From ssorce at redhat.com Fri Jun 29 16:20:05 2007
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2007 12:20:05 -0400
Subject: [Freeipa-devel] patch to add krb instance init
Message-ID: <1183134005.25772.25.camel@localhost.localdomain>

The patch also contains a few clean ups.

If there are no objections I'll do an hg push to commit this stuff to
the main repo, sometime around 2pm-4pm.

Default DIT is not yet finalized, I'd like comments on that.

Right now kadmin is not activated automatically, that means there is no
way to add krb principals using kadmin.local or kadmind yet.
I am not sure I want to enable kadmind at all, as it is not able to fill
up an existing user but just creates an independent entry in cn=kerberos.
We need to be able to create service tickets though, so the next step
will be to make it possible to use kadmin.local

To create a user right now you need to add stuff manually using ldif
files and ldapmodify.

Simo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-install-krb.patch
Type: text/x-patch
Size: 29247 bytes
Desc: not available
URL:

From prowley at redhat.com Fri Jun 29 17:44:46 2007
From: prowley at redhat.com (Pete Rowley)
Date: Fri, 29 Jun 2007 10:44:46 -0700
Subject: [Freeipa-devel] patch to add krb instance init
In-Reply-To: <1183134005.25772.25.camel@localhost.localdomain>
References: <1183134005.25772.25.camel@localhost.localdomain>
Message-ID: <4685450E.4000804@redhat.com>

Simo Sorce wrote:
> The patch contains also a few clean ups.
>
> If there are no objections I'll do an hg push to commit this stuff to
> the main repo, sometimes around 2pm-4pm
>
>
Looks good, some comments below.

> Default DIT is not yet finalized, I'd like comments on that.
I actually don't like the "default" thing. We should probably discuss
the purpose of that and how it would work - it is obviously anticipatory
so we need to work through what it is anticipating.

> diff -r daf5da216c98 ipa-install/share/default-aci.ldif
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/ipa-install/share/default-aci.ldif Thu Jun 28 17:23:26 2007 -0400
> @@ -0,0 +1,8 @@
> +# $SUFFIX (base entry)
> +dn: $SUFFIX
> +changetype: modify
> +replace: aci
> +aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
>
This aci should specify the attributes that anonymous can read, search,
compare, rather than specifying those anonymous cannot, otherwise it is
very easy to accidentally allow access to sensitive information. We
should identify the set of attributes that are probably common "anon"
access attributes and set up the aci for that.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ssorce at redhat.com Fri Jun 29 18:31:54 2007
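Review bot: `replace: aci` on `dn: $SUFFIX` throws away every ACI already present on the base entry, including the fedora-ds-base defaults this file is said to expand, so after this modify the suffix carries only the single anonymous-read rule; unless the remaining lines of the hunk (the header advertises 8 added lines, only 5 are visible here) re-add the self-write and administrative rules, use `add: aci` here or ship the complete ACI set in this LDIF so the outcome does not depend on what the entry held before. A second point on the same `aci:` line: a `targetattr!=` exclusion list has to be revisited every time the schema grows, since any attribute added later is anonymous-readable by default, and the inconsistent spacing (`||sambaLMPassword` next to `|| sambaNTPassword`, and `compare)userdn`) makes that list harder to audit by eye; normalising to one space around each `||` and before `userdn` costs nothing.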
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2007 14:31:54 -0400
Subject: [Freeipa-devel] patch to add krb instance init
In-Reply-To: <4685450E.4000804@redhat.com>
References: <1183134005.25772.25.camel@localhost.localdomain>
	<4685450E.4000804@redhat.com>
Message-ID: <1183141914.25772.36.camel@localhost.localdomain>

On Fri, 2007-06-29 at 10:44 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > The patch contains also a few clean ups.
> >
> > If there are no objections I'll do an hg push to commit this stuff to
> > the main repo, sometimes around 2pm-4pm
> >
> >
> Looks good, some comments below.
> > Default DIT is not yet finalized, I'd like comments on that.
> I actually don't like the "default" thing. We should probably discuss
> the purpose of that and how it would work - it is obviously anticipatory
> so we need to work through what it is anticipating.

I don't like the name either, but the function is to have one level
between users/groups/whatever and the base object.
The reason is that this way we can have OUs that can be easily excluded
from the most common searches.
E.g. I assume people can configure things like nss-ldap to
ou=default,basedn with subtree searches, so that it will spare any
searches on OUs at the same level as ou=default

One of the possible ideas was to have a ou=posix at the same level as
ou=default, and under ou=posix to have the classic
ou=people/ou=group/ou=hosts view for legacy systems with the posix group
translation plug-in operating only there.
This needs discussion as well, but it is a possibility.

Same for kerberos kldap module searches, the current patch still
references the whole tree in the krbContainer but I'd like to change
that to point to cn=kerberos and ou=default only, not the whole DIT.

> > diff -r daf5da216c98 ipa-install/share/default-aci.ldif
> > --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> > +++ b/ipa-install/share/default-aci.ldif Thu Jun 28 17:23:26 2007 -0400
> > @@ -0,0 +1,8 @@
> > +# $SUFFIX (base entry)
> > +dn: $SUFFIX
> > +changetype: modify
> > +replace: aci
> > +aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
> >
> This aci should specify the attributes that anonymous can read, search,
> compare, rather than specifying those anonymous cannot otherwise it is
> very easy to accidentally allow access to sensitive information. We
> should identify the set of attributes that are probably common "anon"
> access attributes and set up the aci for that.

Yeah, ACIs need a lot more thinking, here I just expanded the default
ACI shipped with fedora-ds-base.
The problem is that such attributes should be denied to anyone not just
anonymous. Only self (perhaps) and account admins (perhaps) should be
able to retrieve them.

But right now it does the job, so I'd go on with the knowledge we will
change this stuff during development.

Simo

From ssorce at redhat.com Fri Jun 29 20:25:43 2007
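An allow-list version of the anonymous ACI, added here as an example and not taken from the patch or from the FreeIPA tree, to make concrete both Pete's request (name what anonymous may read instead of what it may not) and Simo's follow-up (key and password attributes should be unreadable by everyone, not just by anonymous). It replaces the `targetattr!=` rule quoted above with an explicit attribute set and adds a self-write rule on userPassword so the password-change path still works. The attribute set (standard inetOrgPerson, posixAccount and posixGroup attributes plus krbPrincipalName) and the acl names are assumptions chosen for illustration; the real list is exactly what Pete asks the project to decide. `$SUFFIX` is the same installer placeholder the original file uses.

```ldif
# Added example, not from the patch: allow-list ACIs for the base entry.
# $SUFFIX is the installer placeholder used by the original file and is
# expected to be substituted before this is fed to ldapmodify.
dn: $SUFFIX
changetype: modify
replace: aci
# Anonymous read: only the attributes legacy clients (nss-ldap, PAM,
# kerberos kldap lookups) need. The attribute list is an assumption.
# Anything not listed, which includes userPassword, krbPrincipalKey,
# sambaLMPassword and sambaNTPassword, is denied to anonymous and to every
# other non-self bind, because the server denies whatever no aci allows
# (Directory Manager bypasses ACIs and is the only exception).
aci: (targetattr="objectClass || uid || cn || sn || givenName || mail || uidNumber || gidNumber || homeDirectory || loginShell || gecos || memberUid || krbPrincipalName")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
# Self: a user may change their own password but still cannot read the
# stored value, since only write is granted.
aci: (targetattr="userPassword")(version 3.0; acl "Allow self password change"; allow (write) userdn="ldap:///self";)
```

Two caveats follow from the allow-list shape. First, an attribute added to the schema later is closed to anonymous until someone extends the list, which is the safe failure mode and the reason Pete prefers it; the cost is that a new client need shows up as a lookup failure rather than as a silent disclosure. Second, this example deliberately leaves out the account-admin rule Simo mentions, because the admin group and its DN are not defined anywhere on this page; without that rule nobody but Directory Manager can read the key attributes, which is the right interim state. To check the result, bind anonymously with `ldapsearch -x` against the suffix, request `userPassword krbPrincipalKey sambaNTPassword` explicitly, and confirm that entries come back with none of those attributes.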
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 29 Jun 2007 16:25:43 -0400
Subject: [Freeipa-devel] password change operations slapi plugin
Message-ID: <1183148743.25772.44.camel@localhost.localdomain>

Attached is the patch with the current code of the password change slapi
plugin.

The plugin is still a bit rough, but it works. See TODOs if you want to
help out enhancing it.

The biggest missing feature is that it does not manage password policies
at all. We need to define a container and format for these policies and
a way to intercept any change made to them and obey the new policies as
soon as they change.

That said I think the code is mature enough to be exposed so that others
can start working on it as well.

If there are no objections I'll push this change into the repository
soon.

Simo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa_pwd_extop.patch
Type: text/x-patch
Size: 42944 bytes
Desc: not available
URL: