Bug 244749
Description
Noriko Hosoi
2007-06-18 21:27:51 UTC
Created attachment 157336 [details]
cvs diff 01nsroot.ldif.tmpl 20asdata.ldif.tmpl
Files:
adminserver/admserv/schema/ldif/
01nsroot.ldif.tmpl
20asdata.ldif.tmpl
Changes:
Adding ACIs to allow the Admin users to access subtrees under
o=NetscapeRoot
Ok. Will there be another bug/diff for the pass through auth config and acis that need to be added to the directory server in order for it to be managed by the configuration ds?

(In reply to comment #2)
> Ok.
> Will there be another bug/diff for the pass through auth config and acis that
> need to be added to the directory server in order for it to be managed by the
> configuration ds?

Thank you, Rich. Actually, this is just the beginning. More changes are coming... :) Nathan and I are working together to make the Admin Server start as root/nobody combination. And this change was needed immediately.

Created attachment 157497 [details]
cvs diffs
Modified Files:
ldapserver/ldap/admin/src/scripts/Util.pm.in
adminserver/admserv/schema/ldif/00nsroot_backend.ldif.tmpl
01nsroot.ldif.tmpl
20asdata.ldif.tmpl
New Files:
adminserver/admserv/schema/ldif/12dsconfig.mod.tmpl
13dsschema.mod.tmpl
Description:
1) updated check_and_add_entry to support ldifmodify format.
plus added minor fixes for comparing entries
2) adding ACIs to o=netscaperoot, cn=config, and cn=schema to allow the Admin
CGIs/Console to access the server configuration info.
Note: it still gives the access right to the SIE Group on o=netscaperoot,
cn=config, and cn=schema:
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
"ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
Can we just remove the ACI? Could it cause any problems for the Admin
CGIs/Console?
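The ACI quoted in the comment above grants the SIE Group every right on every attribute, and the later discussion points out that membership of that group is what actually controls who receives those rights. The following is an added example, not code from this bug or from the adminserver/ldapserver projects: a small Python parser for ACIs of the simple target/permission/bind-rule shape used here, plus a review function that lists the breadth of the grant. The regular expressions, the `Aci` dataclass and the finding texts are assumptions of this example; the sample ACI is the one from the comment with its `%...%` template placeholders left in place.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "SIE Group" ACI quoted in this bug, with the %...%
# placeholders left exactly as they appear in the .ldif.tmpl templates.
SIE_GROUP_ACI = (
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = '
    '"ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, '
    'cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)'
)


@dataclass
class Aci:
    name: str
    targetattr: list          # attribute names from targetattr, ["*"] for all
    target_negated: bool      # True for (targetattr != "...")
    permission: str           # "allow" or "deny"
    rights: list              # e.g. ["all"] or ["read", "search"]
    bind_keyword: str         # "groupdn", "userdn", ...
    bind_value: str           # the LDAP URL the bind rule matches


# Assumed grammar for this example: one targetattr clause, one acl name,
# one permission with a single bind rule.
TARGET_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')
ACL_RE = re.compile(r'acl\s+"([^"]*)"')
PERM_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"')


def parse_aci(text):
    """Parse one ACI of the simple target / permission / bind-rule shape used on
    this page. Anything else (several bind rules, targetfilter, ...) raises."""
    t, a, p = TARGET_RE.search(text), ACL_RE.search(text), PERM_RE.search(text)
    if not (t and a and p):
        raise ValueError("unsupported ACI syntax: " + text)
    return Aci(
        name=a.group(1),
        targetattr=[x.strip() for x in t.group(2).split("||")],
        target_negated=(t.group(1) == "!="),
        permission=p.group(1),
        rights=[r.strip().lower() for r in p.group(2).split(",")],
        bind_keyword=p.group(3).lower(),
        bind_value=p.group(4),
    )


def review(aci):
    """Findings about the breadth of an allow grant, as a reviewer would list them."""
    findings = []
    if aci.permission != "allow":
        return findings
    if "all" in aci.rights:
        findings.append("grants all rights, including write, delete and proxy")
    if aci.targetattr == ["*"] and not aci.target_negated:
        findings.append("covers every attribute of the target entries")
    if aci.bind_keyword == "groupdn":
        group = aci.bind_value.partition("///")[2] or aci.bind_value
        findings.append("membership of " + group + " is what controls these rights")
    return findings


if __name__ == "__main__":
    parsed = parse_aci(SIE_GROUP_ACI)
    print(parsed.name, parsed.permission, parsed.rights, parsed.bind_keyword)
    for finding in review(parsed):
        print(" -", finding)
```

Run against the SIE Group ACI, `review` reports all three findings; the useful operational consequence is the one Rich describes below: because the subject is a groupdn, auditing that group's membership is the same as auditing who can administer these entries.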
(In reply to comment #4)
> Created an attachment (id=157497) [edit]
> cvs diffs
>
> Modified Files:
> ldapserver/ldap/admin/src/scripts/Util.pm.in
> adminserver/admserv/schema/ldif/00nsroot_backend.ldif.tmpl
> 01nsroot.ldif.tmpl
> 20asdata.ldif.tmpl
> New Files:
> adminserver/admserv/schema/ldif/12dsconfig.mod.tmpl
> 13dsschema.mod.tmpl
>
> Description:
> 1) updated check_and_add_entry to support ldifmodify format.
> plus added minor fixes for comparing entries
> 2) adding ACIs to o=netscaperoot, cn=config, and cn=schema to allow the Admin
> CGIs/Console to access the server configuration info.

Ok. It looks like it would be very useful to add LDIF change record support to perldap LDIF.pm

> Note: it still gives the access right to the SIE Group on o=netscaperoot,
> cn=config, and cn=schema:
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> Can we just remove the ACI? Could it cause any problems for the Admin
> CGIs/Console?

I think we should leave it. Note that you could use this ACI for delegated administration e.g. if I add uid=rmeggins,ou=people,dc=example,dc=com to that group, I can give that user access to things with that ACI. So, even though the SIE is no longer a user with a password, it can still be a group used for delegated admin.

(In reply to comment #5)
> (In reply to comment #4)
> [...]
>
> Ok. It looks like it would be very useful to add LDIF change record support to
> perldap LDIF.pm

I think so, too. First, I simply passed the modify entry to the perldap update method, then it added "changetype: modify" and "add: aci" to the entry! :) I think adding the support to PerlDAP should not be difficult.

> > Note: it still gives the access right to the SIE Group on o=netscaperoot,
> > cn=config, and cn=schema:
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> > "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> > cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> > Can we just remove the ACI? Could it cause any problems for the Admin
> > CGIs/Console?
>
> I think we should leave it. Note that you could use this ACI for delegated
> administration e.g. if I add uid=rmeggins,ou=people,dc=example,dc=com to that
> group, I can give that user access to things with that ACI. So, even though the
> SIE is no longer a user with a password, it can still be a group used for
> delegated admin.

Ah, I see. That's a good use case. Thanks!

Created attachment 157506 [details]
cvs commit message (comment #1 and #4)
Reviewed by Rich (Thank you!!)
Checked in into HEAD.

Created attachment 157508 [details]
cvs diffs
Files:
adminserver
Makefile.am
configure.ac
admserv/newinst/src/admin.inf.in
admserv/newinst/src/adminserver.map.in
admserv/newinst/src/configdsroot.map.in
admserv/newinst/src/dirserver.map.in
admserv/newinst/src/register_param.map.in
admserv/newinst/src/setup.inf.in
ldapserver
Makefile.am
configure.ac
ldap/admin/src/slapd.inf.in
Description: Introducing BaseVersion (*.inf files) via PACKAGE_BASE_VERSION
(configure.ac) to generate #.# format version number from #.#.#. The #.#
format version number is used in the jar file names: e.g.,
nsClassname: com.netscape.admin.dirserv.roledit.ResEditorRoleInfo@fedora-ds-1.1.jar
nsClassname: com.netscape.management.admserv.task.Restart.jar@cn=admin-serv-laputa, cn=Fedora Administration Server, cn=Server Group, cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot
Nathan; do you think we should use the Base Version (1.1) for this ou value,
too?
dn: ou=1.1.0, ou=Admin, ou=Global Preferences, ou=sfbay.redhat.com, o=NetscapeRoot
objectClass: top
objectClass: organizationalunit
objectClass: extensibleObject
nsmerge: ADD_IF_EMPTY
ou: 1.1.0
Created attachment 157554 [details]
cvs diff adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl
File: adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl
Description: replaced "ou=%as_version%" with "ou=%as_baseversion%".
Now the ou value has 2 digits.
dn: ou=1.1, ou=Admin, ou=Global Preferences, ou=sfbay.redhat.com, o=NetscapeRoot
objectClass: top
objectClass: organizationalunit
objectClass: extensibleObject
nsmerge: ADD_IF_EMPTY
ou: 1.1
Created attachment 157578 [details]
cvs commit message (ldapserver)
Reviewed by Nathan (Thank you!)
Checked in into HEAD.
Created attachment 157579 [details]
cvs commit message (adminserver)
Reviewed by Nathan (Thank you!!)
Checked in into HEAD.
Note: this fix includes the change made in configure.ac.
AC_PREFIX_DEFAULT fails to substitute either $variable or @variable@.
$variable becomes an empty string in Makefile; @variable@ is handled in Makefile,
but not in configure (which is referred to in mod_restartd and mod_admserv).
@@ -59,9 +59,12 @@
PACKAGE_BASE_NAME=`echo $PACKAGE_NAME | sed -e s/-admin//`
AC_SUBST(PACKAGE_BASE_NAME)
# the default prefix - override with --prefix or --with-fhs or --with-fhs-opt
-AC_PREFIX_DEFAULT([/opt/@PACKAGE_BASE_NAME@])
+AC_PREFIX_DEFAULT([/opt/fedora-ds])
+
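Review bot: the `/opt/fedora-ds` literal silently decouples the default prefix from PACKAGE_BASE_NAME, which the same hunk still computes and AC_SUBSTs two lines above, so the two can drift the next time PACKAGE_NAME changes; the comment line `# the default prefix - override with --prefix or --with-fhs or --with-fhs-opt` should record that the value is hard-coded on purpose because AC_PREFIX_DEFAULT expands neither $PACKAGE_BASE_NAME nor @PACKAGE_BASE_NAME@, so whoever renames the package knows to update this line by hand. The trailing `+` line only adds a blank line and can be dropped.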
Created attachment 157588 [details]
cvs diff tmpl files
Files:
01nsroot.ldif.tmpl
02globalpreferences.ldif.tmpl
10dsdata.ldif.tmpl
20asdata.ldif.tmpl
Description: some more ACIs are being added.
Created attachment 157662 [details]
cvs diffs (adminserver)
Files:
admserv/newinst/src/adminserver.map.in
admserv/newinst/src/dirserver.map.in
admserv/newinst/src/register_param.map.in
admserv/schema/ldif/01nsroot.ldif.tmpl
admserv/schema/ldif/02globalpreferences.ldif.tmpl
admserv/schema/ldif/10dsdata.ldif.tmpl
admserv/schema/ldif/20asdata.ldif.tmpl
Changes:
Adding timestamp for installationTimeStamp.
Created attachment 157664 [details]
cvs commit message (comment #12, #13)
Reviewed by Nathan (Thank you!!)
Checked in into HEAD.

Created attachment 157671 [details]
cvs diff admserv/newinst/src/{AdminUtil.pm.in, configdsroot.map.in}
Files:
admserv/newinst/src/AdminUtil.pm.in
admserv/newinst/src/configdsroot.map.in
Changes:
Adding ACIs cn=config and cn=schema
Note: These ACIs are needed on each Directory Server instance (not just the
Configuration Directory Server), as 10dsdata and 11dstasks are.
Created attachment 157769 [details]
cvs commit (comment #15)
Reviewed by Rich (Thank you!!)
Checked in into HEAD.

Created attachment 157772 [details]
cvs diffs
Files:
newinst/src/adminserver.map.in
newinst/src/configdsroot.map.in
newinst/src/dirserver.map.in
newinst/src/register_param.map.in
schema/ldif/01nsroot.ldif.tmpl
schema/ldif/10dsdata.ldif.tmpl
schema/ldif/20asdata.ldif.tmpl
Description:
Removing ServerRoot, InstalledLocation and ConfigRoot from o=netscaperoot.
Created attachment 157779 [details]
cvs commit (comment #17)
Reviewed by Nathan (Thank you!!)
Checked in into HEAD.

Fix Description: use %domain% instead of real domain name
/share/adminserver/adminserver/admserv/schema/ldif>cvs ci 10dsdata.ldif.tmpl
Checking in 10dsdata.ldif.tmpl;
/cvs/dirsec/adminserver/admserv/schema/ldif/10dsdata.ldif.tmpl,v <-- 10dsdata.ldif.tmpl
new revision: 1.8; previous revision: 1.7
done

Created attachment 157978 [details]
cvs diffs (adminserver)
Files:
Makefile.am
admserv/newinst/src/AdminUtil.pm.in
admserv/newinst/src/dirserver.map.in
admserv/newinst/src/register_param.map.in
admserv/schema/ldif/14dsmonitor.mod.tmpl
admserv/schema/ldif/15dspta.ldif.tmpl.in
Description:
1) this time, really adding "pass thru auth" to the subordinate DS instances.
(see createSubDS in AdminUtil.pm)
2) adding ACI to cn=monitor
Comment on attachment 157978 [details]
cvs diffs (adminserver)
Found cn=Pass Through Authentication is taken care of in create_instance.c.
I'm backing off the 15dspta related code and just checking in the code which
adds cn=monitor aci.
Created attachment 158034 [details]
cvs diffs and commit message (comment #20, #21)
Reviewed by Rich (Thank you!!)
Checked in into HEAD.

(In reply to comment #21)
> (From update of attachment 157978 [details])
> Found cn=Pass Through Authentication is taken care of in create_instance.c.
>
> I'm backing off the 15dspta related code and just checking in the code which
> adds cn=monitor aci.

create_instance.c adds the cn=Pass Through Authentication plugin entry, but it is disabled. In order for the console to work, the pta plugin needs to be enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and it needs the url of the config ds.

(In reply to comment #23)
> (In reply to comment #21)
> > (From update of attachment 157978 [details])
> > Found cn=Pass Through Authentication is taken care of in create_instance.c.
> >
> > I'm backing off the 15dspta related code and just checking in the code which
> > adds cn=monitor aci.
>
> create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> is disabled. In order for the console to work, the pta plugin needs to be
> enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> it needs the url of the config ds.

First, I thought so, too. But it looks like it enables the plugin if these conditions are satisfied:
SlapdConfigForMC= No
UseExistingMC= yes
ConfigDirectoryLdapURL= ldap://<fqdn>:<port>/
Otherwise, it's off. Smart, isn't it? ;)

I verified on my second DS instance that the plugin is enabled and pointing to the right Configuration DS url:
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: /usr/lib/fedora-ds/plugins/libpassthru-plugin.so
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://<fqdn>:<config_port>/o%3DNetscapeRoot
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.1.0a3
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin

(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #21)
> > > (From update of attachment 157978 [details])
> > > Found cn=Pass Through Authentication is taken care of in create_instance.c.
> > >
> > > I'm backing off the 15dspta related code and just checking in the code which
> > > adds cn=monitor aci.
> >
> > create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> > is disabled. In order for the console to work, the pta plugin needs to be
> > enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> > it needs the url of the config ds.
>
> First, I thought so, too. But it looks like it enables the plugin if these
> conditions are satisfied:
> SlapdConfigForMC= No
> UseExistingMC= yes
> ConfigDirectoryLdapURL= ldap://<fqdn>:<port>/
> Otherwise, it's off. Smart, isn't it? ;)

Hm - that's wrong. create_instance.c should not know or care about anything having to do with o=NetscapeRoot or the config ds. But we can worry about that later.
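The comments above establish the three things the console needs from a subordinate DS instance: the pass-through plugin enabled, its argument pointing at the configuration DS, and o=NetscapeRoot as the PTA suffix. The following is an added example, not code from this bug or from the adminserver/ldapserver projects: a Python reader for a single LDIF entry and a check that verifies those three conditions on the plugin entry, the way the manual verification in comment #24 does. The sample entry is the one from that comment with the `<fqdn>` and `<config_port>` placeholders filled with made-up values (config.example.com, 389); `parse_ldif_entry`, `check_pta` and the problem strings are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the plugin entry from comment #24 with the <fqdn> and
# <config_port> placeholders replaced by made-up values.
PTA_ENTRY_LDIF = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: /usr/lib/fedora-ds/plugins/libpassthru-plugin.so
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://config.example.com:389/o%3DNetscapeRoot
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: passthruauth
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: folds continuation lines (leading
    space) and collects values per lower-cased attribute name into lists."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):   # "::" means base64; not needed for this entry
            raise ValueError("base64 values not supported: " + name)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_pta(entry, expected_host, expected_port):
    """Return the list of problems with the PTA configuration (empty means OK):
    the plugin must be enabled, and its argument must be an LDAP URL for the
    configuration DS with o=NetscapeRoot as the pass-through suffix."""
    problems = []
    if entry.get("nsslapd-pluginenabled", [""])[0].lower() != "on":
        problems.append("plugin is not enabled")
    args = entry.get("nsslapd-pluginarg0")
    if not args:
        problems.append("no nsslapd-pluginarg0 (config DS URL) set")
        return problems
    url = urlsplit(args[0])
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("unexpected scheme " + repr(url.scheme))
    if url.hostname != expected_host or url.port != expected_port:
        problems.append("URL does not point at the configuration DS")
    suffix = unquote(url.path.lstrip("/"))   # "o%3DNetscapeRoot" -> "o=NetscapeRoot"
    if suffix.lower() != "o=netscaperoot":
        problems.append("PTA suffix is " + repr(suffix) + ", expected o=NetscapeRoot")
    return problems


if __name__ == "__main__":
    entry = parse_ldif_entry(PTA_ENTRY_LDIF)
    print(entry["dn"][0])
    print(check_pta(entry, "config.example.com", 389) or "PTA configuration OK")
```

The check is deliberately strict about host and port: a plugin that is enabled but points at the wrong directory would pass "admin" binds to whatever server answers at that URL, which is exactly the state ds_newinst leaves behind (entry present, plugin off) until setup-ds-admin fills in the configuration DS URL.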
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #21)
> > > > (From update of attachment 157978 [details])
> > > > Found cn=Pass Through Authentication is taken care of in create_instance.c.
> > > >
> > > > I'm backing off the 15dspta related code and just checking in the code which
> > > > adds cn=monitor aci.
> > >
> > > create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> > > is disabled. In order for the console to work, the pta plugin needs to be
> > > enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> > > it needs the url of the config ds.
> >
> > First, I thought so, too. But it looks like it enables the plugin if these
> > conditions are satisfied:
> > SlapdConfigForMC= No
> > UseExistingMC= yes
> > ConfigDirectoryLdapURL= ldap://<fqdn>:<port>/
> > Otherwise, it's off. Smart, isn't it? ;)
>
> Hm - that's wrong. create_instance.c should not know or care about anything
> having to do with o=NetscapeRoot or the config ds. But we can worry about that
> later.

Oops, that's true. I was forgetting the ground rule... :p I can get rid of the code from create_instance.c and add the changes in the Comment #20... It'd be easy.

Created attachment 158070 [details]
cvs diffs (adminserver)
Files:
Makefile.am
admserv/newinst/src/AdminUtil.pm.in
admserv/newinst/src/dirserver.map.in
admserv/newinst/src/register_param.map.in
admserv/newinst/src/setup-ds-admin.pl.in
admserv/schema/ldif/15dspta.ldif.tmpl.in
Description: resurrected the code adding cn=Pass Through Authentication for o=netscape. In addition to the one in comment #20, adding the calling code to admserv/newinst/src/setup-ds-admin.pl.in in case the new server is a non-configuration DS.

Created attachment 158071 [details]
cvs diff (ldapserver)
Files:
ldap/admin/src/create_instance.[ch]
Description:
1) removing the dependency on the config_ds
2) ds_newinst always adds "cn=Pass Through Authentication" with the
nsslapd-pluginEnabled value off.
Created attachment 158140 [details]
cvs commit message (comment #27, #28)
Reviewed by Rich (Thank you!!)
Checked in into HEAD.

Created attachment 158148 [details]
cvs commit dspta.ldif.tmpl
Sorry, I missed adding and committing 15dspta.ldif.tmpl in my previous commit.
Checked in into HEAD.
Verification test: PASS
Test machine: cypher.dsdev.sjc.redhat.com
Test steps:
1. install DS, ADMIN and console in cypher
2. login as "admin" with desired password
expect: user "admin" can launch DS Config panel, and has all permission to modify/change/delete as user "cn=directory manager"
Test result: PASS