Hi, the attached patches fix <https://fedorahosted.org/freeipa/ticket/5399>.
My patches 523-525 are required for this: <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00312.html>.
Honza -- Jan Cholasta
From 4bcb399365501265ee062020ff9ef80fd6235a66 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 9 Dec 2015 10:31:18 +0100
Subject: [PATCH 1/2] aci: merge domain and CA suffix replication agreement ACIs

https://fedorahosted.org/freeipa/ticket/5399
---
 install/share/ca-topology.uldif | 6 ------
 install/share/replica-acis.ldif | 6 +++---
 install/updates/20-aci.update | 10 ++++++++++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 7ce3cb1..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: o=ipaca
 default: cn: ca
-# Update CA replication settings
-dn: cn=o\3Dipaca,cn=mapping tree,cn=config
-add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 8c0bc8e..6735130 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,16 +1,16 @@
 # Replica administration
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
 changetype: modify
 add: aci
 aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
 
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index ca4c0df..b06f569 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
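Review bot: Re-homing the three ACIs from `cn="$SUFFIX",cn=mapping tree,cn=config` to `cn=mapping tree,cn=config` widens them from one suffix's replica configuration to the whole mapping-tree container, and as far as the ACI text shows the Add ACI carries no targetfilter, so `permission:Add Replication Agreements` now allows `add` of any entry beneath any mapping-tree entry, not only the domain and o=ipaca suffixes this ticket is about. If that breadth is intended, a targetfilter restricting the Add ACI to the replica/agreement object classes, as the Modify and Remove ACIs already do, would keep the permission minimal; otherwise a comment such as `# Placed on the mapping tree root so one set of ACIs covers $SUFFIX and o=ipaca` above the first record would record why the ACIs are no longer suffix-scoped.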
@@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
 dn: cn=mapping tree,cn=config
 add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "
+
+dn: cn=o\3Dipaca,cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+
 # Removal of obsolete ACIs
 dn: cn=config
 # Replaced by 'System: Read Replication Agreements'
-- 
2.4.3
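Review bot: The hunk removes the suffix-scoped Add/Modify/Remove Replication Agreements ACIs on upgrade, but nothing in this hunk adds the merged ones at `cn=mapping tree,cn=config`; unless replica-acis.ldif is also applied during upgrade (not visible here), an upgraded server would be left with no replication-agreement ACIs at all. The first `remove:aci:` for the Remove Replication Agreements ACI on the `cn="$SUFFIX"` entry ends at `groupdn = "` in this listing; `remove:` only takes effect when the value matches the stored ACI exactly, so if that truncation is in the committed file rather than a mail artifact, the stale ACI silently survives. A short comment above the two new records, `# ACIs moved to cn=mapping tree,cn=config (replica-acis.ldif); drop the per-suffix copies`, would tell the next reader where the replacement lives.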
From d7a267de24b1953122cc005a676c52dfaab04ff0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 10 Dec 2015 08:17:11 +0100
Subject: [PATCH 2/2] ca install: use host credentials in domain level 1

https://fedorahosted.org/freeipa/ticket/5399
---
 install/tools/ipa-ca-install | 76 +++++++++++++++++++++++++++++---------------
 1 file changed, 51 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 0b8f28c..f2f32bd 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -107,21 +107,19 @@ def get_dirman_password():
 
 
 def install_replica(safe_options, options, filename):
-    domain_level = dsinstance.get_domain_level(api)
-    if domain_level > DOMAIN_LEVEL_0:
-        options.promote = True
+    if options.promote:
         if filename is not None:
             sys.exit("Too many parameters provided. "
                      "No replica file is required")
     else:
-        options.promote = False
         if filename is None:
             sys.exit("A replica file is required")
         if not ipautil.file_exists(filename):
             sys.exit("Replica file %s does not exist" % filename)
 
-    # Check if we have admin creds already, otherwise acquire them
-    check_creds(options, api.env.realm)
+    if not options.promote:
+        # Check if we have admin creds already, otherwise acquire them
+        check_creds(options, api.env.realm)
 
     # get the directory manager password
     dirman_password = options.password
@@ -135,8 +133,8 @@ def install_replica(safe_options, options, filename):
     if dirman_password is None:
         sys.exit("Directory Manager password required")
 
-    if not options.admin_password and not options.skip_conncheck and \
-        options.unattended:
+    if (not options.promote and not options.admin_password and
+            not options.skip_conncheck and options.unattended):
         sys.exit('admin password required')
 
     if options.promote:
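Review bot: `if options.promote:` at the top of install_replica now depends on the caller having set `options.promote` before the call, and nothing in the function states or checks that; a reader of install_replica alone can no longer see where promotion is decided. A one-line comment above the branch, `# options.promote is set by the caller from the domain level; not decided here`, would make the contract visible, and the same note covers the `if not options.promote:` guard later in this hunk and the `not options.promote` term in the following hunk. install_replica's body continues past the end of the hunk.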
@@ -229,6 +227,46 @@ def install_master(safe_options, options):
     ca.install(True, None, options)
 
 
+def install(safe_options, options, filename):
+    options.promote = False
+
+    try:
+        if filename is None:
+            install_master(safe_options, options)
+        else:
+            install_replica(safe_options, options, filename)
+
+    finally:
+        # Clean up if we created custom credentials
+        created_ccache_file = getattr(options, 'created_ccache_file', None)
+        if created_ccache_file is not None:
+            try:
+                os.unlink(created_ccache_file)
+            except OSError:
+                pass
+
+
+def promote(safe_options, options, filename):
+    options.promote = True
+
+    with ipautil.private_ccache():
+        ccache = os.environ['KRB5CCNAME']
+
+        ipautil.kinit_keytab(
+            'host/{env.host}@{env.realm}'.format(env=api.env),
+            paths.KRB5_KEYTAB,
+            ccache)
+
+        conn = api.Backend.ldap2
+        conn.connect(ccache=ccache)
+        ca_host = service.find_providing_server('CA', conn)
+        conn.disconnect()
+        if ca_host is None:
+            install_master(safe_options, options)
+        else:
+            install_replica(safe_options, options, filename)
+
+
 def main():
     safe_options, options, filename = parse_options()
 
@@ -251,24 +289,12 @@ def main():
     api.bootstrap(in_server=True, ra_plugin='dogtag')
     api.finalize()
 
-    try:
-        conn = api.Backend.ldap2
-        conn.connect(autobind=True)
-        ca_host = service.find_providing_server('CA', conn)
-        conn.disconnect()
-        if ca_host is None:
-            install_master(safe_options, options)
-        else:
-            install_replica(safe_options, options, filename)
+    domain_level = dsinstance.get_domain_level(api)
+    if domain_level > DOMAIN_LEVEL_0:
+        promote(safe_options, options, filename)
+    else:
+        install(safe_options, options, filename)
 
-    finally:
-        # Clean up if we created custom credentials
-        created_ccache_file = getattr(options, 'created_ccache_file', None)
-        if created_ccache_file is not None:
-            try:
-                os.unlink(created_ccache_file)
-            except OSError:
-                pass
 
 fail_message = '''
 Your system may be partly configured.
-- 
2.4.3
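Review bot: In `promote`, `conn.disconnect()` runs only when `service.find_providing_server` returns normally; if it raises, the ldap2 connection bound with the host ccache stays open while the exception propagates out of the `with` block. Pairing the two, `try: ca_host = service.find_providing_server('CA', conn)` / `finally: conn.disconnect()`, keeps lookup and teardown together. Neither new function has a docstring; a one-liner on `install` saying it runs the domain-level-0 path under the caller's credentials and removes any ccache `check_creds` created, and one on `promote` saying it runs the whole install inside a private ccache obtained from the host keytab (presumably what every Kerberos and LDAP call inside the `with` block then uses — worth confirming), would document the split that this hunk introduces. The `finally` cleanup in `install` is pre-existing code moved from `main`.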
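Review bot: In the domain-level-0 branch `main` now calls `install(safe_options, options, filename)`, which picks master versus replica purely on `filename is None`, whereas the removed code first asked `service.find_providing_server('CA', conn)` and went to install_replica whenever a CA already existed; so a domain-level-0 run with no replica file on a topology that already has a CA now reaches `install_master` instead of exiting with "A replica file is required". Unless install_master refuses to proceed when a CA already exists (its body lies outside this hunk), that is a behaviour change worth either restoring or documenting with a comment on `install`, e.g. `# Domain level 0: replica file decides master vs. replica; no CA lookup is done`.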