This is a crude first version of the (working) fixes for the Winsync/PassSync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns? -- Martin Kosek <mko...@redhat.com> Supervisor, Software Engineering - Identity Management Team Red Hat Inc.
From a22df9e17b22298c1409ec4f7830161364fedccd Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Tue, 13 Jan 2015 18:09:17 +0100 Subject: [PATCH 1/2] Allow PassSync user to locate and update NT users Add new PassSync Service privilege that have sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege. https://fedorahosted.org/freeipa/ticket/4837
---
install/updates/40-delegation.update | 8 ++++++ ipalib/plugins/user.py | 12 +++++++++ ipaserver/install/plugins/Makefile.am | 1 + ipaserver/install/plugins/update_passsync.py | 37 ++++++++++++++++++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 ipaserver/install/plugins/update_passsync.py
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 988de5e1962fabc6787f5914522b8f133e71a8ff..97de2abcaf04ca0a06b2bbdfadd81b371b8c8150 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -184,3 +184,11 @@ dn: cn=IPA Masters
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Masters"; allow (read, search, compare) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
 add:aci:'(targetfilter = "(objectClass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Modify IPA Masters"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+
+# PassSync
+dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: PassSync Service
+default:description: PassSync Service
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e206289248dfe9ae79bd87271ff2c7672fb98b4f..56585b9f86593c0c5879139103bc71707b88e15f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -373,10 +373,12 @@ class user(LDAPObject):
 'replaces': [
 '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
 '(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX";)',
 ],
 'default_privileges': {
 'User Administrators',
 'Modify Users and Reset passwords',
+ 'PassSync Service',
 },
 },
 'System: Manage User SSH Public Keys': {
@@ -446,6 +448,16 @@ class user(LDAPObject):
 'homedirectory',
 'loginshell',
 },
 },
+ 'System: Read User NT Attributes': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'ntuserdomainid', 'ntuniqueid', 'ntuseracctexpires',
+ 'ntusercodepage', 'ntuserdeleteaccount', 'ntuserlastlogoff',
+ 'ntuserlastlogon',
+ },
+ 'default_privileges': {'PassSync Service'},
+ },
 }
 label = _('Users')
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index d651297ac141b0f05831e7fabbb9b561cdd239c7..ead1d8f7d972c1b016bac8f2b8f7fd1f9a71b563 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
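Review bot: Folding the legacy "Windows PassSync service can write passwords" ACI into the `replaces` list of this managed permission changes what `uid=passsync` may write: the legacy ACI carried no `target` or `targetfilter`, whereas the second `replaces` entry shows this permission scoped to `uid=*,cn=users,cn=accounts` and excluding members of `cn=admins`. If the managed permission keeps that `(!(memberOf=cn=admins,...))` filter, PassSync can no longer sync passwords of admin-group members after the upgrade. That is arguably the safer posture for a sysaccount, but it is a visible behaviour change for existing deployments and belongs in the commit message and the ticket. The permission's own `ipapermtargetfilter` lies outside this hunk, so the diff alone cannot confirm which way it goes.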
@@ -14,6 +14,7 @@ app_PYTHON = \
 update_referint.py \
 ca_renewal_master.py \
 update_uniqueness.py \
+ update_passsync.py \
 $(NULL)

 EXTRA_DIST = \
diff --git a/ipaserver/install/plugins/update_passsync.py b/ipaserver/install/plugins/update_passsync.py
new file mode 100644
index 0000000000000000000000000000000000000000..56c7f5253061087a2f59d2ed416d3db2f2c7dbec
--- /dev/null
+++ b/ipaserver/install/plugins/update_passsync.py
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import LAST
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+
+class update_passsync(PostUpdate):
+ """
+ Add PassSync user as a member of PassSync privilege, if it exists
+ """
+
+ order = LAST
+
+ def execute(self, **options):
+ root_logger.debug("Add PassSync user as a member of PassSync privilege")
+ ldap = self.obj.backend
+ passsync_dn = DN(('uid','passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'),
+ api.env.basedn)
+ passsync_privilege_dn = DN(('cn','PassSync Service'),
+ self.api.env.container_privilege,
+ self.api.env.basedn)
+
+ try:
+ entry = ldap.get_entry(passsync_dn, [''])
+ except errors.NotFound:
+ root_logger.debug("PassSync user not found")
+ return False, False, []
+ update = {'dn': passsync_privilege_dn,
+ 'updates': ["add:member:'%s'" % passsync_dn]}
+ updates = {passsync_privilege_dn: update}
+ return (False, True, [updates])
+
+api.register(update_passsync)
-- 1.9.3
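Review bot: `execute()` re-adds `uid=passsync` to the PassSync Service privilege on every run in which the sysaccount exists, since the `get_entry` lookup is the only guard; an administrator who deliberately removed that membership (for example after retiring AD sync but keeping the account) gets password-write rights silently re-granted at the next upgrade. Either check the privilege's current `member` values before emitting the `add:member` update, or make the docstring state the contract plainly: `Add the passsync sysaccount to the PassSync Service privilege whenever the account exists; membership is re-asserted on every upgrade.` Smaller points in the same body: `entry` is assigned and never used, `api.env.basedn` and `self.api.env.basedn` are mixed in two consecutive statements, and the two returns use different styles (`return False, False, []` vs `return (False, True, [updates])`). The header also says Copyright 2014 for a file dated 2015.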
From c021d2eee986135383aaf63dd286df057cf63804 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Tue, 13 Jan 2015 18:10:46 +0100 Subject: [PATCH 2/2] Allow Replication Administrators to manipulate Winsync Agreements Replication Administrators members were not able to set up changelog5 in cn=config or list winsync agreements. https://fedorahosted.org/freeipa/ticket/4836
---
install/updates/20-aci.update | 2 +- ipaserver/install/plugins/update_managed_permissions.py | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 9bbb7e4bb8d51b3d957d1f63d2c889e793276598..b920ef83d8580911d9a9c577e3ed6a9356da69e2 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -26,7 +26,7 @@ dn:
 add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'

 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'
+remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'

 # Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 032485aac5b84b12b91464f16870c9940b18bc2d..9ceb856f5eb10bc0bc08a2e601461dc9cb4b4616 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
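Review bot: Turning the `add:aci` into `remove:aci` drops the explicit anonymous deny on `cn=replicas` without adding a replacement allow, so what anonymous binds can see there now depends on whichever other ACIs reach the subtree. The "Anonymous read access to containers" ACI in the context line just above excludes only `cn=masters` via `target!=`, so any `nsContainer` entries under `cn=replicas` appear to become readable (`cn`, `objectclass`) by anyone once the deny is gone. If the goal is only to let Replication Administrators read replica configuration, a scoped allow for that privilege, or extending the `target!=` exclusion to cover `cn=replicas`, keeps the anonymous exposure where it was. Whether anonymous read of this container is intended should be stated in the commit message either way.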
@@ -248,6 +248,20 @@
 'nsds5replicabackoffmax',
 },
 },
+ 'System: Read LDBM database config': {
+ 'ipapermlocation': DN('cn=config'),
+ 'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'default_privileges': {'Replication Administrators'},
+ 'ipapermdefaultattr': {'*'},
+ },
+ 'System: Add configuration sub-entries': {
+ 'ipapermlocation': DN('cn=config'),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'add'},
+ 'default_privileges': {'Replication Administrators'},
+ },
 'System: Read AD Domains': {
 'replaces_global_anonymous_aci': True,
 'ipapermlocation': DN('cn=etc', api.env.basedn),
-- 1.9.3
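Review bot: 'System: Add configuration sub-entries' grants `add` with `ipapermlocation` `cn=config` and no `ipapermtarget` or `ipapermtargetfilter`, so Replication Administrators can create any entry anywhere under cn=config — plugin and backend configuration included — which is directory-server administration rather than the changelog and winsync setup the commit message describes. Scope it to what is actually needed, e.g. `'ipapermtarget': DN('cn=changelog5,cn=config')` for the changelog case, with a separate, equally scoped permission for wherever the agreement entries are created, instead of one unscoped add right. 'System: Read LDBM database config' is narrower thanks to its exact `ipapermtarget`, though `'ipapermdefaultattr': {'*'}` exposes every attribute of that entry; acceptable if intended, but listing the attributes the tooling reads would match the style of the neighbouring permissions.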