The first patch is preparation.

As for the other two patches, this is how the bulk of the transition will look.

--
Petr³
From 979ef3e1a8e37b8ad6ad60027993f3c8de6a3d98 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 12 Jun 2014 09:46:36 +0200
Subject: [PATCH] Add $REALM to variables supported by the managed permission
 updater

This will allow converting password policy permissions

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ipaserver/install/plugins/update_managed_permissions.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 7b1405a1974826fd90acd0d5082f51d8b25034cd..f68faf262da5bcfbd4167213dff33db4676f7b2e 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -343,6 +343,7 @@ def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
         if 'replaces' in template:
             sub_dict = {
                 'SUFFIX': str(self.api.env.basedn),
+                'REALM': str(self.api.env.realm),
             }
             legacy_acistrs = [ipautil.template_str(r, sub_dict)
                               for r in template['replaces']]
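Review bot: The `sub_dict` literal now defines the complete set of variables a `replaces` template may use, but nothing says so, and the third patch in this series relies on `$REALM` being expanded here; a comment would keep later additions from silently diverging from the `.update` files: `# Variables expanded in legacy 'replaces' ACI strings; must cover every $VAR those strings use`. How `ipautil.template_str` treats a variable that is not in the dict is not visible in the hunk, so whether a missing key raises or just leaves the legacy ACI unmatched (and therefore not retired) should be confirmed. `update_permission` starts before and continues after the hunk.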
-- 
1.9.0

From 0b9cd3c194a8d80405cb754e5cbbf39c9d6f0579 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 17:39:10 +0200
Subject: [PATCH] Convert COSTemplate default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt                              |  6 ++++++
 install/updates/40-delegation.update | 24 ------------------------
 ipalib/plugins/pwpolicy.py           | 22 ++++++++++++++++++++++
 3 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 2ceaacc077467b6ef54e09d0aa7d3d5695c8fd40..5573da2fa733955789377be8c3fcbfb2f821ed9c 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -8,6 +8,12 @@ dn: cn=System: Read Automount Configuration,cn=permissions,cn=pbac,dc=ipa,dc=exa
 aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 7c3a284b8d2a0592240e56d8118c821a25fc7798..36a0ad020699f6391251d03bd664f55af90500f4 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -170,27 +170,6 @@ dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
 default:cn: Password Policy Administrator
 default:description: Password Policy Administrator
 
-dn: cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Add Group Password Policy costemplate
-default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Delete Group Password Policy costemplate
-default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Modify Group Password Policy costemplate
-default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-
 dn: cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
 default:objectClass: groupofnames
 default:objectClass: ipapermission
@@ -213,9 +192,6 @@ dn: cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
 default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
 
 dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)'
 add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
 add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
 add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index a0850ccf4c535c715da88a54d20a8be24885f6dc..5057093badf0ad905d0b79f3989d4454b14b639c 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -96,6 +96,28 @@ class cosentry(LDAPObject):
                 'Password Policy Administrator',
             },
         },
+        'System: Add Group Password Policy costemplate': {
+            'ipapermright': {'add'},
+            'replaces': [
+                '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=Add Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Password Policy Administrator'},
+        },
+        'System: Delete Group Password Policy costemplate': {
+            'ipapermright': {'delete'},
+            'replaces': [
+                '(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Delete Group Password Policy costemplate";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Password Policy Administrator'},
+        },
+        'System: Modify Group Password Policy costemplate': {
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {'cospriority'},
+            'replaces': [
+                '(targetattr = "cospriority")(target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Group Password Policy costemplate";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy costemplate,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Password Policy Administrator'},
+        },
     }
 
     takes_params = (
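Review bot: The managed ACIs generated for these three entries (see the ACI.txt hunk) drop the explicit `target = "ldap:///cn=*,cn=costemplates,cn=accounts,$SUFFIX"` scoping of the legacy ACIs in favour of `targetfilter = "(objectclass=costemplate)"` alone, so the scope of the new add/delete rights presumably comes from the permission's location rather than from the ACI text; that is not visible in the hunk and is worth confirming so the replacements are not broader than the ACIs they retire. The three `replaces` strings do reproduce the removed 40-delegation.update lines byte-for-byte, which the updater appears to depend on; a comment above the first new entry would record that invariant: `# 'replaces' must match the legacy ACI text exactly so the updater can retire it`. The enclosing dict and `class cosentry` begin before the hunk.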
-- 
1.9.0

From 9a1e846b777f6f10106f287de2a43ed6c3e129f8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 4 Jun 2014 17:39:10 +0200
Subject: [PATCH] Convert Password Policy default permissions to managed

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
---
 ACI.txt                              |  6 ++++++
 install/updates/40-delegation.update | 26 --------------------------
 ipalib/plugins/pwpolicy.py           | 26 ++++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 5573da2fa733955789377be8c3fcbfb2f821ed9c..24b62c1fc1afe08964f93f296dbff906a105c453 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -50,6 +50,12 @@ dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || member || memberhost || memberof || memberuser || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 36a0ad020699f6391251d03bd664f55af90500f4..2ee47d4ad2b3e864c1889f711a4e853e562f31b8 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -170,32 +170,6 @@ dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
 default:cn: Password Policy Administrator
 default:description: Password Policy Administrator
 
-dn: cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Add Group Password Policy
-default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Delete Group Password Policy
-default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:objectClass: top
-default:cn: Modify Group Password Policy
-default:member: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
-
-dn: $SUFFIX
-add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
-add:aci: '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)'
-
 # Allow an admin to enroll a host that has a one-time password.
 # When a host is created with a password no krbPrincipalName is set.
 # This will let it be added if the client ends up enrolling with
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 5057093badf0ad905d0b79f3989d4454b14b639c..1976675c56000cff14b211e115fda28105107c15 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -237,6 +237,32 @@ class pwpolicy(LDAPObject):
                 'Password Policy Administrator',
             },
         },
+        'System: Add Group Password Policy': {
+            'ipapermright': {'add'},
+            'replaces': [
+                '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Add Group Password Policy";allow (add) groupdn = "ldap:///cn=Add Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Password Policy Administrator'},
+        },
+        'System: Delete Group Password Policy': {
+            'ipapermright': {'delete'},
+            'replaces': [
+                '(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=Delete Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Password Policy Administrator'},
+        },
+        'System: Modify Group Password Policy': {
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'krbmaxpwdlife', 'krbminpwdlife', 'krbpwdfailurecountinterval',
+                'krbpwdhistorylength', 'krbpwdlockoutduration',
+                'krbpwdmaxfailure', 'krbpwdmindiffchars', 'krbpwdminlength'
+            },
+            'replaces': [
+                '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdhistorylength || krbpwdmindiffchars || krbpwdminlength || krbpwdmaxfailure || krbpwdfailurecountinterval || krbpwdlockoutduration")(target = "ldap:///cn=*,cn=$REALM,cn=kerberos,$SUFFIX";)(version 3.0;acl "permission:Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=Modify Group Password Policy,cn=permissions,cn=pbac,$SUFFIX";)',
+            ],
+            'default_privileges': {'Password Policy Administrator'},
+        },
     }
 
     MIN_KRB5KDC_WITH_LOCKOUT = "1.8"
-- 
1.9.0
