This repository has been archived by the owner on Jul 11, 2019. It is now read-only.

Get superuser creation working with FreeIPA #3

Open

cswingler opened this issue Apr 25, 2015 · 4 comments

@cswingler

On further review, it might make more sense to just get ps1auth to recognize members of the admin_and_board group as superusers. I wonder how much work that is...

Attempting to create a superuser results in:

(venv) vagrant@ps1auth-server:/vagrant$ ./manage.py createsuperuser
Username: superuser
Password:
Password (again):
Traceback (most recent call last):
  File "./manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/home/vagrant/venv/lib/python3.4/site-packages/django/core/management/__init__.py", line 385, in execute_from_command_line
    utility.execute()
  File "/home/vagrant/venv/lib/python3.4/site-packages/django/core/management/__init__.py", line 377, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/home/vagrant/venv/lib/python3.4/site-packages/django/core/management/base.py", line 288, in run_from_argv
    self.execute(*args, **options.__dict__)
  File "/home/vagrant/venv/lib/python3.4/site-packages/django/contrib/auth/management/commands/createsuperuser.py", line 55, in execute
    return super(Command, self).execute(*args, **options)
  File "/home/vagrant/venv/lib/python3.4/site-packages/django/core/management/base.py", line 338, in execute
    output = self.handle(*args, **options)
  File "/home/vagrant/venv/lib/python3.4/site-packages/django/contrib/auth/management/commands/createsuperuser.py", line 160, in handle
    self.UserModel._default_manager.db_manager(database).create_superuser(**user_data)
  File "/vagrant/accounts/models.py", line 79, in create_superuser
    user = self.create_user(object_guid, email=email, password=password)
  File "/vagrant/accounts/models.py", line 50, in create_user
    guid_bytes = response[0]['attributes']['objectGUID'][0]
IndexError: list index out of range

And this gets logged on the LDAP server:

[25/Apr/2015:02:11:28 +0000] conn=45 fd=83 slot=83 connection from 10.0.2.2 to 10.0.2.15
[25/Apr/2015:02:11:28 +0000] conn=45 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org" method=128 version=3
[25/Apr/2015:02:11:28 +0000] conn=45 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org"
[25/Apr/2015:02:11:28 +0000] conn=45 op=1 UNBIND
[25/Apr/2015:02:11:28 +0000] conn=45 op=1 fd=83 closed - U1
[25/Apr/2015:02:12:52 +0000] conn=11 op=10 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[25/Apr/2015:02:12:52 +0000] conn=11 op=10 RESULT err=32 tag=101 nentries=0 etime=0
[25/Apr/2015:02:13:26 +0000] conn=46 fd=83 slot=83 connection from 192.168.65.5 to 192.168.65.4
[25/Apr/2015:02:13:26 +0000] conn=46 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org" method=128 version=3
[25/Apr/2015:02:13:26 +0000] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org"
[25/Apr/2015:02:13:26 +0000] conn=46 op=1 ADD dn="CN=superuser,CN=Users,DC=example,DC=org"
[25/Apr/2015:02:13:26 +0000] conn=46 op=1 RESULT err=65 tag=105 nentries=0 etime=0
[25/Apr/2015:02:13:26 +0000] conn=46 op=2 SRCH base="CN=superuser,CN=Users,DC=example,DC=org" scope=0 filter="(objectClass=*)" attrs="objectguid"
[25/Apr/2015:02:13:26 +0000] conn=46 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[25/Apr/2015:02:13:26 +0000] conn=46 op=-1 fd=83 closed - B1
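
The two RESULT lines above carry standard LDAP result codes (RFC 4511): err=65 is objectClassViolation on the ADD, and err=32 is noSuchObject on the follow-up search, which is why the search returned no entry and the Python code fell over on `response[0]`. The following is an added example, not code from the ps1auth project, that correlates 389-ds access-log request lines with their RESULT lines by (conn, op) and reports every failed operation, plus any search that succeeded with zero entries (the condition the traceback shows going unchecked). The sample log is the excerpt quoted in the issue, embedded here as constructed input; the regexes and the result-code table are this example's own.

```python
import re

# Constructed sample input: the 389-ds access-log excerpt quoted in the issue above.
SAMPLE_LOG = """\
[25/Apr/2015:02:13:26 +0000] conn=46 fd=83 slot=83 connection from 192.168.65.5 to 192.168.65.4
[25/Apr/2015:02:13:26 +0000] conn=46 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org" method=128 version=3
[25/Apr/2015:02:13:26 +0000] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=org"
[25/Apr/2015:02:13:26 +0000] conn=46 op=1 ADD dn="CN=superuser,CN=Users,DC=example,DC=org"
[25/Apr/2015:02:13:26 +0000] conn=46 op=1 RESULT err=65 tag=105 nentries=0 etime=0
[25/Apr/2015:02:13:26 +0000] conn=46 op=2 SRCH base="CN=superuser,CN=Users,DC=example,DC=org" scope=0 filter="(objectClass=*)" attrs="objectguid"
[25/Apr/2015:02:13:26 +0000] conn=46 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[25/Apr/2015:02:13:26 +0000] conn=46 op=-1 fd=83 closed - B1
"""

# Subset of the RFC 4511 resultCode names that matter for this failure mode.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

# Request and RESULT lines share the "conn=N op=M" pair; connection open/close lines have no op type.
OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<kind>UNBIND|BIND|ADD|MODRDN|MOD|DEL|SRCH|RESULT)(?P<rest>.*)$'
)
DN_RE = re.compile(r'(?:dn|base)="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
NENTRIES_RE = re.compile(r'\bnentries=(?P<n>\d+)')


def parse_access_log(text):
    """Pair each request with its RESULT line and return one record per completed operation."""
    pending = {}    # (conn, op) -> (kind, dn) for requests still waiting for a RESULT
    completed = []
    for line in text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue  # "connection from" / "closed" lines carry no operation
        key = (int(m.group("conn")), int(m.group("op")))
        if m.group("kind") != "RESULT":
            dn = DN_RE.search(m.group("rest"))
            pending[key] = (m.group("kind"), dn.group("dn") if dn else "")
            continue
        kind, dn = pending.pop(key, ("UNKNOWN", ""))
        err = int(ERR_RE.search(m.group("rest")).group("err"))
        ne = NENTRIES_RE.search(m.group("rest"))
        completed.append({
            "conn": key[0], "op": key[1], "kind": kind, "dn": dn,
            "err": err, "nentries": int(ne.group("n")) if ne else 0,
        })
    return completed


def failed_operations(text):
    """Return (kind, dn, err, name) for every operation a client should have treated as a failure.

    A search that returns err=0 with nentries=0 is reported too: it is not an LDAP error,
    but indexing response[0] on it is exactly the IndexError in the traceback above.
    """
    findings = []
    for r in parse_access_log(text):
        if r["err"] != 0:
            findings.append((r["kind"], r["dn"], r["err"], LDAP_RESULT_NAMES.get(r["err"], "unknown")))
        elif r["kind"] == "SRCH" and r["nentries"] == 0:
            findings.append((r["kind"], r["dn"], 0, "emptySearchResult"))
    return findings


if __name__ == "__main__":
    for kind, dn, err, name in failed_operations(SAMPLE_LOG):
        print(f"{kind} {dn}: err={err} ({name})")
```

Run against the excerpt it reports the ADD as objectClassViolation and the SRCH as noSuchObject; point it at a live `access` log to see whether a client is silently ignoring non-zero results, which is what the Django command did here.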
@cswingler (Author)

Okay, so that ADD command:

[25/Apr/2015:02:13:26 +0000] conn=46 op=1 ADD dn="CN=superuser,CN=Users,DC=example,DC=org"

is totally wrong for FreeIPA.

The dn that should be added is:

dn=superuser,cn=users,cn=accounts,dc=example,dc=org

@cswingler (Author)

The mis-scoped ADD is fixed in 6fdb858, though that doesn't fix the root cause - the class of account that's being created is incorrect.

In the error log on the LDAP server, you'll find:

[25/Apr/2015:02:37:19 +0000] - Entry "CN=superuser1,cn=users,cn=accounts,dc=example,dc=org" has unknown object class "user"

@cswingler (Author)

LDAP object class "user" is an AD-ism. https://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx

There's no "user" in 389 (or most LDAPs), "person" is probably the closest. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Schema_Reference/index.html#person

For reference, adding a user in FreeIPA attaches them to all of these object classes:

inetorgperson (structural)
inetuser (auxiliary)
ipaobject (auxiliary)
ipaSshGroupOfPubKeys (abstract)
ipasshuser (auxiliary)
krbprincipalaux (auxiliary)
krbticketpolicyaux (auxiliary)
mepOriginEntry (auxiliary)
organizationalperson (structural)
person (structural)
posixaccount (auxiliary)
top (abstract)
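
Putting the three findings of this thread together (FreeIPA's user container, a FreeIPA object-class set instead of the AD `user` class, and checking the ADD result before searching), here is an added example of what a FreeIPA-shaped `create_user` looks like. It is not the ps1auth code. The base DN and users container match the DNs in the logs above; the Kerberos realm, the username rule, the attribute set, the ldap3-like `add`/`search` calls and the in-memory `FakeDirectory` are assumptions made so the flow runs offline. The fake only checks object-class names; it does not enforce the MUST attributes of each class the way a real server would, and uidNumber/gidNumber are passed in explicitly where a FreeIPA server would normally allocate them. It reads back `ipaUniqueID`, the identifier FreeIPA's `ipaobject` class carries, rather than the AD `objectGUID` the traceback shows being read.

```python
import re
import uuid

# Assumed deployment values (not from the project); they match the DNs in the issue's logs.
BASE_DN = "dc=example,dc=org"
USERS_CONTAINER = "cn=users,cn=accounts," + BASE_DN
KRB_REALM = "EXAMPLE.ORG"

# The object classes FreeIPA attaches to a user (the list above). "user" is AD-only.
FREEIPA_USER_OBJECTCLASSES = [
    "top", "person", "organizationalperson", "inetorgperson", "inetuser",
    "posixaccount", "krbprincipalaux", "krbticketpolicyaux",
    "ipaobject", "ipasshuser", "ipaSshGroupOfPubKeys", "mepOriginEntry",
]

LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject", 65: "objectClassViolation", 68: "entryAlreadyExists"}

# Conservative username rule (assumption): keeps RDN-special characters (, + " \ < > ; = #) out of the DN
# so a registered username cannot rewrite the DN it is interpolated into.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


class LdapError(Exception):
    def __init__(self, op, dn, code):
        super().__init__(f"{op} {dn!r} failed: err={code} ({LDAP_RESULT_NAMES.get(code, 'unknown')})")
        self.op, self.dn, self.code = op, dn, code


def freeipa_user_dn(username):
    """uid=<username>,cn=users,cn=accounts,<base>: the container FreeIPA keeps users in."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"unsafe or invalid username: {username!r}")
    return f"uid={username},{USERS_CONTAINER}"


def freeipa_user_attrs(username, given, surname, mail, uid_number, gid_number):
    """Attributes for a minimal FreeIPA user entry (MUST attributes of person/posixaccount included)."""
    return {
        "objectClass": list(FREEIPA_USER_OBJECTCLASSES),
        "uid": [username],
        "cn": [f"{given} {surname}"],
        "givenName": [given],
        "sn": [surname],
        "mail": [mail],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],
        "homeDirectory": [f"/home/{username}"],
        "loginShell": ["/bin/sh"],
        "krbPrincipalName": [f"{username}@{KRB_REALM}"],
    }


class FakeDirectory:
    """Constructed stand-in for an LDAP connection so the example runs offline.
    It reproduces the two server answers seen in the issue: err=65 for an unknown
    object class on ADD, and err=32 for a search whose base DN does not exist."""
    KNOWN_CLASSES = {c.lower() for c in FREEIPA_USER_OBJECTCLASSES}

    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        if dn in self.entries:
            return 68
        if any(c.lower() not in self.KNOWN_CLASSES for c in attrs["objectClass"]):
            return 65
        # A real server's ipaobject plugin assigns ipaUniqueID; emulate that here.
        self.entries[dn] = dict(attrs, ipaUniqueID=[str(uuid.uuid4())])
        return 0

    def search(self, base_dn, attr):
        entry = self.entries.get(base_dn)
        if entry is None:
            return 32, []
        return 0, [{"dn": base_dn, "attributes": {attr: entry.get(attr, [])}}]


def create_user(conn, username, given, surname, mail, uid_number, gid_number, objectclasses=None):
    """Add the user, check the ADD result before doing anything else, then read back ipaUniqueID."""
    dn = freeipa_user_dn(username)
    attrs = freeipa_user_attrs(username, given, surname, mail, uid_number, gid_number)
    if objectclasses is not None:      # lets the caller reproduce the AD-style failure
        attrs["objectClass"] = list(objectclasses)
    code = conn.add(dn, attrs)
    if code != 0:
        raise LdapError("ADD", dn, code)   # the traceback above shows this check missing
    code, response = conn.search(dn, "ipaUniqueID")
    if code != 0 or not response:
        raise LdapError("SRCH", dn, code)  # never index response[0] on an empty result
    return dn, response[0]["attributes"]["ipaUniqueID"][0]
```

With a real ldap3 connection the same sequence is `conn.add(dn, attributes=attrs)` followed by a base-scope `conn.search(dn, "(objectClass=*)", attributes=["ipaUniqueID"])`, with `conn.result["result"]` giving the numeric code checked above.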

@r4v5 commented Apr 25, 2015

That's... a lotta classes, most of which we probably don't want to create for everyone who registers until after some kind of approval process ("I created a user, now I have a shell") unless there's no other way. What the hell is a mep?
