Description of problem: Rich gave me this clue> Configure Pass Thru Auth should really be called "set up ds instance to be managed by the console". This includes setting up pass through auth to o=NetscapeRoot, and some additional acis added to cn=schema, cn=config and cn=monitor to allow the console admin access to those subtrees (i.e. the aci stuff from cfg_sspt.c and configure_instance.cpp).
Created attachment 157336 [details]
cvs diff 01nsroot.ldif.tmpl 20asdata.ldif.tmpl

Files: adminserver/admserv/schema/ldif/
  01nsroot.ldif.tmpl
  20asdata.ldif.tmpl
Changes: Adding ACIs to allow the Admin users to access subtrees under the o=NetscapeRoot
Ok. Will there be another bug/diff for the pass through auth config and acis that need to be added to the directory server in order for it to be managed by the configuration ds?
(In reply to comment #2)
> Ok.
> Will there be another bug/diff for the pass through auth config and acis that
> need to be added to the directory server in order for it to be managed by the
> configuration ds?

Thank you, Rich. Actually, this is just the beginning. More changes are coming... :) Nathan and I are working together to make the Admin Server start as a root/nobody combination. And this change was needed immediately.
Created attachment 157497 [details]
cvs diffs

Modified Files:
  ldapserver/ldap/admin/src/scripts/Util.pm.in
  adminserver/admserv/schema/ldif/00nsroot_backend.ldif.tmpl
  01nsroot.ldif.tmpl
  20asdata.ldif.tmpl
New Files:
  adminserver/admserv/schema/ldif/12dsconfig.mod.tmpl
  13dsschema.mod.tmpl

Description:
1) updated check_and_add_entry to support ldifmodify format, plus added minor fixes for comparing entries
2) adding ACIs to o=netscaperoot, cn=config, and cn=schema to allow the Admin CGIs/Console to access the server configuration info.

Note: it still gives the access right to the SIE Group on o=netscaperoot, cn=config, and cn=schema:
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
Can we just remove the ACI? Could it cause any problems for the Admin CGIs/Console?
(In reply to comment #4)
> Created an attachment (id=157497)
> cvs diffs
>
> Modified Files:
> ldapserver/ldap/admin/src/scripts/Util.pm.in
> adminserver/admserv/schema/ldif/00nsroot_backend.ldif.tmpl
> 01nsroot.ldif.tmpl
> 20asdata.ldif.tmpl
> New Files:
> adminserver/admserv/schema/ldif/12dsconfig.mod.tmpl
> 13dsschema.mod.tmpl
>
> Description:
> 1) updated check_and_add_entry to support ldifmodify format.
> plus added minor fixes for comparing entries
> 2) adding ACIs to o=netscaperoot, cn=config, and cn=schema to allow the Admin
> CGIs/Console to access the server configuration info.

Ok. It looks like it would be very useful to add LDIF change record support to perldap LDIF.pm

> Note: it still gives the access right to the SIE Group on o=netscaperoot,
> cn=config, and cn=schema:
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> Can we just remove the ACI? Could it occur any problems to the Admin
> CGIs/Console?

I think we should leave it. Note that you could use this ACI for delegated administration, e.g. if I add uid=rmeggins,ou=people,dc=example,dc=com to that group, I can give that user access to things with that ACI. So, even though the SIE is no longer a user with a password, it can still be a group used for delegated admin.
(In reply to comment #5)
> (In reply to comment #4)
> [...]
>
> Ok. It looks like it would be very useful to add LDIF change record support to
> perldap LDIF.pm

I think so, too. First, I simply passed the modify entry to the perldap update method, then it added "changetype: modify" and "add: aci" to the entry! :) I think adding the support to PerlDAP should not be difficult.

> > Note: it still gives the access right to the SIE Group on o=netscaperoot,
> > cn=config, and cn=schema:
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> > "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> > cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> > Can we just remove the ACI? Could it occur any problems to the Admin
> > CGIs/Console?
>
> I think we should leave it. Note that you could use this ACI for delegated
> administration e.g. if I add uid=rmeggins,ou=people,dc=example,dc=com to that
> group, I can give that user access to things with that ACI. So, even though the
> SIE is no longer a user with a password, it can still be a group used for
> delegated admin.

Ah, I see. That's a good use case. Thanks!
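To illustrate the LDIF change record handling discussed in the two comments above, here is an added example in Python (not code from the bug, from perldap or from Util.pm): it parses one LDIF record, applies a "changetype: modify" record to an in-memory entry, and makes the naive mistake visible, since reading the same record as a plain entry keeps "changetype" and "add" as attributes. The DN and group in the sample record are constructed.

```python
# Added example (not code from the bug, perldap or Util.pm): parse one LDIF
# record and apply a "changetype: modify" record to an in-memory entry.

def parse_record(text):
    """Unfold one LDIF record into (dn, [(attr, value), ...]); '-' lines kept."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:           # RFC 2849 line folding
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    pairs = [tuple(p.strip() for p in ln.partition(":")[::2]) for ln in lines]
    pairs = [(a.lower(), v) for a, v in pairs]      # base64 ('::') not handled
    return pairs[0][1], pairs[1:]

def apply_modify(entry, pairs):
    """Apply the add/delete/replace operations of a modify record in place."""
    ops, cur = [], None
    for attr, value in pairs:
        if attr == "changetype":
            if value != "modify":
                raise ValueError("only changetype: modify is handled here")
        elif attr in ("add", "delete", "replace"):
            cur = (attr, value.lower(), [])         # start of one operation
            ops.append(cur)
        elif attr == "-":
            cur = None                              # end of one operation
        elif cur is not None:
            cur[2].append(value)
    for op, attr, values in ops:
        if op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "replace":
            entry[attr] = list(values)
        else:                          # delete: listed values, or all if none
            entry[attr] = [v for v in entry.get(attr, []) if values and v not in values]
        if not entry[attr]:
            entry.pop(attr)
    return entry

# Constructed sample modelled on the "add: aci" change record discussed above.
MOD_ACI = """\
dn: cn=config
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
  "ldap:///cn=slapd-ds1, cn=Server Group, o=NetscapeRoot";)
-
"""
```

Reading the record with dict(pairs) is the "record as entry" view: it contains the keys changetype and add, which is exactly what ended up in the entry when the record was handed to an entry-update method.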
Created attachment 157506 [details]
cvs commit message (comment #1 and #4)

Reviewed by Rich (Thank you!!)
Checked into HEAD.
Created attachment 157508 [details]
cvs diffs

Files:
adminserver
  Makefile.am
  configure.ac
  admserv/newinst/src/admin.inf.in
  admserv/newinst/src/adminserver.map.in
  admserv/newinst/src/configdsroot.map.in
  admserv/newinst/src/dirserver.map.in
  admserv/newinst/src/register_param.map.in
  admserv/newinst/src/setup.inf.in
ldapserver
  Makefile.am
  configure.ac
  ldap/admin/src/slapd.inf.in

Description:
Introducing BaseVersion (*.inf files) via PACKAGE_BASE_VERSION (configure.ac) to generate a #.# format version number from #.#.#. The #.# format version number is used in the jar file names, e.g.:
nsClassname: com.netscape.admin.dirserv.roledit.ResEditorRoleInfo@fedora-ds-1.1.jar
nsClassname: com.netscape.management.admserv.task.Restart.jar@cn=admin-serv-laputa, cn=Fedora Administration Server, cn=Server Group, cn=laputa.sfbay.redhat.com, ou=sfbay.redhat.com, o=NetscapeRoot

Nathan; do you think we should use the Base Version (1.1) for this ou value, too?
dn: ou=1.1.0, ou=Admin, ou=Global Preferences, ou=sfbay.redhat.com, o=NetscapeRoot
objectClass: top
objectClass: organizationalunit
objectClass: extensibleObject
nsmerge: ADD_IF_EMPTY
ou: 1.1.0
Created attachment 157554 [details]
cvs diff adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl

File: adminserver/admserv/schema/ldif/02globalpreferences.ldif.tmpl
Description: replaced "ou=%as_version%" with "ou=%as_baseversion%". Now the ou value has 2 digits.
dn: ou=1.1, ou=Admin, ou=Global Preferences, ou=sfbay.redhat.com, o=NetscapeRoot
objectClass: top
objectClass: organizationalunit
objectClass: extensibleObject
nsmerge: ADD_IF_EMPTY
ou: 1.1
Created attachment 157578 [details]
cvs commit message (ldapserver)

Reviewed by Nathan (Thank you!)
Checked into HEAD.
Created attachment 157579 [details]
cvs commit message (adminserver)

Reviewed by Nathan (Thank you!!)
Checked into HEAD.

Note: this fix includes the change made in configure.ac. AC_PREFIX_DEFAULT fails to substitute either $variable or @variable@. $variable becomes an empty string in Makefile; @variable@ is handled in Makefile, but not in configure (which is referred to in mod_restartd and mod_admserv).
@@ -59,9 +59,12 @@ PACKAGE_BASE_NAME=`echo $PACKAGE_NAME | sed -e s/-admin//` AC_SUBST(PACKAGE_BASE_NAME) # the default prefix - override with --prefix or --with-fhs or --with-fhs-opt -AC_PREFIX_DEFAULT([/opt/@PACKAGE_BASE_NAME@]) +AC_PREFIX_DEFAULT([/opt/fedora-ds]) +
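Review bot: the new `+AC_PREFIX_DEFAULT([/opt/fedora-ds])` hardcodes a path that the two context lines above derive from $PACKAGE_NAME into PACKAGE_BASE_NAME, so the default prefix and the package name can now silently diverge if the package is ever renamed; since the commit note explains that AC_PREFIX_DEFAULT accepts neither $variable nor @variable@, put that reason in a comment next to the literal and state that it must be kept in sync with the `sed -e s/-admin//` result. Also, the hunk header `-59,9 +59,12` announces more added lines than the single `+AC_PREFIX_DEFAULT` and blank `+` shown here, so the attached commit message rather than this excerpt is the full record of the change.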
Created attachment 157588 [details]
cvs diff tmpl files

Files:
  01nsroot.ldif.tmpl
  02globalpreferences.ldif.tmpl
  10dsdata.ldif.tmpl
  20asdata.ldif.tmpl
Description: some more ACIs are being added.
Created attachment 157662 [details]
cvs diffs (adminserver)

Files:
  admserv/newinst/src/adminserver.map.in
  admserv/newinst/src/dirserver.map.in
  admserv/newinst/src/register_param.map.in
  admserv/schema/ldif/01nsroot.ldif.tmpl
  admserv/schema/ldif/02globalpreferences.ldif.tmpl
  admserv/schema/ldif/10dsdata.ldif.tmpl
  admserv/schema/ldif/20asdata.ldif.tmpl
Changes: Adding timestamp for installationTimeStamp.
Created attachment 157664 [details]
cvs commit message (comment #12, #13)

Reviewed by Nathan (Thank you!!)
Checked into HEAD.
Created attachment 157671 [details]
cvs diff admserv/newinst/src/{AdminUtil.pm.in, configdsroot.map.in}

Files:
  admserv/newinst/src/AdminUtil.pm.in
  admserv/newinst/src/configdsroot.map.in
Changes: Adding ACIs to cn=config and cn=schema
Note: These ACIs are needed on each Directory Server instance (not just the Configuration Directory Server), as 10dsdata and 11dstasks are.
Created attachment 157769 [details]
cvs commit (comment #15)

Reviewed by Rich (Thank you!!)
Checked into HEAD.
Created attachment 157772 [details]
cvs diffs

Files:
  newinst/src/adminserver.map.in
  newinst/src/configdsroot.map.in
  newinst/src/dirserver.map.in
  newinst/src/register_param.map.in
  schema/ldif/01nsroot.ldif.tmpl
  schema/ldif/10dsdata.ldif.tmpl
  schema/ldif/20asdata.ldif.tmpl
Description: Removing ServerRoot, InstalledLocation and ConfigRoot from o=netscaperoot.
Created attachment 157779 [details]
cvs commit (comment #17)

Reviewed by Nathan (Thank you!!)
Checked into HEAD.
Fix Description: use %domain% instead of the real domain name

/share/adminserver/adminserver/admserv/schema/ldif>cvs ci 10dsdata.ldif.tmpl
Checking in 10dsdata.ldif.tmpl;
/cvs/dirsec/adminserver/admserv/schema/ldif/10dsdata.ldif.tmpl,v  <--  10dsdata.ldif.tmpl
new revision: 1.8; previous revision: 1.7
done
Created attachment 157978 [details]
cvs diffs (adminserver)

Files:
  Makefile.am
  admserv/newinst/src/AdminUtil.pm.in
  admserv/newinst/src/dirserver.map.in
  admserv/newinst/src/register_param.map.in
  admserv/schema/ldif/14dsmonitor.mod.tmpl
  admserv/schema/ldif/15dspta.ldif.tmpl.in

Description:
1) this time, really adding "pass thru auth" to the subordinate DS instances. (see createSubDS in AdminUtil.pm)
2) adding ACI to cn=monitor
Comment on attachment 157978 [details]
cvs diffs (adminserver)

Found cn=Pass Through Authentication is taken care of in create_instance.c.

I'm backing off the 15dspta related code and just checking in the code which adds the cn=monitor aci.
Created attachment 158034 [details]
cvs diffs and commit message (comment #20, #21)

Reviewed by Rich (Thank you!!)
Checked into HEAD.
(In reply to comment #21)
> (From update of attachment 157978 [details])
> Found cn=Pass Through Authentication is taken care in create_instance.c.
>
> I'm backing off the 15dspta related code and just checking in the code which
> adds cn=monitor aci.

create_instance.c adds the cn=Pass Through Authentication plugin entry, but it is disabled. In order for the console to work, the pta plugin needs to be enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and it needs the url of the config ds.
(In reply to comment #23)
> (In reply to comment #21)
> > (From update of attachment 157978 [details])
> > Found cn=Pass Through Authentication is taken care in create_instance.c.
> >
> > I'm backing off the 15dspta related code and just checking in the code which
> > adds cn=monitor aci.
>
> create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> is disabled. In order for the console to work, the pta plugin needs to be
> enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> it needs the url of the config ds.

First, I thought so, too. But it looks like it enables the plugin if these conditions are satisfied:
SlapdConfigForMC= No
UseExistingMC= yes
ConfigDirectoryLdapURL= ldap://<fqdn>:<port>/
Otherwise, it's off. Smart, isn't it? ;)

I verified on my second DS instance that the plugin is enabled and pointing at the right Configuration DS url:
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: /usr/lib/fedora-ds/plugins/libpassthru-plugin.so
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://<fqdn>:<config_port>/o%3DNetscapeRoot
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.1.0a3
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
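As an added example (not code from the bug, from create_instance.c or from AdminUtil.pm), the following Python checks a Pass Through Authentication plugin entry against the three conditions Rich lists above (enabled, o=NetscapeRoot as the PTA suffix, and the URL of the config DS) and builds the ldapmodify change record that sets them; the host name and port values are constructed placeholders.

```python
# Added example (not from the bug, create_instance.c or AdminUtil.pm): verify a
# "cn=Pass Through Authentication" entry meets the three conditions named in the
# discussion (enabled, o=NetscapeRoot as PTA suffix, URL of the config DS) and
# build the ldapmodify record that sets them.  Host/port values are constructed.
from urllib.parse import urlsplit, unquote, quote

PTA_DN = "cn=Pass Through Authentication,cn=plugins,cn=config"
PTA_SUFFIX = "o=NetscapeRoot"

def norm_dn(dn):
    """Case-insensitive DN comparison with the spaces around commas removed."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def check_pta(entry, config_host, config_port):
    """entry: {lower-case attr: [values]}. Returns the list of problems found."""
    problems = []
    if entry.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        problems.append("plugin is disabled")
    args = entry.get("nsslapd-pluginarg0")
    if not args:
        return problems + ["no nsslapd-pluginarg0 (config DS URL) set"]
    url = urlsplit(args[0])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        return problems + ["pluginarg0 is not an LDAP URL: " + args[0]]
    if url.hostname.lower() != config_host.lower() or url.port != config_port:
        problems.append("pluginarg0 points at %s:%s, not the config DS"
                        % (url.hostname, url.port))
    suffix = unquote(url.path.lstrip("/"))       # '/o%3DNetscapeRoot' -> DN
    if norm_dn(suffix) != norm_dn(PTA_SUFFIX):
        problems.append("PTA suffix is %r, expected %s" % (suffix, PTA_SUFFIX))
    return problems

def pta_fix_ldif(config_host, config_port):
    """Change record that enables the plugin and points it at the config DS."""
    url = "ldap://%s:%d/%s" % (config_host, config_port, quote(PTA_SUFFIX, safe=""))
    return "\n".join([
        "dn: " + PTA_DN, "changetype: modify",
        "replace: nsslapd-pluginEnabled", "nsslapd-pluginEnabled: on", "-",
        "replace: nsslapd-pluginarg0", "nsslapd-pluginarg0: " + url, "-", ""])

# Constructed sample: the entry as ds_newinst leaves it (plugin off, no URL).
PTA_AS_INSTALLED = {"cn": ["Pass Through Authentication"],
                    "nsslapd-pluginenabled": ["off"]}
```

The check only accepts a URL whose host and port match the configuration DS and whose path, once the %3D escape is decoded, is exactly the o=NetscapeRoot suffix, so a stale URL left over from a previous install is reported rather than silently accepted.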
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #21)
> > > (From update of attachment 157978 [details])
> > > Found cn=Pass Through Authentication is taken care in create_instance.c.
> > >
> > > I'm backing off the 15dspta related code and just checking in the code which
> > > adds cn=monitor aci.
> >
> > create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> > is disabled. In order for the console to work, the pta plugin needs to be
> > enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> > it needs the url of the config ds.
>
> First, I thought so, too. But it looks it enables the plugin if these
> conditions are satisfied:
> SlapdConfigForMC= No
> UseExistingMC= yes
> ConfigDirectoryLdapURL= ldap://<fqdn>:<port>/
> Otherwise, it's off. Smart, isn't it? ;)

Hm - that's wrong. create_instance.c should not know or care about anything having to do with o=NetscapeRoot or the config ds. But we can worry about that later.
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #21)
> > > > (From update of attachment 157978 [details])
> > > > Found cn=Pass Through Authentication is taken care in create_instance.c.
> > > >
> > > > I'm backing off the 15dspta related code and just checking in the code which
> > > > adds cn=monitor aci.
> > >
> > > create_instance.c adds the cn=Pass Through Authentication plugin entry, but it
> > > is disabled. In order for the console to work, the pta plugin needs to be
> > > enabled, and it needs to have the o=NetscapeRoot suffix as the pta suffix, and
> > > it needs the url of the config ds.
> >
> > First, I thought so, too. But it looks it enables the plugin if these
> > conditions are satisfied:
> > SlapdConfigForMC= No
> > UseExistingMC= yes
> > ConfigDirectoryLdapURL= ldap://<fqdn>:<port>/
> > Otherwise, it's off. Smart, isn't it? ;)
>
> Hm - that's wrong. create_instance.c should not know or care about anything
> having to do with o=NetscapeRoot or the config ds. But we can worry about that
> later.

Oops, that's true. I was forgetting the ground rule... :p I can get rid of the code from create_instance.c and add the changes in Comment #20... It'd be easy.
Created attachment 158070 [details]
cvs diffs (adminserver)

Files:
  Makefile.am
  admserv/newinst/src/AdminUtil.pm.in
  admserv/newinst/src/dirserver.map.in
  admserv/newinst/src/register_param.map.in
  admserv/newinst/src/setup-ds-admin.pl.in
  admserv/schema/ldif/15dspta.ldif.tmpl.in

Description: resurrected the code adding cn=Pass Through Authentication for o=netscape. In addition to the one in comment #20, adding the calling code to admserv/newinst/src/setup-ds-admin.pl.in in case the new server is a non-configuration DS.
Created attachment 158071 [details]
cvs diff (ldapserver)

Files:
  ldap/admin/src/create_instance.[ch]

Description:
1) removing the dependency on the config_ds
2) ds_newinst always adds "cn=Pass Through Authentication" with the nsslapd-pluginEnabled value off.
Created attachment 158140 [details]
cvs commit message (comment #27, #28)

Reviewed by Rich (Thank you!!)
Checked into HEAD.
Created attachment 158148 [details]
cvs commit dspta.ldif.tmpl

Sorry, I missed adding and committing 15dspta.ldif.tmpl in my previous commit.
Checked into HEAD.
Verification test: PASS
Test machine: cypher.dsdev.sjc.redhat.com
Test steps:
1. install DS, ADMIN and console on cypher
2. login as "admin" with the desired password
expect: user "admin" can launch the DS Config panel, and has all permissions to modify/change/delete as user "cn=directory manager"
Test result: PASS