authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2012-08-02 16:37:38 +0200
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2012-08-02 16:37:38 +0200
commit1d6cd67de1f83ac1db4daf37a3c54684db185edd (patch)
treeb6557818114cb27ed2e05c44b6870331e4eca4a3 /pykolab
parent4ff69e9753435b90e8b9eb538dd6fdabcd7282f8 (diff)
downloadpykolab-1d6cd67de1f83ac1db4daf37a3c54684db185edd.tar.gz
Make the default installation refuse anonymous binds, but allow a command-line option to allow anonymous binds.
Add size, search, time and idle limits to the service account
Diffstat (limited to 'pykolab')
-rw-r--r--pykolab/setup/setup_ldap.py23
1 files changed, 18 insertions, 5 deletions
diff --git a/pykolab/setup/setup_ldap.py b/pykolab/setup/setup_ldap.py
index 43ed653..84de47d 100644
--- a/pykolab/setup/setup_ldap.py
+++ b/pykolab/setup/setup_ldap.py
@@ -50,6 +50,14 @@ def cli_options():
help = _("Specify FQDN (overriding defaults).")
)
+ ldap_group.add_option(
+ "--allow-anonymous",
+ dest = "anonymous",
+ action = "store_true",
+ default = False,
+ help = _("Allow anonymous binds (default: no).")
+ )
+
def description():
return _("Setup LDAP.")
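Review bot: The help string for `--allow-anonymous` does not say what the operator is opting into; unauthenticated clients will be able to bind to the directory and read whatever the ACIs expose to anonymous users. Something like `help = _("Allow anonymous binds; unauthenticated clients can then query the directory (default: no).")` would put the consequence in `--help` output. The destination name `anonymous` is also rather generic for an attribute on the shared `conf` object, and `dest = "allow_anonymous"` would read more clearly at the point of use. The body of `cli_options()` starts outside this hunk.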
@@ -347,6 +355,10 @@ ServerAdminPwd = %(admin_pass)s
attrs['surname'] = "Service"
attrs['cn'] = "Kolab Service"
attrs['userPassword'] = _input['kolab_service_pass']
+ attrs['nslookthroughlimit'] = -1
+ attrs['nssizelimit'] = -1
+ attrs['nstimelimit'] = -1
+ attrs['nsidletimeout'] = -1
# Convert our dict to nice syntax for the add-function using modlist-module
ldif = ldap.modlist.addModlist(attrs)
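Review bot: The four attributes added here are set to `-1`, which in 389 Directory Server means unlimited, so the service account has its limits lifted rather than added as the commit message says. A leaked service credential or a runaway client could then run unbounded searches and hold connections open indefinitely. If this is intentional, a comment such as `# -1 = unlimited; the service account must be able to enumerate the whole tree` would record why, and finite values for `nstimelimit` and `nsidletimeout` seem worth considering. The values are also Python ints while the neighbouring attributes are strings; `ldap.modlist.addModlist` probably expects string values, so `attrs['nssizelimit'] = '-1'` (likewise for the other three) looks safer. The enclosing function starts and ends outside this hunk.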
@@ -418,11 +430,12 @@ ServerAdminPwd = %(admin_pass)s
ldif = ldap.modlist.addModlist(attrs)
auth._auth.ldap.add_s(dn, ldif)
- log.info(_("Disabling anonymous binds"))
- dn = "cn=config"
- modlist = []
- modlist.append((ldap.MOD_REPLACE, "nsslapd-allow-anonymous-access", "off"))
- auth._auth.ldap.modify_s(dn, modlist)
+ if not conf.anonymous:
+ log.info(_("Disabling anonymous binds"))
+ dn = "cn=config"
+ modlist = []
+ modlist.append((ldap.MOD_REPLACE, "nsslapd-allow-anonymous-access", "off"))
+ auth._auth.ldap.modify_s(dn, modlist)
# TODO: Ensure the uid attribute is unique
# TODO^2: Consider renaming the general "attribute uniqueness to "uid attribute uniqueness"
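Review bot: With `--allow-anonymous` the new `if not conf.anonymous:` branch is skipped silently, so the setup log carries no record that the directory was left open to unauthenticated binds. The attribute is also left at whatever the server default happens to be rather than being set explicitly. An `else:` branch with `log.warning(_("Anonymous binds are left enabled"))` would make the choice auditable. 389 Directory Server also accepts `rootdse` for `nsslapd-allow-anonymous-access`, which may be enough for clients that only need anonymous root DSE discovery; that is worth checking against the deployed version. The enclosing function starts outside this hunk.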