#! /usr/bin/python -E
# Authors: John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 or later
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import sys
# The IPA Python packages are installed outside the interpreter's default
# search path.  They are *appended*, not inserted at the front, so they cannot
# shadow standard-library modules; together with the -E in the shebang (which
# makes the interpreter ignore PYTHON* environment variables) this keeps the
# module search path of this installer -- which has to run as root, since it
# drives kadmin.local and chowns the keytab -- from being steered from the
# environment.
sys.path.append("/usr/share/ipa")
import subprocess
import string
import tempfile
import shutil
import logging
import pwd
import time
import sys
from ipa.ipautil import *
from ipa import radius_util
from ipaserver import service
import os
import re
# Version of the IPA radius integration itself (not of FreeRADIUS).  Written,
# together with the detected FreeRADIUS version, into radiusd.conf's
# CONFIG_FILE_VERSION_INFO stamp by RadiusInstance.__radiusd_conf().
IPA_RADIUS_VERSION = '0.0.0'
# FIXME there should be a utility to get the user base DN
from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer
#-------------------------------------------------------------------------------
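def ldap_mod(fd, dn, pwd):
    """Apply the LDIF in the open file ``fd`` to the local directory server.

    Runs /usr/bin/ldapmodify against 127.0.0.1 with a simple bind as ``dn``
    using the password ``pwd``; ``fd.name`` must be a path ldapmodify can
    read.  ``run`` (from ipautil) executes the command and is expected to
    raise subprocess.CalledProcessError on a non-zero exit -- that is what
    the caller in this file catches.

    The password is handed to ldapmodify through a 0600 temporary file and
    ``-y`` instead of on the command line with ``-w``: argv is readable by
    every local user through ``ps`` or /proc for as long as ldapmodify runs,
    and this function is used with the Directory Manager password.  The
    bind itself is plain LDAP over loopback, so the password still crosses
    the loopback interface unencrypted.
    """
    # mkstemp creates the file with mode 0600, owned by the calling user.
    pw_fd, pw_path = tempfile.mkstemp()
    try:
        with os.fdopen(pw_fd, 'w') as pw_file:
            # ldapmodify -y uses the file's *entire* contents as the
            # password, so write it without a trailing newline.
            pw_file.write(pwd)
        args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
                "-D", dn, "-y", pw_path, "-f", fd.name]
        run(args)
    finally:
        # Never leave a bind password behind on disk, whatever run() did.
        try:
            os.remove(pw_path)
        except OSError:
            pass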
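def get_radius_version():
    """Return the installed FreeRADIUS version string, or None if unknown.

    Runs ``radius_util.RADIUSD -v`` and pulls the version out of a line of
    the form ``radiusd: FreeRADIUS Version X.Y.Z, for host ...``.  Any
    failure -- binary missing, non-zero exit, unexpected output -- yields
    None, which the caller formats into radiusd.conf's version stamp as-is.
    The cause is logged at debug level instead of being discarded, so a
    wrong radiusd path is diagnosable from the install log.
    """
    version = None
    try:
        # universal_newlines keeps stdout as text on both Python 2 and 3 so
        # the regular expression below always sees a str.
        proc = subprocess.Popen([radius_util.RADIUSD, '-v'],
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE,
                                universal_newlines=True)
        out, err = proc.communicate()
        if proc.returncode == 0:
            match = re.search(r"radiusd: FreeRADIUS Version (.+), for host", out)
            if match:
                version = match.group(1)
        else:
            logging.debug("%s -v exited with status %d: %s",
                          radius_util.RADIUSD, proc.returncode, err.strip())
    except Exception as e:
        # Best effort: the version only decorates the generated config.
        logging.debug("could not determine FreeRADIUS version: %s", e)
    return version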
#-------------------------------------------------------------------------------
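class RadiusInstance(service.Service):
    """Install-time set-up of the FreeRADIUS (radiusd) service for IPA.

    ``create_instance`` is the entry point.  It derives the LDAP suffix and
    the radiusd Kerberos principal from the realm and host name, creates a
    keytab for that principal with kadmin.local, renders radiusd.conf from
    the template named in radius_util, then starts radiusd and enables it
    at boot.  Progress is reported through the ``start_creation``/``step``
    hooks inherited from service.Service.

    Security notes for maintainers:

    * The keytab holds radiusd's long-term service key.  It is chowned to
      radius_util.RADIUS_USER and explicitly restricted to mode 0600.
    * ``realm_name`` and ``host_name`` are interpolated, unquoted, into the
      command stream fed to kadmin.local on stdin; they are trusted
      installer input and must not contain newlines.
    * ``__set_ldap_encrypted_attributes`` binds as cn=Directory Manager
      with ``self.dm_password``.  Nothing in this class assigns that
      attribute and nothing here calls the method; a caller has to do both.
    * radiusd.conf is rendered with ACCESS_ATTRIBUTE empty and
      ACCESS_ATTRIBUTE_DEFAULT 'TRUE'.  NOTE(review): that presumably means
      no per-user access attribute is consulted and access is granted by
      default -- confirm against the template before relying on it as an
      access control.
    """

    def __init__(self):
        service.Service.__init__(self, "radiusd")
        self.fqdn = None
        self.realm = None
        self.principal = None
        # Filled in by create_instance(); declared here so the object has a
        # predictable shape before then.
        self.suffix = None
        self.ldap_server = None
        self.basedn = None
        self.user_basedn = None
        self.radius_version = None

    def create_instance(self, realm_name, host_name, ldap_server):
        """Configure, start and enable radiusd for ``realm_name`` on this host.

        realm_name  -- Kerberos realm; upper-cased and used for the principal
                       and (through realm_to_suffix) for the LDAP suffix.
        host_name   -- FQDN of this server; the instance part of the
                       radiusd principal.
        ldap_server -- LDAP server written into radiusd.conf.

        Failure to stop or start the service is logged and does not abort
        the install; a keytab that kadmin.local did not produce does (see
        __create_radius_keytab).
        """
        self.realm = realm_name.upper()
        self.suffix = realm_to_suffix(self.realm)
        self.fqdn = host_name
        self.ldap_server = ldap_server
        self.principal = "%s/%s@%s" % (radius_util.RADIUS_SERVICE_NAME, self.fqdn, self.realm)
        self.basedn = self.suffix
        self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this
        self.radius_version = get_radius_version()
        self.start_creation(4, "Configuring radiusd")

        try:
            self.stop()
        except Exception as e:
            # Expected on a fresh install: the service is simply not running.
            # Catching Exception (not a bare except) leaves SystemExit and
            # KeyboardInterrupt alone.
            logging.debug("radiusd not stopped (probably not running): %s", e)

        self.__create_radius_keytab()
        self.__radiusd_conf()

        try:
            self.step("starting radiusd")
            self.start()
        except Exception as e:
            logging.error("radiusd service failed to start: %s", e)

        self.step("configuring radiusd to start on boot")
        self.chkconfig_on()

    def __radiusd_conf(self):
        """Render radiusd.conf from the template and write it into place.

        The substitution dictionary carries a version stamp, the LDAP
        server, the keytab path and principal radiusd authenticates with,
        the user and client search bases and the suffix.  Only paths and
        DNs are substituted here -- no credential -- so the file is written
        with the process's default umask.

        A failure to render or write the file is logged and swallowed so
        the installer can go on; the subsequent radiusd start then either
        fails or runs on whatever configuration was already present.
        """
        self.step('configuring radiusd.conf for radius instance')

        version = 'IPA_RADIUS_VERSION=%s FREE_RADIUS_VERSION=%s' % (IPA_RADIUS_VERSION, self.radius_version)
        sub_dict = {'CONFIG_FILE_VERSION_INFO' : version,
                    'LDAP_SERVER' : self.ldap_server,
                    'RADIUS_KEYTAB' : radius_util.RADIUS_IPA_KEYTAB_FILEPATH,
                    'RADIUS_PRINCIPAL' : self.principal,
                    'RADIUS_USER_BASE_DN' : self.user_basedn,
                    'ACCESS_ATTRIBUTE' : '',
                    'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE',
                    'CLIENTS_BASEDN' : radius_util.radius_clients_basedn(None, self.suffix),
                    'SUFFIX' : self.suffix,
                    }

        try:
            radiusd_conf = template_file(radius_util.RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)
            # 'with' closes (and flushes) the handle even if the write
            # raises; the previous code left it open on that path.
            with open(radius_util.RADIUSD_CONF_FILEPATH, 'w') as radiusd_fd:
                radiusd_fd.write(radiusd_conf)
        except Exception as e:
            logging.error("could not create %s: %s", radius_util.RADIUSD_CONF_FILEPATH, e)

    def __create_radius_keytab(self):
        """Create (or re-create) the radiusd service principal and its keytab.

        Any existing keytab is removed first.  kadmin.local is then driven
        on stdin to ``addprinc -randkey`` the principal and ``ktadd`` it
        into radius_util.RADIUS_IPA_KEYTAB_FILEPATH; the keytab is
        restricted to mode 0600 and chowned to radius_util.RADIUS_USER so
        only radiusd can read the service key.

        communicate() waits for kadmin.local to exit, so the existence check
        below is authoritative and the old sleep/retry loop is unnecessary.
        kadmin.local's exit status is logged but not relied on -- it is not
        clear it reflects sub-command failures -- which is why the file
        check stays.  A missing keytab aborts the install with exit status
        1, as before, but the error now goes to the log instead of stdout.
        """
        self.step("creating a keytab for radiusd")
        keytab = radius_util.RADIUS_IPA_KEYTAB_FILEPATH

        try:
            if file_exists(keytab):
                os.remove(keytab)
        except OSError:
            logging.error("Failed to remove %s", keytab)

        # self.principal is built from installer-supplied realm and host name
        # and is interpolated unquoted into kadmin's command stream: a newline
        # in either would inject further kadmin commands.  Trusted input, but
        # there is no quoting layer here.
        commands = ("addprinc -randkey %s\n" % self.principal
                    + "ktadd -k %s %s\n" % (keytab, self.principal))
        kadmin = subprocess.Popen(["/usr/kerberos/sbin/kadmin.local"],
                                  stdin=subprocess.PIPE,
                                  stdout=subprocess.PIPE,
                                  stderr=subprocess.PIPE,
                                  universal_newlines=True)
        kout, kerr = kadmin.communicate(commands)
        if kadmin.returncode != 0:
            logging.error("kadmin.local exited with status %d: %s",
                          kadmin.returncode, kerr.strip())
        elif kerr.strip():
            logging.debug("kadmin.local stderr: %s", kerr.strip())

        if not file_exists(keytab):
            logging.error("kadmin.local did not create the radiusd keytab %s", keytab)
            sys.exit(1)

        try:
            pent = pwd.getpwnam(radius_util.RADIUS_USER)
            # Do not depend on whatever mode kadmin created the file with: a
            # long-term service key must be readable by its owner only.
            os.chmod(keytab, 0o600)
            os.chown(keytab, pent.pw_uid, pent.pw_gid)
        except Exception as e:
            logging.error("could not chown on %s to %s: %s", keytab, radius_util.RADIUS_USER, e)

    #FIXME, should use IPAdmin method
    def __set_ldap_encrypted_attributes(self):
        """Mark radiusClientSecret as an encrypted attribute in the directory.

        Renders encrypted_attribute.ldif from SHARE_DIR with
        ENCRYPTED_ATTRIBUTE=radiusClientSecret and applies it with ldap_mod(),
        binding as cn=Directory Manager with self.dm_password.

        Nothing in this class assigns dm_password and nothing here calls this
        method, so it is unused until a caller wires both up; a missing
        password raises ValueError rather than reaching ldapmodify.  A failed
        ldapmodify is logged at critical and swallowed.  The temporary LDIF
        file is closed on every path.
        """
        ldif_file = 'encrypted_attribute.ldif'
        dm_password = getattr(self, 'dm_password', None)
        if not dm_password:
            raise ValueError("dm_password must be set before setting ldap encrypted attributes")
        self.step("setting ldap encrypted attributes")
        # os.path.join gives the same result as SHARE_DIR + ldif_file when
        # SHARE_DIR ends in '/', and a correct path when it does not.
        ldif_txt = template_file(os.path.join(SHARE_DIR, ldif_file),
                                 {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'})
        ldif_fd = write_tmp_file(ldif_txt)
        try:
            ldap_mod(ldif_fd, "cn=Directory Manager", dm_password)
        except subprocess.CalledProcessError as e:
            logging.critical("Failed to load %s: %s", ldif_file, str(e))
        finally:
            ldif_fd.close()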
#-------------------------------------------------------------------------------