On 11.12.2015 17:24, Martin Basti wrote:
On 11.12.2015 15:00, Jan Cholasta wrote:
On 10.12.2015 09:51, Jan Cholasta wrote:
Hi,
the attached patches fix <https://fedorahosted.org/freeipa/ticket/5399>.
My patches 523-525 are required for this:
<https://www.redhat.com/archives/freeipa-devel/2015-December/msg00312.html>.
Honza
Rebased patches attached.
Patch works for me, but can you provide explanations (and update the commit
message) why the ACI change is needed:
* why the three ACIs are moved from 'cn="$SUFFIX",cn=mapping tree,cn=config' to 'cn=mapping tree,cn=config'
So that they apply to all replication agreements.
* why you removed completely 'dn: cn=o\3Dipaca,cn=mapping tree,cn=config'
I didn't, they were moved to cn=mapping tree,cn=config as well.
Updated patches attached.
--
Jan Cholasta
From 730b9c2f5693020272a7458b9540366bca56b430 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 9 Dec 2015 10:31:18 +0100
Subject: [PATCH 1/2] aci: merge domain and CA suffix replication agreement
ACIs
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.
https://fedorahosted.org/freeipa/ticket/5399
---
install/share/ca-topology.uldif | 6 ------
install/share/replica-acis.ldif | 6 +++---
install/updates/20-aci.update | 10 ++++++++++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 7ce3cb1..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -10,11 +10,5 @@ default: objectclass: iparepltopoconf
default: ipaReplTopoConfRoot: o=ipaca
default: cn: ca
-# Update CA replication settings
-dn: cn=o\3Dipaca,cn=mapping tree,cn=config
-add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
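Review bot: the three `add: aci:` values dropped here only affect fresh installs; servers that already ran this uldif still carry them on `cn=o\3Dipaca,cn=mapping tree,cn=config`, so this hunk relies on the matching `remove:aci:` entries in install/updates/20-aci.update. That removal is by value, so the strings there have to match what this file used to write; a stray difference (for example the space after `version 3.0;` in the Modify ACI) would leave the old per-suffix ACI on upgraded servers next to the new one.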
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 8c0bc8e..6735130 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,16 +1,16 @@
# Replica administration
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-dn: cn="$SUFFIX",cn=mapping tree,cn=config
+dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
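Review bot: moving the three ACIs from `cn="$SUFFIX",cn=mapping tree,cn=config` up to `cn=mapping tree,cn=config` widens their scope, and the "Add Replication Agreements" ACI is the one to look at: unlike the Modify and Remove ACIs it has no `targetfilter`, so with `(targetattr=*)` on the container it now lets holders of that permission add entries anywhere under `cn=mapping tree,cn=config`, including under mapping tree entries of suffixes other than the domain and CA ones. A `targetfilter` on the replication agreement object classes, or a `target` limited to the two suffix subtrees, would keep the grant as narrow as it was. The commit message should also state plainly that the ACIs now live on the parent container so that one set covers both suffixes, which is what the question in the thread was about.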
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 5b9741d..cef842b 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -66,6 +66,16 @@ add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (rea
dn: cn=mapping tree,cn=config
add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+dn: cn="$SUFFIX",cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "
+
+dn: cn=o\3Dipaca,cn=mapping tree,cn=config
+remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+
# Removal of obsolete ACIs
dn: cn=config
# Replaced by 'System: Read Replication Agreements'
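Review bot: two things in this hunk. The third `remove:aci:` under `dn: cn="$SUFFIX",cn=mapping tree,cn=config` ends at `groupdn = "` with the rest of the value missing, so as shown it cannot match the existing ACI and the old "Remove Replication Agreements" ACI would stay on upgraded servers; if that is only truncation in the archive, fine, but please check the file. Second, the hunk removes the six old ACIs on upgrade but nothing here adds the relocated ones on `cn=mapping tree,cn=config`; confirm that install/share/replica-acis.ldif is re-applied on the upgrade path, otherwise an upgraded server ends up with no replication agreement permission ACIs at all.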
--
2.4.3
From ab9244f7c6c37a6873a0bf9dca1bc801cd674fa5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 10 Dec 2015 08:17:11 +0100
Subject: [PATCH 2/2] ca install: use host credentials in domain level 1
https://fedorahosted.org/freeipa/ticket/5399
---
install/tools/ipa-ca-install | 76 +++++++++++++++++++++++++++++---------------
1 file changed, 51 insertions(+), 25 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 0b8f28c..f2f32bd 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -107,21 +107,19 @@ def get_dirman_password():
def install_replica(safe_options, options, filename):
- domain_level = dsinstance.get_domain_level(api)
- if domain_level > DOMAIN_LEVEL_0:
- options.promote = True
+ if options.promote:
if filename is not None:
sys.exit("Too many parameters provided. "
"No replica file is required")
else:
- options.promote = False
if filename is None:
sys.exit("A replica file is required")
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
- # Check if we have admin creds already, otherwise acquire them
- check_creds(options, api.env.realm)
+ if not options.promote:
+ # Check if we have admin creds already, otherwise acquire them
+ check_creds(options, api.env.realm)
# get the directory manager password
dirman_password = options.password
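Review bot: the new `if not options.promote:` guard around `check_creds()` repeats the condition of the `else:` branch a few lines above, which already means "not promoting"; placing `check_creds(options, api.env.realm)` at the end of that `else:` block avoids testing the same flag twice. Also, `install_replica()` now depends on a caller having set `options.promote` beforehand (it used to derive it from the domain level itself); a short comment in the function, or a default in `parse_options()`, would make that precondition visible.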
@@ -135,8 +133,8 @@ def install_replica(safe_options, options, filename):
if dirman_password is None:
sys.exit("Directory Manager password required")
- if not options.admin_password and not options.skip_conncheck and \
- options.unattended:
+ if (not options.promote and not options.admin_password and
+ not options.skip_conncheck and options.unattended):
sys.exit('admin password required')
if options.promote:
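Review bot: dropping the admin password requirement in promote mode is consistent with authenticating as the host principal, but the unchanged check just above still exits with "Directory Manager password required" in that mode; if promotion is meant to run on host credentials plus replication managers group membership, the commit message should say whether the Directory Manager password is still needed for the CA replica install and why.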
@@ -229,6 +227,46 @@ def install_master(safe_options, options):
ca.install(True, None, options)
+def install(safe_options, options, filename):
+ options.promote = False
+
+ try:
+ if filename is None:
+ install_master(safe_options, options)
+ else:
+ install_replica(safe_options, options, filename)
+
+ finally:
+ # Clean up if we created custom credentials
+ created_ccache_file = getattr(options, 'created_ccache_file', None)
+ if created_ccache_file is not None:
+ try:
+ os.unlink(created_ccache_file)
+ except OSError:
+ pass
+
+
+def promote(safe_options, options, filename):
+ options.promote = True
+
+ with ipautil.private_ccache():
+ ccache = os.environ['KRB5CCNAME']
+
+ ipautil.kinit_keytab(
+ 'host/{env.host}@{env.realm}'.format(env=api.env),
+ paths.KRB5_KEYTAB,
+ ccache)
+
+ conn = api.Backend.ldap2
+ conn.connect(ccache=ccache)
+ ca_host = service.find_providing_server('CA', conn)
+ conn.disconnect()
+ if ca_host is None:
+ install_master(safe_options, options)
+ else:
+ install_replica(safe_options, options, filename)
+
+
def main():
safe_options, options, filename = parse_options()
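Review bot: in `promote()`, `conn.disconnect()` is skipped if `service.find_providing_server()` raises, leaving the ldap2 backend connected with the temporary host ccache for the rest of the run; wrap the lookup in `try:` / `finally: conn.disconnect()`. Also, `promote()` has no `finally:` cleanup of `options.created_ccache_file` like `install()` does; if that is intentional because the ccache from `ipautil.private_ccache()` is the only credential used on this path, a one-line comment would save the next reader the question.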
@@ -251,24 +289,12 @@ def main():
api.bootstrap(in_server=True, ra_plugin='dogtag')
api.finalize()
- try:
- conn = api.Backend.ldap2
- conn.connect(autobind=True)
- ca_host = service.find_providing_server('CA', conn)
- conn.disconnect()
- if ca_host is None:
- install_master(safe_options, options)
- else:
- install_replica(safe_options, options, filename)
+ domain_level = dsinstance.get_domain_level(api)
+ if domain_level > DOMAIN_LEVEL_0:
+ promote(safe_options, options, filename)
+ else:
+ install(safe_options, options, filename)
- finally:
- # Clean up if we created custom credentials
- created_ccache_file = getattr(options, 'created_ccache_file', None)
- if created_ccache_file is not None:
- try:
- os.unlink(created_ccache_file)
- except OSError:
- pass
fail_message = '''
Your system may be partly configured.
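Review bot: this changes behaviour at domain level 0. Previously `main()` called `service.find_providing_server('CA', conn)` and chose `install_master()` only when no CA existed in the topology; the new `install()` decides purely on whether a replica file was passed, so at domain level 0 `ipa-ca-install` without a replica file now attempts a fresh CA master install even when a CA already exists (before, that case ended at the "A replica file is required" exit in `install_replica()`). Keeping the `find_providing_server` check inside `install()`, with the `autobind=True` connection removed here, would preserve that guard.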
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code