Bug 244749 - Configure Pass Thru Auth
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Admin
Version: 1.0.4
Hardware/OS: All Linux
Priority: low  Severity: low
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Blocks: 152373 240316 FDS1.1.0
Reported: 2007-06-18 17:27 EDT by Noriko Hosoi
Modified: 2015-12-07 11:40 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 11:40:09 EST
Attachments (all by Noriko Hosoi):
2007-06-18 17:56 EDT  cvs diff 01nsroot.ldif.tmpl 20asdata.ldif.tmpl (4.30 KB, patch)
2007-06-20 17:23 EDT  cvs diffs (14.36 KB, patch)
2007-06-20 19:53 EDT  cvs commit message (comment #1 and #4) (3.03 KB, text/plain)
2007-06-20 21:51 EDT  cvs diffs (9.87 KB, patch)
2007-06-21 12:28 EDT  cvs diff adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl (4.49 KB, patch)
2007-06-21 18:03 EDT  cvs commit message (ldapserver) (1.35 KB, text/plain)
2007-06-21 18:08 EDT  cvs commit message (adminserver) (3.31 KB, text/plain)
2007-06-21 21:34 EDT  cvs diff tmpl files (6.96 KB, patch)
2007-06-22 18:01 EDT  cvs diffs (adminserver) (11.59 KB, patch)
2007-06-22 18:27 EDT  cvs commit message (comment #12, #13) (2.09 KB, text/plain)
2007-06-22 21:52 EDT  cvs diff admserv/newinst/src/{AdminUtil.pm.in, configdsroot.map.in} (1.59 KB, patch)
2007-06-25 13:15 EDT  cvs commit (comment #15) (759 bytes, text/plain)
2007-06-25 14:07 EDT  cvs diffs (7.83 KB, text/plain)
2007-06-25 14:24 EDT  cvs commit (comment #17) (1.91 KB, text/plain)
2007-06-26 22:23 EDT  cvs diffs (adminserver) (7.74 KB, patch)
2007-06-27 14:34 EDT  cvs diffs and commit message (comment #20, #21) (4.26 KB, text/plain)
2007-06-27 17:57 EDT  cvs diffs (adminserver) (7.56 KB, patch)
2007-06-27 18:01 EDT  cvs diff (ldapserver) (5.23 KB, patch)
2007-06-28 12:26 EDT  cvs commit message (comment #27, #28) (2.43 KB, patch)
2007-06-28 14:43 EDT  cvs commit dspta.ldif.tmpl (708 bytes, text/plain)

Description Noriko Hosoi 2007-06-18 17:27:51 EDT
Description of problem:
Rich gave me this clue:
Configure Pass Thru Auth should really be called "set up ds instance to be
managed by the console".  This includes setting up pass through auth to
o=NetscapeRoot, and some additional acis added to cn=schema, cn=config and
cn=monitor to allow the console admin access to those subtrees (i.e. the aci
stuff from cfg_sspt.c and configure_instance.cpp).
Comment 1 Noriko Hosoi 2007-06-18 17:56:45 EDT
Created attachment 157336 [details]
cvs diff 01nsroot.ldif.tmpl 20asdata.ldif.tmpl

Files:
  adminserver/admserv/schema/ldif/
      01nsroot.ldif.tmpl
      20asdata.ldif.tmpl

Changes:
Adding ACIs to allow the Admin users to access subtrees under the
o=NetscapeRoot
Comment 2 Rich Megginson 2007-06-18 18:33:40 EDT
Ok.
Will there be another bug/diff for the pass through auth config and acis that
need to be added to the directory server in order for it to be managed by the
configuration ds?
Comment 3 Noriko Hosoi 2007-06-18 19:17:21 EDT
(In reply to comment #2)
> Ok.
> Will there be another bug/diff for the pass through auth config and acis that
> need to be added to the directory server in order for it to be managed by the
> configuration ds?

Thank you, Rich.  Actually, this is just the beginning. More changes are
coming...  :)  Nathan and I are working together to make the Admin Server start
as root/nobody combination.  And this change was needed immediately.
Comment 4 Noriko Hosoi 2007-06-20 17:23:34 EDT
Created attachment 157497 [details]
cvs diffs

Modified Files:
  ldapserver/ldap/admin/src/scripts/Util.pm.in
  adminserver/admserv/schema/ldif/00nsroot_backend.ldif.tmpl
  adminserver/admserv/schema/ldif/01nsroot.ldif.tmpl
  adminserver/admserv/schema/ldif/20asdata.ldif.tmpl
New Files:
  adminserver/admserv/schema/ldif/12dsconfig.mod.tmpl
  adminserver/admserv/schema/ldif/13dsschema.mod.tmpl

Description:
1) updated check_and_add_entry to support ldifmodify format.
plus added minor fixes for comparing entries
2) adding ACIs to o=netscaperoot, cn=config, and cn=schema to allow the Admin
CGIs/Console to access the server configuration info.

Note: it still gives the access right to the SIE Group on o=netscaperoot,
cn=config, and cn=schema:
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
"ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
Can we just remove the ACI?  Could it cause any problems for the Admin
CGIs/Console?
Comment 5 Rich Megginson 2007-06-20 17:42:13 EDT
(In reply to comment #4)
> Created an attachment (id=157497) [edit]
> cvs diffs
> 
> Modified Files:
>   ldapserver/ldap/admin/src/scripts/Util.pm.in
>   adminserver/admserv/schema/ldif/00nsroot_backend.ldif.tmpl
> 				  01nsroot.ldif.tmpl
> 				  20asdata.ldif.tmpl
> New Files:
>   adminserver/admserv/schema/ldif/12dsconfig.mod.tmpl
> 				  13dsschema.mod.tmpl
> 
> Description:
> 1) updated check_and_add_entry to support ldifmodify format.
> plus added minor fixes for comparing entries
> 2) adding ACIs to o=netscaperoot, cn=config, and cn=schema to allow the Admin
> CGIs/Console to access the server configuration info.

Ok.  It looks like it would be very useful to add LDIF change record support to
perldap LDIF.pm

> 
> Note: it still gives the access right to the SIE Group on o=netscaperoot,
> cn=config, and cn=schema:
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> Can we just remove the ACI?  Could it occur any problems to the Admin
> CGIs/Console?

I think we should leave it.  Note that you could use this ACI for delegated
administration e.g. if I add uid=rmeggins,ou=people,dc=example,dc=com to that
group, I can give that user access to things with that ACI.  So, even though the
SIE is no longer a user with a password, it can still be a group used for
delegated admin.
Comment 6 Noriko Hosoi 2007-06-20 19:31:11 EDT
(In reply to comment #5)
> (In reply to comment #4)
> [...]
> 
> Ok.  It looks like it would be very useful to add LDIF change record support to
> perldap LDIF.pm

I think so, too.  First, I simply passed the modify entry to the perldap update
method, then it added
   changetype: modfy
   add: aci
to the entry! :)  I think adding the support to PerlDAP should not be difficult.

> > Note: it still gives the access right to the SIE Group on o=netscaperoot,
> > cn=config, and cn=schema:
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> > "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> > cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> > Can we just remove the ACI?  Could it occur any problems to the Admin
> > CGIs/Console?
> 
> I think we should leave it.  Note that you could use this ACI for delegated
> administration e.g. if I add uid=rmeggins,ou=people,dc=example,dc=com to that
> group, I can give that user access to things with that ACI.  So, even though the
> SIE is no longer a user with a password, it can still be a group used for
> delegated admin.

Ah, I see.  That's a good use case.  Thanks!
Comment 7 Noriko Hosoi 2007-06-20 19:53:57 EDT
Created attachment 157506 [details]
cvs commit message (comment #1 and #4)

Reviewed by Rich (Thank you!!)

Checked in into HEAD.
Comment 8 Noriko Hosoi 2007-06-20 21:51:06 EDT
Created attachment 157508 [details]
cvs diffs

Files:
 adminserver
  Makefile.am
  configure.ac
  admserv/newinst/src/admin.inf.in
  admserv/newinst/src/adminserver.map.in
  admserv/newinst/src/configdsroot.map.in
  admserv/newinst/src/dirserver.map.in
  admserv/newinst/src/register_param.map.in
  admserv/newinst/src/setup.inf.in

 ldapserver
  Makefile.am
  configure.ac
  ldap/admin/src/slapd.inf.in

Description: Introducing BaseVersion (*.inf files) via PACKAGE_BASE_VERSION
(configure.ac) to generate #.# format version number from #.#.#.  The #.#
format version number is used in the jar file names: e.g.,
nsClassname: com.netscape.admin.dirserv.roledit.ResEditorRoleInfo@fedora-ds-1.
 1.jar
nsClassname: com.netscape.management.admserv.task.Restart@fedora-admserv-1.1.j
 ar@cn=admin-serv-laputa, cn=Fedora Administration Server, cn=Server Group, c
 n=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot

Nathan; do you think we should use the Base Version (1.1) for this ou value,
too?
dn: ou=1.1.0, ou=Admin, ou=Global Preferences, ou=sfbay.redhat.com, o=Netscape
 Root
objectClass: top
objectClass: organizationalunit
objectClass: extensibleObject
nsmerge: ADD_IF_EMPTY
ou: 1.1.0
Comment 9 Noriko Hosoi 2007-06-21 12:28:32 EDT
Created attachment 157554 [details]
cvs diff adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl

File: adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl

Description: replaced "ou=%as_version%" with "ou=%as_baseversion%".
Now the ou value has 2 digits.
dn: ou=1.1, ou=Admin, ou=Global Preferences, ou=sfbay.redhat.com, o=NetscapeRo
 ot
objectClass: top
objectClass: organizationalunit
objectClass: extensibleObject
nsmerge: ADD_IF_EMPTY
ou: 1.1
Comment 10 Noriko Hosoi 2007-06-21 18:03:25 EDT
Created attachment 157578 [details]
cvs commit message (ldapserver)

Reviewed by Nathan (Thank you!)

Checked in into HEAD.
Comment 11 Noriko Hosoi 2007-06-21 18:08:53 EDT
Created attachment 157579 [details]
cvs commit message (adminserver)

Reviewed by Nathan (Thank you!!)

Checked in into HEAD.

Note: this fix includes the change made in configure.ac.
AC_PREFIX_DEFAULT fails to substitute $variable nor @variable@.
$variable becomes empty string in Makefile; @variable@ is handled in Makefile,
but not in configure (which is referred in mod_restartd and mod_admserv).
@@ -59,9 +59,12 @@
 PACKAGE_BASE_NAME=`echo $PACKAGE_NAME | sed -e s/-admin//`
 AC_SUBST(PACKAGE_BASE_NAME)
 # the default prefix - override with --prefix or --with-fhs or --with-fhs-opt
-AC_PREFIX_DEFAULT([/opt/@PACKAGE_BASE_NAME@])
+AC_PREFIX_DEFAULT([/opt/fedora-ds])
+
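Review bot: the literal /opt/fedora-ds in the new AC_PREFIX_DEFAULT line duplicates what PACKAGE_BASE_NAME computes two lines above (PACKAGE_NAME with -admin stripped), so the two can silently drift if PACKAGE_NAME ever changes. Since AC_PREFIX_DEFAULT is expanded by m4 when configure is generated, a shell variable cannot be used there, as the comment in the note says; either add a comment on that line stating it must match PACKAGE_BASE_NAME, or define the base name once with m4_define and use it in both AC_INIT and AC_PREFIX_DEFAULT. The trailing "+" line adds only an empty line and should be dropped, and the hunk header announces 9 lines becoming 12 while only one removed and two added lines are shown, so the diff as quoted here is incomplete.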
Comment 12 Noriko Hosoi 2007-06-21 21:34:21 EDT
Created attachment 157588 [details]
cvs diff tmpl files

Files:
 01nsroot.ldif.tmpl
 02globalpreferences.ldif.tmpl
 10dsdata.ldif.tmpl
 20asdata.ldif.tmpl

Description: some more ACIs are being added.
Comment 13 Noriko Hosoi 2007-06-22 18:01:45 EDT
Created attachment 157662 [details]
cvs diffs (adminserver)

Files:
 admserv/newinst/src/adminserver.map.in
 admserv/newinst/src/dirserver.map.in
 admserv/newinst/src/register_param.map.in
 admserv/schema/ldif/01nsroot.ldif.tmpl
 admserv/schema/ldif/02globalpreferences.ldif.tmpl
 admserv/schema/ldif/10dsdata.ldif.tmpl
 admserv/schema/ldif/20asdata.ldif.tmpl

Changes:
Adding timestamp for installationTimeStamp.
Comment 14 Noriko Hosoi 2007-06-22 18:27:37 EDT
Created attachment 157664 [details]
cvs commit message (comment #12, #13)

Reviewed by Nathan (Thank you!!)

Checked in into HEAD.
Comment 15 Noriko Hosoi 2007-06-22 21:52:25 EDT
Created attachment 157671 [details]
cvs diff admserv/newinst/src/{AdminUtil.pm.in, configdsroot.map.in}

Files:
  admserv/newinst/src/AdminUtil.pm.in
  admserv/newinst/src/configdsroot.map.in

Changes:
Adding ACIs cn=config and cn=schema

Note: These ACIs are needed on the each Directory Server instance (not just the
Configuration Directory Server) as 10dsdata and 11dstasks are.
Comment 16 Noriko Hosoi 2007-06-25 13:15:28 EDT
Created attachment 157769 [details]
cvs commit (comment #15)

Reviewed by Rich (Thank you!!)

Checked in into HEAD.
Comment 17 Noriko Hosoi 2007-06-25 14:07:45 EDT
Created attachment 157772 [details]
cvs diffs 

Files:
 newinst/src/adminserver.map.in
 newinst/src/configdsroot.map.in
 newinst/src/dirserver.map.in
 newinst/src/register_param.map.in
 schema/ldif/01nsroot.ldif.tmpl
 schema/ldif/10dsdata.ldif.tmpl
 schema/ldif/20asdata.ldif.tmpl

Description:
Removing ServerRoot, InstalledLocation and ConfigRoot from o=netscaperoot.
Comment 18 Noriko Hosoi 2007-06-25 14:24:58 EDT
Created attachment 157779 [details]
cvs commit (comment #17)

Reviewed by Nathan (Thank you!!)

Checked in into HEAD.
Comment 19 Rich Megginson 2007-06-26 15:50:14 EDT
Fix Description: use %domain% instead of real domain name
/share/adminserver/adminserver/admserv/schema/ldif>cvs ci 10dsdata.ldif.tmpl
Checking in 10dsdata.ldif.tmpl;
/cvs/dirsec/adminserver/admserv/schema/ldif/10dsdata.ldif.tmpl,v  <-- 
10dsdata.ldif.tmpl
new revision: 1.8; previous revision: 1.7
done
Comment 20 Noriko Hosoi 2007-06-26 22:23:01 EDT
Created attachment 157978 [details]
cvs diffs (adminserver)

Files:
 Makefile.am
 admserv/newinst/src/AdminUtil.pm.in
 admserv/newinst/src/dirserver.map.in
 admserv/newinst/src/register_param.map.in
 admserv/schema/ldif/14dsmonitor.mod.tmpl
 admserv/schema/ldif/15dspta.ldif.tmpl.in

Description:
1) this time, really adding "pass thru auth" to the subordinative DS instances.

   (see createSubDS in AdminUtil.pm)
2) adding ACI to cn=monitor
Comment 21 Noriko Hosoi 2007-06-27 14:18:44 EDT
Comment on attachment 157978 [details]
cvs diffs (adminserver)

Found cn=Pass Through Authentication is taken care of in create_instance.c.

I'm backing off the 15dspta related code and just checking in the code which
adds cn=monitor aci.
Comment 22 Noriko Hosoi 2007-06-27 14:34:31 EDT
Created attachment 158034 [details]
cvs diffs and commit message (comment #20, #21)

Reviewed by Rich (Thank you!!)

Checked in into HEAD.
Comment 23 Rich Megginson 2007-06-27 14:45:48 EDT
(In reply to comment #21)
> (From update of attachment 157978 [details] [edit])
> Found cn=Pass Through Authentication is taken care in create_instance.c.
> 
> I'm backing off the 15dspta related code and just checking in the code which
> adds cn=monitor aci.

create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
is disabled.  In order for the console to work, the pta plugin needs to be
enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
it needs the url of the config ds.

Comment 24 Noriko Hosoi 2007-06-27 14:59:25 EDT
(In reply to comment #23)
> (In reply to comment #21)
> > (From update of attachment 157978 [details] [edit] [edit])
> > Found cn=Pass Through Authentication is taken care in create_instance.c.
> > 
> > I'm backing off the 15dspta related code and just checking in the code which
> > adds cn=monitor aci.
> 
> create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> is disabled.  In order for the console to work, the pta plugin needs to be
> enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> it needs the url of the config ds.
> 
> 
First, I thought so, too.  But it looks like it enables the plugin if these
conditions are satisfied:
  SlapdConfigForMC=   No
  UseExistingMC=   yes
  ConfigDirectoryLdapURL=   ldap://<fqdn>:<port>/
Otherwise, it's off.  Smart, isn't it? ;)

I verified on my second DS instance that the plugin is enabled and pointing at the
right Configuration DS url:
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: /usr/lib/fedora-ds/plugins/libpassthru-plugin.so
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://<fqdn>:<config_port>/o%3DNetscapeRoot
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.1.0a3
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
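An added example, not code from this bug or from the 389/adminserver projects: it parses the LDIF shapes discussed in comments 4-6 (a plain entry next to a "changetype: modify" record that adds an aci, the case where PerlDAP's update stored changetype and add as attributes) and checks a cn=Pass Through Authentication entry for the three conditions Rich lists in comment 23. The sample LDIF, hostname, port and config DS URL are constructed for the example.

```python
# Added example, not code from this bug or from the 389/adminserver projects.
# It parses the LDIF shapes discussed here (an entry, and a "changetype: modify"
# record adding an aci, as in comments 4-6) and checks a Pass Through
# Authentication entry for the three conditions in comment 23. Data is made up.
from urllib.parse import urlparse, unquote

SAMPLE_LDIF = """\
dn: cn=schema
cn: schema

dn: cn=schema
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
  groupdn = "ldap:///cn=Server Group, ou=example.test, o=NetscapeRoot";)

dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://configds.example.test:389/o%3DNetscapeRoot
"""
CONFIG_DS_URL = "ldap://configds.example.test:389/"  # constructed config DS

def parse_ldif(text):
    """Records as {attr_lowercase: [values]}; newline + space is a line fold."""
    records, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line or line.startswith("#"):
            if cur:
                records.append(cur)
            cur = {}
        elif line != "-":  # "-" only separates modify operations
            attr, _, value = line.partition(":")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return records

def apply_modify(entry, change):
    """Apply a modify record (add/replace, the ops this thread uses). Storing
    such a record as an entry instead gives the result comment 6 describes."""
    if change.get("changetype") != ["modify"] or change["dn"] != entry["dn"]:
        raise ValueError("not a modify record for this entry")
    out = {k: list(v) for k, v in entry.items()}
    for attr in change.get("add", []):
        out.setdefault(attr.lower(), []).extend(change.get(attr.lower(), []))
    for attr in change.get("replace", []):
        out[attr.lower()] = list(change.get(attr.lower(), []))
    return out

def check_pta(entry, config_ds_url):
    """Problems with the PTA entry: it must be enabled, use o=NetscapeRoot as
    the pass-through suffix, and point at the configuration DS (comment 23)."""
    problems = []
    if entry.get("nsslapd-pluginenabled", [""])[0].lower() != "on":
        problems.append("plugin is not enabled")
    urls = [v for k, vs in entry.items() if k.startswith("nsslapd-pluginarg") for v in vs]
    if not urls:
        problems.append("no pass-through URL configured")
    want = urlparse(config_ds_url)
    for url in urls:
        u = urlparse(url)
        if unquote(u.path.lstrip("/")).replace(" ", "").lower() != "o=netscaperoot":
            problems.append("suffix in %s is not o=NetscapeRoot" % url)
        if (u.hostname, u.port) != (want.hostname, want.port):
            problems.append("%s does not point at the config DS" % url)
    return problems
```

Running check_pta against the entry ds_newinst writes (nsslapd-pluginEnabled off, per comment 28) reports the plugin as disabled, which is the state the console cannot work with.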
Comment 25 Rich Megginson 2007-06-27 15:17:25 EDT
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #21)
> > > (From update of attachment 157978 [details] [edit] [edit] [edit])
> > > Found cn=Pass Through Authentication is taken care in create_instance.c.
> > > 
> > > I'm backing off the 15dspta related code and just checking in the code which
> > > adds cn=monitor aci.
> > 
> > create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> > is disabled.  In order for the console to work, the pta plugin needs to be
> > enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> > it needs the url of the config ds.
> > 
> > 
> First, I thought so, too.  But it looks it enables the plugin if these
> conditions are satisfied:
>   SlapdConfigForMC=   No
>   UseExistingMC=   yes
>   ConfigDirectoryLdapURL=   ldap://<fqdn>:<port>/
> Otherwise, it's off.  Smart, isn't it? ;)

Hm - that's wrong.  create_instance.c should not know or care about anything
having to do with o=NetscapeRoot or the config ds.  But we can worry about that
later.
Comment 26 Noriko Hosoi 2007-06-27 16:32:57 EDT
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #21)
> > > > (From update of attachment 157978 [details] [edit] [edit] [edit] [edit])
> > > > Found cn=Pass Through Authentication is taken care in create_instance.c.
> > > > 
> > > > I'm backing off the 15dspta related code and just checking in the code which
> > > > adds cn=monitor aci.
> > > 
> > > create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> > > is disabled.  In order for the console to work, the pta plugin needs to be
> > > enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> > > it needs the url of the config ds.
> > > 
> > > 
> > First, I thought so, too.  But it looks it enables the plugin if these
> > conditions are satisfied:
> >   SlapdConfigForMC=   No
> >   UseExistingMC=   yes
> >   ConfigDirectoryLdapURL=   ldap://<fqdn>:<port>/
> > Otherwise, it's off.  Smart, isn't it? ;)
> 
> Hm - that's wrong.  create_instance.c should not know or care about anything
> having to do with o=NetscapeRoot or the config ds.  But we can worry about that
> later.
Oops, that's true.  I was forgetting the ground rule... :p  I can get rid of the
code from create_instance.c and add the changes in Comment #20...  It'd be easy.
Comment 27 Noriko Hosoi 2007-06-27 17:57:33 EDT
Created attachment 158070 [details]
cvs diffs (adminserver)

Files:
 Makefile.am
 admserv/newinst/src/AdminUtil.pm.in
 admserv/newinst/src/dirserver.map.in
 admserv/newinst/src/register_param.map.in
 admserv/newinst/src/setup-ds-admin.pl.in
 admserv/schema/ldif/15dspta.ldif.tmpl.in

Description: resurrected the code adding cn=Pass Through Authentication for
o=netscape.  In addition to the one in comment #20, adding the calling code to
admserv/newinst/src/setup-ds-admin.pl.in in case the new server is
non-configuration DS.
Comment 28 Noriko Hosoi 2007-06-27 18:01:00 EDT
Created attachment 158071 [details]
cvs diff (ldapserver)

Files:
  ldap/admin/src/create_instance.[ch]

Description: 
1) removing the dependency on the config_ds
2) ds_newinst always adds "cn=Pass Through Authentication" with the
nsslapd-pluginEnabled value off.
Comment 29 Noriko Hosoi 2007-06-28 12:26:13 EDT
Created attachment 158140 [details]
cvs commit message (comment #27, #28)

Reviewed by Rich (Thank you!!)

Checked in into HEAD.
Comment 30 Noriko Hosoi 2007-06-28 14:43:38 EDT
Created attachment 158148 [details]
cvs commit dspta.ldif.tmpl

Sorry, I missed adding and committing 15dspta.ldif.tmpl in my previous commit.

Checked in into HEAD.
Comment 31 Yi Zhang 2007-12-03 17:47:54 EST
Verification test: PASS
Test machine: cypher.dsdev.sjc.redhat.com

Test steps:
1. install DS, ADMIN and console in cypher
2. login as "admin" with desired password
expect: user "admin" can launch the DS Config panel, and has all permissions to
modify/change/delete as user "cn=directory manager"
Test result: PASS 
