluginArg8: secretary

50
install/share/schema_compat.uldif Normal file
View File

@@ -0,0 +1,50 @@
#
# Enable the Schema Compatibility plugin provided by slapi-nis.
#
# http://slapi-nis.fedorahosted.org/
#
dn: cn=Schema Compatibility, cn=plugins, cn=config
default:objectclass: top
default:objectclass: nsSlapdPlugin
default:objectclass: extensibleObject
default:cn: Schema Compatibility
default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/schemacompat-plugin.so
default:nsslapd-plugininitfunc: schema_compat_plugin_init
default:nsslapd-plugintype: object
default:nsslapd-pluginenabled: on
default:nsslapd-pluginid: schema-compat-plugin
default:nsslapd-pluginversion: 0.8
default:nsslapd-pluginvendor: redhat.com
default:nsslapd-plugindescription: Schema Compatibility Plugin
dn: cn=users, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: users
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=users
default:schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixAccount
default:schema-compat-entry-rdn: uid=%{uid}
default:schema-compat-entry-attribute: objectclass=posixAccount
default:schema-compat-entry-attribute: gecos=%{cn}
default:schema-compat-entry-attribute: cn=%{cn}
default:schema-compat-entry-attribute: uidNumber=%{uidNumber}
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: loginShell=%{loginShell}
default:schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
dn: cn=groups, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: groups
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=groups
default:schema-compat-search-base: cn=groups, cn=accounts, $SUFFIX
default:schema-compat-search-filter: objectclass=posixGroup
default:schema-compat-entry-rdn: cn=%{cn}
default:schema-compat-entry-attribute: objectclass=posixGroup
default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
default:schema-compat-entry-attribute: memberUid=%{memberUid}
default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid")

35
install/share/unique-attributes.ldif Normal file
View File

@@ -0,0 +1,35 @@
dn: cn=krbPrincipalName uniqueness,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: krbPrincipalName uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: krbPrincipalName
nsslapd-pluginarg1: $SUFFIX
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Enforce unique attribute values
#dn: cn=uid uniqueness,cn=plugins,cn=config
#objectClass: top
#objectClass: nsSlapdPlugin
#objectClass: extensibleObject
#cn: uid uniqueness
#nsslapd-pluginPath: libattr-unique-plugin
#nsslapd-pluginInitfunc: NSUniqueAttr_Init
#nsslapd-pluginType: preoperation
#nsslapd-pluginEnabled: on
#nsslapd-pluginarg0: uid
#nsslapd-pluginarg1: cn=accounts,$SUFFIX
#nsslapd-plugin-depends-on-type: database
#nsslapd-pluginId: NSUniqueAttr
#nsslapd-pluginVersion: 1.1.0
#nsslapd-pluginVendor: Fedora Project
#nsslapd-pluginDescription: Enforce unique attribute values
#

24
install/tools/Makefile.am Normal file
View File

@@ -0,0 +1,24 @@
NULL =
SUBDIRS = \
share \
updates \
$(NULL)
sbin_SCRIPTS = \
ipa-server-install \
ipa-replica-install \
ipa-replica-prepare \
ipa-replica-manage \
ipa-server-certinstall \
ipactl \
$(NULL)
EXTRA_DIST = \
README \
$(sbin_SCRIPTS) \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in

67
install/tools/README Normal file
View File

@@ -0,0 +1,67 @@
Required packages:
krb5-server
fedora-ds-base
fedora-ds-base-devel
openldap-clients
openldap-devel
krb5-server-ldap
cyrus-sasl-gssapi
httpd
mod_auth_kerb
ntp
openssl-devel
nspr-devel
nss-devel
mozldap-devel
mod_python
gcc
python-ldap
TurboGears
python-kerberos
python-krbV
python-tgexpandingformwidget
python-pyasn1
Installation example:
TEMPORARY: until bug https://bugzilla.redhat.com/show_bug.cgi?id=248169 is
fixed.
Please apply the fedora-ds.init.patch in freeipa/ipa-server/ipa-install/share/
to patch your init scripts before running ipa-server-install. This tells
FDS where to find its kerberos keytab.
Things done as root are denoted by #. Things done as a unix user are denoted
by %.
# cd freeipa
# patch -p0 < ipa-server/ipa-install/share/fedora-ds.init.patch
Now to do the installation.
# cd freeipa
# make install
To start an interactive installation use:
# /usr/sbin/ipa-server-install
For more verbose output add the -d flag run the command with -h to see all options
You have a basic working system with one super administrator (named admin).
To create another administrative user:
% kinit admin@FREEIPA.ORG
% /usr/sbin/ipa-adduser -f Test -l User test
% ldappasswd -Y GSSAPI -h localhost -s password uid=test,cn=users,cn=accounts,dc=freeipa,dc=org
% /usr/sbin/ipa-groupmod -a test admins
An admin user is just a regular user in the group admin.
Now you can destroy the old ticket and log in as test:
% kdestroy
% kinit test@FREEIPA.ORG
% /usr/sbin/ipa-finduser test

171
install/tools/ipa-compat-manage Executable file
View File

@@ -0,0 +1,171 @@
#!/usr/bin/env python
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import sys
try:
from optparse import OptionParser
from ipaserver import ipaldap
from ipa import entity, ipaerror, ipautil, config
from ipaserver import installutils
from ipaserver.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
import ldap
import logging
import re
import krbV
import platform
import shlex
import time
import random
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
def parse_options():
usage = "%prog [options] <enable|disable>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
config.add_standard_options(parser)
options, args = parser.parse_args()
config.init_config(options)
return options, args
def get_dirman_password():
"""Prompt the user for the Directory Manager password and verify its
correctness.
"""
password = installutils.read_password("Directory Manager", confirm=False, validate=False)
return password
def main():
retval = 0
loglevel = logging.NOTSET
files=['/usr/share/ipa/schema_compat.uldif']
options, args = parse_options()
if options.debug:
loglevel = logging.DEBUG
if len(args) != 1:
print "You must specify one action, either enable or disable"
sys.exit(1)
elif args[0] != "enable" and args[0] != "disable":
print "Unrecognized action [" + args[0] + "]"
sys.exit(1)
logging.basicConfig(level=loglevel,
format='%(levelname)s %(message)s')
dirman_password = ""
if options.password:
pw = ipautil.template_file(options.password, [])
dirman_password = pw.strip()
else:
dirman_password = get_dirman_password()
try:
try:
conn = ipaldap.IPAdmin(installutils.get_fqdn())
conn.do_simple_bind(bindpw=dirman_password)
except ldap.LDAPError, e:
print "An error occurred while connecting to the server."
print "%s" % e[0]['desc']
return 1
if args[0] == "enable":
try:
conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
ldap.SCOPE_BASE, "(objectclass=*)")
print "Plugin already Enabled"
retval = 2
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
print "Enabling plugin"
except ldap.LDAPError, e:
print "An error occurred while talking to the server."
print "%s" % e[0]['desc']
retval = 1
if retval == 0:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
retval = ld.update(files)
if retval == 0:
print "This setting will not take effect until you restart Directory Server."
elif args[0] == "disable":
# Make a quick hack foir now, directly delete the entries by name,
# In future we should add delete capabilites to LDAPUpdate
try:
conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
ldap.SCOPE_BASE, "(objectclass=*)")
conn.deleteEntry("cn=groups,cn=Schema Compatibility,cn=plugins,cn=config")
conn.deleteEntry("cn=users,cn=Schema Compatibility,cn=plugins,cn=config")
conn.deleteEntry("cn=Schema Compatibility,cn=plugins,cn=config")
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
print "Plugin is already disabled"
retval = 2
except ldap.LDAPError, e:
print "An error occurred while talking to the server."
print "%s" % e[0]['desc']
retval = 1
else:
retval = 1
finally:
if conn:
conn.unbind()
return retval
try:
if __name__ == "__main__":
sys.exit(main())
except BadSyntax, e:
print "There is a syntax error in this update file:"
print " %s" % e
sys.exit(1)
except RuntimeError, e:
print "%s" % e
sys.exit(1)
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)
except config.IPAConfigError, e:
print "An IPA server to update cannot be found. Has one been configured yet?"
print "The error was: %s" % e
sys.exit(1)
except ipaerror, e:
print "An error occurred while performing operations: %s" % e
sys.exit(1)

524
install/tools/ipa-fix-CVE-2008-3274 Normal file
View File

@@ -0,0 +1,524 @@
#!/usr/bin/python
#
# Upgrade configuration files to a newer template.
etckrb5conf = "/etc/krb5.conf"
krb5dir = "/var/kerberos/krb5kdc"
cachedir = "/var/cache/ipa"
libdir = "/var/lib/ipa"
basedir = libdir+"/mkey"
ourkrb5conf = basedir+"/krb5.conf"
ldappwdfile = basedir+"/ldappwd"
import sys
try:
from optparse import OptionParser
import os
import random
import time
import shutil
import getpass
import ipa
import ipa.config
import ipa.ipautil
import krbV
import ldap
from ldap import LDAPError
from ldap import ldapobject
from ipaclient import ipachangeconf
from ipaserver import ipaldap
from pyasn1.type import univ, namedtype
import pyasn1.codec.ber.encoder
import pyasn1.codec.ber.decoder
import struct
import base64
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
def parse_options():
parser = OptionParser("%prog [--check] [--fix] [--fix-replica]")
parser.add_option("--check", dest="check", action="store_true",
help="Just check for the vulnerability and report (default action)")
parser.add_option("--fix", dest="fix", action="store_true",
help="Run checks and start procedure to fix the problem")
parser.add_option("--fix-replica", dest="fix_replica", action="store_true",
help="Fix a replica after the tool has been tun with --fix on another master")
ipa.config.add_standard_options(parser)
options, args = parser.parse_args()
ipa.config.verify_args(parser, args)
if not options.fix and not options.fix_replica and not options.check:
parser.error("please specify at least one option")
ipa.config.init_config(options)
return options, args
def check_vuln(realm, suffix):
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind()
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
if len(res) != 2:
err = 'Realm Container not found, unable to proceed'
print err
raise Exception, err
if 'krbmkey' in res[1][0][1]:
print 'System vulnerable'
return 1
else:
print 'System *not* vulnerable'
return 0
except Exception, e:
print "Could not connect to the LDAP server, unable to check server"
print "("+type(e)+")("+dir(e)+")"
raise e
# We support only des3 encoded stash files for now
def generate_new_stash_file(file):
odd_parity_bytes_pool = ['\x01', '\x02', '\x04', '\x07', '\x08', '\x0b',
'\r', '\x0e', '\x10', '\x13', '\x15', '\x16', '\x19', '\x1a', '\x1c',
'\x1f', ' ', '#', '%', '&', ')', '*', ',', '/', '1', '2', '4', '7', '8',
';', '=', '>', '@', 'C', 'E', 'F', 'I', 'J', 'L', 'O', 'Q', 'R', 'T',
'W', 'X', '[', ']', '^', 'a', 'b', 'd', 'g', 'h', 'k', 'm', 'n', 'p',
's', 'u', 'v', 'y', 'z', '|', '\x7f', '\x80', '\x83', '\x85', '\x86',
'\x89', '\x8a', '\x8c', '\x8f', '\x91', '\x92', '\x94', '\x97', '\x98',
'\x9b', '\x9d', '\x9e', '\xa1', '\xa2', '\xa4', '\xa7', '\xa8', '\xab',
'\xad', '\xae', '\xb0', '\xb3', '\xb5', '\xb6', '\xb9', '\xba', '\xbc',
'\xbf', '\xc1', '\xc2', '\xc4', '\xc7', '\xc8', '\xcb', '\xcd', '\xce',
'\xd0', '\xd3', '\xd5', '\xd6', '\xd9', '\xda', '\xdc', '\xdf', '\xe0',
'\xe3', '\xe5', '\xe6', '\xe9', '\xea', '\xec', '\xef', '\xf1', '\xf2',
'\xf4', '\xf7', '\xf8', '\xfb', '\xfd', '\xfe']
pool_len = len(odd_parity_bytes_pool)
keytype = 16 # des3
keydata = ""
r = random.SystemRandom()
for k in range(24):
keydata += r.choice(odd_parity_bytes_pool)
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open(file, "w")
fd.write(s)
except os.error, e:
logging.critical("failed to write stash file")
raise e
# clean up procedures
def change_mkey_cleanup(password):
try:
os.stat(basedir)
except:
return None
try:
# always remove ldappwdfile as it contains the Directory Manager password
os.remove(ldappwdfile)
except:
pass
# tar and encrypt the working dir so that we do not leave sensitive data
# around unproteceted
curtime = time.strftime("%Y%m%d%H%M%S",time.gmtime())
tarfile = libdir+"/ipa-change-mkey-"+curtime+".tar"
gpgfile = tarfile+".gpg"
args = ['/bin/tar', '-C', libdir, '-cf', tarfile, 'mkey']
ipa.ipautil.run(args)
ipa.ipautil.encrypt_file(tarfile, gpgfile, password, cachedir)
os.remove(tarfile)
shutil.rmtree(basedir, ignore_errors=True)
return "The temporary working directory with backup dump files has been securely archived and gpg-encrypted as "+gpgfile+" using the Directory Manager password."
def change_mkey(password = None, quiet = False):
krbctx = krbV.default_context()
realm = krbctx.default_realm
suffix = ipa.ipautil.realm_to_suffix(realm)
backupfile = basedir+"/backup.dump"
convertfile = basedir+"/convert.dump"
oldstashfile = krb5dir+"/.k5."+realm
newstashfile = basedir+"/.new.mkey"
bkpstashfile = basedir+"/.k5."+realm
if os.getuid() != 0:
print "ERROR: This command must be run as root"
sys.exit(1)
print "DANGER: This is a dangerous operation, make sure you backup all your IPA data before running the tool"
print "This command will restart your Directory and KDC Servers."
#TODO: ask for confirmation
if not ipa.ipautil.user_input("Do you want to proceed and change the Kerberos Master key?", False):
print ""
print "Aborting..."
return 1
if not password:
password = getpass.getpass("Directory Manager password: ")
# get a connection to the DS
try:
conn = ipaldap.IPAdmin(ipa.config.config.default_server[0])
conn.do_simple_bind(bindpw=password)
except Exception, e:
print "ERROR: Could not connect to the Directory Server on "+ipa.config.config.default_server[0]+" ("+str(e)+")"
return 1
# Wipe basedir and recreate it
shutil.rmtree(basedir, ignore_errors=True)
os.mkdir(basedir, 0700)
generate_new_stash_file(newstashfile)
# Generate conf files
try:
shutil.copyfile(etckrb5conf, ourkrb5conf)
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment(" = ")
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
krbconf.setIndent((""," "," "))
#OPTS
opts = [{'name':'ldap_kadmind_dn', 'type':'option', 'action':'set', 'value':'cn=Directory Manager'},
{'name':'ldap_service_password_file', 'type':'option', 'action':'set', 'value':ldappwdfile}]
#REALM
realmopts = [{'name':realm, 'type':'subsection', 'action':'set', 'value':opts}]
#DBMODULES
dbopts = [{'name':'dbmodules', 'type':'section', 'action':'set', 'value':realmopts}]
krbconf.changeConf(ourkrb5conf, dbopts);
hexpwd = ""
for x in password:
hexpwd += (hex(ord(x))[2:])
pwd_fd = open(ldappwdfile, "w")
pwd_fd.write("cn=Directory Manager#{HEX}"+hexpwd+"\n")
pwd_fd.close()
os.chmod(ldappwdfile, 0600)
except Exception, e:
print "Failed to create custom configuration files ("+str(e)+") aborting..."
return 1
#Set environment vars so that the modified krb5.conf is used
os.environ['KRB5_CONFIG'] = ourkrb5conf
#Backup the kerberos key material for recovery if needed
args = ["/usr/kerberos/sbin/kdb5_util", "dump", "-verbose", backupfile]
print "Performing safety backup of the key material"
try:
output = ipa.ipautil.run(args)
except ipa.ipautil.CalledProcessError, e:
print "Failed to backup key material ("+str(e)+"), aborting ..."
return 1
if not quiet:
princlist = output[1].split('\n')
print "Principals stored into the backup file "+backupfile+":"
for p in princlist:
print p
print ""
#Convert the kerberos keys to the new master key
args = ["/usr/kerberos/sbin/kdb5_util", "dump", "-verbose", "-new_mkey_file", newstashfile, convertfile]
print "Converting key material to new master key"
try:
output = ipa.ipautil.run(args)
except ipa.ipautil.CalledProcessError, e:
print "Failed to convert key material, aborting ..."
return 1
savedprinclist = output[1].split('\n')
if not quiet:
princlist = output[1].split('\n')
print "Principals dumped for conversion:"
for p in princlist:
print p
print ""
#Stop the KDC
args = ["/etc/init.d/krb5kdc", "stop"]
try:
output = ipa.ipautil.run(args)
if output[0]:
print output[0]
if output[1]:
print output[1]
except ipa.ipautil.CalledProcessError, e:
print "WARNING: Failed to restart the KDC ("+str(e)+")"
print "You will have to manually restart the KDC when the operation is completed"
#Change the mkey into ldap
try:
stash = open(newstashfile, "r")
keytype = struct.unpack('h', stash.read(2))[0]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+realm+",cn=kerberos,"+suffix
mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn.modify_s(dn, mod)
except Exception, e:
print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
return 1
#Backup old stash file and substitute with new
try:
shutil.move(oldstashfile, bkpstashfile)
shutil.copyfile(newstashfile, oldstashfile)
except Exception, e:
print "ERROR: An error occurred while installing the new stash file("+str(e)+")"
print "The KDC may fail to start if the correct stash file is not in place"
print "Verify that "+newstashfile+" has been correctly installed into "+oldstashfile
print "A backup copy of the old stash file should be saved in "+bkpstashfile
#Finally upload the converted principals
args = ["/usr/kerberos/sbin/kdb5_util", "load", "-verbose", "-update", convertfile]
print "Uploading converted key material"
try:
output = ipa.ipautil.run(args)
except ipa.ipautil.CalledProcessError, e:
print "Failed to upload key material ("+e+"), aborting ..."
return 1
if not quiet:
princlist = output[1].split('\n')
print "Principals converted and uploaded:"
for p in princlist:
print p
print ""
uploadedprinclist = output[1].split('\n')
#Check for differences and report
d = []
for p in savedprinclist:
if uploadedprinclist.count(p) == 0:
d.append(p)
if len(d) != 0:
print "WARNING: Not all dumped principals have been updated"
print "Principals not Updated:"
for p in d:
print p
#Remove custom environ
del os.environ['KRB5_CONFIG']
#Restart Directory Server (the pwd plugin need to read the new mkey)
args = ["/etc/init.d/dirsrv", "restart"]
try:
output = ipa.ipautil.run(args)
if output[0]:
print output[0]
if output[1]:
print output[1]
except ipa.ipautil.CalledProcessError, e:
print "WARNING: Failed to restart the Directory Server ("+str(e)+")"
print "Please manually restart the DS with 'service dirsrv restart'"
#Restart the KDC
args = ["/etc/init.d/krb5kdc", "start"]
try:
output = ipa.ipautil.run(args)
if output[0]:
print output[0]
if output[1]:
print output[1]
except ipa.ipautil.CalledProcessError, e:
print "WARNING: Failed to restart the KDC ("+str(e)+")"
print "Please manually restart the kdc with 'service krb5kdc start'"
print "Master Password successfully changed"
#print "You MUST now copy the stash file "+oldstashfile+" to all the replicas and restart them!"
print ""
return 0
def fix_replica(password, realm, suffix):
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
krbmkey = res[1][0][1]['krbmkey'][0]
except Exception, e:
print "Could not connect to the LDAP server, unable to fix server"
print "("+type(e)+")("+dir(e)+")"
raise e
krbMKey = pyasn1.codec.ber.decoder.decode(krbmkey)
keytype = int(krbMKey[0][1][0])
keydata = str(krbMKey[0][1][1])
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open("/var/kerberos/krb5kdc/.k5."+realm, "w")
fd.write(s)
fd.close()
except os.error, e:
print "failed to write stash file"
raise e
#restart KDC so that it can reload the new Master Key
os.system("/etc/init.d/krb5kdc restart")
KRBMKEY_DENY_ACI = """
(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
"""
def fix_main(password, realm, suffix):
#Run the change master key tool
print "Changing Kerberos master key"
try:
ret = change_mkey(password, True)
except SystemExit:
ret = 1
pass
except Exception, e:
ret = 1
print "%s" % str(e)
try:
msg = change_mkey_cleanup(password)
if msg:
print msg
except Exception, e:
print "Failed to clean up the temporary location for the dump files and generate and encrypted archive with error:"
print e
print "Please securely archive/encrypt "+basedir
if ret is not 0:
sys.exit(ret)
#Finally upload new master key
#get the Master Key from the stash file
try:
stash = open("/var/kerberos/krb5kdc/.k5."+realm, "r")
keytype = struct.unpack('h', stash.read(2))[0]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
except os.error:
print "Failed to retrieve Master Key from Stash file: %s"
raise e
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
sub_dict = dict(REALM=realm, SUFFIX=suffix)
#protect the master key by adding an appropriate deny rule along with the key
mod = [(ldap.MOD_ADD, 'aci', ipa.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
conn.modify_s(dn, mod)
conn.unbind()
print "\n"
print "This server is now correctly configured and the master-key has been changed and secured."
print "Please now run this tool with the --fix-replica option on all your other replicas."
print "Until you fix the replicas their KDCs will not work."
def main():
options, args = parse_options()
if options.fix or options.fix_replica:
password = getpass.getpass("Directory Manager password: ")
krbctx = krbV.default_context()
realm = krbctx.default_realm
suffix = ipa.ipautil.realm_to_suffix(realm)
try:
ret = check_vuln(realm, suffix)
except:
sys.exit(1)
if options.fix_replica:
if ret is 1:
print "Your system is still vulnerable"
print "If you have already run this tool with --fix on a master then make sure your replication is working correctly, before runnig --fix-replica"
sys.exit(1)
try:
fix_replica(password, realm, suffix)
except Exception, e:
print "Unexpected error ("+str(e)+")"
sys.exit(1)
sys.exit(0)
if options.check:
sys.exit(0)
if options.fix:
if ret is 1:
try:
ret = fix_main(password, realm, suffix)
except Exception, e:
print "Unexpected error ("+str(e)+")"
sys.exit(1)
sys.exit(ret)
try:
if __name__ == "__main__":
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)

126
install/tools/ipa-ldap-updater Executable file
View File

@@ -0,0 +1,126 @@
#!/usr/bin/env python
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Documentation can be found at http://freeipa.org/page/LdapUpdate
# TODO
# save undo files?
import sys
try:
from optparse import OptionParser
from ipaserver import ipaldap
from ipa import entity, ipaerror, ipautil, config
from ipaserver import installutils
from ipaserver.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
import ldap
import logging
import re
import krbV
import platform
import shlex
import time
import random
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
def parse_options():
usage = "%prog [options] input_file(s)\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
parser.add_option("-t", "--test", action="store_true", dest="test",
help="Run through the update without changing anything")
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
config.add_standard_options(parser)
options, args = parser.parse_args()
config.init_config(options)
return options, args
def get_dirman_password():
"""Prompt the user for the Directory Manager password and verify its
correctness.
"""
password = installutils.read_password("Directory Manager", confirm=False, validate=False)
return password
def main():
loglevel = logging.INFO
options, args = parse_options()
if options.debug:
loglevel = logging.DEBUG
logging.basicConfig(level=loglevel,
format='%(levelname)s %(message)s')
dirman_password = ""
if options.password:
pw = ipautil.template_file(options.password, [])
dirman_password = pw.strip()
else:
dirman_password = get_dirman_password()
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test)
files=[]
if len(args) < 1:
files = ld.get_all_files(UPDATES_DIR)
else:
files = args
modified = ld.update(files)
if modified and options.test:
return 2
else:
return 0
try:
if __name__ == "__main__":
sys.exit(main())
except BadSyntax, e:
print "There is a syntax error in this update file:"
print " %s" % e
sys.exit(1)
except RuntimeError, e:
print "%s" % e
sys.exit(1)
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)
except config.IPAConfigError, e:
print "An IPA server to update cannot be found. Has one been configured yet?"
print "The error was: %s" % e
sys.exit(1)

312
install/tools/ipa-replica-install Normal file
View File

@@ -0,0 +1,312 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import sys
import tempfile, os, pwd, traceback, logging, shutil
from ConfigParser import SafeConfigParser
import ldap
from ipa import ipautil
from ipaserver import dsinstance, replication, installutils, krbinstance, service
from ipaserver import httpinstance, ntpinstance, certs, ipaldap
from ipa import version
CACERT="/usr/share/ipa/html/ca.crt"
class ReplicaConfig:
def __init__(self):
self.realm_name = ""
self.domain_name = ""
self.master_host_name = ""
self.dirman_password = ""
self.ds_user = ""
self.host_name = ""
self.repl_password = ""
self.dir = ""
def parse_options():
from optparse import OptionParser
parser = OptionParser(version=version.VERSION)
parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
help="do not configure ntp", default=True)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
parser.add_option("-p", "--password", dest="password",
help="Directory Manager (existing master) password")
options, args = parser.parse_args()
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
return options, args[0]
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def expand_info(filename, password):
top_dir = tempfile.mkdtemp("ipa")
tarfile = top_dir+"/files.tar"
dir = top_dir + "/realm_info"
ipautil.decrypt_file(filename, tarfile, password, top_dir)
ipautil.run(["tar", "xf", tarfile, "-C", top_dir])
os.remove(tarfile)
return top_dir, dir
def read_info(dir, rconfig):
filename = dir + "/realm_info"
fd = open(filename)
config = SafeConfigParser()
config.readfp(fd)
rconfig.realm_name = config.get("realm", "realm_name")
rconfig.master_host_name = config.get("realm", "master_host_name")
rconfig.ds_user = config.get("realm", "ds_user")
rconfig.domain_name = config.get("realm", "domain_name")
rconfig.host_name = config.get("realm", "destination_host")
def get_host_name():
hostname = installutils.get_fqdn()
try:
installutils.verify_fqdn(hostname)
except RuntimeError, e:
logging.error(str(e))
sys.exit(1)
return hostname
def set_owner(config, dir):
pw = pwd.getpwnam(config.ds_user)
os.chown(dir, pw.pw_uid, pw.pw_gid)
def install_ds(config):
dsinstance.check_existing_installation()
dsinstance.check_ports()
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
pkcs12_info = None
if ipautil.file_exists(config.dir + "/dscert.p12"):
pkcs12_info = (config.dir + "/dscert.p12",
config.dir + "/dirsrv_pin.txt")
ds = dsinstance.DsInstance()
ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
return ds
def install_krb(config):
krb = krbinstance.KrbInstance()
ldappwd_filename = config.dir + "/ldappwd"
kpasswd_filename = config.dir + "/kpasswd.keytab"
krb.create_replica(config.ds_user, config.realm_name, config.host_name,
config.domain_name, config.dirman_password,
ldappwd_filename, kpasswd_filename)
def install_ca_cert(config):
if ipautil.file_exists(config.dir + "/ca.crt"):
try:
shutil.copy(config.dir + "/ca.crt", CACERT)
os.chmod(CACERT, 0444)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
def install_http(config):
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
pkcs12_info = None
if ipautil.file_exists(config.dir + "/httpcert.p12"):
pkcs12_info = (config.dir + "/httpcert.p12",
config.dir + "/http_pin.txt")
http = httpinstance.HTTPInstance()
http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
# Now copy the autoconfiguration files
if ipautil.file_exists(config.dir + "/preferences.html"):
try:
shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
def check_dirsrv():
serverids = dsinstance.check_existing_installation()
if serverids:
print ""
print "An existing Directory Server has been detected."
if not ipautil.user_input("Do you wish to remove it and create a new one?", False):
print ""
print "Only a single Directory Server instance is allowed on an IPA"
print "server, the one used by IPA itself."
sys.exit(1)
try:
service.stop("dirsrv")
except:
pass
for serverid in serverids:
dsinstance.erase_ds_instance_data(serverid)
(ds_unsecure, ds_secure) = dsinstance.check_ports()
if not ds_unsecure or not ds_secure:
print "IPA requires ports 389 and 636 for the Directory Server."
print "These are currently in use:"
if not ds_unsecure:
print "\t389"
if not ds_secure:
print "\t636"
sys.exit(1)
def main():
options, filename = parse_options()
installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
check_dirsrv()
# get the directory manager password
dirman_password = options.password
if not dirman_password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
try:
top_dir, dir = expand_info(filename, dirman_password)
except Exception, e:
print "ERROR: Failed to decrypt or open the replica file."
print "Verify you entered the correct Directory Manager password."
sys.exit(1)
config = ReplicaConfig()
read_info(dir, config)
config.dirman_password = dirman_password
host = get_host_name()
if config.host_name != host:
try:
print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
if not ipautil.user_input("This may cause problems. Continue?", True):
sys.exit(0)
config.host_name = host
print ""
except KeyboardInterrupt:
sys.exit(0)
config.repl_password = ipautil.ipa_generate_password()
config.dir = dir
# Try out the password
try:
conn = ipaldap.IPAdmin(config.master_host_name)
conn.do_simple_bind(bindpw=config.dirman_password)
conn.unbind()
except ldap.CONNECT_ERROR, e:
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
except ldap.SERVER_DOWN, e:
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance()
ntp.create_instance()
# Configure dirsrv
ds = install_ds(config)
# Install CA cert so that we can do SSL connections with ldap
install_ca_cert(config)
try:
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
ret = repl.setup_replication(config.master_host_name, config.realm_name)
except Exception, e:
logging.debug("Connection error: %s" % e)
raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
if ret != 0:
raise RuntimeError("Failed to start replication")
install_krb(config)
install_http(config)
# Create the config file
fd = open("/etc/ipa/ipa.conf", "w")
fd.write("[defaults]\n")
fd.write("server=" + config.host_name + "\n")
fd.write("realm=" + config.realm_name + "\n")
fd.write("domain=" + config.domain_name + "\n")
fd.close()
# Create a Web Gui instance
webgui = httpinstance.WebGuiInstance()
webgui.create_instance()
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
service.restart("dirsrv")
service.restart("krb5kdc")
# Call client install script
try:
ipautil.run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name])
except Exception, e:
print "Configuration of client side components failed!"
print "ipa-client-install returned: " + str(e)
raise RuntimeError("Failed to configure the client")
ds.init_memberof()
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
main()
sys.exit(0)
except SystemExit, e:
sys.exit(e)
except Exception, e:
print "creation of replica failed: %s" % str(e)
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
logging.debug(message)
except KeyboardInterrupt:
print "Installation cancelled."
print ""
print "Your system may be partly configured."
print "Run /usr/sbin/ipa-server-install --uninstall to clean up."
# the only way to get here is on error or ^C
sys.exit(1)

218
install/tools/ipa-replica-manage Executable file
View File

@@ -0,0 +1,218 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import sys
import getpass, ldap, re, krbV
import traceback, logging
from ipa import ipautil
from ipaserver import replication, ipaldap, dsinstance, installutils
from ipa import version
def parse_options():
from optparse import OptionParser
parser = OptionParser(version=version.VERSION)
parser.add_option("-H", "--host", dest="host", help="starting host")
parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password")
parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
help="provide additional information")
parser.add_option("--port", type="int", dest="port",
help="port number of other server")
parser.add_option("--binddn", dest="binddn",
help="Bind DN to use with remote server")
parser.add_option("--bindpw", dest="bindpw",
help="Password for Bind DN to use with remote server")
parser.add_option("--winsync", dest="winsync", action="store_true", default=False,
help="This is a Windows Sync Agreement")
parser.add_option("--cacert", dest="cacert",
help="Full path and filename of CA certificate to use with TLS/SSL to the remote server")
parser.add_option("--win-subtree", dest="win_subtree",
help="DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix)")
parser.add_option("--passsync", dest="passsync",
help="Password for the Windows PassSync user")
options, args = parser.parse_args()
if not len(args) or not ("list" in args[0] or "add" in args[0] or "del" in args[0] or "init" in args[0] or "synch" in args[0]):
parser.error("must provide a command [list | add | del | init | synch]")
# set log level
if options.verbose:
# if verbose, output events at INFO level if not already
mylogger = logging.getLogger()
if mylogger.getEffectiveLevel() > logging.INFO:
mylogger.setLevel(logging.INFO)
# else user has already configured logging externally lower
return options, args
def get_realm_name():
c = krbV.default_context()
return c.default_realm
def get_suffix():
suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(get_realm_name()))
return suffix
def get_host_name():
hostname = installutils.get_fqdn()
try:
installutils.verify_fqdn(hostname)
except RuntimeError, e:
logging.error(str(e))
sys.exit(1)
return hostname
def list_masters(replman, verbose):
dns = replman.find_replication_dns(replman.conn)
for dn in dns:
entry = replman.conn.search_s(dn, ldap.SCOPE_SUBTREE)[0]
print entry.getValue('nsds5replicahost')
if verbose:
print " last init status: %s" % entry.nsds5replicalastinitstatus
print " last init ended: %s" % str(ipautil.parse_generalized_time(entry.nsds5replicalastinitend))
print " last update status: %s" % entry.nsds5replicalastupdatestatus
print " last update ended: %s" % str(ipautil.parse_generalized_time(entry.nsds5replicalastupdateend))
def del_master(replman, hostname):
try:
t = replman.get_agreement_type(hostname)
except ldap.NO_SUCH_OBJECT:
print "No replication agreement found for %s" % hostname
if t == replication.IPA_REPLICA:
dirman_passwd = getpass.getpass("Directory Manager password (%s): " % hostname)
other_replman = replication.ReplicationManager(hostname, dirman_passwd)
other_replman.suffix = get_suffix()
other_replman.delete_agreement(replman.conn.host)
replman.delete_agreement(hostname)
def add_master(replman, hostname, options):
other_args = {}
if options.port:
other_args['port'] = options.port
if options.binddn:
other_args['binddn'] = options.binddn
if options.bindpw:
other_args['bindpw'] = options.bindpw
if options.cacert:
other_args['cacert'] = options.cacert
if options.win_subtree:
other_args['win_subtree'] = options.win_subtree
if options.passsync:
other_args['passsync'] = options.passsync
if options.winsync:
other_args['winsync'] = True
if not options.binddn or not options.bindpw or not options.cacert or not options.passsync:
logging.error("The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement")
sys.exit(1)
if options.cacert:
# have to install the given CA cert before doing anything else
ds = dsinstance.DsInstance(realm_name = get_realm_name(),
dm_password = replman.dirman_passwd)
if not ds.add_ca_cert(options.cacert):
logging.error("Could not load the required CA certificate file [%s]" %
options.cacert)
sys.exit(1)
else:
logging.info("Added CA certificate %s to certificate database for %s" %
(options.cacert, replman.hostname))
# have to reconnect replman connection since the directory server was restarted
replman = replication.ReplicationManager(replman.hostname, replman.dirman_passwd)
logging.info("Restarted directory server " + replman.hostname)
replman.setup_replication(hostname, get_realm_name(), **other_args)
logging.info("Added agreement for other host " + hostname)
def init_master(replman, dirman_passwd, hostname):
filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % hostname
entry = replman.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter)
if len(entry) == 0:
logging.error("Unable to find replication agreement for %s" % hostname)
sys.exit(1)
if len(entry) > 1:
logging.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (hostname, entry[0].dn))
replman.initialize_replication(entry[0].dn, replman.conn)
ds = dsinstance.DsInstance(realm_name = get_realm_name(), dm_password = dirman_passwd)
ds.init_memberof()
def synch_master(replman, hostname):
filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % hostname
entry = replman.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter)
if len(entry) == 0:
logging.error("Unable to find replication agreement for %s" % hostname)
sys.exit(1)
if len(entry) > 1:
logging.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (hostname, entry[0].dn))
replman.force_synch(entry[0].dn, entry[0].nsds5replicaupdateschedule, replman.conn)
def main():
options, args = parse_options()
if options.dirman_passwd:
dirman_passwd = options.dirman_passwd
else:
dirman_passwd = getpass.getpass("Directory Manager password: ")
if options.host:
host = options.host
else:
host = get_host_name()
r = replication.ReplicationManager(host, dirman_passwd)
r.suffix = get_suffix()
if args[0] == "list":
list_masters(r, options.verbose)
elif args[0] == "del":
if len(args) != 2:
print "must provide hostname of master to delete"
sys.exit(1)
del_master(r, args[1])
elif args[0] == "add":
if len(args) != 2:
print "must provide hostname of master to add"
sys.exit(1)
add_master(r, args[1], options)
elif args[0] == "init":
if len(args) != 2:
print "hostname of master to initialize is required."
sys.exit(1)
init_master(r, dirman_passwd, args[1])
elif args[0] == "synch":
if len(args) != 2:
print "must provide hostname of supplier to synchronize with"
sys.exit(1)
synch_master(r, args[1])
try:
main()
except KeyboardInterrupt:
sys.exit(1)
except SystemExit, e:
sys.exit(e)
except ldap.INVALID_CREDENTIALS:
print "Invalid password"
sys.exit(1)
except Exception, e:
print "unexpected error: %s" % str(e)

294
install/tools/ipa-replica-prepare Normal file
View File

@@ -0,0 +1,294 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import sys
import logging, tempfile, shutil, os, pwd
import traceback
from ConfigParser import SafeConfigParser
import krbV
from optparse import OptionParser
import ipa.config
from ipa import ipautil
from ipaserver import dsinstance, installutils, certs, ipaldap
from ipa import version
import ldap
def parse_options():
usage = "%prog [options] FQDN (e.g. replica.example.com)"
parser = OptionParser(usage=usage, version=version.VERSION)
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="install certificate for the directory server")
parser.add_option("--http_pkcs12", dest="http_pkcs12",
help="install certificate for the http server")
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
help="PIN for the Directory Server PKCS#12 file")
parser.add_option("--http_pin", dest="http_pin",
help="PIN for the Apache Server PKCS#12 file")
parser.add_option("-p", "--password", dest="password",
help="Directory Manager (existing master) password")
ipa.config.add_standard_options(parser)
options, args = parser.parse_args()
# If any of the PKCS#12 options are selected, all are required. Create a
# list of the options and count it to enforce that all are required without
# having a huge set of it blocks.
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
cnt = pkcs12.count(None)
if cnt > 0 and cnt < 4:
parser.error("error: All PKCS#12 options are required if any are used.")
if len(args) != 1:
parser.error("must provide the fully-qualified name of the replica")
ipa.config.init_config(options)
return options, args
def get_host_name():
hostname = installutils.get_fqdn()
try:
installutils.verify_fqdn(hostname)
except RuntimeError, e:
logging.error(str(e))
sys.exit(1)
return hostname
def get_realm_name():
try:
c = krbV.default_context()
return c.default_realm
except Exception, e:
return None
def get_domain_name():
try:
ipa.config.init_config()
domain_name = ipa.config.config.get_domain()
except Exception, e:
return None
return domain_name
def check_ipa_configuration(realm_name):
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
if not ipautil.dir_exists(config_dir):
logging.error("could not find directory instance: %s" % config_dir)
sys.exit(1)
def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
"""realm is the kerberos realm for the IPA server.
ds_dir is the location of the master DS we are creating a replica for.
dir is the location of the files for the replica we are creating.
passwd_fname is the file containing the PKCS#12 password
fname is the filename of the PKCS#12 file for this cert (minus the .p12).
subject is the subject of the certificate we are creating
"""
try:
ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
ca = certs.CertDB(dir)
ca.create_from_cacert(ds_ca.cacert_fname)
ca.create_server_cert("Server-Cert", subject, ds_ca)
except Exception, e:
raise e
pkcs12_fname = dir + "/" + fname + ".p12"
try:
ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
except ipautil.CalledProcessError, e:
print "error exporting CA certificate: " + str(e)
try:
os.unlink(pkcs12_fname)
os.unlink(passwd_fname)
except:
pass
os.unlink(dir + "/cert8.db")
os.unlink(dir + "/key3.db")
os.unlink(dir + "/secmod.db")
os.unlink(dir + "/noise.txt")
if ipautil.file_exists(passwd_fname + ".orig"):
os.unlink(passwd_fname + ".orig")
def get_ds_user(ds_dir):
uid = os.stat(ds_dir).st_uid
user = pwd.getpwuid(uid)[0]
return user
def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host):
config = SafeConfigParser()
config.add_section("realm")
config.set("realm", "realm_name", realm_name)
config.set("realm", "master_host_name", host_name)
config.set("realm", "ds_user", ds_user)
config.set("realm", "domain_name", domain_name)
config.set("realm", "destination_host", dest_host)
fd = open(dir + "/realm_info", "w")
config.write(fd)
def copy_files(realm_name, dir):
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
try:
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def main():
options, args = parse_options()
replica_fqdn = args[0]
if not ipautil.file_exists(certs.CA_SERIALNO) and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
print "Determining current realm name"
realm_name = get_realm_name()
if realm_name is None:
print "Unable to determine default realm"
sys.exit(1)
check_ipa_configuration(realm_name)
print "Getting domain name from LDAP"
domain_name = get_domain_name()
if domain_name is None:
print "Unable to determine LDAP default domain"
sys.exit(1)
host_name = get_host_name()
if host_name == replica_fqdn:
print "You can't create a replica on itself"
sys.exit(1)
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
ds_user = get_ds_user(ds_dir)
# get the directory manager password
dirman_password = options.password
if not options.password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
# Try out the password
try:
conn = ipaldap.IPAdmin(host_name)
conn.do_simple_bind(bindpw=dirman_password)
conn.unbind()
except ldap.CONNECT_ERROR, e:
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
except ldap.SERVER_DOWN, e:
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name)
print "Preparing replica for %s from %s" % (replica_fqdn, host_name)
top_dir = tempfile.mkdtemp("ipa")
dir = top_dir + "/realm_info"
os.mkdir(dir, 0700)
if options.dirsrv_pin:
passwd = options.dirsrv_pin
else:
passwd = ""
passwd_fname = dir + "/dirsrv_pin.txt"
fd = open(passwd_fname, "w")
fd.write("%s\n" % passwd)
fd.close()
if options.dirsrv_pkcs12:
print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12
try:
shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12")
except IOError, e:
print "Copy failed %s" % e
sys.exit(1)
else:
print "Creating SSL certificate for the Directory Server"
export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn)
if options.http_pin:
passwd = options.http_pin
else:
passwd = ""
passwd_fname = dir + "/http_pin.txt"
fd = open(passwd_fname, "w")
fd.write("%s\n" % passwd)
fd.close()
if options.http_pkcs12:
print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12
try:
shutil.copy(options.http_pkcs12, dir + "/httpcert.p12")
except IOError, e:
print "Copy failed %s" % e
sys.exit(1)
else:
print "Creating SSL certificate for the Web Server"
export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn)
print "Copying additional files"
copy_files(realm_name, dir)
print "Finalizing configuration"
save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn)
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
encfile = replicafile+".gpg"
print "Packaging replica information into %s" % encfile
ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
os.remove(replicafile)
shutil.rmtree(dir)
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
main()
except SystemExit, e:
sys.exit(e)
except Exception, e:
print "preparation of replica failed: %s" % str(e)
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
logging.debug(message)
print message
sys.exit(1)

157
install/tools/ipa-server-certinstall Normal file
View File

@@ -0,0 +1,157 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import sys
import os
import pwd
import tempfile
import traceback
import krbV, ldap, getpass
from ipa.ipautil import user_input
from ipaserver import certs, dsinstance, httpinstance, ipaldap, installutils
def get_realm_name():
c = krbV.default_context()
return c.default_realm
def parse_options():
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true",
default=False, help="install certificate for the directory server")
parser.add_option("-w", "--http", dest="http", action="store_true",
default=False, help="install certificate for the http server")
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
help="The password of the Directory Server PKCS#12 file")
parser.add_option("--http_pin", dest="http_pin",
help="The password of the Apache Server PKCS#12 file")
options, args = parser.parse_args()
if not options.dirsrv and not options.http:
parser.error("you must specify dirsrv and/or http")
if ((options.dirsrv and not options.dirsrv_pin) or
(options.http and not options.http_pin)):
parser.error("you must provide the password for the PKCS#12 file")
if len(args) != 1:
parser.error("you must provide a pkcs12 filename")
return options, args[0]
def set_ds_cert_name(cert_name, dm_password):
conn = ipaldap.IPAdmin("127.0.0.1")
conn.simple_bind_s("cn=directory manager", dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)]
conn.modify_s("cn=RSA,cn=encryption,cn=config", mod)
conn.unbind()
def choose_server_cert(server_certs):
print "Please select the certificate to use:"
num = 1
for cert in server_certs:
print "%d. %s" % (num, cert[0])
num += 1
while 1:
num = user_input("Certificate number", 1)
print ""
if num < 1 or num > len(server_certs):
print "number out of range"
else:
break
return server_certs[num - 1]
def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
cdb = certs.CertDB(dirname)
cdb.create_passwd_file(db_password)
cdb.create_certdbs()
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, pkcs12_passwd)
os.close(pw_fd)
try:
try:
cdb.import_pkcs12(pkcs12_fname, pw_name)
except RuntimeError, e:
print str(e)
sys.exit(1)
finally:
os.remove(pw_name)
server_certs = cdb.find_server_certs()
if len(server_certs) == 0:
print "could not find a suitable server cert in import"
sys.exit(1)
elif len(server_certs) == 1:
server_cert = server_certs[0]
else:
server_cert = choose_server_cert(server_certs)
cdb.trust_root_cert(server_cert[0])
return server_cert
def main():
options, pkcs12_fname = parse_options()
try:
if options.dirsrv:
dm_password = getpass.getpass("Directory Manager password: ")
realm = get_realm_name()
dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
fd = open(dirname + "/pwdfile.txt")
passwd = fd.read()
fd.close()
server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
set_ds_cert_name(server_cert[0], dm_password)
if options.http:
dirname = httpinstance.NSS_DIR
server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0])
# Fix the database permissions
os.chmod(dirname + "/cert8.db", 0640)
os.chmod(dirname + "/key3.db", 0640)
os.chmod(dirname + "/secmod.db", 0640)
pent = pwd.getpwnam("apache")
os.chown(dirname + "/cert8.db", 0, pent.pw_gid )
os.chown(dirname + "/key3.db", 0, pent.pw_gid )
os.chown(dirname + "/secmod.db", 0, pent.pw_gid )
except Exception, e:
print "an unexpected error occurred: %s" % str(e)
traceback.print_exc()
return 1
return 0
sys.exit(main())

622
install/tools/ipa-server-install Normal file
View File

@@ -0,0 +1,622 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# requires the following packages:
# fedora-ds-base
# openldap-clients
# nss-tools
import sys
import os
import socket
import errno
import logging
import pwd
import subprocess
import signal
import shutil
import glob
import traceback
from optparse import OptionParser
import ipaserver.dsinstance
import ipaserver.krbinstance
import ipaserver.bindinstance
import ipaserver.httpinstance
import ipaserver.ntpinstance
from ipaserver import service
from ipa import version
from ipaserver.installutils import *
from ipa import sysrestore
from ipa.ipautil import *
pw_name = None
def parse_options():
parser = OptionParser(version=version.VERSION)
parser.add_option("-u", "--user", dest="ds_user",
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
parser.add_option("-n", "--domain", dest="domain_name",
help="domain name")
parser.add_option("-p", "--ds-password", dest="dm_password",
help="admin password")
parser.add_option("-P", "--master-password", dest="master_password",
help="kerberos master password (normally autogenerated)")
parser.add_option("-a", "--admin-password", dest="admin_password",
help="admin user kerberos password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address")
parser.add_option("--setup-bind", dest="setup_bind", action="store_true",
default=False, help="configure bind with our zone file")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
default=False, help="uninstall an existing installation")
parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
help="do not configure ntp", default=True)
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="PKCS#12 file containing the Directory Server SSL certificate")
parser.add_option("--http_pkcs12", dest="http_pkcs12",
help="PKCS#12 file containing the Apache Server SSL certificate")
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
help="The password of the Directory Server PKCS#12 file")
parser.add_option("--http_pin", dest="http_pin",
help="The password of the Apache Server PKCS#12 file")
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
options, args = parser.parse_args()
if options.uninstall:
if (options.ds_user or options.realm_name or
options.dm_password or options.admin_password or
options.master_password):
parser.error("error: In uninstall mode, -u, r, -p and -P options are not allowed")
elif options.unattended:
if (not options.ds_user or not options.realm_name or
not options.dm_password or not options.admin_password):
parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options")
# If any of the PKCS#12 options are selected, all are required. Create a
# list of the options and count it to enforce that all are required without
# having a huge set of it blocks.
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
cnt = pkcs12.count(None)
if cnt > 0 and cnt < 4:
parser.error("error: All PKCS#12 options are required if any are used.")
return options
def signal_handler(signum, frame):
global ds
print "\nCleaning up..."
if ds:
print "Removing configuration for %s instance" % ds.serverid
ds.stop()
if ds.serverid:
ipaserver.dsinstance.erase_ds_instance_data (ds.serverid)
sys.exit(1)
def read_host_name(host_default,no_host_dns=False):
host_name = ""
print "Enter the fully qualified domain name of the computer"
print "on which you're setting up server software. Using the form"
print "<hostname>.<domainname>"
print "Example: master.example.com."
print ""
print ""
if host_default == "":
host_default = "master.example.com"
while True:
host_name = user_input("Server host name", host_default, allow_empty = False)
print ""
try:
verify_fqdn(host_name,no_host_dns)
except Exception, e:
raise e
else:
break
return host_name
def resolve_host(host_name):
ip = ""
try:
ip = socket.gethostbyname(host_name)
if ip == "127.0.0.1" or ip == "::1":
print "The hostname resolves to the localhost address (127.0.0.1/::1)"
print "Please change your /etc/hosts file so that the hostname"
print "resolves to the ip address of your network interface."
print "The KDC service does not listen on localhost"
print ""
print "Please fix your /etc/hosts file and restart the setup program"
return None
except:
print "Unable to lookup the IP address of the provided host"
return ip
def verify_ip_address(ip):
is_ok = True
try:
socket.inet_pton(socket.AF_INET, ip)
except:
try:
socket.inet_pton(socket.AF_INET6, ip)
except:
print "Unable to verify IP address"
is_ok = False
return is_ok
def read_ip_address(host_name):
while True:
ip = user_input("Please provide the IP address to be used for this host name", allow_empty = False)
if ip == "127.0.0.1" or ip == "::1":
print "The IPA Server can't use localhost as a valid IP"
continue
if not verify_ip_address(ip):
continue
print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file"
fstore.backup_file("/etc/hosts")
hosts_fd = open('/etc/hosts', 'r+')
hosts_fd.seek(0, 2)
hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n')
hosts_fd.close()
return ip
def read_ds_user():
print "The server must run as a specific user in a specific group."
print "It is strongly recommended that this user should have no privileges"
print "on the computer (i.e. a non-root user). The setup procedure"
print "will give this user/group some permissions in specific paths/files"
print "to perform server-specific operations."
print ""
ds_user = ""
try:
pwd.getpwnam('dirsrv')
print "A user account named 'dirsrv' already exists. This is the user id"
print "that the Directory Server will run as."
print ""
if user_input("Do you want to use the existing 'dirsrv' account?", True):
ds_user = "dirsrv"
else:
print ""
ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False)
print ""
except KeyError:
ds_user = "dirsrv"
return ds_user
def read_domain_name(domain_name, unattended):
print "The domain name has been calculated based on the host name."
print ""
if not unattended:
domain_name = user_input("Please confirm the domain name", domain_name)
print ""
return domain_name
def read_realm_name(domain_name, unattended):
print "The kerberos protocol requires a Realm name to be defined."
print "This is typically the domain name converted to uppercase."
print ""
if unattended:
return domain_name.upper()
realm_name = user_input("Please provide a realm name", domain_name.upper())
upper_dom = realm_name.upper()
if upper_dom != realm_name:
print "An upper-case realm name is required."
if not user_input("Do you want to use " + upper_dom + " as realm name?", True):
print ""
print "An upper-case realm name is required. Unable to continue."
sys.exit(1)
else:
realm_name = upper_dom
print ""
return realm_name
def read_dm_password():
print "Certain directory server operations require an administrative user."
print "This user is referred to as the Directory Manager and has full access"
print "to the Directory for system management tasks and will be added to the"
print "instance of directory server created for IPA."
print "The password must be at least 8 characters long."
print ""
#TODO: provide the option of generating a random password
dm_password = read_password("Directory Manager")
return dm_password
def read_admin_password():
print "The IPA server requires an administrative user, named 'admin'."
print "This user is a regular system account used for IPA server administration."
print ""
#TODO: provide the option of generating a random password
admin_password = read_password("IPA admin")
return admin_password
def check_dirsrv(unattended):
serverids = ipaserver.dsinstance.check_existing_installation()
if serverids:
print ""
print "An existing Directory Server has been detected."
if unattended or not user_input("Do you wish to remove it and create a new one?", False):
print ""
print "Only a single Directory Server instance is allowed on an IPA"
print "server, the one used by IPA itself."
sys.exit(1)
try:
service.stop("dirsrv")
except:
pass
for serverid in serverids:
ipaserver.dsinstance.erase_ds_instance_data(serverid)
(ds_unsecure, ds_secure) = ipaserver.dsinstance.check_ports()
if not ds_unsecure or not ds_secure:
print "IPA requires ports 389 and 636 for the Directory Server."
print "These are currently in use:"
if not ds_unsecure:
print "\t389"
if not ds_secure:
print "\t636"
sys.exit(1)
def uninstall():
try:
run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"])
except Exception, e:
print "Uninstall of client side components failed!"
print "ipa-client-install returned: " + str(e)
pass
ipaserver.ntpinstance.NTPInstance(fstore).uninstall()
ipaserver.bindinstance.BindInstance(fstore).uninstall()
ipaserver.httpinstance.WebGuiInstance().uninstall()
ipaserver.httpinstance.HTTPInstance(fstore).uninstall()
ipaserver.krbinstance.KrbInstance(fstore).uninstall()
ipaserver.dsinstance.DsInstance().uninstall()
fstore.restore_all_files()
return 0
def main():
global ds
global pw_name
ds = None
options = parse_options()
if os.getegid() != 0:
print "Must be root to setup server"
return 1
signal.signal(signal.SIGTERM, signal_handler)
signal.signal(signal.SIGINT, signal_handler)
if options.uninstall:
standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug)
else:
standard_logging_setup("/var/log/ipaserver-install.log", options.debug)
print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
if options.uninstall:
if not options.unattended:
print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
if not user_input("Are you sure you want to continue with the uninstall procedure?", False):
print ""
print "Aborting uninstall operation."
sys.exit(1)
return uninstall()
print "=============================================================================="
print "This program will setup the FreeIPA Server."
print ""
print "This includes:"
if options.conf_ntp:
print " * Configure the Network Time Daemon (ntpd)"
print " * Create and configure an instance of Directory Server"
print " * Create and configure a Kerberos Key Distribution Center (KDC)"
print " * Configure Apache (httpd)"
print " * Configure TurboGears"
if options.setup_bind:
print " * Configure DNS (bind)"
if not options.conf_ntp:
print ""
print "Excluded by options:"
print " * Configure the Network Time Daemon (ntpd)"
print ""
print "To accept the default shown in brackets, press the Enter key."
print ""
check_dirsrv(options.unattended)
ds_user = ""
realm_name = ""
host_name = ""
domain_name = ""
ip_address = ""
master_password = ""
dm_password = ""
admin_password = ""
# check bind packages are installed
if options.setup_bind:
if not ipaserver.bindinstance.check_inst():
print "--setup-bind was specified but bind is not installed on the system"
print "Please install bind and restart the setup program"
return 1
# check the hostname is correctly configured, it must be as the kldap
# utilities just use the hostname as returned by gethostbyname to set
# up some of the standard entries
host_default = ""
if options.host_name:
host_default = options.host_name
else:
host_default = get_fqdn()
if options.unattended:
try:
verify_fqdn(host_default,options.no_host_dns)
except RuntimeError, e:
logging.error(str(e) + "\n")
return 1
host_name = host_default
else:
host_name = read_host_name(host_default,options.no_host_dns)
host_name = host_name.lower()
if not options.domain_name:
domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended)
else:
domain_name = options.domain_name
domain_name = domain_name.lower()
# Check we have a public IP that is associated with the hostname
ip = resolve_host(host_name)
if ip is None:
if options.ip_address:
ip = options.ip_address
if ip is None and options.unattended:
print "Unable to resolve IP address for host name"
return 1
if not verify_ip_address(ip):
ip = ""
if options.unattended:
return 1
if options.ip_address and options.ip_address != ip:
if options.setup_bind:
ip = options.ip_address
else:
print "Error: the hostname resolves to an IP address that is different"
print "from the one provided on the command line. Please fix your DNS"
print "or /etc/hosts file and restart the installation."
return 1
if options.unattended:
if not ip:
print "Unable to resolve IP address"
return 1
if not ip:
ip = read_ip_address(host_name)
ip_address = ip
print "The IPA Master Server will be configured with"
print "Hostname: " + host_name
print "IP address: " + ip_address
print "Domain name: " + domain_name
print ""
if not options.ds_user:
ds_user = read_ds_user()
if ds_user == "":
return 1
else:
ds_user = options.ds_user
if not options.realm_name:
realm_name = read_realm_name(domain_name, options.unattended)
else:
realm_name = options.realm_name.upper()
if not options.dm_password:
dm_password = read_dm_password()
else:
dm_password = options.dm_password
if not options.master_password:
master_password = ipa_generate_password()
else:
master_password = options.master_password
if not options.admin_password:
admin_password = read_admin_password()
else:
admin_password = options.admin_password
if not options.unattended:
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
# Configure ntpd
if options.conf_ntp:
ntp = ipaserver.ntpinstance.NTPInstance(fstore)
ntp.create_instance()
if options.dirsrv_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.dirsrv_pin)
os.close(pw_fd)
# Create a directory server instance
ds = ipaserver.dsinstance.DsInstance()
if options.dirsrv_pkcs12:
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info)
os.remove(pw_name)
else:
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
# Create a kerberos instance
krb = ipaserver.krbinstance.KrbInstance(fstore)
krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
# Create a HTTP instance
if options.http_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.http_pin)
os.close(pw_fd)
http = ipaserver.httpinstance.HTTPInstance(fstore)
if options.http_pkcs12:
pkcs12_info = (options.http_pkcs12, pw_name)
http.create_instance(realm_name, host_name, domain_name, autoconfig=False, pkcs12_info=pkcs12_info)
os.remove(pw_name)
else:
http.create_instance(realm_name, host_name, domain_name, autoconfig=True)
# Create the config file
fstore.backup_file("/etc/ipa/ipa.conf")
fd = open("/etc/ipa/ipa.conf", "w")
fd.write("[defaults]\n")
fd.write("server=" + host_name + "\n")
fd.write("realm=" + realm_name + "\n")
fd.write("domain=" + domain_name + "\n")
fd.close()
# Create a Web Gui instance
webgui = ipaserver.httpinstance.WebGuiInstance()
webgui.create_instance()
bind = ipaserver.bindinstance.BindInstance(fstore)
bind.setup(host_name, ip_address, realm_name, domain_name)
if options.setup_bind:
bind.create_instance()
else:
bind.create_sample_bind_zone()
# Apply any LDAP updates. Needs to be done after the configuration file
# is created
service.print_msg("Applying LDAP updates")
ds.apply_updates()
# Restart ds and krb after configurations have been changed
service.print_msg("restarting the directory server")
ds.restart()
service.print_msg("restarting the KDC")
krb.restart()
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
# Call client install script
try:
run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name])
except Exception, e:
print "Configuration of client side components failed!"
print "ipa-client-install returned: " + str(e)
return 1
print "=============================================================================="
print "Setup complete"
print ""
print "Next steps:"
print "\t1. You must make sure these network ports are open:"
print "\t\tTCP Ports:"
print "\t\t * 80, 443: HTTP/HTTPS"
print "\t\t * 389, 636: LDAP/LDAPS"
print "\t\t * 88, 464: kerberos"
if options.setup_bind:
print "\t\t * 53: bind"
print "\t\tUDP Ports:"
print "\t\t * 88, 464: kerberos"
if options.setup_bind:
print "\t\t * 53: bind"
if options.conf_ntp:
print "\t\t * 123: ntp"
print ""
print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'"
print "\t This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
print "\t and the web user interface."
if not service.is_running("ntpd"):
print "\t3. Kerberos requires time synchronization between clients"
print "\t and servers for correct operation. You should consider enabling ntpd."
print ""
if not options.dirsrv_pkcs12:
print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12"
print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt"
else:
print "In order for Firefox autoconfiguration to work you will need to"
print "use a SSL signing certificate. See the IPA documentation for more details."
print "You also need to install a PEM copy of the HTTP issuing CA into"
print "/usr/share/ipa/html/ca.crt"
return 0
try:
try:
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except Exception, e:
message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e)
print message
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
logging.debug(message)
sys.exit(1)
finally:
if pw_name and ipautil.file_exists(pw_name):
os.remove(pw_name)

130
install/tools/ipa-upgradeconfig Normal file
View File

@@ -0,0 +1,130 @@
#!/usr/bin/python
#
# Upgrade configuration files to a newer template.
import sys
try:
from ipa import ipautil
import krbV
import re
import os
import shutil
import fileinput
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
def backup_file(filename, ext):
"""Make a backup of filename using ext as the extension. Do not overwrite
previous backups."""
if not os.path.isabs(filename):
raise ValueError("Absolute path required")
backupfile = filename + ".bak"
(reldir, file) = os.path.split(filename)
while os.path.exists(backupfile):
backupfile = backupfile + "." + str(ext)
shutil.copy2(filename, backupfile)
def update_conf(sub_dict, filename, template_filename):
template = ipautil.template_file(template_filename, sub_dict)
fd = open(filename, "w")
fd.write(template)
fd.close()
def find_hostname():
"""Find the hostname currently configured in ipa-rewrite.conf"""
filename="/etc/httpd/conf.d/ipa-rewrite.conf"
pattern = "^[\s#]*.*https:\/\/([A-Za-z0-9\.\-]*)\/.*"
p = re.compile(pattern)
for line in fileinput.input(filename):
if p.search(line):
fileinput.close()
return p.search(line).group(1)
fileinput.close()
return None
def find_version(filename):
"""Find the version of a configuration file"""
if os.path.exists(filename):
pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*"
p = re.compile(pattern)
for line in fileinput.input(filename):
if p.search(line):
fileinput.close()
return p.search(line).group(1)
fileinput.close()
# no VERSION found
return 0
else:
return -1
def upgrade(sub_dict, filename, template):
old = int(find_version(filename))
new = int(find_version(template))
if old < 0:
print "%s not found." % filename
sys.exit(1)
if new < 0:
print "%s not found." % template
if old < new:
backup_file(filename, new)
update_conf(sub_dict, filename, template)
print "Upgraded %s to version %d" % (filename, new)
def check_certs(realm_name):
"""Check ca.crt is in the right place, and try to fix if not"""
if not os.path.exists("/usr/share/ipa/html/ca.crt"):
ca_file = "/etc/dirsrv/slapd-" + ("-".join(realm_name.split("."))) + "/cacert.asc"
if os.path.exists(ca_file):
shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
else:
print "Missing Certification Authority file."
print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
def main():
try:
krbctx = krbV.default_context()
except krbV.Krb5Error, e:
print "Unable to get default kerberos realm: %s" % e[1]
sys.exit(1)
try:
check_certs(krbctx.default_realm)
except Error, e:
print "Failed to check CA certificate: %s" % e
try:
fqdn = find_hostname()
except IOError:
# ipa-rewrite.conf doesn't exist, nothing to do
sys.exit(0)
if fqdn is None:
print "Unable to determine hostname from ipa-rewrite.conf"
sys.exit(1)
sub_dict = { "REALM" : krbctx.default_realm, "FQDN": fqdn }
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
try:
if __name__ == "__main__":
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt, e:
sys.exit(1)

57
install/tools/ipactl Normal file
View File

@@ -0,0 +1,57 @@
#!/bin/sh
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#
# IPA control to start/stop the various services required for IPA in the
# proper order
#
function start() {
/sbin/service dirsrv start
/sbin/service ntpd start
/sbin/service krb5kdc start
/sbin/service ipa_kpasswd start
/sbin/service ipa_webgui start
/sbin/service httpd start
}
function stop() {
/sbin/service ipa_webgui stop
/sbin/service ipa_kpasswd stop
/sbin/service httpd stop
/sbin/service krb5kdc stop
/sbin/service dirsrv stop
/sbin/service ntpd stop
}
case "$1" in
restart)
stop
start
;;
start)
start
;;
stop)
stop
;;
*)
echo "Usage: ipactl {start|stop|restart}"
exit 1
;;
esac

27
install/tools/man/Makefile.am Normal file
View File

@@ -0,0 +1,27 @@
# This file will be processed with automake-1.7 to create Makefile.in
AUTOMAKE_OPTIONS = 1.7
NULL=
man1_MANS = \
ipa-replica-install.1 \
ipa-replica-manage.1 \
ipa-replica-prepare.1 \
ipa-server-certinstall.1 \
ipa-server-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1
man8_MANS = \
ipactl.8 \
ipa_kpasswd.8 \
ipa_webgui.8
install-data-hook:
@for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done
@for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
MAINTAINERCLEANFILES = \
Makefile.in \
$(NULL)

45
install/tools/man/ipa-compat-manage.1 Normal file
View File

@@ -0,0 +1,45 @@
.\" A man page for ipa-ldap-updater
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-compat-manage" "1" "Dec 2 2008" "freeipa" ""
.SH "NAME"
ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
.SH "SYNOPSIS"
ipa\-compat\-manage [options] <enable|disable>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable the compat plugin.
Run the command with the \fBdisable\fR option to disable the compat plugin.
In both cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
Directory Server will need to be restarted after the schema compatibility plugin has been enabled.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-y\fR \fIfile\fR
File containing the Directory Manager password
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the plugin is already in the required status (enabled or disabled)

78
install/tools/man/ipa-ldap-updater.1 Normal file
View File

@@ -0,0 +1,78 @@
.\" A man page for ipa-ldap-updater
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "freeipa" ""
.SH "NAME"
ipa\-ldap\-updater \- Update the IPA LDAP configuration
.SH "SYNOPSIS"
ipa\-ldap\-updater [options] input_file(s)
ipa\-ldap\-updater [options]
.SH "DESCRIPTION"
Run with no file arguments, ipa\-ldap\-updater will process all files with the extension .update in /usr/share/ipa/updates.
An update file describes an LDAP entry and a set of operations to be performed on that entry. It can be used to add new entries or modify existing entries. It cannot remove entries, just specific values in a given attribute.
Blank lines and lines beginning with # are ignored.
There are 4 keywords:
* default: the starting value
* add: add a value (or values) to an attribute
* remove: remove a value (or values) from an attribute
* only: set an attribute to this
Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.
The difference between the default and add keywords is if the DN of the entry exists then default is ignored. So for updating something like schema, which will be under cn=schema, you must always use add (because cn=schema is guaranteed to exist). It will not re\-add the same information again and again.
It alsos provide some things that can be templated such as architecture (for plugin paths), realm and domain name.
The available template variables are:
* $REALM \- the kerberos realm (EXAMPLE.COM)
* $FQDN \- the fully\-qualified domain name of the IPA server being updated (ipa.example.com)
* $DOMAIN \- the domain name (example.com)
* $SUFFIX \- the IPA LDAP suffix (dc=example,dc=com)
* $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths
* $TIME \- an integer representation of current time
A few rules:
1. Only one rule per line
2. Each line stands alone (e.g. an only followed by an only results in the last only being used)
3. adding a value that exists is ok. The request is ignored, duplicate values are not added
4. removing a value that doesn't exist is ok. It is simply ignored.
5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied
6. If a DN does exist the default values are skipped
7. Only the first rule on a line is respected
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug
Enable debug logging when more verbose output is needed
.TP
\fB\-t\fR, \fB\-\-test\fR
Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.
.TP
\fB\-y\fR
File containing the Directory Manager password
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if run with in test mode (\-t) and updates are available

41
install/tools/man/ipa-replica-install.1 Normal file
View File

@@ -0,0 +1,41 @@
.\" A man page for ipa-replica-install
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-install" "1" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa\-replica\-install \- Create an IPA replica
.SH "SYNOPSIS"
ipa\-replica\-install [\fIOPTION\fR]... replica_file
.SH "DESCRIPTION"
Configures a new IPA server that is a replica of the server that generated it. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
The replica_file is created using the ipa\-replica\-prepare utility.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug
Enable debug logging when more verbose output is needed
.TP
\fB\-n\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
.TP
\fB\-p\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

70
install/tools/man/ipa-replica-manage.1 Normal file
View File

@@ -0,0 +1,70 @@
.\" A man page for ipa-replica-manage
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-manage" "1" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa\-replica\-manage \- Manage an IPA replica
.SH "SYNOPSIS"
ipa\-replica\-manage [\fIOPTION\fR]... [add|del|list|init|synch] [SERVER]
.SH "DESCRIPTION"
Manages the replication agreements of an IPA server.
.TP
add \- Adds a new replication agreement between two existing IPA servers
.TP
del \- Removes a replication agreement
.TP
list \- Lists the hostnames that HOST IPA server has agreements with
.TP
init \- Forces a full initialization of the IPA server on SERVER from HOST
.TP
synch \- Immediately flush any data to be replicated to SERVER
.SH "OPTIONS"
.TP
\fB\-H HOST\fR, \fB\-\-host\fR=\fIHOST\fR
The IPA server to manage
.TP
\fB\-p DM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Provide additional information
.TP
\fB\-\-winsync\fR
Specifies to create/use a Windows Sync Agreement
.TP
\fB\-\-port\fR=\fISERVER_PORT\fR
Port number of other server (default is 636, the LDAPS port)
.TP
\fB\-\-binddn\fR=\fIADMIN_DN\fR
Bind DN to use with remote server (default is cn=Directory Manager) - Be careful to quote this value on the command line
.TP
\fB--bindpw\fR=\fIADMIN_PWD\fR
Password for Bind DN to use with remote server (default is the DM_PASSWORD above)
.TP
\fB\-\-cacert\fR=\fI/path/to/cacertfile\fR
Full path and filename of CA certificate to use with TLS/SSL to the remote server - this CA certificate will be installed in the directory server's certificate database
.TP
\fB\-\-win-subtree\fR=\fIcn=Users,dc=example,dc=com\fR
DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> - this is typically what Windows AD uses as the default value) - Be careful to quote this value on the command line
.TP
\fB\-\-passsync\fR=\fIPASSSYNC_PWD\fR
Password for the Windows PassSync user.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

48
install/tools/man/ipa-replica-prepare.1 Normal file
View File

@@ -0,0 +1,48 @@
.\" A man page for ipa-replica-prepare
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-prepare" "1" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa\-replica\-prepare \- Create an IPA replica file
.SH "SYNOPSIS"
ipa\-replica\-prepare [\fIOPTION\fR]... hostname
.SH "DESCRIPTION"
Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server.
A replica can only be created on an IPA server installed with ipa\-server\-install (the first server).
You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname.
.SH "OPTIONS"
.TP
\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Directory Server SSL Certificate
.TP
\fB\-\-http_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Apache Server SSL Certificate
.TP
\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
The password of the Directory Server PKCS#12 file
.TP
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

48
install/tools/man/ipa-server-certinstall.1 Normal file
View File

@@ -0,0 +1,48 @@
.\" A man page for ipa-server-certinstall
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-server-certinstall" "1" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa\-server\-certinstall \- Install new SSL server certificates
.SH "SYNOPSIS"
ipa\-server\-certinstall [\fIOPTION\fR]... PKCS12_FILE
.SH "DESCRIPTION"
Replace the current SSL Directory and/or Apache server certificate(s) with the certificate in the PKCS#12 file.
PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-dirsrv\fR
Install the certificate on the Directory Server
.TP
\fB\-w\fR, \fB\-\-http\fR
Install the certificate in the Apache Web Server
.TP
\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
The password of the Directory Server PKCS#12 file
.TP
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred

81
install/tools/man/ipa-server-install.1 Normal file
View File

@@ -0,0 +1,81 @@
.\" A man page for ipa-server-install
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-server-install" "1" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
ipa\-server\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back\-end, configuring Apache, configuring NTP and starting some IPA\-provided services: ipa_kpasswd and ipa_webgui.
.SH "OPTIONS"
.TP
\fB\-u\fR, \fB\-\-user\fR=\fIDS_USER\fR
The user that the Directory Server will run as
.TP
\fB\-r\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm name for the IPA server
.TP
\fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
Your DNS domain name
.TP
\fB\-p\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user
.TP
\fB\-P\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
The kerberos master password (normally autogenerated)
.TP
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
The password for the IPA admin user
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-\-hostname\fR=\fIHOST_NAME\fR
The fully\-qualified DNS name of this server
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.TP
\fB\-\-setup\-bind\fR
Generate a DNS zone file that contains auto\-discovery records for this IPA server
.TP
\fB\-n\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
\fB\-U\fR, \fB\-\-uninstall\fR
Uninstall an existing IPA installation
.TP
\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Directory Server SSL Certificate
.TP
\fB\-\-http_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Apache Server SSL Certificate
.TP
\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
The password of the Directory Server PKCS#12 file
.TP
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
.PP
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred

36
install/tools/man/ipa_kpasswd.8 Normal file
View File

@@ -0,0 +1,36 @@
.\" A man page for ipa_kpasswd
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa_kpasswd" "8" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa_kpasswd \- Proxy Kerberos password change requests
.SH "SYNOPSIS"
ipa_kpasswd
.SH "DESCRIPTION"
Implementation of the kpasswd protocol (RFC 3244).
It is used to proxy password change operations to Directory Server.
.SH "ENVIRONMENT VARIABLES"
.TP
KRB5_KTNAME
Location of the keytab to be used by ipa_kpasswd
.TP
IPA_KPASSWD_DEBUG
Enable additional syslog output from ipa_kpasswd. Setting greater than 0 gets basic output. Setting higher than 100 gets more.
.SH "EXIT STATUS"
\-1 if an error occurred

37
install/tools/man/ipa_webgui.8 Normal file
View File

@@ -0,0 +1,37 @@
.\" A man page for ipa_webgui
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa_webgui" "8" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipa_webgui \- Start the IPA Web User Interface
.SH "SYNOPSIS"
ipa_webgui [\fIOPTION\fR]...
.SH "DESCRIPTION"
Used to start the TurboGears web user interface for IPA
.SH "OPTIONS"
.TP
\fB\-f\fR, \fB\-\-foreground\fR
Remain in the foreground instead of becoming a daemon.
.TP
\fB\-d\fR, \fB\-\-debug\fR
.TP
Increase the amount of logging and print it to stdout instead of logging to /var/log/ipa_error.log
.SH "EXIT STATUS"
1 if an error occurred

37
install/tools/man/ipactl.8 Normal file
View File

@@ -0,0 +1,37 @@
.\" A man page for ipactl
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipactl" "8" "Mar 14 2008" "freeipa" ""
.SH "NAME"
ipactl \- IPA Server Control Interface
.SH "SYNOPSIS"
ipactl \fIcommand\fR
.SH "DESCRIPTION"
A tool to help an administer control an IPA environment.
IPA glues several discrete services together to work in concert and the order that these services are started and stopped is important. ipactl ensures that they are started and stopped in the correct order.
.SH "OPTIONS"
.TP
start
Start all of the services that make up IPA
.TP
stop
Stop all of the services that make up IPA
.TP
restart
Stop then start all of the services that make up IPA

19
install/updates/Makefile.am Normal file
View File

@@ -0,0 +1,19 @@
NULL =
appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
RFC4876.update \
RFC2307bis.update \
nss_ldap.update \
winsync_index.update \
replication.update \
indices.update \
$(NULL)
EXTRA_DIST = \
$(app_DATA) \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in

65
install/updates/RFC2307bis.update Normal file
View File

@@ -0,0 +1,65 @@
#
# Schema derived from RFC 2307bis:
# "An Approach for Using LDAP as a Network Information Service"
#
dn: cn=schema
add: attributeTypes:
( 1.3.6.1.1.1.1.28 NAME 'nisPublickey'
DESC 'nisPublickey'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:attributeTypes:
( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey'
DESC 'nisSecretkey'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:attributeTypes:
( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain'
DESC 'NIS domain'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:attributeTypes:
( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember'
DESC 'mgrpRFC822MailMember'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:attributeTypes:
( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser'
DESC 'nisNetIdUser'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:attributeTypes:
( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup'
DESC 'nisNetIdGroup'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:attributeTypes:
( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost'
DESC 'nisNetIdHost'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC2307bis' )
add:objectClasses:
( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
DESC 'nisKeyObject' SUP top
MUST ( cn $ nisPublickey $ nisSecretkey )
MAY ( uidNumber $ description ) )
add:objectClasses:
( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject'
DESC 'nisDomainObject' SUP top AUXILIARY
MUST ( nisDomain ) )
add:objectClasses:
( 2.16.840.1.113730.3.2.4 NAME 'mailGroup'
DESC 'mailGroup' SUP top
MUST ( mail )
MAY ( cn $ mgrpRFC822MailMember ) )
add:objectClasses:
( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId'
DESC 'nisNetId' SUP top
MUST ( cn )
MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )

146
install/updates/RFC4876.update Normal file
View File

@@ -0,0 +1,146 @@
#
# Schema more or less verbatim from RFC 4876:
# "A Configuration Profile Schema for Lightweight Directory Access
# Protocol (LDAP)-Based Agents"
#
dn: cn=schema
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList'
DESC 'List of default servers'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase'
DESC 'Default base for searches'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList'
DESC 'List of preferred servers'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit'
DESC 'Maximum time an agent or service allows for a
search to complete'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit'
DESC 'Maximum time an agent or service allows for a
bind operation to complete'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals'
DESC 'An agent or service does or should follow referrals'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod'
DESC 'Identifies the types of authentication methods either
used, required, or provided by a service or peer'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL'
DESC 'Time to live, in seconds, before a profile is
considered stale'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap'
DESC 'Attribute mappings used, required, or supported by an
agent or service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel'
DESC 'Identifies type of credentials either used, required,
or supported by an agent or service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap'
DESC 'Object class mappings used, required, or supported by
an agent or service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope'
DESC 'Default scope used when performing a search'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel'
DESC 'Specifies the type of credentials either used, required,
or supported by a specific service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor'
DESC 'Specifies search descriptors required, used, or
supported by a particular service or agent'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod'
DESC 'Specifies types authentication methods either
used, required, or supported by a particular service'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'RFC4876' )
add:attributeTypes:
( 1.3.6.1.4.1.11.1.3.1.1.16 NAME 'dereferenceAliases'
DESC 'Specifies if a service or agent either requires,
supports, or uses dereferencing of aliases.'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
X-ORIGIN 'RFC4876' )
add:objectClasses:
( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile'
SUP top STRUCTURAL
DESC 'Abstraction of a base configuration for a DUA'
MUST ( cn )
MAY ( defaultServerList $ preferredServerList $
defaultSearchBase $ defaultSearchScope $
searchTimeLimit $ bindTimeLimit $
credentialLevel $ authenticationMethod $
followReferrals $ dereferenceAliases $
serviceSearchDescriptor $ serviceCredentialLevel $
serviceAuthenticationMethod $ objectclassMap $
attributeMap $ profileTTL )
X-ORIGIN 'RFC4876' )

18
install/updates/indices.update Normal file
View File

@@ -0,0 +1,18 @@
#
# Some nss_ldap implementations will always ask for memberuid so we must
# have an index for it.
#
dn: cn=memberuid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberuid
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq,pres
dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
default:cn: memberof
default:ObjectClass: top
default:ObjectClass: nsIndex
default:nsSystemIndex: false
default:nsIndexType: eq

33
install/updates/nss_ldap.update Normal file
View File

@@ -0,0 +1,33 @@
#
# Add profile for RFC 4876 agents (Solaris and HP/ux)
#
# Update the top-level entry
dn: $SUFFIX
add:objectClass: domain
add:objectClass: domainRelatedObject
add:objectClass: nisDomainObject
add:associatedDomain: $DOMAIN
add:nisDomain: $DOMAIN
# Add a place to store the nss_ldap default profile
dn: ou=profile,$SUFFIX
add: objectClass: top
add: objectClass: organizationalUnit
add: ou: profiles
# The DUA profile. On Solaris one can run:
# ldap_client init ipa.example.com
dn: cn=default,ou=profile,$SUFFIX
default:ObjectClass: top
default:ObjectClass: DUAConfigProfile
default:defaultServerList: $FQDN
default:defaultSearchBase: $SUFFIX
default:authenticationMethod: none
default:searchTimeLimit: 15
default:cn: default
default:serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
default:serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
default:bindTimeLimit: 5
default:objectClassMap: shadow:shadowAccount=posixAccount
default:followReferrals:TRUE

9
install/updates/replication.update Normal file
View File

@@ -0,0 +1,9 @@
#
# Counter used to store the next replica id
#
# Start at 3 to avoid conflicts with v1.0 replica ids. The value itself
# isn't important but each replica needs a unique id.
dn: cn=replication,cn=etc,$SUFFIX
add: objectclass: nsDS5Replica
add: nsDS5ReplicaId: 3
add: nsDS5ReplicaRoot: '$SUFFIX'

10
install/updates/winsync_index.update Normal file
View File

@@ -0,0 +1,10 @@
#
# Make sure winsync attributes have the correct indexing
#
dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only: nsIndexType: eq,pres
dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
only: nsIndexType: eq,pres