In order for ipactl to function even when anonymous access is disabled we need to authenticate. Use SASL/EXTERNAL to let root get access as a very low privileged special user.
Ticket #795. This patch is a replacement of 0061, where I was using SASL/GSSAPI. Simo. -- Simo Sorce * Red Hat, Inc * New York
>From e15af881c47f6ce837006805b2f6977fa7354ba9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Wed, 19 Jan 2011 15:17:25 -0500
Subject: [PATCH] Allow SASL/EXTERNAL authentication for the root user

This gives the root user low privileges so that when anonymous searches are denied the init scripts can still search the directory via ldapi to get the list of serevices to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/share/Makefile.am | 1 +
 install/share/root-autobind.ldif | 24 ++++++++++++++++++++++++
 install/tools/ipactl | 5 ++++-
 ipaserver/install/dsinstance.py | 5 +++++
 4 files changed, 34 insertions(+), 1 deletions(-)
 create mode 100644 install/share/root-autobind.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0fb5c8961fa787f4686e93b4f073d954f78d08b1..4527a922c3c7408ff2563dac6a5db9a2657ae1ba 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -47,6 +47,7 @@ app_DATA = \
 	uuid-ipauniqueid.ldif \
 	modrdn-krbprinc.ldif \
 	entryusn.ldif \
+	root-autobind.ldif \
 	$(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..e7bbc8dbe430a48d53078cbd585cd479388450de
--- /dev/null
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762580fc83503510d387b3e36d67d514de..fc652c9754cf63e8d9d46a3b20866b94df3ab698 100755
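Review bot: The new `cn=root-autobind,cn=config` entry carries `uidNumber: 0` / `gidNumber: 0` but nothing in the ldif states what that identity may read, so the "low privileged" claim in the commit message rests on ACIs that live outside this patch. Replacing the bare `# root-autobind, config` header with something like `# Maps the local root account (uid 0 / gid 0) connecting over ldapi to this entry. It defines no ACIs of its own; its effective rights are whatever the existing ACIs grant a non-anonymous bind — keep it that narrow.` would tell the next reader where to look. Turning on `nsslapd-ldapimaptoentries` with `nsslapd-ldapientrysearchbase: cn=config` also means any future entry under cn=config that gains uidNumber/gidNumber becomes an autobind target for the matching local account, which is worth a one-line comment as a constraint. The ldif presumably relies on the server's default uid/gid mapping attribute names rather than setting them; if that is deliberate, say so in the header.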
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
     from ipalib import api, errors
     import logging
     import ldap
+    import ldap.sasl
     import socket
 except ImportError:
     print >> sys.stderr, """\
@@ -36,6 +37,8 @@ error was:
 """ % sys.exc_value
     sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
     usage = "%prog start|stop|restart|status\n"
     parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
     try:
         con = ldap.initialize(api.env.ldap_uri)
-        con.simple_bind()
+        con.sasl_interactive_bind_s('', SASL_EXTERNAL)
         res = con.search_st(base, ldap.SCOPE_SUBTREE,
                             filterstr=srcfilter,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 4fd7a00279c73c5b41e2d7ad5999c1af91eefbf8..5da9d17d4417031920495254ff566ee235234bfb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -208,6 +208,7 @@ class DsInstance(service.Service):
         self.step("creating indices", self.__create_indices)
         self.step("configuring ssl for ds instance", self.__enable_ssl)
         self.step("configuring certmap.conf", self.__certmap_conf)
+        self.step("configure autobind for root", self.__root_autobind)
         self.step("restarting directory server", self.__restart_instance)
 
     def __common_post_setup(self):
@@ -729,3 +730,7 @@ class DsInstance(service.Service):
 
     def __tuning(self):
         self.tune_nofile(8192)
+
+    def __root_autobind(self):
+        self._ldap_mod("root-autobind.ldif")
+
-- 
1.7.3.4
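Review bot: `con.sasl_interactive_bind_s('', SASL_EXTERNAL)` is synchronous, unlike the `con.simple_bind()` it replaces, so a bind failure now raises inside the `try:` of get_config instead of surfacing at the later search; the except clauses sit outside the hunk, so check that they report this case rather than lumping it in with a search timeout. EXTERNAL yields the root-autobind identity only when ipactl runs as root over an ldapi:// URI, and `api.env.ldap_uri` is not checked here — with an ldap:// URI or a non-root caller the bind presumably fails with a generic LDAP error and no hint about the real precondition. A comment above the bind would at least record the contract: `# SASL/EXTERNAL over ldapi: the server maps our uid 0 to cn=root-autobind,cn=config; requires root and an ldapi:// ldap_uri`. Better still, a preceding check of the URI scheme with a clear message, so the operator learns why ipactl cannot read the service list. The rest of get_config lies outside the hunk.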
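Review bot: The new step label `"configure autobind for root"` breaks the gerund form every neighbouring step uses (`"creating indices"`, `"configuring ssl for ds instance"`, `"configuring certmap.conf"`); since these labels are what the installer prints, `self.step("configuring autobind for root", self.__root_autobind)` keeps the output uniform. The second dsinstance.py hunk adds a trailing blank line after `__root_autobind` at end of file, which linters will flag. `__root_autobind` could also carry a one-line docstring saying it applies root-autobind.ldif to cn=config and is ordered before the restart step, which the changed ldapi settings presumably need to take effect.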
