Just like the krbPrincipalName attribute, we want to let the KDC read
the krbCanonicalName, if it's set, and we want it to be unique as well.

Nalin
>From ff32dfe1f68a3ec20d247adbe042307eeb919e6b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin.dahyab...@pobox.com>
Date: Thu, 4 Feb 2010 11:02:49 -0500
Subject: [PATCH 1/2] - allow the KDC to read krbCanonicalName

---
 install/share/default-aci.ldif |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 9c058ae..3f74690 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -10,7 +10,7 @@ aci: (targetattr = "userPassword || krbPrincipalKey || 
sambaLMPassword || sambaN
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || 
sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service 
can read/write passwords"; allow (read, write) 
userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration 
|| sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl 
"KDC System Account can access passwords"; allow (all) 
userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
 aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || 
krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some 
fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
-aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbMKey || 
krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange 
|| krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || 
krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC 
System Account has access to kerberos material"; allow (read, search, compare) 
userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
+aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || 
krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || 
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || 
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || 
krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 
3.0; acl "Only the KDC System Account has access to kerberos material"; allow 
(read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
 aci: (targetfilter = 
"(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr
 != "aci || userPassword || krbPrincipalKey || sambaLMPassword || 
sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can 
manage Users and Groups"; allow (add, delete, read, write) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife 
|| krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || 
krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; 
allow (read, search, compare, write) groupdn = 
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "givenName || sn || cn || displayName || title || initials 
|| loginShell || gecos || homePhone || mobile || pager || 
facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st 
|| postalCode || manager || secretary || description || carLicense || 
labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory 
|| ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)
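Review bot: The new ACI grants the KDC only read, search and compare on krbCanonicalName, and within this hunk the sole grant that can write it is the "Account Admins can manage Users and Groups" ACI, whose `targetattr != "aci || userPassword || …"` exclusion list does not name it; the "Self service" ACI does not list it either, so an ordinary user cannot set a canonical name on their own entry. Since the canonical name presumably governs which principal name the KDC ends up issuing, it would be worth stating in the commit message that write access is deliberately limited to admins. The same consideration applies to the cn=services hunk below, where the KDC additionally gets write on the attribute. Separately, the aci values here and in the second hunk are broken across physical lines with no LDIF leading-space continuation and no `+`/space marker on the continuation lines, which looks like mail-client wrapping; please confirm the posted patches apply cleanly with git am, or attach them unwrapped.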
@@ -35,7 +35,7 @@ aci: (targetfilter = 
"(objectClass=radiusprofile)")(targetattr != "aci || userPa
 dn: cn=services,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || 
krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || 
krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange 
|| krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; 
allow (read, search, compare, write) 
userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
+aci: (targetattr="krbPrincipalName || krbCanonicalName || krbUPEnabled || 
krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || 
krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || 
krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || 
krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, 
compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
 
 # Define which hosts can edit services
 dn: cn=services,cn=accounts,$SUFFIX
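Review bot: At cn=services the KDC is granted `allow (read, search, compare, write)` on krbCanonicalName, whereas the suffix-level ACI in the previous hunk is read-only; this mirrors how krbPrincipalName is already treated, but the cover note only says the KDC needs to read the attribute. If the KDC never writes canonical names, a least-privilege option is to keep krbCanonicalName out of this write-capable list and rely on the read-only suffix ACI alone; if it does need write here, a one-line `# KDC must be able to set krbCanonicalName on service principals` comment above the aci would record why. The entry at cn=services continues past the end of this hunk.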
-- 
1.6.6.1

>From 6edabfa2ccc3ca9216108e301f553da83c9aa9ad Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin.dahyab...@pobox.com>
Date: Thu, 4 Feb 2010 11:07:48 -0500
Subject: [PATCH 2/2] - also ensure that krbCanonicalName is unique

---
 install/share/unique-attributes.ldif |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/install/share/unique-attributes.ldif 
b/install/share/unique-attributes.ldif
index 764c632..7cc684d 100644
--- a/install/share/unique-attributes.ldif
+++ b/install/share/unique-attributes.ldif
@@ -16,6 +16,24 @@ nsslapd-pluginVersion: 1.1.0
 nsslapd-pluginVendor: Fedora Project
 nsslapd-pluginDescription: Enforce unique attribute values
 
+dn: cn=krbCanonicalName uniqueness,cn=plugins,cn=config
+changetype: add
+objectClass: top
+objectClass: nsSlapdPlugin
+objectClass: extensibleObject
+cn: krbCanonicalName uniqueness
+nsslapd-pluginPath: libattr-unique-plugin
+nsslapd-pluginInitfunc: NSUniqueAttr_Init
+nsslapd-pluginType: preoperation
+nsslapd-pluginEnabled: on
+nsslapd-pluginarg0: krbCanonicalName
+nsslapd-pluginarg1: $SUFFIX
+nsslapd-plugin-depends-on-type: database
+nsslapd-pluginId: NSUniqueAttr
+nsslapd-pluginVersion: 1.1.0
+nsslapd-pluginVendor: Fedora Project
+nsslapd-pluginDescription: Enforce unique attribute values
+
 dn: cn=netgroup uniqueness,cn=plugins,cn=config
 changetype: add
 objectClass: top
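Review bot: The new NSUniqueAttr instance is configured with a single attribute (`nsslapd-pluginarg0: krbCanonicalName`), and as far as I recall the attribute-uniqueness plugin only compares values of that one attribute against each other; it would not reject a krbCanonicalName that equals another entry's krbPrincipalName or krbPrincipalAliases value. If the intent is that no two entries can claim the same principal name under any of these attributes, that needs enforcement beyond this entry, and the limitation should be recorded. A comment above the entry, such as `# Enforces uniqueness of krbCanonicalName values only; it does not check them against krbPrincipalName`, would make the scope explicit to the next reader.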
-- 
1.6.6.1
