2015-01-22 05:47:13 -06:00
|
|
|
#!/usr/bin/python2
|
2014-10-19 10:04:40 -05:00
|
|
|
#
|
|
|
|
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
|
|
|
|
#
|
|
|
|
|
|
|
|
import sys
|
|
|
|
import ldap
|
|
|
|
import ldapurl
|
|
|
|
import logging
|
|
|
|
import os
|
|
|
|
import signal
|
|
|
|
import systemd.journal
|
|
|
|
import time
|
|
|
|
|
|
|
|
from ipalib import api
|
|
|
|
from ipapython.dn import DN
|
|
|
|
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
|
|
|
|
from ipapython import ipaldap
|
|
|
|
from ipapython import ipautil
|
|
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
|
|
from ipaplatform.paths import paths
|
|
|
|
|
|
|
|
from ipapython.dnssec.keysyncer import KeySyncer
|
|
|
|
|
|
|
|
DAEMONNAME = 'ipa-dnskeysyncd'
|
|
|
|
PRINCIPAL = None # not initialized yet
|
|
|
|
WORKDIR = '/tmp' # private temp
|
|
|
|
KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB
|
|
|
|
|
|
|
|
# Shutdown handler
|
|
|
|
def commenceShutdown(signum, stack):
|
|
|
|
# Declare the needed global variables
|
|
|
|
global watcher_running, ldap_connection, log
|
|
|
|
log.info('Signal %s received: Shutting down!', signum)
|
|
|
|
|
|
|
|
# We are no longer running
|
|
|
|
watcher_running = False
|
|
|
|
|
|
|
|
# Tear down the server connection
|
|
|
|
if ldap_connection:
|
|
|
|
ldap_connection.close_db()
|
|
|
|
del ldap_connection
|
|
|
|
|
|
|
|
# Shutdown
|
|
|
|
sys.exit(0)
|
|
|
|
|
|
|
|
|
|
|
|
os.umask(007)
|
|
|
|
|
|
|
|
# Global state
|
|
|
|
watcher_running = True
|
|
|
|
ldap_connection = False
|
|
|
|
|
|
|
|
# Signal handlers
|
|
|
|
signal.signal(signal.SIGTERM, commenceShutdown)
|
|
|
|
signal.signal(signal.SIGINT, commenceShutdown)
|
|
|
|
|
|
|
|
# IPA framework initialization
|
2015-03-26 07:33:20 -05:00
|
|
|
api.bootstrap(in_server=True, log=None) # no logging to file
|
2014-10-19 10:04:40 -05:00
|
|
|
api.finalize()
|
|
|
|
standard_logging_setup(verbose=True, debug=api.env.debug)
|
|
|
|
log = root_logger
|
|
|
|
#log.addHandler(systemd.journal.JournalHandler())
|
|
|
|
|
|
|
|
# Kerberos initialization
|
|
|
|
PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
|
|
|
|
log.debug('Kerberos principal: %s', PRINCIPAL)
|
2015-03-16 10:43:10 -05:00
|
|
|
ccache_filename = os.path.join(WORKDIR, 'ccache')
|
|
|
|
ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)
|
|
|
|
os.environ['KRB5CCNAME'] = ccache_filename
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
# LDAP initialization
|
|
|
|
basedn = DN(api.env.container_dns, api.env.basedn)
|
|
|
|
ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri)
|
|
|
|
ldap_url.dn = str(basedn)
|
|
|
|
ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE
|
|
|
|
ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
|
|
|
|
log.debug('LDAP URL: %s', ldap_url.unparse())
|
|
|
|
|
|
|
|
# Real work
|
|
|
|
while watcher_running:
|
|
|
|
# Prepare the LDAP server connection (triggers the connection as well)
|
|
|
|
ldap_connection = KeySyncer(ldap_url.initializeUrl(), ipa_api=api)
|
|
|
|
|
|
|
|
# Now we login to the LDAP server
|
|
|
|
try:
|
|
|
|
log.info('LDAP bind...')
|
|
|
|
ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
|
|
|
|
except ldap.INVALID_CREDENTIALS, e:
|
|
|
|
log.exception('Login to LDAP server failed: %s', e)
|
|
|
|
sys.exit(1)
|
|
|
|
except ldap.SERVER_DOWN, e:
|
|
|
|
log.exception('LDAP server is down, going to retry: %s', e)
|
|
|
|
time.sleep(5)
|
|
|
|
continue
|
|
|
|
|
|
|
|
# Commence the syncing
|
|
|
|
log.info('Commencing sync process')
|
|
|
|
ldap_search = ldap_connection.syncrepl_search(
|
|
|
|
ldap_url.dn,
|
|
|
|
ldap_url.scope,
|
|
|
|
mode='refreshAndPersist',
|
|
|
|
attrlist=ldap_url.attrs,
|
|
|
|
filterstr=ldap_url.filterstr
|
|
|
|
)
|
|
|
|
|
2015-01-21 06:32:44 -06:00
|
|
|
try:
|
|
|
|
while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
|
|
|
|
pass
|
|
|
|
except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
|
|
|
|
log.exception('syncrepl_poll: LDAP error (%s)', e)
|
|
|
|
sys.exit(1)
|