[yast-commit] r50743 - in /trunk/ldap-server/src: LdapServer.pm agent/SlapdConfigAgent.cc lib/slapd-config.cpp
Author: rhafer Date: Fri Sep 5 14:25:57 2008 New Revision: 50743 URL: http://svn.opensuse.org/viewcvs/yast?rev=50743&view=rev Log: Streamlined ACL managment a bit. Get rid of ".access" path in agent Modified: trunk/ldap-server/src/LdapServer.pm trunk/ldap-server/src/agent/SlapdConfigAgent.cc trunk/ldap-server/src/lib/slapd-config.cpp Modified: trunk/ldap-server/src/LdapServer.pm URL: http://svn.opensuse.org/viewcvs/yast/trunk/ldap-server/src/LdapServer.pm?rev=50743&r1=50742&r2=50743&view=diff ============================================================================== --- trunk/ldap-server/src/LdapServer.pm (original) +++ trunk/ldap-server/src/LdapServer.pm Fri Sep 5 14:25:57 2008 @@ -54,7 +54,86 @@ my $ldapi_interfaces = ""; my $ldaps_interfaces = ""; my $ldap_interfaces = ""; +my $defaultDbAcls = [ + { + 'target' => { + 'attrs' => "userPassword" + }, + 'access' => [ + { + 'level' => 'write', + 'type' => 'self' + },{ + 'type' => '*', + 'level' => 'auth' + } + ] + },{ + 'target' => { + 'attrs' => "shadowLastChange" + }, + 'access' => [ + { + 'type' => 'self', + 'level' => 'write' + },{ + 'type' => '*', + 'level' => 'read' + } + ] + },{ + 'target' => { + 'attrs' => "userPKCS12" + }, + 'access' => [ + { + 'type' => 'self', + 'level' => 'read' + },{ + 'type' => '*', + 'level' => 'none' + } + ] + },{ + 'target' => {}, + 'access' => [ + { + 'type' => '*', + 'level' => 'read' + } + ] + } + ]; +my $defaultGlobalAcls = [ + { + 'target' => { + 'dn' => { + 'style' => 'base', + 'value' => '' + } + }, + 'access' => [ + { + 'type' => '*', + 'level' => 'read' + } + ] + },{ + 'target' => { + 'dn' => { + 'style' => 'base', + 'value' => 'cn=Subschema' + } + }, + 'access' => [ + { + 'type' => '*', + 'level' => 'read' + } + ] + } + ]; my @defaultIndexes = ( { "name" => "objectclass", "eq" => YaST::YCP::Boolean(1) 
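Review bot: The rule order in `$defaultDbAcls` is load-bearing and nothing in the hunk says so: slapd stops at the first `to` clause that matches, so the trailing `'target' => {}` entry granting `* read` must stay last or it shadows the `userPassword` (`* auth`) and `userPKCS12` (`* none`) protections above it. I would add above the array: `# Ordered: slapd applies the first matching rule, so the catch-all "to * by * read" must remain the last entry; any attribute not listed above is readable anonymously.` The same note applies to `$defaultGlobalAcls`, which only covers the root DSE and cn=Subschema. The `shadowLastChange ... by * read` rule was commented out in the old frontend ACL and is enabled here for the first time; a one-line comment on why it is now needed (presumably password-aging lookups by clients that bind anonymously, but that is an inference) would spare the next reader the archaeology.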
@@ -102,44 +181,6 @@ my @schema = (); -my @globalAcl = ( - { 'what' => - { 'filter' => undef, - 'attr' => undef, - 'dn' => - { - 'style' => "base", - 'dn' => "" - } - }, - 'who' => - [ - { 'whotype' => "all", - 'whovalue' => undef, - 'level' => "read", - 'priv' => undef - } - ] - }, - { 'what' => - { 'filter' => undef, - 'attr' => undef, - 'dn' => - { 'style' => "base", - 'dn' => "cn=Subschema" - } - }, - 'who' => - [ - { 'whotype' => "all", - 'whovalue' => undef, - 'level' => "read", - 'priv' => undef - } - ] - } -); - my @added_databases = (); ## @@ -1054,15 +1095,7 @@ my $cfgdatabase = { 'type' => 'config', 'rootdn' => 'cn=config' }; - my $frontenddb = { 'type' => 'frontend', - 'access' => [ - 'to dn.base="" by * read', - 'to dn.base="cn=Subschema" by * read', - 'to attrs=userPassword,userPKCS12 by self write by * auth', - # 'to attrs=shadowLastChange by self write by * read', - 'to * by * read' - ] - }; + my $frontenddb = { 'type' => 'frontend' }; $self->InitGlobals(); SCR->Execute('.ldapserver.initSchema' ); @@ -1110,6 +1143,9 @@ $self->ChangeDatabaseIndex(1, $idx ); } } + # add default ACLs + $rc = SCR->Write(".ldapserver.database.{-1}.acl", $defaultGlobalAcls ); + $rc = SCR->Write(".ldapserver.database.{1}.acl", $defaultDbAcls ); push @added_databases, { suffix => $dbDefaults{'suffix'}, rootdn => $dbDefaults{'rootdn'}, rootpw => $dbDefaults{'rootpw_clear'} }; 
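Review bot: Dropping `'to attrs=userPassword,userPKCS12 by self write by * auth'` from `$frontenddb` removes the one rule that protected password hashes in every database, not only the one this module creates: if I read slapd's ACL evaluation right, frontend rules are consulted after a database's own rules and so acted as a fallback for databases added outside YaST or whose per-database ACLs never get written. The replacement `$defaultGlobalAcls` only covers the root DSE and cn=Subschema, and `$defaultDbAcls` is applied only on this module's own code paths. If relying on per-database rules alone is intended, I would keep a `userPassword`/`userPKCS12` entry in `$defaultGlobalAcls` as a safety net, or at least record the trade-off in a comment next to `my $frontenddb = { 'type' => 'frontend' };`. The enclosing function starts and ends outside the hunk.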
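Review bot: The two `SCR->Write(".ldapserver.database.{-1}.acl", ...)` and `{1}.acl` calls assign `$rc` but never check it, unlike the equivalent write in the later `-1505` hunk, so a failed write leaves the freshly created database with no olcAccess at all — and slapd's documented default when no access directives are present is read access for everyone, which would expose `userPassword` hashes to anonymous binds. Since `$frontenddb` no longer carries the password ACL either, nothing else restores the protection. Handle the failure the way the other path does: on `!$rc`, fetch `SCR->Error(".ldapserver")`, log it with `y2error`, call `$self->SetError(...)` and `return 0`. The enclosing function starts and ends outside the hunk.
```perl
# add default ACLs; a failure here must abort, otherwise the database
# is left without any olcAccess (slapd then defaults to world-readable)
foreach my $acl_set ( [ -1, $defaultGlobalAcls ], [ 1, $defaultDbAcls ] )
{
    my ($dbidx, $acls) = @{$acl_set};
    $rc = SCR->Write(".ldapserver.database.{$dbidx}.acl", $acls );
    if(! $rc ) {
        my $err = SCR->Error(".ldapserver");
        y2error("Adding default ACLs failed: ".$err->{'summary'}." ".$err->{'description'});
        $self->SetError( $err->{'summary'}, $err->{'description'} );
        return 0;
    }
}
# … unchanged: push @added_databases, { suffix => ..., rootdn => ..., rootpw => ... } …
```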
@@ -1505,19 +1541,13 @@ $self->ChangeDatabaseIndex($index, $idx ); } - # add some default ACLs - my @acls = ('to dn.subtree="'. $db->{'suffix'} .'" attrs=userPassword by self write by * auth', - # 'to attrs=shadowLastChange by self write by * read', - 'to dn.subtree="'. $db->{'suffix'} .'" by * read'); - foreach my $acl (@acls ) - { - $rc = SCR->Write(".ldapserver.database.{$index}.access", $acl ); - if(! $rc ) { - my $err = SCR->Error(".ldapserver"); - y2error("Adding default ACLs failed: ".$err->{'summary'}." ".$err->{'description'}); - $self->SetError( $err->{'summary'}, $err->{'description'} ); - return 0; - } + # add default ACLs + $rc = SCR->Write(".ldapserver.database.{$index}.acl", $defaultDbAcls ); + if(! $rc ) { + my $err = SCR->Error(".ldapserver"); + y2error("Adding default ACLs failed: ".$err->{'summary'}." ".$err->{'description'}); + $self->SetError( $err->{'summary'}, $err->{'description'} ); + return 0; } # add some defaults to DB_CONFIG Modified: trunk/ldap-server/src/agent/SlapdConfigAgent.cc URL: http://svn.opensuse.org/viewcvs/yast/trunk/ldap-server/src/agent/SlapdConfigAgent.cc?rev=50743&r1=50742&r2=50743&view=diff ============================================================================== --- trunk/ldap-server/src/agent/SlapdConfigAgent.cc (original) +++ trunk/ldap-server/src/agent/SlapdConfigAgent.cc Fri Sep 5 14:25:57 2008 @@ -265,15 +265,6 @@ db->setRootPw( j.value()->asString()->value_cstr() ); continue; } - else if (std::string("access") == j.key()->asString()->value_cstr() ) - { - YCPList aclList = j.value()->asList(); - for ( int k=0 ; k < aclList.size(); k++ ) - { - db->addStringValue( "olcAccess", aclList.value(k)->asString()->value_cstr() ); - } - continue; - } if ( dbtype == "bdb" || dbtype == "hdb" ) { boost::shared_ptr<OlcBdbDatabase> bdb = 
@@ -981,15 +972,6 @@
db->setRootPw( j.value()->asString()->value_cstr() );
continue;
}
- else if (std::string("access") == j.key()->asString()->value_cstr() )
- {
- YCPList aclList = j.value()->asList();
- for ( int k=0 ; k < aclList.size(); k++ )
- {
- db->addStringValue( "olcAccess", aclList.value(k)->asString()->value_cstr() );
- }
- continue;
- }
if ( dbtype == "bdb" || dbtype == "hdb" )
{
boost::shared_ptr<OlcBdbDatabase> bdb =
@@ -1189,12 +1171,6 @@
}
ret = true;
}
- else if ( dbComponent == "access" )
- {
- y2milestone("adding ACL rule: %s", arg->asString()->value_cstr() );
- (*i)->addAccessControl(arg->asString()->value_cstr());
- ret = true;
- }
else if ( dbComponent == "acl" )
{
YCPList argList = arg->asList();
Modified: trunk/ldap-server/src/lib/slapd-config.cpp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/ldap-server/src/lib/slapd-config.cpp?rev=50743&r1=50742&r2=50743&view=diff
==============================================================================
--- trunk/ldap-server/src/lib/slapd-config.cpp (original)
+++ trunk/ldap-server/src/lib/slapd-config.cpp Fri Sep 5 14:25:57 2008
@@ -704,7 +704,7 @@
}
else
{
- if ( ! m_dn_value.empty() )
+ if ( ! m_dn_type.empty() )
{
aclString << " " << m_dn_type << "=\"" << m_dn_value << "\"";
}
-- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org
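Review bot: Switching the guard to `! m_dn_type.empty()` is what lets `to dn.base="" by * read` be emitted at all (the old test dropped the whole dn clause for the empty root-DSE value), but the new condition silently drops the clause in the opposite case — a non-empty `m_dn_value` with an empty `m_dn_type` — which widens the rule to every entry instead of failing; I would refuse that combination rather than emit a broader ACL, e.g. `else if ( ! m_dn_value.empty() ) { /* dn given without a style: refuse rather than widen the rule */ }` with whatever error path the class uses. Separately, `m_dn_value` is written between literal double quotes with no escaping, so a DN containing `"` would break out of the quoted value and change the meaning of the generated `olcAccess` line; either escape it here or add `// caller must supply a sanitized DN; no quoting is done here` so the contract is explicit. The enclosing function starts and ends outside the hunk.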