2007-08-16 17:00:16 -05:00
# Authors: Simo Sorce <ssorce@redhat.com>
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
2008-02-04 14:15:52 -06:00
# published by the Free Software Foundation; version 2 only
2007-08-16 17:00:16 -05:00
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import socket
import logging
2007-12-10 15:31:21 -06:00
import ipa.dnsclient
2007-08-16 17:00:16 -05:00
import ldap
from ldap import LDAPError
class IPADiscovery:
def __init__(self):
self.realm = None
self.domain = None
self.server = None
2007-08-30 18:40:54 -05:00
self.basedn = None
2007-08-16 17:00:16 -05:00
def getServerName(self):
2008-03-05 15:33:12 -06:00
return self.server
2007-08-16 17:00:16 -05:00
def getDomainName(self):
2008-03-05 15:33:12 -06:00
return self.domain
2007-08-16 17:00:16 -05:00
def getRealmName(self):
2008-03-05 15:33:12 -06:00
return self.realm
2007-08-16 17:00:16 -05:00
2007-08-30 18:40:54 -05:00
def getBaseDN(self):
2008-03-05 15:33:12 -06:00
return self.basedn
2007-08-30 18:40:54 -05:00
2007-08-16 17:00:16 -05:00
def search(self, domain = "", server = ""):
hostname = ""
qname = ""
results = []
result = []
krbret = []
ldapret = []
if not server:
if not domain: #domain not provided do full DNS discovery
# get the local host name
hostname = socket.getfqdn()
if not hostname:
return -10 #bad host configuration
# first, check for an LDAP server for the local domain
p = hostname.find(".")
if p == -1: #no domain name
return -1
domain = hostname[p+1:]
while not self.server:
self.server = self.ipadnssearchldap(domain)
if self.server:
self.domain = domain
p = domain.find(".")
if p == -1: #no ldap server found and last component of the domain already tested
return -1
domain = domain[p+1:]
self.server = self.ipadnssearchldap(domain)
if self.server:
self.domain = domain
return -2 #no ldap server found
#search for kerberos TODO: move this after ipacheckldap()
krbret = self.ipadnssearchkrb(self.domain)
if not krbret:
return -3 #no krb server found
self.realm = krbret[0]
else: #server forced on us, this means DNS doesn't work :/
self.domain = domain
self.server = server
# check ldap now
2008-03-05 15:33:12 -06:00
ldapret = self.ipacheckldap(self.server, self.realm)
2007-08-16 17:00:16 -05:00
if not ldapret:
return -4 # not an IPA server (or broken config)
self.server = ldapret[0]
self.realm = ldapret[1]
return 0
def ipacheckldap(self, thost, trealm):
lret = []
lres = []
lattr = ""
linfo = ""
lrealms = []
i = 0
#now verify the server is really an IPA server
logging.debug("Init ldap with: ldap://"+thost+":389")
lh = ldap.initialize("ldap://"+thost+":389")
logging.debug("Search rootdse")
lret = lh.search_s("", ldap.SCOPE_BASE, "(objectClass=*)")
for lattr in lret[0][1]:
if lattr.lower() == "namingcontexts":
2007-08-30 18:40:54 -05:00
self.basedn = lret[0][1][lattr][0]
2007-08-16 17:00:16 -05:00
2007-08-30 18:40:54 -05:00
logging.debug("Search for (info=*) in "+self.basedn+"(base)")
lret = lh.search_s(self.basedn, ldap.SCOPE_BASE, "(info=IPA*)")
2007-08-16 17:00:16 -05:00
if not lret:
return []
logging.debug("Found: "+str(lret))
for lattr in lret[0][1]:
if lattr.lower() == "info":
linfo = lret[0][1][lattr][0].lower()
if not linfo:
return []
#search and return known realms
2007-08-30 18:40:54 -05:00
logging.debug("Search for (objectClass=krbRealmContainer) in "+self.basedn+"(sub)")
lret = lh.search_s("cn=kerberos,"+self.basedn, ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)")
2007-08-16 17:00:16 -05:00
if not lret:
#something very wrong
return []
logging.debug("Found: "+str(lret))
for lres in lret:
for lattr in lres[1]:
if lattr.lower() == "cn":
if trealm:
for r in lrealms:
if trealm == r:
return [thost, trealm]
# must match or something is very wrong
return []
if len(lrealms) != 1:
#which one? we can't attach to a multi-realm server without DNS working
return []
return [thost, lrealms[0]]
#we shouldn't get here
return []
except LDAPError, err:
#no good
2008-04-14 17:04:25 -05:00
if type(err.message) == dict:
for (k, v) in err.message.iteritems():
logging.error("LDAP Error: %s" % v )
logging.error("LDAP Error: "+err.message)
except AttributeError:
logging.error("LDAP Error: "+str(err))
2007-08-16 17:00:16 -05:00
return []
def ipadnssearchldap(self, tdomain):
servers = ""
rserver = ""
qname = "_ldap._tcp."+tdomain
# terminate the name
if not qname.endswith("."):
qname += "."
2007-12-10 15:31:21 -06:00
results = ipa.dnsclient.query(qname, ipa.dnsclient.DNS_C_IN, ipa.dnsclient.DNS_T_SRV)
2007-08-16 17:00:16 -05:00
for result in results:
2007-12-10 15:31:21 -06:00
if result.dns_type == ipa.dnsclient.DNS_T_SRV:
2007-08-16 17:00:16 -05:00
rserver = result.rdata.server.rstrip(".")
if result.rdata.port and result.rdata.port != 389:
rserver += ":" + str(result.rdata.port)
if servers:
servers += "," + rserver
servers = rserver
return servers
def ipadnssearchkrb(self, tdomain):
realm = ""
kdc = ""
# now, check for a Kerberos realm the local host or domain is in
qname = "_kerberos." + tdomain
# terminate the name
if not qname.endswith("."):
qname += "."
2007-12-10 15:31:21 -06:00
results = ipa.dnsclient.query(qname, ipa.dnsclient.DNS_C_IN, ipa.dnsclient.DNS_T_TXT)
2007-08-16 17:00:16 -05:00
for result in results:
2007-12-10 15:31:21 -06:00
if result.dns_type == ipa.dnsclient.DNS_T_TXT:
2007-08-16 17:00:16 -05:00
realm = result.rdata.data
if realm:
if realm:
# now fetch server information for the realm
qname = "_kerberos._udp." + tdomain
# terminate the name
if not qname.endswith("."):
qname += "."
2007-12-10 15:31:21 -06:00
results = ipa.dnsclient.query(qname, ipa.dnsclient.DNS_C_IN, ipa.dnsclient.DNS_T_SRV)
2007-08-16 17:00:16 -05:00
for result in results:
2007-12-10 15:31:21 -06:00
if result.dns_type == ipa.dnsclient.DNS_T_SRV:
2007-08-16 17:00:16 -05:00
qname = result.rdata.server.rstrip(".")
if result.rdata.port and result.rdata.port != 88:
qname += ":" + str(result.rdata.port)
if kdc:
kdc += "," + qname
kdc = qname
return [realm, kdc]