Re: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts

2011-01-20 Thread JR Aquino
On 1/19/11 3:31 PM, Simo Sorce sso...@redhat.com wrote:


In order for ipactl to function even when anonymous access is disabled
we need to authenticate.
Use SASL/EXTERNAL to let root get access as a very low-privileged
special user.

Ticket #795

This patch is a replacement for 0061, where I was using SASL/GSSAPI.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK




Re: [Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts

2011-01-20 Thread Rob Crittenden

Simo Sorce wrote:


In order for ipactl to function even when anonymous access is disabled
we need to authenticate.
Use SASL/EXTERNAL to let root get access as a very low-privileged
special user.

Ticket #795

This patch is a replacement for 0061, where I was using SASL/GSSAPI.

Simo.


ack



[Freeipa-devel] [PATCH] 0064 Fix authentication for init scripts

2011-01-19 Thread Simo Sorce

In order for ipactl to function even when anonymous access is disabled
we need to authenticate.
Use SASL/EXTERNAL to let root get access as a very low-privileged
special user.

Ticket #795

This patch is a replacement for 0061, where I was using SASL/GSSAPI.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From e15af881c47f6ce837006805b2f6977fa7354ba9 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 19 Jan 2011 15:17:25 -0500
Subject: [PATCH] Allow SASL/EXTERNAL authentication for the root user

This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of services to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/share/Makefile.am|1 +
 install/share/root-autobind.ldif |   24 
 install/tools/ipactl |5 -
 ipaserver/install/dsinstance.py  |5 +
 4 files changed, 34 insertions(+), 1 deletions(-)
 create mode 100644 install/share/root-autobind.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0fb5c8961fa787f4686e93b4f073d954f78d08b1..4527a922c3c7408ff2563dac6a5db9a2657ae1ba 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -47,6 +47,7 @@ app_DATA =\
 	uuid-ipauniqueid.ldif		\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
+	root-autobind.ldif		\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/root-autobind.ldif b/install/share/root-autobind.ldif
new file mode 100644
index ..e7bbc8dbe430a48d53078cbd585cd479388450de
--- /dev/null
+++ b/install/share/root-autobind.ldif
@@ -0,0 +1,24 @@
+# root-autobind, config
+dn: cn=root-autobind,cn=config
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+cn: root-autobind
+uidNumber: 0
+gidNumber: 0
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapiautobind
+nsslapd-ldapiautobind: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapimaptoentries
+nsslapd-ldapimaptoentries: on
+
+dn: cn=config
+changetype: modify
+replace: nsslapd-ldapientrysearchbase
+nsslapd-ldapientrysearchbase: cn=config
+
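Review bot: the commit message says the mapped root identity gets low privileges, but nothing in this LDIF grants or restricts anything: `cn=root-autobind,cn=config` ends up with whatever ACIs already apply under cn=config, so the header comment `# root-autobind, config` should state which ACI it relies on (at minimum, read access to the services subtree that ipactl searches). `uidNumber: 0` / `gidNumber: 0` is exactly the identity whose access this patch wants kept small, so that needs to be spelled out. Two smaller points: `nsslapd-ldapientrysearchbase: cn=config` together with `nsslapd-ldapimaptoentries: on` makes any entry under cn=config that carries uidNumber/gidNumber a mapping target, so keep that base as narrow as it is here; and the file ends with an added empty line after the last record, which ldapmodify tolerates but which should be dropped.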
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762580fc83503510d387b3e36d67d514de..fc652c9754cf63e8d9d46a3b20866b94df3ab698 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
 from ipalib import api, errors
 import logging
 import ldap
+import ldap.sasl
 import socket
 except ImportError:
 print  sys.stderr, \
@@ -36,6 +37,8 @@ error was:
  % sys.exc_value
 sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
 usage = %prog start|stop|restart|status\n
 parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
 
 try:
 con = ldap.initialize(api.env.ldap_uri)
-con.simple_bind()
+con.sasl_interactive_bind_s('', SASL_EXTERNAL)
 res = con.search_st(base,
 ldap.SCOPE_SUBTREE,
 filterstr=srcfilter,
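Review bot: `con.sasl_interactive_bind_s('', SASL_EXTERNAL)` only produces the autobind identity when `api.env.ldap_uri` is an ldapi:// URI; over ldap:// or ldaps:// there are no socket peer credentials to map (EXTERNAL would then need a TLS client certificate) and the bind fails, so the code should check the URI scheme or fail with a clear message rather than surface a generic bind error from the surrounding try block. Replacing the asynchronous `con.simple_bind()` with a synchronous `_s` call is the right fix.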
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 4fd7a00279c73c5b41e2d7ad5999c1af91eefbf8..5da9d17d4417031920495254ff566ee235234bfb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -208,6 +208,7 @@ class DsInstance(service.Service):
 self.step(creating indices, self.__create_indices)
 self.step(configuring ssl for ds instance, self.__enable_ssl)
 self.step(configuring certmap.conf, self.__certmap_conf)
+self.step(configure autobind for root, self.__root_autobind)
 self.step(restarting directory server, self.__restart_instance)
 
 def __common_post_setup(self):
@@ -729,3 +730,7 @@ class DsInstance(service.Service):
 
 def __tuning(self):
 self.tune_nofile(8192)
+
+def __root_autobind(self):
+self._ldap_mod(root-autobind.ldif)
+
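Review bot: the hunk adds a trailing empty `+` line after `__root_autobind`, leaving a blank line at end of file; drop it. A short comment on `__root_autobind` saying that it applies root-autobind.ldif to cn=config so that root over ldapi maps to `cn=root-autobind` would also help, since the name alone does not say which side (client or server) is being configured.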
-- 
1.7.3.4
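The bind that ipactl performs after this patch, plus a check that the directory server really mapped root to the autobind entry, as an added example (not code from the patch or the FreeIPA tree). It assumes python-ldap for the live bind; the DN comes from root-autobind.ldif above, and the ldapi socket path is a constructed placeholder.

```python
# Added example, not part of the patch: mirrors the SASL/EXTERNAL bind ipactl
# makes over ldapi and checks the identity the directory server assigned.
# python-ldap is needed only for the live bind; the other helpers are offline.
try:
    import ldap
    import ldap.sasl
except ImportError:
    ldap = None

# Entry created by root-autobind.ldif in the patch above.
ROOT_AUTOBIND_DN = "cn=root-autobind,cn=config"


def is_ldapi_uri(uri):
    """EXTERNAL without a client certificate only works over an ldapi://
    socket, where the server reads the peer's uid/gid directly."""
    return uri.lower().startswith("ldapi://")


def parse_whoami(whoami):
    """Reduce a 'Who am I?' result ('dn: ...' or 'u: ...') to the bare
    identity; an empty result means the session is anonymous."""
    if not whoami:
        return ""
    kind, _, value = whoami.partition(":")
    return value.strip() if kind in ("dn", "u") else whoami.strip()


def mapped_to_autobind(whoami, expected_dn=ROOT_AUTOBIND_DN):
    """True when the server mapped this connection to the autobind entry."""
    return parse_whoami(whoami).lower() == expected_dn.lower()


def external_bind_identity(uri):
    """Bind the way the patched ipactl does and return the server's view of
    who we are, refusing non-ldapi URIs up front instead of letting the
    server answer with a generic bind failure."""
    if not is_ldapi_uri(uri):
        raise ValueError("SASL/EXTERNAL autobind needs an ldapi:// URI: %r" % uri)
    if ldap is None:
        raise RuntimeError("python-ldap is required for a live bind")
    con = ldap.initialize(uri)
    con.sasl_interactive_bind_s("", ldap.sasl.sasl({}, "EXTERNAL"))
    return con.whoami_s()


if __name__ == "__main__":
    # Constructed placeholder socket path; pass the instance's real socket.
    import sys
    uri = sys.argv[1] if len(sys.argv) > 1 else "ldapi://%2fvar%2frun%2fslapd-EXAMPLE.socket"
    who = external_bind_identity(uri)
    print("bound as %r, autobind mapping %s" % (who, "OK" if mapped_to_autobind(who) else "NOT applied"))
```

Run it as root on the server: a result other than the autobind DN means the ldif was not applied or the root uid is mapped elsewhere.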
