rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0127-install-support-KRA-update.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   a809a6539cddb3ebdbc0e23d662e2aca0fa7d982
  2.   SOURCES
  3.   0127-install-support-KRA-update.patch
Blob History Raw
590d18 
From 78eaf8b944f1b8f177aedabeaaeaa72c1dc4091e Mon Sep 17 00:00:00 2001
590d18 
From: Jan Cholasta <jcholast@redhat.com>
590d18 
Date: Mon, 14 Sep 2015 07:56:44 +0200
590d18 
Subject: [PATCH] install: support KRA update
590d18
590d18 
https://fedorahosted.org/freeipa/ticket/5250
590d18
590d18 
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
590d18 
---
590d18 
 freeipa.spec.in                  |  1 -
590d18 
 install/share/Makefile.am        |  2 +-
590d18 
 install/share/vault.ldif         | 29 +++++++++++++++++++++++++++++
590d18 
 install/share/vault.update       | 38 --------------------------------------
590d18 
 install/updates/40-vault.update  | 23 +++++++++++++++++++++++
590d18 
 install/updates/Makefile.am      |  1 +
590d18 
 ipaplatform/base/paths.py        |  1 -
590d18 
 ipaserver/install/krainstance.py |  7 ++++++-
590d18 
 8 files changed, 60 insertions(+), 42 deletions(-)
590d18 
 create mode 100644 install/share/vault.ldif
590d18 
 delete mode 100644 install/share/vault.update
590d18 
 create mode 100644 install/updates/40-vault.update
590d18
590d18 
diff --git a/freeipa.spec.in b/freeipa.spec.in
590d18 
index e9ba596fec1f8d179d4f834485e35a4814db898d..d8e24a5af47fbfca89ccb9c3d07dcfca5a8073d9 100644
590d18 
--- a/freeipa.spec.in
590d18 
+++ b/freeipa.spec.in
590d18 
@@ -746,7 +746,6 @@ fi
590d18 
 %{_usr}/share/ipa/copy-schema-to-ca.py*
590d18 
 %{_usr}/share/ipa/*.ldif
590d18 
 %{_usr}/share/ipa/*.uldif
590d18 
-%{_usr}/share/ipa/*.update
590d18 
 %{_usr}/share/ipa/*.template
590d18 
 %dir %{_usr}/share/ipa/advise
590d18 
 %dir %{_usr}/share/ipa/advise/legacy
590d18 
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
590d18 
index 80e959a751a0800c4d56c379a73b68a2f12570d7..d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e 100644
590d18 
--- a/install/share/Makefile.am
590d18 
+++ b/install/share/Makefile.am
590d18 
@@ -83,7 +83,7 @@ app_DATA =				\
590d18 
 	copy-schema-to-ca.py		\
590d18 
 	sasl-mapping-fallback.ldif	\
590d18 
 	schema-update.ldif		\
590d18 
-	vault.update			\
590d18 
+	vault.ldif			\
590d18 
 	kdcproxy.conf			\
590d18 
 	kdcproxy-enable.uldif		\
590d18 
 	kdcproxy-disable.uldif		\
590d18 
diff --git a/install/share/vault.ldif b/install/share/vault.ldif
590d18 
new file mode 100644
590d18 
index 0000000000000000000000000000000000000000..06dd83c5c45bd3143b8374965b9a02d311afdb42
590d18 
--- /dev/null
590d18 
+++ b/install/share/vault.ldif
590d18 
@@ -0,0 +1,29 @@
590d18 
+dn: cn=kra,$SUFFIX
590d18 
+changetype: add
590d18 
+objectClass: top
590d18 
+objectClass: nsContainer
590d18 
+cn: kra
590d18 
+
590d18 
+dn: cn=vaults,cn=kra,$SUFFIX
590d18 
+changetype: add
590d18 
+objectClass: top
590d18 
+objectClass: ipaVaultContainer
590d18 
+cn: vaults
590d18 
+
590d18 
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
590d18 
+changetype: add
590d18 
+objectClass: top
590d18 
+objectClass: ipaVaultContainer
590d18 
+cn: services
590d18 
+
590d18 
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
590d18 
+changetype: add
590d18 
+objectClass: top
590d18 
+objectClass: ipaVaultContainer
590d18 
+cn: shared
590d18 
+
590d18 
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
590d18 
+changetype: add
590d18 
+objectClass: top
590d18 
+objectClass: ipaVaultContainer
590d18 
+cn: users
590d18 
diff --git a/install/share/vault.update b/install/share/vault.update
590d18 
deleted file mode 100644
590d18 
index 4f0023840b34c2d2bae4e362e34be1764c430ad1..0000000000000000000000000000000000000000
590d18 
--- a/install/share/vault.update
590d18 
+++ /dev/null
590d18 
@@ -1,38 +0,0 @@
590d18 
-dn: cn=kra,$SUFFIX
590d18 
-default: objectClass: top
590d18 
-default: objectClass: nsContainer
590d18 
-default: cn: kra
590d18 
-
590d18 
-dn: cn=vaults,cn=kra,$SUFFIX
590d18 
-default: objectClass: top
590d18 
-default: objectClass: ipaVaultContainer
590d18 
-default: cn: vaults
590d18 
-default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18 
-default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
590d18 
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
590d18 
-
590d18 
-dn: cn=services,cn=vaults,cn=kra,$SUFFIX
590d18 
-default: objectClass: top
590d18 
-default: objectClass: ipaVaultContainer
590d18 
-default: cn: services
590d18 
-
590d18 
-dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
590d18 
-default: objectClass: top
590d18 
-default: objectClass: ipaVaultContainer
590d18 
-default: cn: shared
590d18 
-
590d18 
-dn: cn=users,cn=vaults,cn=kra,$SUFFIX
590d18 
-default: objectClass: top
590d18 
-default: objectClass: ipaVaultContainer
590d18 
-default: cn: users
590d18 
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
590d18 
new file mode 100644
590d18 
index 0000000000000000000000000000000000000000..3daea5b1988333d4d482463af0eec4163e4f0760
590d18 
--- /dev/null
590d18 
+++ b/install/updates/40-vault.update
590d18 
@@ -0,0 +1,23 @@
590d18 
+dn: cn=vaults,cn=kra,$SUFFIX
590d18 
+remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
590d18 
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
590d18 
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
590d18 
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
590d18 
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
590d18 
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
590d18 
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
590d18 
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
590d18 
+addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18 
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
590d18 
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
590d18 
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
590d18 
index 1f4a91c9bb4222f99ad7a7ad16e376aeef7f525b..26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598 100644
590d18 
--- a/install/updates/Makefile.am
590d18 
+++ b/install/updates/Makefile.am
590d18 
@@ -34,6 +34,7 @@ app_DATA =				\
590d18 
 	40-automember.update		\
590d18 
 	40-certprofile.update		\
590d18 
 	40-otp.update			\
590d18 
+	40-vault.update			\
590d18 
 	41-caacl.update			\
590d18 
 	45-roles.update			\
590d18 
 	50-7_bit_check.update	        \
590d18 
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
590d18 
index ff75e0d7a5a0250ce71e67b0302bbaab64c5e935..3930c93fcba06959dd34507ecc29f92e33637775 100644
590d18 
--- a/ipaplatform/base/paths.py
590d18 
+++ b/ipaplatform/base/paths.py
590d18 
@@ -251,7 +251,6 @@ class BasePathNamespace(object):
590d18 
     SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
590d18 
     IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
590d18 
     UPDATES_DIR = "/usr/share/ipa/updates/"
590d18 
-    VAULT_UPDATE = "/usr/share/ipa/vault.update"
590d18 
     PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
590d18 
     CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
590d18 
     VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
590d18 
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
590d18 
index 958fe6fb095e69f83342ce8299d1586b8bbacd47..48268b0be5331cced1aee6b7f3358333b65de6dd 100644
590d18 
--- a/ipaserver/install/krainstance.py
590d18 
+++ b/ipaserver/install/krainstance.py
590d18 
@@ -124,6 +124,7 @@ class KRAInstance(DogtagInstance):
590d18 
         self.step("configure HTTP to proxy connections",
590d18 
                   self.http_proxy)
590d18 
         self.step("add vault container", self.__add_vault_container)
590d18 
+        self.step("apply LDAP updates", self.__apply_updates)
590d18
590d18 
         self.start_creation(runtime=126)
590d18
590d18 
@@ -313,13 +314,17 @@ class KRAInstance(DogtagInstance):
590d18 
         conn.disconnect()
590d18
590d18 
     def __add_vault_container(self):
590d18 
+        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
590d18 
+        self.ldap_disconnect()
590d18 
+
590d18 
+    def __apply_updates(self):
590d18 
         sub_dict = {
590d18 
             'SUFFIX': self.suffix,
590d18 
         }
590d18
590d18 
         ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
590d18 
                                    sub_dict=sub_dict)
590d18 
-        ld.update([paths.VAULT_UPDATE])
590d18 
+        ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
590d18
590d18 
     @staticmethod
590d18 
     def update_cert_config(nickname, cert, dogtag_constants=None):
590d18 
--
590d18 
2.4.3
590d18

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation