[Freeipa-devel] [PATCH] a step closer to the final directory layout

Pete Rowley prowley at redhat.com
Wed Aug 29 22:59:23 UTC 2007


Comments inline, denoted by #PARPAR:

Simo Sorce wrote:
> After a nice discussion with Pete we are coming close to the final
> Directory Layout.
>  Patch attached.
>   
> ------------------------------------------------------------------------
>
> # HG changeset patch
> # User Simo Sorce <ssorce at redhat.com>
> # Date 1188425225 14400
> # Node ID ded52fae81587a7a1619294e75064bdde671151a
> # Parent  7aba398c4d982402d86a4cfd91bdde383884b3d3
> Finalize DIT, this is what we are probably going to have in the end,
> or something very close to this one
> Add default groups and admin user
>
> TODO: need to discuss uid/gid generation in more depth, this will
>       probably change as soon as the DNA plugin is activated
>
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/share/bootstrap-template.ldif
> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif	Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif	Wed Aug 29 18:07:05 2007 -0400
> @@ -4,55 +4,78 @@ objectClass: pilotObject
>  objectClass: pilotObject
>  info: IPA V1.0
>  
> -# default, $REALM
> -dn: ou=default,$SUFFIX
> +dn: cn=accounts,$SUFFIX
>  changetype: add
> -objectClass: organizationalUnit
>  objectClass: top
> -ou: default
> +objectClass: nsContainer
> +cn: accounts
>  
> -# users, default, $REALM
> -dn: ou=users,ou=default,$SUFFIX
> +dn: cn=users,cn=accounts,$SUFFIX
>  changetype: add
> -objectClass: organizationalUnit
>  objectClass: top
> -ou: users
> +objectClass: nsContainer
> +cn: users
>  
> -# groups, default, $REALM
> -dn: ou=groups,ou=default,$SUFFIX
> +dn: cn=groups,ou=accounts,$SUFFIX
>  changetype: add
> -objectClass: organizationalUnit
>  objectClass: top
> -ou: groups
> +objectClass: nsContainer
> +cn: groups
>  
> -# computers, default, $REALM
> -#dn: ou=computers,ou=default,$SUFFIX
> -#objectClass: organizationalUnit
> +#dn: cn=computers,cn=accounts,$SUFFIX
>  #objectClass: top
> -#ou: computers
> +#objectClass: nsContainer
> +#cn: computers
>  
> -dn: ou=special,$SUFFIX
> +dn: cn=etc,$SUFFIX
>  changetype: add
> -objectClass: organizationalUnit
> +objectClass: nsContainer
>  objectClass: top
> -ou: special
> +cn: etc
>  
> -dn: uid=webservice,ou=special,$SUFFIX
> +dn: cn=sysaccounts,cn=etc,$SUFFIX
>  changetype: add
> +objectClass: nsContainer
> +objectClass: top
> +cn: sysaccounts
> +
> +dn: uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: account
>  uid: webservice
> -objectClass: account
> +
> +dn: uid=admin,cn=users,cn=accounts,$SUFFIX
>   
#PARPAR: I think this should be in cn=sysaccounts, cn=etc
> +changetype: add
>  objectClass: top
> +objectClass: person
> +objectClass: organizationalPerson
>   
#PARPAR: I also think it should _not_ be an organizationalPerson (or 
person); this is truly an account unrelated to meatspace
>  objectClass: inetOrgPerson
> -objectClass: organizationalPerson
> -objectClass: person
> -cn: Web Service
> -sn: Service
> +objectClass: posixAccount
> +objectClass: KrbPrincipalAux
> +uid: admin
> +krbPrincipalName: admin@$REALM
> +cn: Administrator
> +sn: Administrator
> +uidNumber: 1000
> +gidNumber: 1001
> +homeDirectory: /home/admin
> +loginShell: /bin/bash
> +gecos: Administrator
>  
> -dn: cn=admin,ou=groups,ou=default,$SUFFIX
> +dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
>  changetype: add
> -description: ou=users administrators
>   
#PARPAR: description: Account administrator group
>  objectClass: top
>  objectClass: groupofuniquenames
>  objectClass: posixGroup
> -gidNumber: 500
> -cn: admin
> +cn: admins
>   
#PARPAR: Account Admins?
> +gidNumber: 1001
> +uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX
>   
#PARPAR: strictly speaking this admin doesn't need to be here - it's the 
uber account
> +
> +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: groupofuniquenames
> +objectClass: posixGroup
> +gidNumber: 1002
> +cn: ipausers
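Review bot: the group container is added as `+dn: cn=groups,ou=accounts,$SUFFIX` while the container created a few lines above is `cn=accounts,$SUFFIX`, so this add has no parent and the install will fail there (and every other reference in the patch, `cn=admins,cn=groups,cn=accounts,$SUFFIX`, `cn=ipausers,cn=groups,cn=accounts,$SUFFIX` and `DefaultGroupContainer` in funcs.py, expects `cn=groups,cn=accounts`); change it to `+dn: cn=groups,cn=accounts,$SUFFIX`. In the same hunk, `uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX` does not match the admin entry added as `uid=admin,cn=users,cn=accounts,$SUFFIX`, so the admins group starts out with a dangling member; whichever location the thread settles on, the entry DN and the member value need to agree.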
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/share/default-aci.ldif
> --- a/ipa-server/ipa-install/share/default-aci.ldif	Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/share/default-aci.ldif	Wed Aug 29 18:07:05 2007 -0400
> @@ -3,12 +3,9 @@ changetype: modify
>  changetype: modify
>  replace: aci
>  aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
#PARPAR: I think the anonymous aci should be limited to the cn=accounts 
entry and we need to look through the current schema and whitelist 
things that seem less sensitive and/or are required for common systems 
like email to work rather than this blacklist-a-few approach.
> -aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
> -aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
> -aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
> -aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (all) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
> -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
> -aci: (target="ldap:///uid=*,ou=users,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
> -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";)
> -aci: (target="ldap:///cn=*,ou=groups,ou=default,$SUFFIX")(targetattr="*")(version 3.0; acl "admins can write entries"; allow(add,delete,write)groupdn="ldap:///cn=admin,ou=groups,ou=default,$SUFFIX";) 
> -aci: (targetattr="userPrincipal")(version 3.0; acl "allow webservice to find users by kerberos principal name"; allow (read, search) userdn="ldap:///uid=webservice,ou=special,$SUFFIX";) 
> +aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
>   
#PARPAR: mighty they may be but "Admin can do anything" is more descriptive
> +aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
> +aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
> +aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, search, compare, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
>   
#PARPAR: hmm, skeptical about allowing anything to search on a password 
- why is this needed?
> +aci: (targetfilter="(&(objectClass=krbPrincipalAux)(|(objectClass=person)(objectClass=posixAccount)))")(targetattr="*")(version 3.0; acl "allowproxy-webservice"; allow (proxy) userdn="ldap:///uid=webservice,cn=sysaccounts,cn=etc,$SUFFIX";)
> +aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "admins can write entries"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>   
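Review bot: the `Admin has mighty powers` ACI grants `all` to `userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX"`, but bootstrap-template.ldif in this same patch creates the admin as `uid=admin,cn=users,cn=accounts,$SUFFIX`, so as written the ACI applies to no existing entry. The new `admins can write entries` ACI only targets person/posixAccount/krbPrincipalAux and group objects, and the old `Directory Administrators can manage all entries` ACI is removed without replacement, so after this patch nothing short of Directory Manager can manage `cn=etc` entries such as `uid=kdc` or the ACIs themselves. Either point the userdn at the DN the admin entry actually has, or grant `all` to `groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX"` so the bootstrap admin is not special-cased. Two smaller points: the two new KDC ACIs both carry the name `"KDC System Account"`, which makes access-log and `ldapsearch` output ambiguous, so give the read/write one its own name; and `(targetattr=*)` is unquoted while every other ACI in the file uses `(targetattr="*")`.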
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/share/kerberos.ldif
> --- a/ipa-server/ipa-install/share/kerberos.ldif	Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/share/kerberos.ldif	Wed Aug 29 18:07:05 2007 -0400
> @@ -1,26 +1,35 @@
> +#kerberos user
> +dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
> +changetype: add
> +objectclass: account
> +objectclass: simplesecurityobject
> +uid: kdc
> +userPassword: $PASSWORD
> +
>  #kerberos base object
>  dn: cn=kerberos,$SUFFIX
>  changetype: add
>  objectClass: krbContainer
>  objectClass: top
>  cn: kerberos
> -aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
> -
> -#kerberos user
> -dn: uid=kdc,cn=kerberos,$SUFFIX
> -changetype: add
> -objectclass: account
> -objectclass: simplesecurityobject
> -uid: kdc
> -userPassword: $PASSWORD
> +aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
>  
>  #sasl mapping
> -dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
> +dn: cn=fullprinc,cn=mapping,cn=sasl,cn=config
>   
#PARPAR: cn=full principal more descriptive
>  changetype: add
>  objectclass: top
>  objectclass: nsSaslMapping
> -cn: kerberos
> +cn: fullprinc
>  nsSaslMapRegexString: \(.*\)@\(.*\)
>  nsSaslMapBaseDNTemplate: $SUFFIX
>  nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
>  
> +dn: cn=justname,cn=mapping,cn=sasl,cn=config
>   
#PARPAR: cn=name only?
> +changetype: add
> +objectclass: top
> +objectclass: nsSaslMapping
> +cn: justname
> +nsSaslMapRegexString: \(.*\)
> +nsSaslMapBaseDNTemplate: $SUFFIX
> +nsSaslMapFilterTemplate: (krbPrincipalName=\1@$REALM)
> +
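Review bot: the `justname` mapping's `nsSaslMapRegexString: \(.*\)` is unanchored and matches every authentication identity, including the `user@REALM` forms the `fullprinc` mapping above is meant for, so which mapping applies to a given bind depends on the server's evaluation order rather than on the input; restrict it to identities without an `@`, e.g. `nsSaslMapRegexString: ^\([^@]*\)$`, so the two mappings are disjoint and a foreign-realm principal cannot be rewritten into `(krbPrincipalName=foo@OTHER.REALM@$REALM)`. Both filter templates also search the whole `$SUFFIX` for `krbPrincipalName`, so a GSSAPI bind resolves to whichever entry anywhere under the suffix carries that principal; that is fine as long as only the KDC and admins can write `krbPrincipalName`, which is what the default-aci hunk currently arranges, but it is worth a comment here so nobody later adds a self-write ACI for that attribute.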
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/ipa-install/test/test-users-template.ldif
> --- a/ipa-server/ipa-install/test/test-users-template.ldif	Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/ipa-install/test/test-users-template.ldif	Wed Aug 29 18:07:05 2007 -0400
> @@ -1,30 +1,22 @@
>  # test, users, default, $REALM
> -dn: uid=test,ou=users,ou=default,$SUFFIX
> +dn: uid=test,cn=users,cn=accounts,$SUFFIX
>  changetype: add
> -uidNumber: 1001
> +uidNumber: 1003
>  uid: test
>  gecos: test
>  homeDirectory: /home/test
>  loginShell: /bin/bash
> -shadowMin: 0
> -shadowWarning: 7
> -shadowMax: 99999
> -shadowExpire: -1
> -shadowInactive: -1
> -shadowLastChange: 13655
> -shadowFlag: -1
> -gidNumber: 100
> +gidNumber: 1002
>  objectclass: krbPrincipalAux
>  objectclass: inetOrgPerson
>  objectClass: posixAccount
> -objectClass: shadowAccount
>  objectClass: account
>  objectClass: top
>  cn: Test User
>  sn: User
>  krbPrincipalName: test@$REALM
>  
> -dn: cn=admin,ou=groups,ou=default,$SUFFIX
> +dn: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
>  changetype: modify
>  add: uniqueMember
> -uniqueMember: uid=test,ou=users,ou=default,$SUFFIX
> +uniqueMember: uid=test,cn=users,cn=accounts,$SUFFIX
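Review bot: the comment `# test, users, default, $REALM` at the top of the hunk still describes the old `ou=users,ou=default` layout that this hunk replaces; update it to the new container or drop it. The hard-coded `uidNumber: 1003` / `gidNumber: 1002` also silently depend on bootstrap-template.ldif having used 1000, 1001 and 1002; the commit message already flags uid/gid generation as a TODO, so a one-line comment saying these must stay clear of the bootstrap IDs until the DNA plugin takes over would save the next person a collision.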
> diff -r 7aba398c4d98 -r ded52fae8158 ipa-server/xmlrpc-server/funcs.py
> --- a/ipa-server/xmlrpc-server/funcs.py	Tue Aug 28 10:46:03 2007 -0400
> +++ b/ipa-server/xmlrpc-server/funcs.py	Wed Aug 29 18:07:05 2007 -0400
> @@ -37,8 +37,8 @@ import re
>  # Need a global to store this between requests
>  _LDAPPool = None
>  
> -DefaultUserContainer = "ou=users,ou=default"
> -DefaultGroupContainer = "ou=groups,ou=default"
> +DefaultUserContainer = "cn=users,cn=accounts"
> +DefaultGroupContainer = "cn=groups,cn=accounts"
>  
>  #
>  # Apache runs in multi-process mode so each process will have its own
>   
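Review bot: `DefaultUserContainer` and `DefaultGroupContainer` are now the second place these RDN strings are spelled out, and nothing ties them to bootstrap-template.ldif; the bootstrap hunk in this patch creates the group container as `cn=groups,ou=accounts,$SUFFIX`, which the `cn=groups,cn=accounts` here would never find. Consider generating both from a single definition shared with the installer, or at least adding an install-time check that both containers exist, rather than keeping the two files in sync by hand.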
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Pete
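As an added example, not code from the patch or from FreeIPA: a small Python checker that cross-references the DNs in a set of LDIF templates, because two of the problems in this patch (a group container added under `ou=accounts` while everything else uses `cn=accounts`, and an admin DN that differs between bootstrap-template.ldif, the admins group's `uniqueMember` and the ACI subject) are exactly the kind of thing a mechanical check catches before an install ever runs. The sample LDIF embedded below is constructed to mirror the patch's layout including those two mismatches; the function and variable names are assumptions of this example, and the DN handling is simplified (no escaped commas, no LDIF line continuations).

```python
"""Cross-check DN references inside LDIF bootstrap templates (added example).

Given LDIF text it collects every entry added with `changetype: add`, then reports
  * add entries whose parent DN is neither the suffix nor another added entry,
  * uniqueMember/member values that point at no added entry,
  * ACI userdn/groupdn subjects that point at no added entry.
"""
import re

# Matches userdn="ldap:///<dn>" / groupdn="ldap:///<dn>" inside an aci value.
ACI_SUBJECT = re.compile(r'(?:userdn|groupdn)\s*=\s*"ldap:///([^"]*)"', re.I)
ACI_KEYWORDS = {"anyone", "self", "all", "parent"}   # bind-rule keywords, not DNs


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_entries(ldif):
    """Split LDIF text into a list of (dn, {attr: [values]}) tuples; '#' lines are skipped."""
    entries, dn, attrs = [], None, {}
    for raw in ldif.splitlines() + [""]:          # trailing sentinel flushes the last entry
        line = raw.rstrip()
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif dn is not None:
            attrs.setdefault(key, []).append(value)
    return entries


def check_references(ldif, suffix="$SUFFIX"):
    """Return sorted (problem, entry_dn, referenced_dn) triples for dangling DN references."""
    parsed = [(dn, attrs, attrs.get("changetype", ["add"])[0].lower() == "add")
              for dn, attrs in parse_entries(ldif)]
    suffix_n = normalize_dn(suffix)
    added = {normalize_dn(dn) for dn, _, is_add in parsed if is_add}
    problems = []
    for dn, attrs, is_add in parsed:
        if is_add and normalize_dn(dn) != suffix_n:
            parent = dn.split(",", 1)[1] if "," in dn else ""
            if normalize_dn(parent) != suffix_n and normalize_dn(parent) not in added:
                problems.append(("missing-parent", dn, parent))
        for attr in ("uniquemember", "member"):
            for member in attrs.get(attr, []):
                if normalize_dn(member) not in added:
                    problems.append(("dangling-member", dn, member))
        for aci in attrs.get("aci", []):
            for subject in ACI_SUBJECT.findall(aci):
                if subject.lower() in ACI_KEYWORDS or "*" in subject or "?" in subject:
                    continue                      # keyword, wildcard or LDAP-URL filter: not a literal DN
                if normalize_dn(subject) not in added:
                    problems.append(("dangling-aci-subject", dn, subject))
    return sorted(problems)


# Constructed sample mirroring the patch's layout, including its two DN mismatches.
SAMPLE_LDIF = """\
dn: cn=accounts,$SUFFIX
changetype: add
objectClass: nsContainer
cn: accounts

dn: cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: nsContainer
cn: users

dn: cn=groups,ou=accounts,$SUFFIX
changetype: add
objectClass: nsContainer
cn: groups

dn: cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
cn: etc

dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectClass: nsContainer
cn: sysaccounts

dn: uid=admin,cn=users,cn=accounts,$SUFFIX
changetype: add
objectClass: posixAccount
uid: admin

dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: groupofuniquenames
cn: admins
uniqueMember: uid=admin,cn=sysaccounts,cn=etc,$SUFFIX

dn: $SUFFIX
changetype: modify
replace: aci
aci: (targetattr=*)(version 3.0; acl "Admin has mighty powers"; allow (all) userdn="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr="*")(version 3.0; acl "Enable anonymous access"; allow (read) userdn="ldap:///anyone";)
"""

if __name__ == "__main__":
    for problem, entry_dn, referenced in check_references(SAMPLE_LDIF):
        print(f"{problem:22} {entry_dn}  ->  {referenced}")
```

Run against the sample it reports four findings: the missing `ou=accounts` parent, the missing `cn=groups,cn=accounts` parent for `cn=admins`, the dangling `uniqueMember`, and the dangling ACI subject; fixing the two DN strings makes the list empty, which is the state an install script should require before it loads the templates.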
