Add OTP patches and patch to fix 389-ds ccache
The OTP patches add basic support for TOTP and RADIUS. The 389-ds patch sets KRB5CCNAME in /etc/sysconfig/dirsrv so that the directory server gets a usable Kerberos credential cache (ccache).
parent
5e12d2ddce
commit
12216fc83f
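--- /dev/null
+++ b/0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch
@@ -0,0 +1,49 @@
+From f807909bc12041af67b0051d4085b0ee1bee56d7 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Thu, 11 Apr 2013 12:30:23 -0400
+Subject: [PATCH 1/6] Add ipaUserAuthType and ipaUserAuthTypeClass
+
+This schema addition will be useful for future commits. It allows us to
+define permitted external authentication methods on both the user and
+global config. The implementation is generic, but the immediate usage
+is for otp support.
+
+https://fedorahosted.org/freeipa/ticket/3365
+http://freeipa.org/page/V3/OTP
+---
+install/share/60basev3.ldif | 2 ++
+install/updates/10-60basev3.update | 4 ++++
+2 files changed, 6 insertions(+)
+
+diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
+index 43da2e7..435948f 100644
+--- a/install/share/60basev3.ldif
++++ b/install/share/60basev3.ldif
+@@ -36,6 +36,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'Fi
+# 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
+attributeTypes: (2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3')
++attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
+@@ -51,3 +52,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY
+objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
++objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
+diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update
+index 62dd472..476fa3b 100644
+--- a/install/updates/10-60basev3.update
++++ b/install/updates/10-60basev3.update
+@@ -16,3 +16,7 @@ replace:objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST
+
+# Fix dc syntax (RFC 2247)
+replace:attributeTypes:"( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2247' )::( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2247' )"
++
++# Add ipaUserAuthType and ipaUserAuthTypeClass
++add:attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
++add:objectclasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
+--
+1.8.2.1
+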
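Review bot: The new `ipaUserAuthType` attribute (the `+attributeTypes:` line in the 60basev3.ldif hunk and its twin in 10-60basev3.update) is described only as 'Allowed authentication methods', with no statement of which values are recognised; the KDC side in 0003 matches values case-insensitively against a fixed table (`disabled`, `password`, `radius`, `otp`) and a value that matches nothing simply contributes no flag, so a misspelling is accepted by the directory and ignored by the KDC without any error. I would put the vocabulary in the schema itself, `DESC 'Allowed authentication methods: disabled, password, radius, otp'`, on both lines so the LDIF and the update file stay identical. Two caveats the commit does not address: nothing in this patch attaches `ipaUserAuthTypeClass` to user entries or to the global config entry the KDC reads, and the attribute is not added to the anonymous ACI's `targetattr !=` list in 0002, so the per-user list of permitted authentication methods appears to be readable by anonymous binds; patches 4-6 of the series are not in this commit and may cover both, which is worth confirming.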
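--- /dev/null
+++ b/0002-Add-IPA-OTP-schema-and-ACLs.patch
@@ -0,0 +1,288 @@
+From edca6946f81e01ddc5f3d5a8389560a704f11d7b Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Thu, 11 Apr 2013 13:24:46 -0400
+Subject: [PATCH 2/6] Add IPA OTP schema and ACLs
+
+This commit adds schema support for two factor authentication via
+OTP devices, including RADIUS or TOTP. This schema will be used
+by future patches which will enable two factor authentication
+directly.
+
+https://fedorahosted.org/freeipa/ticket/3365
+http://freeipa.org/page/V3/OTP
+---
+install/share/70ipaotp.ldif | 28 +++++++++++++++++++++++
+install/share/Makefile.am | 1 +
+install/share/copy-schema-to-ca.py | 1 +
+install/share/default-aci.ldif | 10 +++++++-
+install/updates/10-70ipaotp.update | 25 ++++++++++++++++++++
+install/updates/40-otp.update | 9 ++++++++
+install/updates/Makefile.am | 4 +++-
+ipalib/constants.py | 1 +
+ipaserver/install/dsinstance.py | 3 ++-
+ipaserver/install/plugins/update_anonymous_aci.py | 25 ++++++++++++++------
+10 files changed, 97 insertions(+), 10 deletions(-)
+create mode 100644 install/share/70ipaotp.ldif
+create mode 100644 install/updates/10-70ipaotp.update
+create mode 100644 install/updates/40-otp.update
+
+diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
+new file mode 100644
+index 0000000..3cfe872
+--- /dev/null
++++ b/install/share/70ipaotp.ldif
+@@ -0,0 +1,28 @@
++# IPA OTP schema
++# BaseOID: 2.16.840.1.113730.3.8.16
++# See RFC 4517 for Syntax OID definitions
++dn: cn=schema
++attributeTypes: (2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.2 NAME 'ipatokenDisabled' DESC 'Optionally marks token as Disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.5 NAME 'ipatokenVendor' DESC 'Optional Vendor identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Optional Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.7 NAME 'ipatokenSerial' DESC 'OTP Token Serial number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DESC 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.12 NAME 'ipatokenTOTPtimeStep' DESC 'TOTP time-step' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User entry that owns this token' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP')
++objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP')
++objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
++objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index f8f9b74..8823723 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -11,6 +11,7 @@ app_DATA = \
+60ipadns.ldif \
+61kerberos-ipav3.ldif \
+65ipasudo.ldif \
++ 70ipaotp.ldif \
+anonymous-vlv.ldif \
+bootstrap-template.ldif \
+caJarSigningCert.cfg.template \
+diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
+index 4e2054e..1888f12 100755
+--- a/install/share/copy-schema-to-ca.py
++++ b/install/share/copy-schema-to-ca.py
+@@ -31,6 +31,7 @@ SCHEMA_FILENAMES = (
+"60ipadns.ldif",
+"61kerberos-ipav3.ldif",
+"65ipasudo.ldif",
++ "70ipaotp.ldif",
+"05rfc2247.ldif",
+)
+
+diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
+index f173f79..18881ec 100644
+--- a/install/share/default-aci.ldif
++++ b/install/share/default-aci.ldif
+@@ -3,7 +3,7 @@
+dn: $SUFFIX
+changetype: modify
+add: aci
+-aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
++aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
+@@ -96,3 +96,11 @@ dn: cn=ipa,cn=etc,$SUFFIX
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)
++
++# Let users manage their own tokens
++dn: $SUFFIX
++changetype: modify
++add: aci
++aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)
++aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)
++aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)
+diff --git a/install/updates/10-70ipaotp.update b/install/updates/10-70ipaotp.update
+new file mode 100644
+index 0000000..600ef9c
+--- /dev/null
++++ b/install/updates/10-70ipaotp.update
+@@ -0,0 +1,25 @@
++dn: cn=schema
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.2 NAME 'ipatokenDisabled' DESC 'Optionally marks token as Disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.5 NAME 'ipatokenVendor' DESC 'Optional Vendor identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Optional Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.7 NAME 'ipatokenSerial' DESC 'OTP Token Serial number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DESC 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.12 NAME 'ipatokenTOTPtimeStep' DESC 'TOTP time-step' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User entry that owns this token' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP')
++add:objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $$ ipatokenOwner $$ ipatokenDisabled $$ ipatokenNotBefore $$ ipatokenNotAfter $$ ipatokenVendor $$ ipatokenModel $$ ipatokenSerial) X-ORIGIN 'IPA OTP')
++add:objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $$ ipatokenOTPalgorithm $$ ipatokenOTPdigits $$ ipatokenTOTPclockOffset $$ ipatokenTOTPtimeStep) X-ORIGIN 'IPA OTP')
++add:objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MUST (ipatokenRadiusConfigLink) MAY (ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
++add:objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $$ ipatokenRadiusServer $$ ipatokenRadiusSecret) MAY (description $$ ipatokenRadiusTimeout $$ ipatokenRadiusRetries $$ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
+diff --git a/install/updates/40-otp.update b/install/updates/40-otp.update
+new file mode 100644
+index 0000000..ff36c87
+--- /dev/null
++++ b/install/updates/40-otp.update
+@@ -0,0 +1,9 @@
++dn: cn=otp,$SUFFIX
++default: objectClass: nsContainer
++default: objectClass: top
++default: cn: otp
++
++dn: $SUFFIX
++add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN";)'
++add: aci:'(targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can write basic token info"; allow (write) userattr = "ipatokenOwner#USERDN";)'
++add: aci:'(targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (write, search) userattr = "ipatokenOwner#USERDN";)'
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index ab3f411..787a51c 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
+app_DATA = \
+10-60basev2.update \
+10-60basev3.update \
++ 10-70ipaotp.update \
+10-RFC2307bis.update \
+10-RFC4876.update \
+10-config.update \
+@@ -13,6 +14,7 @@ app_DATA = \
+10-ssh.update \
+10-bind-schema.update \
+10-uniqueness.update \
++ 10-schema_compat.update \
+19-managed-entries.update \
+20-aci.update \
+20-dna.update \
+@@ -20,7 +22,6 @@ app_DATA = \
+20-indices.update \
+20-nss_ldap.update \
+20-replication.update \
+- 10-schema_compat.update \
+20-user_private_groups.update \
+20-winsync_index.update \
+21-replicas_container.update \
+@@ -32,6 +33,7 @@ app_DATA = \
+40-replication.update \
+40-dns.update \
+40-automember.update \
++ 40-otp.update \
+45-roles.update \
+50-lockout-policy.update \
+50-groupuuid.update \
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index ecb9255..de08457 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -109,6 +109,7 @@ DEFAULT_CONFIG = (
+('container_dna', DN(('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
+('container_dna_posix_ids', DN(('cn', 'posix-ids'), ('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))),
+('container_realm_domains', DN(('cn', 'Realm Domains'), ('cn', 'ipa'), ('cn', 'etc'))),
++ ('container_otp', DN(('cn', 'otp'))),
+
+# Ports, hosts, and URIs:
+# FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index e6bb054..7c809ec 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -409,7 +409,8 @@ class DsInstance(service.Service):
+"60basev3.ldif",
+"60ipadns.ldif",
+"61kerberos-ipav3.ldif",
+- "65ipasudo.ldif"):
++ "65ipasudo.ldif",
++ "70ipaotp.ldif"):
+target_fname = schema_dirname(self.serverid) + schema_fname
+shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
+os.chmod(target_fname, 0440) # read access for dirsrv user/group
+diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
+index 2b7446a..1e75113 100644
+--- a/ipaserver/install/plugins/update_anonymous_aci.py
++++ b/ipaserver/install/plugins/update_anonymous_aci.py
+@@ -20,8 +20,6 @@
+from copy import deepcopy
+from ipaserver.install.plugins import FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PostUpdate
+-#from ipalib.frontend import Updater
+-#from ipaserver.install.plugins import baseupdate
+from ipalib import api
+from ipalib.aci import ACI
+from ipalib.plugins import aci
+@@ -37,6 +35,8 @@ class update_anonymous_aci(PostUpdate):
+aciname = u'Enable Anonymous access'
+aciprefix = u'none'
+ldap = self.obj.backend
++ targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
++ filter = None
+
+(dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
+
+@@ -45,6 +45,9 @@ class update_anonymous_aci(PostUpdate):
+rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
+
+attrs = rawaci.target['targetattr']['expression']
++ rawfilter = rawaci.target.get('targetfilter', None)
++ if rawfilter is not None:
++ filter = rawfilter['expression']
+
+update_attrs = deepcopy(attrs)
+
+@@ -54,12 +57,10 @@ class update_anonymous_aci(PostUpdate):
+needed_attrs.append(attr)
+
+update_attrs.extend(needed_attrs)
+- if len(attrs) == len(update_attrs):
++ if (len(attrs) == len(update_attrs) and
++ filter == targetfilter):
+root_logger.debug("Anonymous ACI already update-to-date")
+return (False, False, [])
+- else:
+- root_logger.debug("New Anonymous ACI attributes needed: %s",
+- needed_attrs)
+
+for tmpaci in acistrs:
+candidate = ACI(tmpaci)
+@@ -67,7 +68,17 @@ class update_anonymous_aci(PostUpdate):
+acistrs.remove(tmpaci)
+break
+
+- rawaci.target['targetattr']['expression'] = update_attrs
++ if len(attrs) != len(update_attrs):
++ root_logger.debug("New Anonymous ACI attributes needed: %s",
++ needed_attrs)
++
++ rawaci.target['targetattr']['expression'] = update_attrs
++
++ if filter != targetfilter:
++ root_logger.debug("New Anonymous ACI targetfilter needed.")
++
++ rawaci.set_target_filter(targetfilter)
++
+acistrs.append(unicode(rawaci))
+entry_attrs['aci'] = acistrs
+
+--
+1.8.2.1
+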
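Review bot: The 'Users can write basic token info' ACI in the default-aci.ldif hunk (repeated verbatim in 40-otp.update) lists `ipatokenOwner` among the writable attributes while the bind rule is `userattr = "ipatokenOwner#USERDN"`, so ownership is the only thing separating users and a token owner can reassign a token they control — including a TOTP token whose key they set themselves via the third ACI — to any other user's DN; how the KDC treats such a token is outside this commit, but nothing in the ACI prevents the reassignment. I would drop `ipatokenOwner` (and probably `ipatokenUniqueID`, which looks like the token's identity) from that ACI in both files, `(targetattrs = "description || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")`, leaving owner changes to administrators. As defence in depth, the anonymous ACI now hides token entries only through the objectClass targetfilter; adding `ipatokenOTPkey || ipatokenRadiusSecret` to its `targetattr !=` list (and to the needed-attrs list the update_anonymous_aci plugin consults, which is outside this hunk) would keep the secrets unreadable even if they ever land on an entry without those classes. Finally, the ACL named 'Users can add TOTP token secrets' grants `(write, search)` and not `add`, so the name overstates the right; 'Users can write TOTP token secrets' would describe what it actually allows.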
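--- /dev/null
+++ b/0003-ipa-kdb-Add-OTP-support.patch
@@ -0,0 +1,187 @@
+From 5b15278283d3be6d615c98963807facf34da31eb Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Thu, 11 Apr 2013 13:50:42 -0400
+Subject: [PATCH 3/6] ipa-kdb: Add OTP support
+
+If OTP is enabled for a user, then:
+1. Long-term keys are not provided to KDB
+2. The user string 'otp' is defined to KDB
+
+Since it is not secure to send radius configuration information
+over krb5 user strings, we simply set the string to a known default
+('[]') which enables the default configuration in the KDC.
+
+https://fedorahosted.org/freeipa/ticket/3561
+http://freeipa.org/page/V3/OTP
+---
+daemons/ipa-kdb/ipa_kdb.c | 38 +++++++++++++++++++++++++++++++++++-
+daemons/ipa-kdb/ipa_kdb.h | 13 ++++++++++++
+daemons/ipa-kdb/ipa_kdb_principals.c | 28 ++++++++++++++++++++++++++
+3 files changed, 78 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index e5c718e..8464264 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -173,9 +173,42 @@ done:
+return base;
+}
+
++static const struct {
++ const char *name;
++ enum ipadb_user_auth flag;
++} userauth_table[] = {
++ { "disabled", IPADB_USER_AUTH_DISABLED },
++ { "password", IPADB_USER_AUTH_PASSWORD },
++ { "radius", IPADB_USER_AUTH_RADIUS },
++ { "otp", IPADB_USER_AUTH_OTP },
++ { }
++};
++
++void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
++ enum ipadb_user_auth *userauth)
++{
++ struct berval **vals;
++ int i, j;
++
++ *userauth = IPADB_USER_AUTH_EMPTY;
++ vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
++ if (!vals)
++ return;
++
++ for (i = 0; vals[i]; i++) {
++ for (j = 0; userauth_table[j].name; j++) {
++ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
++ *userauth |= userauth_table[j].flag;
++ break;
++ }
++ }
++ }
++}
++
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+- char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR, NULL };
++ char *attrs[] = { "ipaConfigString", IPA_KRB_AUTHZ_DATA_ATTR,
++ IPA_USER_AUTH_TYPE, NULL };
+struct berval **vals = NULL;
+LDAPMessage *res = NULL;
+LDAPMessage *first;
+@@ -203,6 +236,9 @@ int ipadb_get_global_configs(struct ipadb_context *ipactx)
+goto done;
+}
+
++ /* Check for permitted authentication types. */
++ ipadb_get_user_auth(ipactx->lcontext, res, &ipactx->user_auth);
++
+vals = ldap_get_values_len(ipactx->lcontext, first,
+"ipaConfigString");
+if (!vals || !vals[0]) {
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index 9daaab8..54869d8 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -75,9 +75,18 @@
+#define IPA_SETUP "ipa-setup-override-restrictions"
+
+#define IPA_KRB_AUTHZ_DATA_ATTR "ipaKrbAuthzData"
++#define IPA_USER_AUTH_TYPE "ipaUserAuthType"
+
+struct ipadb_mspac;
+
++enum ipadb_user_auth {
++ IPADB_USER_AUTH_EMPTY = 0,
++ IPADB_USER_AUTH_DISABLED = 1 << 0,
++ IPADB_USER_AUTH_PASSWORD = 1 << 1,
++ IPADB_USER_AUTH_RADIUS = 1 << 2,
++ IPADB_USER_AUTH_OTP = 1 << 3,
++};
++
+struct ipadb_context {
+char *uri;
+char *base;
+@@ -92,6 +101,7 @@ struct ipadb_context {
+bool disable_last_success;
+bool disable_lockout;
+char **authz_data;
++ enum ipadb_user_auth user_auth;
+};
+
+#define IPA_E_DATA_MAGIC 0x0eda7a
+@@ -259,3 +269,6 @@ void ipadb_audit_as_req(krb5_context kcontext,
+krb5_timestamp authtime,
+krb5_error_code error_code);
+
++/* AUTH METHODS */
++void ipadb_get_user_auth(LDAP *lcontext, LDAPMessage *le,
++ enum ipadb_user_auth *user_auth);
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 11c155e..3566e1e 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -64,6 +64,7 @@ static char *std_principal_attrs[] = {
+"nsaccountlock",
+"passwordHistory",
+IPA_KRB_AUTHZ_DATA_ATTR,
++ IPA_USER_AUTH_TYPE,
+
+"objectClass",
+NULL
+@@ -228,6 +229,9 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+krb5_db_entry **kentry,
+uint32_t *polmask)
+{
++ krb5_octet otp_string[] = {'o', 't', 'p', 0, '[', ']', 0 };
++ enum ipadb_user_auth user_ua = IPADB_USER_AUTH_EMPTY;
++ enum ipadb_user_auth *active_ua = &user_ua;
+struct ipadb_context *ipactx;
+LDAP *lcontext;
+krb5_db_entry *entry;
+@@ -262,6 +266,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+entry->magic = KRB5_KDB_MAGIC_NUMBER;
+entry->len = KRB5_KDB_V1_BASE_LENGTH;
+
++ /* Get the user's user_auth settings. */
++ ipadb_get_user_auth(ipactx->lcontext, lentry, &user_ua);
++
++ /* TODO: Should we confirm the existence of ipatokenRadiusConfigLink in
++ * the case of RADIUS? Existence of a token for OTP? */
++
++ /* Determine which user_auth policy is active: user or global. */
++ if ((ipactx->user_auth & IPADB_USER_AUTH_DISABLED)
++ || user_ua == IPADB_USER_AUTH_EMPTY)
++ active_ua = &ipactx->user_auth;
++
+/* ignore mask for now */
+
+ret = ipadb_ldap_attr_to_int(lcontext, lentry,
+@@ -393,6 +408,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+&res_key_data, &result, &mkvno);
+switch (ret) {
+case 0:
++ /* Only set a principal's key if password auth should be used. */
++ if ((*active_ua & ~IPADB_USER_AUTH_DISABLED) != IPADB_USER_AUTH_EMPTY
++ && !(*active_ua & IPADB_USER_AUTH_PASSWORD)) {
++ /* This is the same behavior as ENOENT below. */
++ break;
++ }
++
+entry->key_data = res_key_data;
+entry->n_key_data = result;
+if (mkvno) {
+@@ -515,6 +537,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+ied->authz_data = authz_data_list;
+}
+
++ /* If enabled, set the otp user string, enabling otp. */
++ if ((*active_ua & (IPADB_USER_AUTH_RADIUS | IPADB_USER_AUTH_OTP)) &&
++ !(*active_ua & IPADB_USER_AUTH_DISABLED)) {
++ ret = ipadb_set_tl_data(entry, KRB5_TL_STRING_ATTRS,
++ sizeof(otp_string), otp_string);
++ }
+
+kerr = 0;
+
+--
+1.8.2.1
+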
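Review bot: ipadb_get_user_auth never releases the array returned by ldap_get_values_len, so every call leaks `vals`, and the function runs once per principal lookup from ipadb_parse_ldap_entry as well as from ipadb_get_global_configs; add `ldap_value_free_len(vals);` after the outer for loop, before the closing brace. In ipadb_get_global_configs the new call passes `res`, while the ldap_get_values_len call two lines below reads from `first`; using the entry for both, `ipadb_get_user_auth(ipactx->lcontext, first, &ipactx->user_auth);`, keeps the function consistent and stops it depending on the first message in the result chain being an entry. Values of ipaUserAuthType that match no row of userauth_table are dropped without a trace, so a mistyped value leaves user_ua at IPADB_USER_AUTH_EMPTY and the principal quietly falls back to the global policy; a debug-level log line for the no-match case would make that visible to an administrator. The bodies of ipadb_get_global_configs and ipadb_parse_ldap_entry continue outside these hunks, so the later cleanup of `res` is not visible here.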
1998
0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch
Normal file
1998
0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch
Normal file
File diff suppressed because it is too large
5603
0005-Remove-unnecessary-prefixes-from-ipa-pwd-extop-files.patch
Normal file
5603
0005-Remove-unnecessary-prefixes-from-ipa-pwd-extop-files.patch
Normal file
File diff suppressed because it is too large
1711
0006-Add-OTP-support-to-ipa-pwd-extop.patch
Normal file
1711
0006-Add-OTP-support-to-ipa-pwd-extop.patch
Normal file
File diff suppressed because it is too large
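--- /dev/null
+++ b/freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch
@@ -0,0 +1,76 @@
+From 1be93108c4c1506ea50879d645c47ab6843a6ee1 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Tue, 14 May 2013 18:36:50 +0200
+Subject: [PATCH] Set KRB5CCNAME so that dirsrv can work with newer krb5-server
+
+The DIR ccache format is now the default in krb5-server 1.11.2-4
+but /run/user/<uid> isn't created for Apache by anything so it
+has no ccache (and it doesn't have SELinux permissions to write here
+either).
+
+Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
+
+https://fedorahosted.org/freeipa/ticket/3628
+---
+install/tools/ipa-upgradeconfig | 1 +
+ipaserver/install/dsinstance.py | 18 ++++++++++++++++++
+2 files changed, 19 insertions(+)
+
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index 8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0..8e9357f20fe7c9a88908def6a2e3b2104f07d73a 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -919,6 +919,7 @@ def main():
+http.configure_httpd_ccache()
+
+ds = dsinstance.DsInstance()
++ ds.configure_dirsrv_ccache()
+
+fix_schema_file_syntax(ds)
+
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index e6bb054ddad4a0d91d76d4c79eb477913e8776aa..3b841417e717587675d3ac748ec02182b3e14672 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -26,6 +26,7 @@
+import time
+import tempfile
+import base64
++import stat
+
+from ipapython.ipa_log_manager import *
+from ipapython import ipautil, sysrestore, dogtag, ipaldap
+@@ -213,6 +214,7 @@ def __common_setup(self, enable_ssl=False):
+self.step("configuring certmap.conf", self.__certmap_conf)
+self.step("configure autobind for root", self.__root_autobind)
+self.step("configure new location for managed entries", self.__repoint_managed_entries)
++ self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
+self.step("restarting directory server", self.__restart_instance)
+
+def __common_post_setup(self):
+@@ -515,6 +517,22 @@ def __config_lockout_module(self):
+def __repoint_managed_entries(self):
+self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)
+
++ def configure_dirsrv_ccache(self):
++ pent = pwd.getpwnam("dirsrv")
++ ccache = '/tmp/krb5cc_%d' % pent.pw_uid
++ filepath = '/etc/sysconfig/dirsrv'
++ if not os.path.exists(filepath):
++ # file doesn't exist; create it with correct ownership & mode
++ open(filepath, 'a').close()
++ os.chmod(filepath,
++ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
++ os.chown(filepath, 0, 0)
++
++ replacevars = {'KRB5CCNAME': ccache}
++ old_values = ipautil.backup_config_and_replace_variables(
++ self.fstore, filepath, replacevars=replacevars)
++ ipaservices.restore_context(filepath)
++
+def __managed_entries(self):
+self._ldap_mod("managed-entries.ldif", self.sub_dict)
+
+--
+1.8.1.4
+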
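Review bot: configure_dirsrv_ccache has no docstring, and the reason for pointing dirsrv at `/tmp/krb5cc_<uid>` (the conventional FILE ccache name) instead of the DIR default under /run/user/<uid> lives only in the commit message; a short docstring stating that the method sets KRB5CCNAME in /etc/sysconfig/dirsrv to a FILE ccache because no per-service /run/user directory exists for dirsrv would keep that rationale next to the code. `old_values` is assigned from backup_config_and_replace_variables but never read; drop the assignment or log the previous value for the upgrade record. The method also uses `pwd` and `os`, neither of which this patch imports; if dsinstance.py does not already import them above line 26, which is outside the hunk, the new install step raises NameError. Writing the value as `ccache = 'FILE:/tmp/krb5cc_%d' % pent.pw_uid` would make the intended ccache type explicit rather than relying on libkrb5's handling of an untyped name.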
19
freeipa.spec
19
freeipa.spec
@ -8,7 +8,7 @@
Name: freeipa
Name: freeipa
Version: 3.2.0
Version: 3.2.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: The Identity, Policy and Audit system
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
Group: System Environment/Base
@ -17,6 +17,14 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: 0001-Add-ipaUserAuthType-and-ipaUserAuthTypeClass.patch
Patch2: 0002-Add-IPA-OTP-schema-and-ACLs.patch
Patch3: 0003-ipa-kdb-Add-OTP-support.patch
Patch4: 0004-Add-the-krb5-FreeIPA-RADIUS-companion-daemon.patch
Patch5: 0005-Remove-unnecessary-prefixes-from-ipa-pwd-extop-files.patch
Patch6: 0006-Add-OTP-support-to-ipa-pwd-extop.patch
Patch7: freeipa-mkosek-407-set-krb5ccname-so-that-dirsrv-can-work-with-newer-kr.patch
%if ! %{ONLY_CLIENT}
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1.0
BuildRequires: 389-ds-base-devel >= 1.3.1.0
BuildRequires: svrcore-devel
BuildRequires: svrcore-devel
@ -74,6 +82,8 @@ BuildRequires: m2crypto
BuildRequires: check
BuildRequires: check
BuildRequires: libsss_idmap-devel
BuildRequires: libsss_idmap-devel
BuildRequires: java-1.7.0-openjdk
BuildRequires: java-1.7.0-openjdk
BuildRequires: libverto-devel
BuildRequires: systemd
# Find out Kerberos middle version to infer ABI changes in DAL driver
# Find out Kerberos middle version to infer ABI changes in DAL driver
# We cannot load DAL driver into KDC with wrong ABI.
# We cannot load DAL driver into KDC with wrong ABI.
@ -689,6 +699,7 @@ fi
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-compliance
%{_sbindir}/ipa-compliance
%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
%{_libexecdir}/ipa-otpd
%{_sysconfdir}/cron.d/ipa-compliance
%{_sysconfdir}/cron.d/ipa-compliance
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
@ -701,6 +712,8 @@ fi
%{_libexecdir}/freeipa-systemd-upgrade
%{_libexecdir}/freeipa-systemd-upgrade
# Fedora spec file only: END
# Fedora spec file only: END
# END
# END
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
%dir %{python_sitelib}/ipaserver
%dir %{python_sitelib}/ipaserver
%dir %{python_sitelib}/ipaserver/install
%dir %{python_sitelib}/ipaserver/install
%dir %{python_sitelib}/ipaserver/install/plugins
%dir %{python_sitelib}/ipaserver/install/plugins
@ -906,6 +919,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
%changelog
* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
- Add OTP patches
- Add patch to set KRB5CCNAME for 389-ds-base
* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
- Update to upstream 3.2.0 GA
- Update to upstream 3.2.0 GA
- ipa-client-install fails if /etc/ipa does not exist (#961483)
- ipa-client-install fails if /etc/ipa does not exist (#961483)
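Review bot: The new `%{_unitdir}/ipa-otpd.socket` and `%{_unitdir}/ipa-otpd@.service` entries are added to %files, but none of the hunks shown add `%systemd_post`/`%systemd_preun`/`%systemd_postun` scriptlets for the socket unit, so unless they live in a part of the spec outside this diff the socket is neither enabled on install nor stopped on removal. `BuildRequires: systemd` is added, presumably for those macros; a matching `Requires(post): systemd` (or the `%{?systemd_requires}` shorthand) would normally accompany it so the scriptlet macros resolve at install time as well. The `%{_libexecdir}/ipa-otpd` entry carries no `%attr` while the neighbouring unit entries do; if the default file mode is intended, a one-line comment saying so would stop the asymmetry reading as an omission.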