Bump pre-release

author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2012-04-17 10:00:18 +0100
committer: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2012-04-17 10:00:18 +0100
commit: 3527dc014a687c16c3794fcdb20c7e5f076f450f (patch)
tree: f77704253f351582312bc3037a9cb8d741ca6f49 /pykolab/setup/setup_ldap.py
parent: 73776a82589d28257f06ab84bb872ab89c83ef7c (diff)
download: pykolab-3527dc014a687c16c3794fcdb20c7e5f076f450f.tar.gz
1 files changed, 88 insertions, 18 deletions
diff --git a/pykolab/setup/setup_ldap.py b/pykolab/setup/setup_ldap.py
index bf1d47a..9619e1a 100644
--- a/pykolab/setup/setup_ldap.py
+++ b/pykolab/setup/setup_ldap.py
@@ -112,21 +112,26 @@ ServerAdminPwd = %(admin_pass)s
 
     (stdoutdata, stderrdata) = setup_389.communicate()
 
-    # Copy in kolab schema
-    #
-    shutil.copy(
-            '/usr/share/doc/kolab-schema-3.0/kolab2.ldif',
-            '/etc/dirsrv/slapd-%s/schema/99kolab2.ldif' % (_input['hostname'])
-        )
+    # Find the kolab schema. It's installed as %doc in the kolab-schema package.
+    # TODO: Chown nobody, nobody, chmod 440
+    schema_file = None
+    for root, directories, filenames in os.walk('/usr/share/doc/'):
+        for filename in filenames:
+            if filename == 'kolab2.ldif':
+                schema_file = os.path.join(root,filename)
+
+    if not schema_file == None:
+        shutil.copy(
+                schema_file,
+                '/etc/dirsrv/slapd-%s/schema/99kolab2.ldif' % (
+                        _input['hostname']
+                    )
+            )
+    else:
+        log.warning(_("Could not find the Kolab schema file"))
 
     subprocess.call(['service', 'dirsrv@%s' % (_input['hostname']), 'restart'])
 
-    # Write out kolab configuration
-    conf.command_set('kolab', 'primary_domain', _input['domain'])
-    conf.command_set('ldap', 'base_dn', _input['rootdn'])
-    conf.command_set('ldap', 'bind_dn', 'cn=Directory Manager')
-    conf.command_set('ldap', 'bind_pw', _input['dirmgr_pass'])
-
     _input['cyrus_admin_pass'] = utils.ask_question(
             _("Cyrus Administrator password"),
             default=utils.generate_password(),
@@ -139,6 +144,14 @@ ServerAdminPwd = %(admin_pass)s
             password=True
         )
 
+    # Write out kolab configuration
+    conf.command_set('kolab', 'primary_domain', _input['domain'])
+    conf.command_set('ldap', 'base_dn', _input['rootdn'])
+    conf.command_set('ldap', 'bind_dn', 'cn=Directory Manager')
+    conf.command_set('ldap', 'bind_pw', _input['dirmgr_pass'])
+    conf.command_set('ldap', 'service_bind_dn', 'uid=kolab-service,ou=Special Users,%s' % (_input['rootdn']))
+    conf.command_set('ldap', 'service_bind_pw', _input['kolab_service_pass'])
+
     # Insert service users
     auth = pykolab.auth
     auth.connect()
@@ -181,11 +194,6 @@ ServerAdminPwd = %(admin_pass)s
     # Do the actual synchronous add-operation to the ldapserver
     auth._auth.ldap.add_s(dn, ldif)
 
-    #dn: cn=kolab,cn=config
-    #objectClass: top
-    #objectClass: extensibleObject
-    #cn: kolab
-
     dn = 'cn=kolab,cn=config'
 
     # A dict to help build the "body" of the object
@@ -206,5 +214,67 @@ ServerAdminPwd = %(admin_pass)s
         )
 
     # TODO: Add the primary domain to cn=kolab,cn=config
-    # TODO: Make sure 'uid' is unique
+    dn = "associateddomain=%s,cn=kolab,cn=config" % (domainname)
+    attrs = {}
+    attrs['objectclass'] = ['top','domainrelatedobject']
+    attrs['associateddomain'] = '%s' % (domainname)
+
+    ldif = ldap.modlist.addModlist(attrs)
+
+    auth._auth.ldap.add_s(dn, ldif)
+
+    # TODO: Allow no anonymous binds
+    dn = "cn=config"
+    modlist = []
+    modlist.append((ldap.MOD_REPLACE, "nsslapd-allow-anonymous-access", "off"))
+    auth._auth.ldap.modify_s(dn, modlist)
+
+    # TODO: Ensure the uid attribute is unique
+    # TODO^2: Consider renaming the general "attribute uniqueness to "uid attribute uniqueness"
+    dn = "cn=attribute uniqueness,cn=plugins,cn=config"
+    modlist = []
+    modlist.append((ldap.MOD_REPLACE, "nsslapd-pluginEnabled", "on"))
+    auth._auth.ldap.modify_s(dn, modlist)
+
     # TODO: Enable referential integrity plugin
+    dn = "cn=referential integrity postoperation,cn=plugins,cn=config"
+    modlist = []
+    modlist.append((ldap.MOD_REPLACE, "nsslapd-pluginEnabled", "on"))
+    auth._auth.ldap.modify_s(dn, modlist)
+
+    # TODO: Enable account policy plugin
+    dn = "cn=Account Policy Plugin,cn=plugins,cn=config"
+    modlist = []
+    modlist.append((ldap.MOD_REPLACE, "nsslapd-pluginEnabled", "on"))
+    modlist.append((ldap.MOD_ADD, "nsslapd-pluginarg0", "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"))
+    auth._auth.ldap.modify_s(dn, modlist)
+
+    dn = "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
+    modlist = []
+    modlist.append((ldap.MOD_REPLACE, "alwaysrecordlogin", "yes"))
+    modlist.append((ldap.MOD_ADD, "stateattrname", "lastLoginTime"))
+    modlist.append((ldap.MOD_ADD, "altstateattrname", "createTimestamp"))
+    auth._auth.ldap.modify_s(dn, modlist)
+
+    # TODO: Add kolab-admin role
+    dn = "cn=kolab-admin,%s" % (_input['rootdn'])
+    attrs = {}
+    attrs['description'] = "Kolab Administrator"
+    attrs['objectClass'] = ['top','ldapsubentry','nsroledefinition','nssimpleroledefinition','nsmanagedroledefinition']
+    attrs['cn'] = "kolab-admin"
+    ldif = ldap.modlist.addModlist(attrs)
+
+    auth._auth.ldap.add_s(dn, ldif)
+
+    # TODO: User writeable attributes on root_dn
+    dn = _input['rootdn']
+    aci = []
+    aci.append('(targetattr = "homePhone || preferredDeliveryMethod || jpegPhoto || postalAddress || carLicense || userPassword || mobile || kolabAllowSMTPRecipient || displayName || kolabDelegate || description || labeledURI || homePostalAddress || postOfficeBox || registeredAddress || postalCode || photo || title || street || kolabInvitationPolicy || pager || o || l || initials || kolabAllowSMTPSender || telephoneNumber || preferredLanguage || facsimileTelephoneNumber") (version 3.0;acl "Enable self write for common attributes";allow (read,compare,search,write)(userdn = "ldap:///self");)')
+    aci.append('(targetattr = "*") (version 3.0;acl "Directory Administrators Group";allow (all)(groupdn = "ldap:///cn=Directory Administrators,%(rootdn)s" or roledn = "ldap:///cn=kolab-admin,%(rootdn)s");)' % (_input))
+    aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)')
+    aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)')
+    aci.append('(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%(hostname)s,cn=389 Directory Server,cn=Server Group,cn=%(fqdn)s,ou=%(domain)s,o=NetscapeRoot";)' %(_input))
+    aci.append('(targetattr = "*") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
+    modlist = []
+    modlist.append((ldap.MOD_REPLACE, "aci", aci))
+    auth._auth.ldap.modify_s(dn, modlist)
author	Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>	2012-04-17 10:00:18 +0100
committer	Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>	2012-04-17 10:00:18 +0100
commit	3527dc014a687c16c3794fcdb20c7e5f076f450f (patch)
tree	f77704253f351582312bc3037a9cb8d741ca6f49 /pykolab/setup/setup_ldap.py
parent	73776a82589d28257f06ab84bb872ab89c83ef7c (diff)
download	pykolab-3527dc014a687c16c3794fcdb20c7e5f076f450f.tar.gz