From 5acc4e48630e806be4b88264eadd8e6e1ba2aa1c Mon Sep 17 00:00:00 2001
From: Simon Pichugin
Date: Nov 27 2018 20:16:11 +0000
Subject: Issue 49984 - Add an empty domain creation to the dscreate

Description: Create an empty domain with basic ACIs while creating an instance without sample_entries but with a backend.

https://pagure.io/389-ds-base/issue/49984

Reviewed by: mreynolds, vashirov (Thanks!)

---

diff --git a/src/lib389/lib389/configurations/config_001003006.py b/src/lib389/lib389/configurations/config_001003006.py
index 42f5f30..d04caaa 100644
--- a/src/lib389/lib389/configurations/config_001003006.py
+++ b/src/lib389/lib389/configurations/config_001003006.py
@@ -6,12 +6,9 @@
 # See LICENSE for details.
 # --- END COPYRIGHT BLOCK ---
-from ldap import dn
-
 from .config import baseconfig, configoperation
-from .sample import sampleentries
+from .sample import sampleentries, create_base_domain
-from lib389.idm.domain import Domain
 from lib389.idm.organizationalunit import OrganizationalUnits
 from lib389.idm.group import UniqueGroups, UniqueGroup
@@ -25,17 +22,9 @@ class c001003006_sample_entries(sampleentries):
 # All the checks are done, apply them.
 def _apply(self):
 # Create the base domain object
- domain = Domain(self._instance, dn=self._basedn)
- # Explode the dn to get the first bit.
- avas = dn.str2dn(self._basedn)
- dc_ava = avas[0][0][1]
+ domain = create_base_domain(self._instance, self._basedn)
+ domain.add('aci' , '(targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators,{BASEDN}");)'.format(BASEDN=self._basedn))
- domain.create(properties={
- # I think in python 2 this forces unicode return ...
- 'dc': dc_ava,
- 'description': self._basedn,
- 'aci' : '(targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators,{BASEDN}");)'.format(BASEDN=self._basedn)
- })
 # Create the OUs
 ous = OrganizationalUnits(self._instance, self._basedn)
 ous.create(properties = {
diff --git a/src/lib389/lib389/configurations/config_001004000.py b/src/lib389/lib389/configurations/config_001004000.py
index 13fa933..697a911 100644
--- a/src/lib389/lib389/configurations/config_001004000.py
+++ b/src/lib389/lib389/configurations/config_001004000.py
@@ -6,12 +6,9 @@
 # See LICENSE for details.
 # --- END COPYRIGHT BLOCK ---
-from ldap import dn
-
 from .config import baseconfig, configoperation
-from .sample import sampleentries
+from .sample import sampleentries, create_base_domain
-from lib389.idm.domain import Domain
 from lib389.idm.organizationalunit import OrganizationalUnits
 from lib389.idm.group import Groups
 from lib389.idm.posixgroup import PosixGroups
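Review bot: `domain.add('aci' , '(targetattr ="*")...')` applies the administrators ACI in a second modify after create_base_domain has already added the entry, whereas the removed code passed it through `create(properties=...)` so the entry never existed without it; if the add fails, the base entry is left in place with no ACI and the error surfaces only after the object is created. If create_base_domain grew an optional `aci` argument that it forwards into the create properties, both this caller and the 001004000 one could keep the single-operation behaviour. Minor style: the stray space before the comma in `'aci' ,` should go. The `_apply` body continues past the end of the hunk.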
@@ -28,22 +25,13 @@ class c001004000_sample_entries(sampleentries):
 # All checks done, apply!
 def _apply(self):
 # Create the base domain object
- domain = Domain(self._instance, dn=self._basedn)
- # Explode the dn to get the first bit.
- avas = dn.str2dn(self._basedn)
- dc_ava = avas[0][0][1]
-
- domain.create(properties={
- # I think in python 2 this forces unicode return ...
- 'dc': dc_ava,
- 'description': self._basedn,
- 'aci': [
- # Allow reading the base domain object
- '(targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
- # Allow reading the ou
- '(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
- ]
- })
+ domain = create_base_domain(self._instance, self._basedn)
+ domain.add('aci', [
+ # Allow reading the base domain object
+ '(targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
+ # Allow reading the ou
+ '(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
+ ])
 # Create the 389 service container
 # This could also move to be part of core later ....
diff --git a/src/lib389/lib389/configurations/sample.py b/src/lib389/lib389/configurations/sample.py
index a2292f5..25a1b32 100644
--- a/src/lib389/lib389/configurations/sample.py
+++ b/src/lib389/lib389/configurations/sample.py
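Review bot: The two anonymous-read ACI strings passed to `domain.add('aci', [...])` here are copied verbatim into the backend loop of src/lib389/lib389/instance/setup.py in this same commit, so the two copies can drift apart silently the next time one of them is edited. Since both sites call create_base_domain, the list belongs next to it in sample.py as one module-level constant (e.g. `DEFAULT_DOMAIN_ACIS = [...]`, name to be chosen) that both callers reference. The `_apply` body continues past the end of the hunk.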
@@ -6,8 +6,12 @@
 # See LICENSE for details.
 # --- END COPYRIGHT BLOCK ---
+from ldap import dn
+
+from lib389.idm.domain import Domain
 from lib389.utils import ensure_str
+
 class sampleentries(object):
 def __init__(self, instance, basedn):
 self._instance = instance
@@ -19,3 +23,22 @@ class sampleentries(object):
 def _apply(self):
 raise Exception('Not implemented')
+
+
+def create_base_domain(instance, basedn):
+ """Create the base domain object"""
+
+ domain = Domain(instance, dn=basedn)
+ # Explode the dn to get the first bit.
+ avas = dn.str2dn(basedn)
+ dc_ava = avas[0][0][1]
+
+ domain.create(properties={
+ # I think in python 2 this forces unicode return ...
+ 'dc': dc_ava,
+ 'description': basedn,
+ })
+ # ACI can be added later according to your needs
+
+ return domain
+
diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
index 0f4a257..d6acb1e 100644
--- a/src/lib389/lib389/instance/setup.py
+++ b/src/lib389/lib389/instance/setup.py
@@ -22,6 +22,7 @@ from lib389.properties import *
 from lib389.passwd import password_hash, password_generate
 from lib389.nss_ssl import NssSsl
 from lib389.configurations import get_config
+from lib389.configurations.sample import create_base_domain
 from lib389.instance.options import General2Base, Slapd2Base, Backend2Base
 from lib389.paths import Paths
 from lib389.saslmap import SaslMappings
@@ -672,7 +673,6 @@ class SetupDs(object):
 if len(backends) > 0:
 ds_suffix = backends[0]['nsslapd-suffix']
-
 # Create certdb in sysconfidir
 if self.verbose:
 self.log.info("ACTION: Creating certificate database is %s", slapd['cert_dir'])
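Review bot: create_base_domain takes `avas[0][0][1]` as the dc value without checking that the attribute type of the first RDN (`avas[0][0][0]`) is actually dc, so a suffix such as `o=example` is accepted here and the mismatch between the RDN and the `'dc'` property is caught, if at all, only when the server processes the add. Checking the type up front gives a clear error at the call site: `attr, dc_ava = avas[0][0][0], avas[0][0][1]`, then `if attr.lower() != 'dc':` and `raise ValueError('create_base_domain expects a suffix whose first RDN is dc=..., got %r' % basedn)`. The one-line docstring should also say that basedn must be a dc= suffix, that the entry is created with only dc and description, and that the returned Domain carries no ACI yet (the `# ACI can be added later according to your needs` comment is currently the only hint). The hunk also ends with a stray added blank line at end of file.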
@@ -785,7 +785,17 @@ class SetupDs(object):
 # Create the backends as listed
 # Load example data if needed.
 for backend in backends:
+ is_sample_entries_in_props = "sample_entries" in backend
 ds_instance.backends.create(properties=backend)
+ if not is_sample_entries_in_props:
+ domain = create_base_domain(ds_instance, backend['nsslapd-suffix'])
+ # Set basic ACI
+ domain.add('aci', [
+ # Allow reading the base domain object
+ '(targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)',
+ # Allow reading the ou
+ '(targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
+ ])
 # Initialise ldapi socket information. IPA expects this ....
 ldapi_path = os.path.join(slapd['local_state_dir'], "run/slapd-%s.socket" % slapd['instance_name'])
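Review bot: `is_sample_entries_in_props = "sample_entries" in backend` tests only for the key's presence, so a backend whose properties carry `sample_entries` with an empty or "no"-style value (how the option is parsed is outside this hunk) would get neither sample entries nor the empty base domain, leaving the suffix with no root entry at all; if such values can reach this loop, test the value rather than the key, e.g. `if not backend.get('sample_entries'):` adjusted to the option's actual encoding. The `# Set basic ACI` comment also understates what is granted: both ACIs allow anonymous (`userdn="ldap:///anyone"`) read, search and compare on the domain entry and, via the organizationalUnit targetfilter, on OU entries beneath it, and this becomes the default for every backend created without sample entries; say so, e.g. `# Grant anonymous read/search/compare on the domain entry and on OU naming attributes (matches the 001004000 sample config)`. The enclosing method continues outside the hunk.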