[Freeipa-devel] [PATCH] a step closer to the final directory layout
Pete Rowley
prowley at redhat.com
Wed Aug 29 22:59:23 UTC 2007
Comments inline, denoted by #PARPAR:
Simo Sorce wrote:
> After a nice discussion with Pete we are coming close to the final
> Directory Layout.
> Patch attached.
>
> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User Simo Sorce <ssorce at redhat.com>
> # Date 1188425225 14400
> # Node ID ded52fae81587a7a1619294e75064bdde671151a
> # Parent 7aba398c4d982402d86a4cfd91bdde383884b3d3
> Finalize DIT, this is what we are probably going to have in the end,
> or something very close to this one
> Add default groups and admin user
>
> TODO: need to discuss more in depth uid/gid generation, this will
> probably change as soon as the DNA plugin is activated
>
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/share/bootstrap-template.ldif
> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif Wed Aug 29 18:07:05 2007 -0400
> @@ -4,55 +4,78 @@ objectClass: pilotObject
> objectClass: pilotObject
> info: IPA V1.0
>
> -# default, $REALM
> -dn: ou=default,$SUFFIX
> +dn: cn=accounts,$SUFFIX
> changetype: add
> -objectClass: organizationalUnit
> objectClass: top
> -ou: default
> +objectClass: nsContainer
> +cn: accounts
>
> -# users, default, $REALM
> -dn: ou=users,ou=default,$SUFFIX
> +dn: cn=users,cn=accounts,$SUFFIX
> changetype: add
> -objectClass: organizationalUnit
> objectClass: top
> -ou: users
> +objectClass: nsContainer
> +cn: users
>
> -# groups, default, $REALM
> -dn: ou=groups,ou=default,$SUFFIX
> +dn: cn=groups,ou=accounts,$SUFFIX
> changetype: add
> -objectClass: organizationalUnit
> objectClass: top
> -ou: groups
> +objectClass: nsContainer
> +cn: groups
>
> -# computers, default, $REALM
> -#dn: ou=computers,ou=default,$SUFFIX
> -#objectClass: organizationalUnit
> +#dn: cn=computers,cn=accounts,$SUFFIX
> #objectClass: top
> -#ou: computers
> +#objectClass: nsContainer
> +#cn: computers
>
> -dn: ou=special,$SUFFIX
> +dn: cn=etc,$SUFFIX
> changetype: add
> -objectClass: organizationalUnit
> +objectClass: nsContainer
> objectClass: top
> -ou: special
> +cn: etc
>
> -dn: uid=webservice,ou=special,$SUFFIX
> +dn: cn=sysaccounts,cn=etc,$SUFFIX
> changetype: add
> +objectClass: nsContainer
> +objectClass: top
> +cn: sysaccounts
> +
> +dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: account
> uid: webservice
> -objectClass: account
> +
> +dn: uid=admin,cn=users,cn=accounts,$SUFFIX
>
#PARPAR: I think this should be in cn=sysaccounts, cn=etc
> +changetype: add
> objectClass: top
> +objectClass: person
> +objectClass: organizationalPerson
>
#PARPAR: I also think it should _not_ be an organizationalPerson (or
person), this is truly an account unrelated to meat space
> objectClass: inetOrgPerson
> -objectClass: organizationalPerson
> -objectClass: person
> -cn: Web Service
> -sn: Service
> +objectClass: posixAccount
> +objectClass: KrbPrincipalAux
> +uid: admin
> +krbPrincipalName: admin@$REALM
> +cn: Administrator
> +sn: Administrator
> +uidNumber: 1000
> +gidNumber: 1001
> +homeDirectory: /home/admin
> +loginShell: /bin/bash
> +gecos: Administrator
>
> -dn: cn=admin,ou=groups,ou=default,$SUFFIX
> +dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
> changetype: add
> -description: ou=users administrators
>
#PARPAR: description: Account administrator group
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: posixGroup
> -gidNumber: 500
> -cn: admin
> +cn: admins
>
#PARPAR: Account Admins?
> +gidNumber: 1001
> +uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
>
#PARPAR: strictly speaking this admin doesn't need to be here - it's the
uber account
> +
> +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: groupofuniquenames
> +objectClass: posixGroup
> +gidNumber: 1002
> +cn: ipausers
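Review bot: the parent DN in `+dn: cn=groups,ou=accounts,$SUFFIX` is wrong: the container this hunk adds a few lines earlier is `cn=accounts,$SUFFIX`, so this add will be rejected with noSuchObject and every later reference to `cn=groups,cn=accounts,$SUFFIX` (the admins and ipausers groups, the ACIs, funcs.py) will point at a container that was never created; it should read `dn: cn=groups,cn=accounts,$SUFFIX`. Separately, the admins group's `+uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX` does not match the admin entry this same hunk creates at `uid=admin,cn=users,cn=accounts,$SUFFIX`, so whichever location is settled on, the member DN and the entry DN have to agree or the group is effectively empty. The admin entry also hardcodes `uidNumber: 1000` and `gidNumber: 1001` next to group gids 1001 and 1002; since the commit message already flags uid/gid allocation as a TODO, a comment in the template marking these as temporary hand-allocated values would help whoever wires up DNA.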
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/share/default-aci.ldif
> --- a/ipa-server/ipa-install/share/default-aci.ldif Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/share/default-aci.ldif Wed Aug 29 18:07:05 2007 -0400
> @@ -3,12 +3,9 @@ changetype: modify
> changetype: modify
> replace: aci
> aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
#PARPAR: I think the anonymous aci should be limited to the cn=accounts
entry and we need to look through the current schema and whitelist
things that seem less sensitive and/or are required for common systems
like email to work rather than this blacklist-a-few approach.
> -aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
> -aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
> -aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
> -aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
> -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
> -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";)
> -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
> -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";)
> -aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
> +aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
>
#PARPAR: mighty they may be but "Admin can do anything" is more descriptive
> +aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
> +aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
> +aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
>
#PARPAR: hmm, skeptical about allowing anything to search on a password
- why is this needed?
> +aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
> +aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>
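Review bot: the subject DN in `+aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)` does not match where bootstrap-template.ldif in this same patch creates the admin (`uid=admin,cn=users,cn=accounts,$SUFFIX`), so as written the rule grants nothing to the account that actually exists; pick one DN and use it in both files. While on that line, quote the attribute list as `targetattr="*"` like every other ACI in the file, and fix the two `passowrd` typos in the Kpasswd ACL name. Also worth stating in the commit message: the "Enable self write for common attributes" and "Directory Administrators can manage all entries" rules are removed with no replacement, so after this change ordinary users cannot modify any of their own attributes and write access exists only for the new admin DN, the admins group and the kadmin/changepw principal; if that is intended it should be said, and if not, the self-write rule needs to come back (ideally with a shorter attribute list than the old one).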
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/share/kerberos.ldif
> --- a/ipa-server/ipa-install/share/kerberos.ldif Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/share/kerberos.ldif Wed Aug 29 18:07:05 2007 -0400
> @@ -1,26 +1,35 @@
> +#kerberos user
> +dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
> +changetype: add
> +objectclass: account
> +objectclass: simplesecurityobject
> +uid: kdc
> +userPassword: $PASSWORD
> +
> #kerberos base object
> dn: cn=kerberos,$SUFFIX
> changetype: add
> objectClass: krbContainer
> objectClass: top
> cn: kerberos
> -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
> -
> -#kerberos user
> -dn: uid=kdc,cn=kerberos,$SUFFIX
> -changetype: add
> -objectclass: account
> -objectclass: simplesecurityobject
> -uid: kdc
> -userPassword: $PASSWORD
> +aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
>
> #sasl mapping
> -dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
> +dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
>
#PARPAR: cn=full principal more descriptive
> changetype: add
> objectclass: top
> objectclass: nsSaslMapping
> -cn: kerberos
> +cn: fullprinc
> nsSaslMapRegexString: \(.*\)@\(.*\)
> nsSaslMapBaseDNTemplate: $SUFFIX
> nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
>
> +dn: cn=justname,cn=mapping,cn=sasl,cn=config
>
#PARPAR: cn=name only?
> +changetype: add
> +objectclass: top
> +objectclass: nsSaslMapping
> +cn: justname
> +nsSaslMapRegexString: \(.*\)
> +nsSaslMapBaseDNTemplate: $SUFFIX
> +nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
> +
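Review bot: the relocated `+dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX` entry now depends on `cn=etc` and `cn=sysaccounts` already existing, and those are created by bootstrap-template.ldif, whereas the old location only needed `cn=kerberos,$SUFFIX`, which this file creates itself; the installer must therefore load kerberos.ldif after bootstrap-template.ldif, and the dependency deserves a comment at the top of this file. On the new `justname` mapping, `+nsSaslMapRegexString: \(.*\)` matches every identity string, including full `user@REALM` principals, so both mappings apply to the same input and the result depends on which mapping the server evaluates first; anchoring the pattern and excluding `@`, along the lines of `^\([^@]*\)$`, keeps the two mappings disjoint. Note also that the `aci:` kept on `cn=kerberos` still grants the kdc account `allow (all)` over that subtree while default-aci.ldif limits it to specific krb* attributes everywhere else; if the broad grant is only needed for the realm container that is fine, but it should be documented next to the narrower rules.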
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/test/test-users-template.ldif
> --- a/ipa-server/ipa-install/test/test-users-template.ldif Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/test/test-users-template.ldif Wed Aug 29 18:07:05 2007 -0400
> @@ -1,30 +1,22 @@
> # test, users, default, $REALM
> -dn: uid=test,ou=users,ou=default,$SUFFIX
> +dn: uid=test,cn=users,cn=accounts,$SUFFIX
> changetype: add
> -uidNumber: 1001
> +uidNumber: 1003
> uid: test
> gecos: test
> homeDirectory: /home/test
> loginShell: /bin/bash
> -shadowMin: 0
> -shadowWarning: 7
> -shadowMax: 99999
> -shadowExpire: -1
> -shadowInactive: -1
> -shadowLastChange: 13655
> -shadowFlag: -1
> -gidNumber: 100
> +gidNumber: 1002
> objectclass: krbPrincipalAux
> objectclass: inetOrgPerson
> objectClass: posixAccount
> -objectClass: shadowAccount
> objectClass: account
> objectClass: top
> cn: Test User
> sn: User
> krbPrincipalName: test@$REALM
>
> -dn: cn=admin,ou=groups,ou=default,$SUFFIX
> +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
> changetype: modify
> add: uniqueMember
> -uniqueMember: uid=test,ou=users,ou=default,$SUFFIX
> +uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
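Review bot: the membership modify now targets `cn=ipausers,cn=groups,cn=accounts,$SUFFIX` where the old file put the test user into the admin group, so any test that relied on `uid=test` having the admins' write ACI will now fail with insufficient access; if the demotion is deliberate the commit message should say so, otherwise a second modify adding test to `cn=admins` is needed. The new `+uidNumber: 1003` and `+gidNumber: 1002` continue the hand-allocated sequence from bootstrap-template.ldif (admin 1000, admins 1001, ipausers 1002), which only stays collision-free while both files are edited together; a comment pointing at the other file would help until DNA takes over.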
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/xmlrpc-server/funcs.py
> --- a/ipa-server/xmlrpc-server/funcs.py Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/xmlrpc-server/funcs.py Wed Aug 29 18:07:05 2007 -0400
> @@ -37,8 +37,8 @@ import re
> # Need a global to store this between requests
> _LDAPPool = None
>
> -DefaultUserContainer = "ou=users,ou=default"
> -DefaultGroupContainer = "ou=groups,ou=default"
> +DefaultUserContainer = "cn=users,cn=accounts"
> +DefaultGroupContainer = "cn=groups,cn=accounts"
>
> #
> # Apache runs in multi-process mode so each process will have its own
>
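Review bot: `DefaultUserContainer` and `DefaultGroupContainer` are now a second hand-maintained copy of the layout defined in bootstrap-template.ldif, and the two already disagree within this patch (the LDIF adds the groups container under `ou=accounts` while the code expects `cn=groups,cn=accounts`); either derive these constants from the same template the installer uses or at least cross-reference the two files in a comment so the layout cannot change in one place only.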
> ------------------------------------------------------------------------
>
--
Pete