freeipa/ipaserver/install/bindinstance.py

332 lines
11 KiB
Python
Raw Normal View History

# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import tempfile
import os
import pwd
import logging
import installutils
import ldap
import service
from ipaserver import ipaldap
from ipaserver.install.dsinstance import realm_to_serverid
from ipapython import sysrestore
from ipapython import ipautil
import ipalib
from ipalib import api, util, errors
def check_inst(unattended):
# So far this file is always present in both RHEL5 and Fedora if all the necessary
# bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
if not os.path.exists('/etc/named.rfc1912.zones'):
print "BIND was not found on this system"
print "Please install the bind package and start the installation again"
return False
# Also check for the LDAP BIND plug-in
if not os.path.exists('/usr/lib/bind/ldap.so') and \
not os.path.exists('/usr/lib64/bind/ldap.so'):
print "The BIND LDAP plug-in was not found on this system"
print "Please install the bind-dyndb-ldap package and start the installation again"
return False
if not unattended and os.path.exists('/etc/named.conf'):
msg = "Existing BIND configuration detected, overwrite?"
return ipautil.user_input(msg, False)
return True
def get_reverse_zone(ip_address):
tmp = ip_address.split(".")
tmp.reverse()
name = tmp.pop(0)
zone = ".".join(tmp) + ".in-addr.arpa"
return zone, name
def add_zone(name, update_policy=None):
if not update_policy:
update_policy = "grant %s krb5-self * A;" % api.env.realm
try:
api.Command.dns_add(unicode(name),
idnssoamname=unicode(api.env.host),
idnsallowdynupdate=True,
idnsupdatepolicy=unicode(update_policy))
except (errors.DuplicateEntry, errors.EmptyModlist):
pass
add_rr(name, "@", "NS", api.env.host+".")
return name
def add_reverze_zone(ip_address, update_policy=None):
zone, name = get_reverse_zone(ip_address)
if not update_policy:
update_policy = "grant %s krb5-subdomain %s. PTR;" % (api.env.realm, zone)
try:
api.Command.dns_add(unicode(zone),
idnssoamname=unicode(api.env.host),
idnsallowdynupdate=True,
idnsupdatepolicy=unicode(update_policy))
except (errors.DuplicateEntry, errors.EmptyModlist):
pass
add_rr(zone, "@", "NS", api.env.host)
return zone
def add_rr(zone, name, type, rdata):
try:
api.Command.dns_add_rr(unicode(zone), unicode(name),
unicode(type), unicode(rdata))
except (errors.DuplicateEntry, errors.EmptyModlist):
pass
def add_ptr_rr(ip_address, fqdn):
zone, name = get_reverse_zone(ip_address)
add_rr(zone, name, "PTR", fqdn+".")
class BindInstance(service.Service):
def __init__(self, fstore=None, dm_password=None):
service.Service.__init__(self, "named", dm_password=dm_password)
self.named_user = None
self.fqdn = None
self.domain = None
self.host = None
self.ip_address = None
self.realm = None
self.forwarders = None
self.sub_dict = None
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, named_user="named"):
self.named_user = named_user
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.host = fqdn.split(".")[0]
self.suffix = util.realm_to_suffix(self.realm)
self.ntp = ntp
tmp = ip_address.split(".")
tmp.reverse()
self.reverse_host = tmp.pop(0)
self.reverse_subnet = ".".join(tmp)
self.__setup_sub_dict()
def create_sample_bind_zone(self):
bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
os.write(bind_fd, bind_txt)
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
def create_instance(self):
try:
self.stop()
except:
pass
self.__add_zone_steps()
self.step("setting up our zone", self.__setup_zone)
self.step("setting up reverse zone", self.__setup_reverse_zone)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up named.conf", self.__setup_named_conf)
self.step("restarting named", self.__start)
self.step("configuring named to start on boot", self.__enable)
self.step("changing resolv.conf to point to ourselves", self.__setup_resolv_conf)
self.start_creation("Configuring named:")
def __add_zone_steps(self):
"""
Add a DNS container if it doesn't exist.
"""
def object_exists(dn):
"""
Test whether the given object exists in LDAP.
"""
try:
server.search_ext_s(dn, ldap.SCOPE_BASE)
except ldap.NO_SUCH_OBJECT:
return False
else:
return True
server = ldap.initialize("ldap://" + self.fqdn)
server.simple_bind_s()
if not object_exists("cn=dns,%s" % self.suffix):
self.step("adding DNS container", self.__setup_dns_container)
server.unbind_s()
def __start(self):
try:
self.backup_state("running", self.is_running())
self.restart()
except:
print "named service failed to start"
def __enable(self):
self.backup_state("enabled", self.is_running())
self.chkconfig_on()
def __setup_sub_dict(self):
if self.forwarders:
fwds = "\n"
for forwarder in self.forwarders:
fwds += "\t\t%s;\n" % forwarder
fwds += "\t"
else:
fwds = " "
if self.ntp:
optional_ntp = "\n;ntp server\n"
optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host
else:
optional_ntp = ""
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip_address,
DOMAIN=self.domain,
HOST=self.host,
REALM=self.realm,
SERVER_ID=realm_to_serverid(self.realm),
FORWARDERS=fwds,
SUFFIX=self.suffix,
OPTIONAL_NTP=optional_ntp)
def __setup_dns_container(self):
self._ldap_mod("dns.ldif", self.sub_dict)
def __setup_zone(self):
resource_records = (
(self.host, "A", self.ip_address),
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host),
("_kerberos", "TXT", self.realm),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host),
)
zone = add_zone(self.domain)
for (host, type, rdata) in resource_records:
add_rr(zone, host, type, rdata)
if self.ntp:
add_rr(zone, "_ntp._udp", "SRV", "0 100 123 "+self.host)
def __setup_reverse_zone(self):
add_reverze_zone(self.ip_address)
add_ptr_rr(self.ip_address, self.fqdn)
def __setup_principal(self):
dns_principal = "DNS/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dns_principal)
# Store the keytab on disk
self.fstore.backup_file("/etc/named.keytab")
installutils.create_keytab("/etc/named.keytab", dns_principal)
dns_principal = self.move_service(dns_principal)
# Make sure access is strictly reserved to the named user
pent = pwd.getpwnam(self.named_user)
os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid)
os.chmod("/etc/named.keytab", 0400)
# modify the principal so that it is marked as an ipa service so that
# it can host the memberof attribute, then also add it to the
# dnsserver role group, this way the DNS is allowed to perform
# DNS Updates
conn = None
try:
conn = ipaldap.IPAdmin("127.0.0.1")
conn.simple_bind_s("cn=directory manager", self.dm_password)
except Exception, e:
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e
dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
mod = [(ldap.MOD_ADD, 'member', dns_principal)]
try:
conn.modify_s(dns_group, mod)
except Exception, e:
logging.critical("Could not modify principal's %s entry" % dns_principal)
raise e
conn.unbind()
def __setup_named_conf(self):
self.fstore.backup_file('/etc/named.conf')
named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
named_fd = open('/etc/named.conf', 'w')
named_fd.seek(0)
named_fd.truncate(0)
named_fd.write(named_txt)
named_fd.close()
def __setup_resolv_conf(self):
self.fstore.backup_file('/etc/resolv.conf')
resolv_txt = "search "+self.domain+"\nnameserver "+self.ip_address+"\n"
resolv_fd = open('/etc/resolv.conf', 'w')
resolv_fd.seek(0)
resolv_fd.truncate(0)
resolv_fd.write(resolv_txt)
resolv_fd.close()
def uninstall(self):
running = self.restore_state("running")
enabled = self.restore_state("enabled")
if not running is None:
self.stop()
for f in ["/etc/named.conf", "/etc/resolv.conf"]:
try:
self.fstore.restore_file(f)
except ValueError, error:
logging.debug(error)
pass
if not enabled is None and not enabled:
self.chkconfig_off()
if not running is None and running:
self.start()