
[Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts



In order for ipactl to function even when anonymous access is disabled
we need to authenticate.
Use SASL/EXTERNAL to let root get access as a very low privileged
special user.

Ticket #795

This patch is a replacement of 0061 where I was using SASL/GSSAPI

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From e15af881c47f6ce837006805b2f6977fa7354ba9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce redhat com>
Date: Wed, 19 Jan 2011 15:17:25 -0500
Subject: [PATCH] Allow SASL/EXTERNAL authentication for the root user

This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of services to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/share/Makefile.am        |    1 +
 install/share/root-autobind.ldif |   24 ++++++++++++++++++++++++
 install/tools/ipactl             |    5 ++++-
 ipaserver/install/dsinstance.py  |    5 +++++
 4 files changed, 34 insertions(+), 1 deletions(-)
 create mode 100644 install/share/root-autobind.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0fb5c8961fa787f4686e93b4f073d954f78d08b1..4527a922c3c7408ff2563dac6a5db9a2657ae1ba 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -47,6 +47,7 @@ app_DATA =				\
 	uuid-ipauniqueid.ldif		\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
+	root-autobind.ldif		\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..e7bbc8dbe430a48d53078cbd585cd479388450de
--- /dev/null
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+
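Review bot: Nothing in this file bounds what cn=root-autobind,cn=config may read: the entry carries only uidNumber/gidNumber, so whatever access it ends up with comes from existing ACIs that apply to authenticated non-anonymous binds, and that dependency is invisible here. Setting nsslapd-ldapientrysearchbase to cn=config also means any other entry placed under cn=config with uidNumber/gidNumber attributes would become an autobind identity for that local uid/gid (as far as I read the mapping semantics; worth confirming against the 389-ds documentation). I would replace the one-word header comment with one that records both facts, e.g. `# root-autobind: local uid/gid 0 on the ldapi socket binds as this entry; its rights come only from existing ACIs matching authenticated binds - keep it the only uidNumber/gidNumber entry under cn=config`.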
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762580fc83503510d387b3e36d67d514de..fc652c9754cf63e8d9d46a3b20866b94df3ab698 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
     from ipalib import api, errors
     import logging
     import ldap
+    import ldap.sasl
     import socket
 except ImportError:
     print >> sys.stderr, """\
@@ -36,6 +37,8 @@ error was:
 """ % sys.exc_value
     sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
     usage = "%prog start|stop|restart|status\n"
     parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
 
     try:
         con = ldap.initialize(api.env.ldap_uri)
-        con.simple_bind()
+        con.sasl_interactive_bind_s('', SASL_EXTERNAL)
         res = con.search_st(base,
                             ldap.SCOPE_SUBTREE,
                             filterstr=srcfilter,
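Review bot: The replaced bind on the `con.sasl_interactive_bind_s('', SASL_EXTERNAL)` line only yields the root-autobind identity when api.env.ldap_uri is an ldapi:// URI, which the hunk does not state; over ldap:// or ldaps:// SASL/EXTERNAL would instead rely on a TLS client certificate and the bind would presumably fail before the search runs. The except clause that handles such a failure lies outside the hunk (get_config continues past these lines), so a reader here cannot see how the error surfaces. A comment on the bind line would make the assumption explicit, e.g. `# SASL/EXTERNAL over the ldapi socket: the server maps our uid to the autobind entry (see root-autobind.ldif)`. If the URI can be configured to something other than ldapi://, a guard such as `if not api.env.ldap_uri.startswith('ldapi://'):` with a clear error before the bind would give a better message than the generic LDAP failure.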
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 4fd7a00279c73c5b41e2d7ad5999c1af91eefbf8..5da9d17d4417031920495254ff566ee235234bfb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -208,6 +208,7 @@ class DsInstance(service.Service):
         self.step("creating indices", self.__create_indices)
         self.step("configuring ssl for ds instance", self.__enable_ssl)
         self.step("configuring certmap.conf", self.__certmap_conf)
+        self.step("configure autobind for root", self.__root_autobind)
         self.step("restarting directory server", self.__restart_instance)
 
     def __common_post_setup(self):
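Review bot: The new step label `"configure autobind for root"` breaks the progressive-tense pattern of the neighbouring labels ("creating indices", "configuring ssl for ds instance", "configuring certmap.conf"), which shows if these labels are printed during installation. I would change the added line to `self.step("configuring autobind for root", self.__root_autobind)`. The method that registers these steps starts before the hunk.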
@@ -729,3 +730,7 @@ class DsInstance(service.Service):
 
     def __tuning(self):
         self.tune_nofile(8192)
+
+    def __root_autobind(self):
+        self._ldap_mod("root-autobind.ldif")
+
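Review bot: __root_autobind has no docstring, and its one-line body hides that it changes how the server authenticates local clients rather than just loading data. I would add `"""Apply root-autobind.ldif: enable ldapi autobind and entry mapping so the local root user binds as cn=root-autobind,cn=config instead of anonymously."""` as the method docstring. It is registered before the "restarting directory server" step in the earlier hunk, which I take to be deliberate so the cn=config changes are in effect once the instance comes back; a brief comment saying so would keep a later reorder from breaking it.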
-- 
1.7.3.4

