Hello community,

here is the log from the commit of package yast2-auth-server for 
openSUSE:Factory checked in at 2014-03-21 12:14:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-auth-server (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-auth-server.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-auth-server"

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-auth-server/yast2-auth-server.changes      
2014-02-21 13:48:18.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-auth-server.new/yast2-auth-server.changes 
2014-03-21 12:14:07.000000000 +0100
@@ -1,0 +2,14 @@
+Fri Mar 14 11:10:21 UTC 2014 - [email protected]
+
+- use same password for LDAP and Kerberos stash
+- 3.1.6
+
+-------------------------------------------------------------------
+Thu Mar 13 15:41:40 UTC 2014 - [email protected]
+
+- kerberos: use ldapi for communication
+- add SUSE objects to the database
+- fix LDAP ACLs
+- 3.1.5
+
+-------------------------------------------------------------------
@@ -12,0 +27,2 @@
+
+-------------------------------------------------------------------

Old:
----
  yast2-auth-server-3.1.4.tar.bz2

New:
----
  yast2-auth-server-3.1.6.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-auth-server.spec ++++++
--- /var/tmp/diff_new_pack.I5it16/_old  2014-03-21 12:14:08.000000000 +0100
+++ /var/tmp/diff_new_pack.I5it16/_new  2014-03-21 12:14:08.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-auth-server
-Version:        3.1.4
+Version:        3.1.6
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

++++++ yast2-auth-server-3.1.4.tar.bz2 -> yast2-auth-server-3.1.6.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-auth-server-3.1.4/package/yast2-auth-server.changes 
new/yast2-auth-server-3.1.6/package/yast2-auth-server.changes
--- old/yast2-auth-server-3.1.4/package/yast2-auth-server.changes       
2014-02-14 13:30:05.000000000 +0100
+++ new/yast2-auth-server-3.1.6/package/yast2-auth-server.changes       
2014-03-14 13:34:39.000000000 +0100
@@ -1,4 +1,18 @@
 -------------------------------------------------------------------
+Fri Mar 14 11:10:21 UTC 2014 - [email protected]
+
+- use same password for LDAP and Kerberos stash
+- 3.1.6
+
+-------------------------------------------------------------------
+Thu Mar 13 15:41:40 UTC 2014 - [email protected]
+
+- kerberos: use ldapi for communication
+- add SUSE objects to the database
+- fix LDAP ACLs
+- 3.1.5
+
+-------------------------------------------------------------------
 Fri Feb 14 10:39:49 UTC 2014 - [email protected]
 
 - adapt to ldap.conf SCR agent namechange
@@ -11,6 +25,8 @@
 - rename ldap-server.rnc autoyast profile to auth-server.rnc
 - replace deprecated Service calls
 
+-------------------------------------------------------------------
+
 Fri Jan 31 23:44:25 UTC 2014 - [email protected]
 
 - Fix the requirement yast2-ldap-client -> yast2-ldap 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-auth-server-3.1.4/package/yast2-auth-server.spec 
new/yast2-auth-server-3.1.6/package/yast2-auth-server.spec
--- old/yast2-auth-server-3.1.4/package/yast2-auth-server.spec  2014-02-14 
13:30:05.000000000 +0100
+++ new/yast2-auth-server-3.1.6/package/yast2-auth-server.spec  2014-03-14 
13:34:39.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-auth-server
-Version:        3.1.4
+Version:        3.1.6
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-auth-server-3.1.4/src/include/auth-server/dialogs.rb 
new/yast2-auth-server-3.1.6/src/include/auth-server/dialogs.rb
--- old/yast2-auth-server-3.1.4/src/include/auth-server/dialogs.rb      
2014-02-14 13:30:05.000000000 +0100
+++ new/yast2-auth-server-3.1.6/src/include/auth-server/dialogs.rb      
2014-03-14 13:34:39.000000000 +0100
@@ -501,18 +501,6 @@
                 Opt(:hstretch),
                 _("R&ealm"),
                 AuthServer.ReadKerberosRealm
-              ),
-              Password(
-                Id(:pw1),
-                Opt(:hstretch),
-                Label.Password,
-                AuthServer.ReadKerberosPassword
-              ),
-              Password(
-                Id(:pw2),
-                Opt(:hstretch),
-                Label.ConfirmPassword,
-                AuthServer.ReadKerberosPassword
               )
             )
           ),
@@ -564,29 +552,7 @@
             AuthServer.WriteKerberosDBvalue("key_stash_file", newstash)
           end
 
-          # --------------------------------- password checks
-          pw1 = Convert.to_string(UI.QueryWidget(Id(:pw1), :Value))
-          pw2 = Convert.to_string(UI.QueryWidget(Id(:pw2), :Value))
-
-          if pw1 != pw2
-            # The two user password information do not match
-            # error popup
-            Report.Error(_("The passwords do not match.\nTry again."))
-            UI.SetFocus(Id(:pw1))
-            next
-          end
-
           AuthServer.WriteKerberosRealm(realm)
-          AuthServer.WriteKerberosPassword(pw1)
-
-          if AuthServer.ReadKerberosEnabled
-            if ret == :next && pw1 == ""
-              # Error popup
-              Report.Error(_("Empty password is not allowed."))
-              UI.SetFocus(Id(:pw1))
-              next
-            end
-          end
 
           break
         elsif ret == :rb_yes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-auth-server-3.1.4/src/modules/AuthServer.pm 
new/yast2-auth-server-3.1.6/src/modules/AuthServer.pm
--- old/yast2-auth-server-3.1.4/src/modules/AuthServer.pm       2014-02-14 
13:30:05.000000000 +0100
+++ new/yast2-auth-server-3.1.6/src/modules/AuthServer.pm       2014-03-14 
13:34:39.000000000 +0100
@@ -67,6 +67,70 @@
 my $ldapi_interfaces = "";
 my $ldaps_interfaces = "";
 my $ldap_interfaces = "";
+
+my $suseObjects = [
+        {"ou=group" => {
+                        "objectClass" => [ "organizationalUnit", "top" ],
+                        "ou"  => "group"
+        }},
+        {"ou=people" => {
+                        "objectClass" => [ "organizationalUnit", "top" ],
+                        "ou"  => "people"
+        }},
+        {"ou=ldapconfig" => {
+                        "objectClass" => [ "organizationalUnit", "top" ],
+                        "ou"  => "ldapconfig"
+        }},
+        {"cn=userconfiguration,ou=ldapconfig"  => {
+          "objectClass"           => [
+            "top",
+            "suseModuleConfiguration",
+            "suseUserConfiguration"
+          ],
+          "suseSearchFilter"      => ["objectClass=posixAccount"],
+          "susePasswordHash"      => ["SSHA"],
+          "suseSkelDir"           => ["/etc/skel"],
+          "suseMinUniqueId"       => ["1000"],
+          "suseNextUniqueId"      => ["1000"],
+          "suseMaxUniqueId"       => ["60000"],
+          "suseMinPasswordLength" => ["5"],
+          "suseMaxPasswordLength" => ["8"]
+        }},
+        {"cn=groupconfiguration,ou=ldapconfig" => {
+          "objectClass"           => [
+            "top",
+            "suseModuleConfiguration",
+            "suseGroupConfiguration"
+          ],
+          "suseSearchFilter" => ["objectClass=posixGroup"],
+          "suseMinUniqueId"  => ["1000"],
+          "suseNextUniqueId" => ["1000"],
+          "suseMaxUniqueId"  => ["60000"]
+        }},
+        {"cn=usertemplate,ou=ldapconfig"       => {
+          "objectClass"         => [
+            "top",
+            "suseObjectTemplate",
+            "suseUserTemplate"
+          ],
+          "suseNamingAttribute" => ["uid"],
+          "suseDefaultValue"    => [
+            "homeDirectory=/home/%uid",
+            "loginShell=/bin/bash"
+          ],
+          "susePlugin"          => ["UsersPluginLDAPAll"]
+        }},
+        {"cn=grouptemplate,ou=ldapconfig"      => {
+          "objectClass"         => [
+            "top",
+            "suseObjectTemplate",
+            "suseGroupTemplate"
+          ],
+          "suseNamingAttribute" => ["cn"],
+          "susePlugin"          => ["UsersPluginLDAPAll"]
+       }}
+];
+
 my $defaultDbAcls = [
         {
             'target' => {
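Review bot: The defaults seeded for `cn=userconfiguration,ou=ldapconfig` set `suseMinPasswordLength` to "5" and `suseMaxPasswordLength` to "8"; if the user-management client enforces these attributes (not visible here), every account created through it is limited to passwords of five to eight characters. I would raise both bounds, for example `"suseMinPasswordLength" => ["8"],` and `"suseMaxPasswordLength" => ["72"],` (values constructed for illustration, to be set by site policy). A comment above `$suseObjects` should say that these are first-install defaults written under each new database suffix. `susePasswordHash` of `SSHA` is salted SHA-1, so a comment noting that a stronger scheme should be chosen where the server supports one would also help. The hunk ends inside `$defaultDbAcls`, which continues outside it.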
@@ -258,7 +322,6 @@
 my $foundDB = 0;
 my $dbtype = "ldap";
 my $dbrealm = undef;
-my $dbPassword = undef;
 my $kerberosDB = {};
 
 my @schema = ();
@@ -722,19 +785,7 @@
 {
     my $self = shift;
 
-    if ( $self->ReadProtocolListenerEnabled("ldaps") )
-    {
-        $self->WriteKerberosLdapDBvalue("ldap_servers", "ldaps://");
-    }
-    elsif ( $self->ReadProtocolListenerEnabled("ldapi") )
-    {
-        $self->WriteKerberosLdapDBvalue("ldap_servers", "ldapi://");
-    }
-    elsif ( $self->ReadProtocolListenerEnabled("ldap") )
-    {
-        $self->WriteKerberosLdapDBvalue("ldap_servers", "ldap://";);
-    }
-
+    $self->WriteKerberosLdapDBvalue("ldap_servers", "ldapi://");
     $self->WriteKerberosLdapDBvalue("ldap_kerberos_container_dn", 
"cn=krbContainer,".$dbDefaults{'suffix'});
     $self->WriteKerberosLdapDBvalue("ldap_kdc_dn", $dbDefaults{'rootdn'});
     $self->WriteKerberosLdapDBvalue("ldap_kadmind_dn", $dbDefaults{'rootdn'});
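Review bot: `ldap_servers` is now written as `ldapi://` unconditionally, whereas the removed branch chose it only when `ReadProtocolListenerEnabled("ldapi")` was true, so a configuration with the ldapi listener disabled would leave the KDC and kadmind without a reachable directory. Keeping this traffic on the local socket is the safer transport; what is missing is a guard such as `y2error("ldapi listener is disabled; Kerberos backend cannot connect") unless $self->ReadProtocolListenerEnabled("ldapi");`, or enabling the listener at this point. A short comment stating why ldapi is forced (the bind credentials never cross the network) would help the next reader. The sub's header and the rest of its body are outside the hunk.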
@@ -1170,6 +1221,42 @@
     return 1;
 }
 
+sub CreateSUSEObjects()
+{
+    my $self = shift;
+    my $ldapERR;
+    my $useKerberos = $self->ReadKerberosEnabled();
+
+    foreach my $db (@added_databases )
+    {
+        y2milestone("creating SUSE objects for ". $db );
+
+        my $db_auth = $self->ReadAuthInfo( $db );
+        if (! SCR->Execute(".ldap.bind", {"bind_dn" => $db_auth->{'bind_dn'},
+                                          "bind_pw" => $db_auth->{'bind_pw'}}) 
) {
+            $ldapERR = SCR->Read(".ldap.error");
+            y2error( "LDAP bind failed" );
+            y2error( $ldapERR->{'code'}." : ".$ldapERR->{'msg'});
+            return 0;
+        }
+
+        foreach my $object (@{$suseObjects})
+        {
+            my ($key, $value) = each(%$object);
+            if ($key =~ /cn=usertemplate/ && $useKerberos)
+            {
+                push (@{$value->{'susePlugin'}}, 'UsersPluginKerberos');
+            }
+            if (! SCR->Write(".ldap.add", { dn => "$key,$db" } , $value)) {
+                $ldapERR = SCR->Read(".ldap.error");
+                y2error("Can not add $key entry.");
+                y2error( $ldapERR->{'code'}." : ".$ldapERR->{'msg'});
+            }
+        }
+    }
+    return;
+}
+
 sub CreateBaseObjects()
 {
     my $self = shift;
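Review bot: `my ($key, $value) = each(%$object);` reads a one-key hash through its iterator, so the second time the same element of `$suseObjects` is visited (a second entry in `@added_databases`, or a second call) `each` returns an empty list and the add is attempted with an undefined DN and entry. The `push` onto `$value->{'susePlugin'}` also modifies the module-level template, so `UsersPluginKerberos` accumulates on repeated runs. Success ends in a bare `return;` while a failed bind returns 0, both false, and the two call sites added further down this diff ignore the result, so a failed bind or add is only logged. The inner loop below takes the key with `keys`, works on a copy and reports failure; a header comment on the sub stating that it binds with the stored credentials of each new database would also help. `CreateBaseObjects` at the end of the hunk continues outside it.

```perl
    my $ok = 1;
    # … unchanged: loop over @added_databases, bind and bind-error handling …
        foreach my $object (@{$suseObjects})
        {
            # keys() restarts the iterator, so each pass sees the single DN key
            my ($key) = keys %$object;
            # copy the template; the module-level data stays untouched
            my %entry = %{ $object->{$key} };
            if ($key =~ /cn=usertemplate/ && $useKerberos)
            {
                $entry{'susePlugin'} = [ @{$entry{'susePlugin'}}, 'UsersPluginKerberos' ];
            }
            if (! SCR->Write(".ldap.add", { dn => "$key,$db" } , \%entry)) {
                # … unchanged: read .ldap.error and log it …
                $ok = 0;
            }
        }
    }
    return $ok;
```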
@@ -1641,6 +1728,7 @@
             SCR->Write(".ldap_conf", "force" );
         }
         $self->CreateBaseObjects();
+        $self->CreateSUSEObjects();
         if ( $setupSyncreplMaster )
         {
             $self->CreateSyncReplAccount();
@@ -1834,6 +1922,7 @@
             Progress->Finish();
             return 0;
         }
+        $self->CreateSUSEObjects();
         Progress->NextStage();
         if ( ! $self->CreatePpolicyObjects() )
         {
@@ -2817,11 +2906,12 @@
 
         # add default ACLs
         $rc = SCR->Write(".ldapserver.database.{-1}.acl", $defaultGlobalAcls );
-        $rc = SCR->Write(".ldapserver.database.{1}.acl", $defaultDbAcls );
        if ( $self->ReadKerberosEnabled() )
         {
-            $rc = SCR->Write(".ldapserver.database.{1}.acl", $krb5acl );
-        }
+            $rc = SCR->Write(".ldapserver.database.{1}.acl", [ @$krb5acl, 
@$defaultDbAcls] );
+        } else {
+            $rc = SCR->Write(".ldapserver.database.{1}.acl", $defaultDbAcls );
+       }
         push @added_databases, $dbDefaults{'suffix'};
         $self->WriteAuthInfo( $dbDefaults{'suffix'}, 
                             { bind_dn => $dbDefaults{'rootdn'},
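Review bot: The order of `[ @$krb5acl, @$defaultDbAcls ]` is load-bearing, since slapd applies the first `access to` clause that matches, and nothing in the hunk says so; a comment such as `# krb5 ACLs must precede the defaults: slapd stops at the first matching clause` would keep a later edit from reordering them. `$rc` from the `{-1}` global ACL write is overwritten by the database write without being tested in the visible lines, so a failed ACL write may pass unnoticed and leave the database on the server's default access rules; each result should be checked before `push @added_databases`. The new `if`/`else` lines are also indented one column short of their neighbours. The enclosing sub starts and ends outside the hunk.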
@@ -3099,23 +3189,6 @@
     $kerberosDB->{$key} = $value;
 }
 
-BEGIN { $TYPEINFO {ReadKerberosPassword} = ["function", "string"]; }
-sub ReadKerberosPassword
-{
-    if(defined $dbPassword)
-    {
-        return $dbPassword;
-    }
-    return "";
-}
-
-BEGIN { $TYPEINFO {WriteKerberosPassword} = ["function", "void", "string"]; }
-sub WriteKerberosPassword
-{
-    my $self = shift;
-    $dbPassword = shift;
-}
-
 BEGIN { $TYPEINFO {ReadKdbvalue} = ["function", "string", "string"]; }
 sub ReadKdbvalue
 {
@@ -3397,9 +3470,10 @@
         return 0;
     };
 
+    # use same password for LDAP and Kerberos stash
     print IN "$ldapkadmpw\n";   # LDAP Administrator Password
-    print IN "$dbPassword\n";   # stash password
-    print IN "$dbPassword\n";   # verify stash password
+    print IN "$ldapkadmpw\n";   # stash password
+    print IN "$ldapkadmpw\n";   # verify stash password
 
     close IN;
     my $out = "";
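Review bot: With the dialog's empty-password check removed elsewhere in this diff, nothing in the visible lines ensures `$ldapkadmpw` is defined and non-empty before it is sent three times as the LDAP administrator password and the stash password. Whether it is validated earlier cannot be seen from here; if not, a guard such as `return 0 if !defined $ldapkadmpw || $ldapkadmpw eq "";` belongs before the pipe is opened, above this hunk. The new comment should also record the consequence of the reuse, e.g. `# stash password equals the LDAP admin password: changing one does not change the other`. The `print IN` calls are unchecked, so a child that exits early is noticed only later, if at all. The enclosing sub starts and ends outside the hunk.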
