freeipa/install/share/bootstrap-template.ldif
Christian Heimes 4911a3f055 Prevent local account takeover
It was found that if an account with a name corresponding to an account
local to a system, such as 'root', was created via IPA, such an account
could access any enrolled machine with that account and the local system
privileges. This also bypasses the absence of explicit HBAC rules.

root principal alias
-------------------

The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevents a user with the "User Administrator" role or
"System: Add User" privilege from creating an account with the "root"
principal name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on the
posixaccount object class. This prevents user managers from modifying admin
accounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allows a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing the login shell or notification channels
(mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 22:44:42 +03:00
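An added audit check, not part of this commit or of FreeIPA's own code, that parses a users LDIF dump and verifies the two properties the fix relies on: uid=admin carries the root@REALM principal alias, and no other posixaccount entry is named after a local system account through its uid or a principal alias. The realm EXAMPLE.TEST, the sample entries and the LOCAL_ACCOUNTS list are constructed assumptions.

```python
# Assumptions: LOCAL_ACCOUNTS would come from enrolled hosts' /etc/passwd; SAMPLE_LDIF is constructed.
LOCAL_ACCOUNTS = {"root", "bin", "daemon", "adm", "nobody"}
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: admin
krbPrincipalName: admin@EXAMPLE.TEST
krbPrincipalName: root@EXAMPLE.TEST

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: bob
krbPrincipalName: bob@EXAMPLE.TEST
krbPrincipalName:daemon@EXAMPLE.TEST
"""

def parse_ldif(text):
    """One {attr_lower: [values]} dict per blank-line-separated entry; '#' lines are comments."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():  # blank line closes the current entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")  # 'attr:value' without a space is legal LDIF
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def admin_has_root_alias(entries, realm):
    """True if uid=admin carries both admin@REALM and the root@REALM alias introduced by the fix."""
    admins = [e for e in entries if e.get("uid") == ["admin"]]
    wanted = {f"admin@{realm}", f"root@{realm}"}
    return bool(admins) and wanted <= set(admins[0].get("krbprincipalname", []))

def local_name_collisions(entries, realm, local_names=LOCAL_ACCOUNTS):
    """(dn, name) per non-admin posixaccount whose uid or principal local part is a local account name."""
    hits = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes or e.get("uid") == ["admin"]:
            continue  # admin is exempt: the fix deliberately gives it root@REALM
        names = set(e.get("uid", [])) | {p.split("@")[0] for p in e.get("krbprincipalname", [])
                                          if p.endswith("@" + realm)}
        hits += [(e["dn"][0], n) for n in sorted(names) if n.lower() in local_names]
    return hits
```

Run it against the output of an `ldapsearch` over `cn=users,cn=accounts` to audit a live deployment; a non-empty collision list is the condition the commit's new target filters are meant to prevent.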

dn: cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: accounts

dn: cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: users

dn: cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: groups

dn: cn=services,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: services

dn: cn=computers,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: computers

dn: cn=hostgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hostgroups

dn: cn=ipservices,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: ipservices

dn: cn=alt,$SUFFIX
changetype: add
objectClass: nsContainer
cn: alt

dn: cn=ng,cn=alt,$SUFFIX
changetype: add
objectClass: nsContainer
cn: ng

dn: cn=automount,$SUFFIX
changetype: add
objectClass: nsContainer
cn: automount

dn: cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: nsContainer
cn: default

dn: automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: automountMap
automountMapName: auto.master

dn: automountmapname=auto.direct,cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: automountMap
automountMapName: auto.direct

dn: description=/- auto.direct,automountmapname=auto.master,cn=default,cn=automount,$SUFFIX
changetype: add
objectClass: automount
automountKey: /-
automountInformation: auto.direct
description: /- auto.direct

dn: cn=hbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hbac

dn: cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hbacservices

dn: cn=hbacservicegroups,cn=hbac,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: hbacservicegroups

dn: cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudo

dn: cn=sudocmds,cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudocmds

dn: cn=sudocmdgroups,cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudocmdgroups

dn: cn=sudorules,cn=sudo,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: sudorules

dn: cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: etc

dn: cn=locations,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: locations

dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: sysaccounts

dn: cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ipa

dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: masters

dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: replicas

dn: cn=dna,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: dna

dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: posix-ids

dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ca_renewal

dn: cn=certificates,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: certificates

dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: custodia

dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: dogtag

dn: cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/$HOST@$REALM
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/$HOST@$REALM

dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
uid: admin
krbPrincipalName: admin@$REALM
krbPrincipalName: root@$REALM
cn: Administrator
sn: Administrator
uidNumber: $IDSTART
gidNumber: $IDSTART
homeDirectory: /home/admin
loginShell: $DEFAULT_ADMIN_SHELL
gecos: Administrator
nsAccountLock: FALSE
ipaUniqueID: autogenerate

dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
cn: admins
description: Account administrators group
gidNumber: $IDSTART
member: uid=admin,cn=users,cn=accounts,$SUFFIX
nsAccountLock: FALSE
ipaUniqueID: autogenerate

dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: autogenerate

dn: cn=editors,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
gidNumber: eval($IDSTART+2)
description: Limited admins who can edit other users
cn: editors
ipaUniqueID: autogenerate

dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: ipaobject
objectClass: ipahostgroup
description: IPA server hosts
cn: ipaservers
ipaUniqueID: autogenerate

dn: cn=sshd,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: sshd
description: sshd
ipauniqueid:autogenerate

dn: cn=ftp,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: ftp
description: ftp
ipauniqueid:autogenerate

dn: cn=su,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: su
description: su
ipauniqueid:autogenerate

dn: cn=login,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: login
description: login
ipauniqueid:autogenerate

dn: cn=su-l,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: su-l
description: su with login shell
ipauniqueid:autogenerate

dn: cn=sudo,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: sudo
description: sudo
ipauniqueid:autogenerate

dn: cn=sudo-i,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: sudo-i
description: sudo-i
ipauniqueid:autogenerate

dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: systemd-user
description: pam_systemd and systemd user@.service
ipauniqueid:autogenerate

dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: gdm
description: gdm
ipauniqueid:autogenerate

dn: cn=gdm-password,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: gdm-password
description: gdm-password
ipauniqueid:autogenerate

dn: cn=kdm,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
objectclass: ipaobject
cn: kdm
description: kdm
ipauniqueid:autogenerate

dn: cn=Sudo,cn=hbacservicegroups,cn=hbac,$SUFFIX
changetype: add
objectClass: ipaobject
objectClass: ipahbacservicegroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
cn: Sudo
ipauniqueid:autogenerate
description: Default group of Sudo related services
member: cn=sudo,cn=hbacservices,cn=hbac,$SUFFIX
member: cn=sudo-i,cn=hbacservices,cn=hbac,$SUFFIX

dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
objectClass: ipaGuiConfig
objectClass: ipaConfigObject
ipaUserSearchFields: uid,givenname,sn,telephonenumber,ou,title
ipaGroupSearchFields: cn,description
ipaSearchTimeLimit: 2
ipaSearchRecordsLimit: 100
ipaHomesRootDir: /home
ipaDefaultLoginShell: $DEFAULT_SHELL
ipaDefaultPrimaryGroup: ipausers
ipaMaxUsernameLength: 32
ipaMaxHostnameLength: 64
ipaPwdExpAdvNotify: 4
ipaGroupObjectClasses: top
ipaGroupObjectClasses: groupofnames
ipaGroupObjectClasses: nestedgroup
ipaGroupObjectClasses: ipausergroup
ipaGroupObjectClasses: ipaobject
ipaUserObjectClasses: top
ipaUserObjectClasses: person
ipaUserObjectClasses: organizationalperson
ipaUserObjectClasses: inetorgperson
ipaUserObjectClasses: inetuser
ipaUserObjectClasses: posixaccount
ipaUserObjectClasses: krbprincipalaux
ipaUserObjectClasses: krbticketpolicyaux
ipaUserObjectClasses: ipaobject
ipaUserObjectClasses: ipasshuser
ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
ipaConfigString: KDC:Disable Last Success
ipaSELinuxUserMapOrder: $SELINUX_USERMAP_ORDER
ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT

dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: nsContainer
cn: cosTemplates

# templates for this cos definition are managed by the pwpolicy plugin
dn: cn=Password Policy,cn=accounts,$SUFFIX
changetype: add
description: Password Policy based on group membership
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
cosAttribute: krbPwdPolicyReference override
cosSpecifier: memberOf

dn: cn=selinux,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: selinux

dn: cn=usermap,cn=selinux,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: usermap

dn: cn=ranges,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: ranges

dn: cn=${REALM}_id_range,cn=ranges,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: ipaIDrange
objectClass: ipaDomainIDRange
cn: ${REALM}_id_range
ipaBaseID: $IDSTART
ipaIDRangeSize: $IDRANGE_SIZE
ipaRangeType: ipa-local

dn: cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: ca

dn: cn=certprofiles,cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: certprofiles

dn: cn=caacls,cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: caacls

dn: cn=cas,cn=ca,$SUFFIX
changetype: add
objectClass: nsContainer
objectClass: top
cn: cas