IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-27 09:21:59 -06:00
Code Issues Packages Projects Releases Wiki Activity
ded15c72ff
freeipa/ipaserver/install/krbinstance.py

612 lines
25 KiB
Python
Raw Normal View History

Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
Set the license uniformly to GPLv2 only.
2008-02-04 14:15:52 -06:00
# published by the Free Software Foundation; version 2 only
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import shutil
import logging
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
import fileinput
import re
import sys
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
import os
import pwd
import socket
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
import service
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
import installutils
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython import ipautil
Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-04 09:53:34 -06:00
from ipalib import util
Rename errors2.py to errors.py. Modify all affected files.
2009-04-23 07:51:59 -05:00
from ipalib import errors
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-04 09:53:34 -06:00
from ipaserver import ipaldap
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
import ldap
from ldap import LDAPError
from ldap import ldapobject
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
from pyasn1.type import univ, namedtype
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
import pyasn1.codec.ber.encoder
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
import pyasn1.codec.ber.decoder
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
import struct
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
import certs
import httpinstance
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
from distutils import version
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
Loosen the ACI for the KDC to allow adds/deletes Password policy entries must be a child of the entry protected by this ACI. Also change the format of this because in DS it was stored as: \n(target)\n so was base64-encoded when it was retrieved.
2009-10-02 08:27:08 -05:00
KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)'
Fix syntax error
2008-09-18 15:49:35 -05:00
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
def check_pkinit_plugin():
LIB32 = '/usr/lib/krb5/plugins/preauth/pkinit.so'
LIB64 = '/usr/lib64/krb5/plugins/preauth/pkinit.so'
if not os.path.exists(LIB32) and not os.path.exists(LIB64):
print "The pkinit plugin is missing"
print "Please install the 'krb5-pkinit-openssl' package and start the installation again"
return False
return True
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
def update_key_val_in_file(filename, key, val):
if os.path.exists(filename):
Only update key/value files if necessary update_key_val_in_file() shouldn't try and write to a file if the key is already set to the given value in the file Rationale here is that if we write these files out while building a system image, ipa-server-install shouldn't need to re-write them and, therefore, they don't need to be writable. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
p = re.compile(pattern)
for line in fileinput.input(filename):
if p.search(line):
fileinput.close()
return
fileinput.close()
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
pattern = "^[\s#]*%s\s*=" % re.escape(key)
p = re.compile(pattern)
for line in fileinput.input(filename, inplace=1):
if not p.search(line):
sys.stdout.write(line)
fileinput.close()
f = open(filename, "a")
f.write("%s=%s\n" % (key, val))
f.close()
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
class KpasswdInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "ipa_kpasswd")
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
class KrbInstance(service.Service):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
def __init__(self, fstore=None):
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
service.Service.__init__(self, "krb5kdc")
Manage to create a spcific DS user for the ldap instance Add uncalled code to load and configure the password extop plugin
2007-07-02 14:51:04 -05:00
self.ds_user = None
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.fqdn = None
self.realm = None
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self.domain = None
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.host = None
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
self.admin_password = None
self.master_password = None
self.suffix = None
self.kdc_password = None
self.sub_dict = None
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
self.pkcs12_info = None
self.self_signed_ca = None
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
def move_service_to_host(self, principal):
"""
Used to move a host/ service principal created by kadmin.local from
cn=kerberos to reside under the host entry.
"""
conn = None
service_dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (principal, self.realm, self.suffix)
try:
conn = ipaldap.IPAdmin("127.0.0.1")
conn.simple_bind_s("cn=directory manager", self.admin_password)
except Exception, e:
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e
service_entry = conn.getEntry(service_dn, ldap.SCOPE_BASE)
conn.deleteEntry(service_dn)
# Create a host entry for this master
host_dn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix)
host_entry = ipaldap.Entry(host_dn)
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
host_entry.setValues('objectclass', ['top', 'ipaobject', 'nshost', 'ipahost', 'ipaservice', 'pkiuser', 'krbprincipalaux', 'krbprincipal', 'krbticketpolicyaux'])
Changes to fix compatibility with Fedora 14 Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
2010-08-31 15:59:27 -05:00
host_entry.setValues('krbextradata', service_entry.getValues('krbextradata'))
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
host_entry.setValue('krblastpwdchange', service_entry.getValue('krblastpwdchange'))
host_entry.setValue('krbpasswordexpiration', service_entry.getValue('krbpasswordexpiration'))
host_entry.setValue('krbprincipalname', service_entry.getValue('krbprincipalname'))
Changes to fix compatibility with Fedora 14 Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
2010-08-31 15:59:27 -05:00
if 'krbticketflags' in service_entry.toDict():
host_entry.setValue('krbticketflags', service_entry.getValue('krbticketflags'))
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
host_entry.setValue('krbprincipalkey', service_entry.getValue('krbprincipalkey'))
host_entry.setValue('serverhostname', self.fqdn.split('.',1)[0])
host_entry.setValue('cn', self.fqdn)
host_entry.setValue('fqdn', self.fqdn)
UUIDs: remove uuid python plugin and let DS always autogenerate merge in remove uuid
2010-10-26 09:26:06 -05:00
host_entry.setValue('ipauniqueid', 'autogenerate')
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
host_entry.setValue('managedby', host_dn)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
conn.addEntry(host_entry)
conn.unbind()
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
def __common_setup(self, ds_user, realm_name, host_name, domain_name, admin_password):
Manage to create a spcific DS user for the ldap instance Add uncalled code to load and configure the password extop plugin
2007-07-02 14:51:04 -05:00
self.ds_user = ds_user
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fqdn = host_name
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.realm = realm_name.upper()
self.host = host_name.split(".")[0]
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.ip = socket.gethostbyname(host_name)
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
self.domain = domain_name
Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-04 09:53:34 -06:00
self.suffix = util.realm_to_suffix(self.realm)
from ipa.ipautil import * --> from ipa import ipautil
2007-12-12 12:15:56 -06:00
self.kdc_password = ipautil.ipa_generate_password()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.admin_password = admin_password
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self.dm_password = admin_password
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.__setup_sub_dict()
# get a connection to the DS
try:
self.conn = ipaldap.IPAdmin(self.fqdn)
self.conn.do_simple_bind(bindpw=self.admin_password)
When an LDAP connection fails, display the host one is trying to connect to. 450111
2008-06-05 13:41:15 -05:00
except Exception, e:
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
raise e
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
self.backup_state("running", self.is_running())
Try to catch more error conditions during installation Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 16:37:13 -05:00
try:
self.stop()
except:
# It could have been not running
pass
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __common_post_setup(self):
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("starting the KDC", self.__start_instance)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
self.step("configuring KDC to start on boot", self.__enable)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
def create_instance(self, ds_user, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.master_password = master_password
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.subject_base = subject_base
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("setting KDC account password", self.__configure_kdc_account_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("adding kerberos entries to the DS", self.__add_krb_entries)
Fix two typos
2008-02-05 15:50:12 -06:00
self.step("adding default ACIs", self.__add_default_acis)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("configuring KDC", self.__create_instance)
Fix two typos
2008-02-05 15:50:12 -06:00
self.step("adding default keytypes", self.__add_default_keytypes)
Use kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
2010-10-25 16:58:37 -05:00
self.step("adding default password policy", self.__add_default_pwpolicy)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("creating a keytab for the directory", self.__create_ds_keytab)
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
self.step("creating a keytab for the machine", self.__create_host_keytab)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
Configure the ipa_pwd_extop plugin on replicas. If plugin isn't configured then the kerberos attributes don't get populated. User's will get Preauthentication errors from the kerberos libraries because there is no krbPrincipalKey to match against. 442134
2008-04-14 16:12:40 -05:00
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
self.step("adding the kerberos master key to the directory", self.__add_master_key)
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
if setup_pkinit:
self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
anon-pkinit: add well known principal leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
2010-11-02 17:02:59 -05:00
self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.__common_post_setup()
Include time duration hints when configuring services in ipa-server-install. Give a better heads-up on how long the installation will take. Particularly important when configuring dogtag. ticket 139
2010-09-29 12:55:54 -05:00
self.start_creation("Configuring Kerberos KDC", 30)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
self.kpasswd = KpasswdInstance()
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
self.kpasswd.create_instance()
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
def create_replica(self, ds_user, realm_name, host_name,
domain_name, admin_password,
ldap_passwd_filename, kpasswd_filename,
setup_pkinit=False, pkcs12_info=None,
self_signed_ca=False, subject_base=None):
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.subject_base = subject_base
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.__copy_ldap_passwd(ldap_passwd_filename)
Use the same kpasswd.keytab on all replicas. If we generate a new keytab for each replica then effectively password changes can only occur on the last replica created. 439905
2008-04-09 15:57:41 -05:00
self.__copy_kpasswd_keytab(kpasswd_filename)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("writing stash file from DS", self.__write_stash_from_ds)
self.step("configuring KDC", self.__create_replica_instance)
self.step("creating a keytab for the directory", self.__create_ds_keytab)
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
self.step("creating a keytab for the machine", self.__create_host_keytab)
Configure the ipa_pwd_extop plugin on replicas. If plugin isn't configured then the kerberos attributes don't get populated. User's will get Preauthentication errors from the kerberos libraries because there is no krbPrincipalKey to match against. 442134
2008-04-14 16:12:40 -05:00
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if setup_pkinit:
self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.__common_post_setup()
Include time duration hints when configuring services in ipa-server-install. Give a better heads-up on how long the installation will take. Particularly important when configuring dogtag. ticket 139
2010-09-29 12:55:54 -05:00
self.start_creation("Configuring Kerberos KDC", 30)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
self.kpasswd = KpasswdInstance()
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
self.kpasswd.create_instance()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __copy_ldap_passwd(self, filename):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
shutil.copy(filename, "/var/kerberos/krb5kdc/ldappwd")
Add xml-rpc interface for getting keytabs. Warning: this lacks any sort of authorization.
0000-12-31 18:09:24 -05:50
os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Use the same kpasswd.keytab on all replicas. If we generate a new keytab for each replica then effectively password changes can only occur on the last replica created. 439905
2008-04-09 15:57:41 -05:00
def __copy_kpasswd_keytab(self, filename):
self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
shutil.copy(filename, "/var/kerberos/krb5kdc/kpasswd.keytab")
os.chmod("/var/kerberos/krb5kdc/kpasswd.keytab", 0600)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
def __configure_kdc_account_password(self):
hexpwd = ''
for x in self.kdc_password:
hexpwd += (hex(ord(x))[2:])
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/var/kerberos/krb5kdc/ldappwd")
Overwrite ldappwd file to fix bug when reinstalling IPA.
0000-12-31 18:09:24 -05:50
pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "w")
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
pwd_fd.close()
Add xml-rpc interface for getting keytabs. Warning: this lacks any sort of authorization.
0000-12-31 18:09:24 -05:50
os.chmod("/var/kerberos/krb5kdc/ldappwd", 0600)
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
def __enable(self):
self.backup_state("enabled", self.is_enabled())
self.chkconfig_on()
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
def __start_instance(self):
try:
self.start()
except:
logging.critical("krb5kdc service failed to start")
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
def __setup_sub_dict(self):
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip,
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
PASSWORD=self.kdc_password,
SUFFIX=self.suffix,
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
DOMAIN=self.domain,
HOST=self.host,
REALM=self.realm)
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __configure_sasl_mappings(self):
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict. There is no way to define the order they are used in atm.
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
# FIXME: for some reason IPAdmin dies here, so we switch
# it out for a regular ldapobject.
conn = self.conn
self.conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
self.conn.bind("cn=directory manager", self.admin_password)
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
try:
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
msgid = self.conn.search("cn=mapping,cn=sasl,cn=config", ldap.SCOPE_ONELEVEL, "(objectclass=nsSaslMapping)")
res = self.conn.result(msgid)
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
for r in res[1]:
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
self.conn.delete_s(r[0])
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
#except LDAPError, e:
# logging.critical("Error during SASL mapping removal: %s" % str(e))
except Exception, e:
When an LDAP connection fails, display the host one is trying to connect to. 450111
2008-06-05 13:41:15 -05:00
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
print type(e)
print dir(e)
raise e
Remove unused stuff.
2008-08-13 08:45:05 -05:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.conn = conn
entry = ipaldap.Entry("cn=Full Principal,cn=mapping,cn=sasl,cn=config")
entry.setValues("objectclass", "top", "nsSaslMapping")
entry.setValues("cn", "Full Principal")
entry.setValues("nsSaslMapRegexString", '\(.*\)@\(.*\)')
entry.setValues("nsSaslMapBaseDNTemplate", self.suffix)
entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)')
try:
self.conn.add_s(entry)
except ldap.ALREADY_EXISTS:
logging.critical("failed to add Full Principal Sasl mapping")
raise e
entry = ipaldap.Entry("cn=Name Only,cn=mapping,cn=sasl,cn=config")
entry.setValues("objectclass", "top", "nsSaslMapping")
entry.setValues("cn", "Name Only")
Fix SASL mappings
2009-09-29 11:41:20 -05:00
entry.setValues("nsSaslMapRegexString", '^[^:@]+$')
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
entry.setValues("nsSaslMapBaseDNTemplate", self.suffix)
Fix SASL mappings
2009-09-29 11:41:20 -05:00
entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
try:
self.conn.add_s(entry)
except ldap.ALREADY_EXISTS:
logging.critical("failed to add Name Only Sasl mapping")
raise e
def __add_krb_entries(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("kerberos.ldif", self.sub_dict)
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
def __add_default_acis(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("default-aci.ldif", self.sub_dict)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
Big changeset that includes the work around keytab management. Following the changelog history from my dev tree, some comments are useful imo ------------------------------------------------------ user: Simo Sorce <ssorce@redhat.com> date: Fri Dec 21 03:05:36 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Remove remnants of the initial test tool changeset: 563:4fe574b7bdf1 user: Simo Sorce <ssorce@redhat.com> date: Fri Dec 21 02:58:37 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c description: Maybe actually encrypting the keys will help :-) changeset: 562:488ded41242a user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:53:50 2007 -0500 files: ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif description: Fixes changeset: 561:4518f6f5ecaf user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:53:32 2007 -0500 files: ipa-admintools/Makefile ipa-admintools/ipa-addservice description: transform the old ipa-getkeytab in a tool to add services as the new ipa-getkeytab won't do it (and IMO it makes more sense to keep the two functions separate anyway). changeset: 559:25a7f8ee973d user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:48:59 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c description: Bugfixes changeset: 558:28fcabe4aeba user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:48:29 2007 -0500 files: ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c description: Configure fixes Add ipa-getkeytab to spec Client fixes changeset: 557:e92a4ffdcda4 user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 20:57:10 2007 -0500 files: ipa-client/Makefile.am ipa-client/configure.ac description: Try to make ipa-getkeytab build via autotools changeset: 556:224894175d6b user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 20:35:56 2007 -0500 files: ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c description: Messed a bit with hg commands. To make it short: - Remove the python ipa-getkeytab program - Rename the keytab plugin test program to ipa-getkeytab - Put the program in ipa-client as it should be distributed with the client tools changeset: 555:5e1a068f2e90 user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 20:20:40 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Polish the client program changeset: 554:0a5b19a167cf user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 18:53:49 2007 -0500 files: ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py description: Support retrieving enctypes from LDAP Filter enctypes Update test program changeset: 553:f75d7886cb91 user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 00:17:40 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Fix ber generation and remove redundant keys changeset: 552:0769cafe6dcd user: Simo Sorce <ssorce@redhat.com> date: Wed Dec 19 19:31:37 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Avoid stupid segfault changeset: 551:1acd5fdb5788 user: Simo Sorce <ssorce@redhat.com> date: Wed Dec 19 18:39:12 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c description: If ber_peek_tag() returns LBER_ERROR it may just be that we are at the end of the buffer. Unfortunately ber_scanf is broken in the sense that it doesn't actually really consider sequence endings (due probably to the fact they are just representation and do not reflect in the underlieing DER encoding.) changeset: 550:e974fb2726a4 user: Simo Sorce <ssorce@redhat.com> date: Wed Dec 19 18:35:07 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: First shot at the new method
2007-12-21 10:37:19 -06:00
def __add_default_keytypes(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("default-keytypes.ldif", self.sub_dict)
Big changeset that includes the work around keytab management. Following the changelog history from my dev tree, some comments are useful imo ------------------------------------------------------ user: Simo Sorce <ssorce@redhat.com> date: Fri Dec 21 03:05:36 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Remove remnants of the initial test tool changeset: 563:4fe574b7bdf1 user: Simo Sorce <ssorce@redhat.com> date: Fri Dec 21 02:58:37 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c description: Maybe actually encrypting the keys will help :-) changeset: 562:488ded41242a user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:53:50 2007 -0500 files: ipa-server/ipa-install/share/Makefile.am ipa-server/ipa-install/share/default-aci.ldif description: Fixes changeset: 561:4518f6f5ecaf user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:53:32 2007 -0500 files: ipa-admintools/Makefile ipa-admintools/ipa-addservice description: transform the old ipa-getkeytab in a tool to add services as the new ipa-getkeytab won't do it (and IMO it makes more sense to keep the two functions separate anyway). changeset: 559:25a7f8ee973d user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:48:59 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c description: Bugfixes changeset: 558:28fcabe4aeba user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 23:48:29 2007 -0500 files: ipa-client/configure.ac ipa-client/ipa-client.spec ipa-client/ipa-client.spec.in ipa-client/ipa-getkeytab.c description: Configure fixes Add ipa-getkeytab to spec Client fixes changeset: 557:e92a4ffdcda4 user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 20:57:10 2007 -0500 files: ipa-client/Makefile.am ipa-client/configure.ac description: Try to make ipa-getkeytab build via autotools changeset: 556:224894175d6b user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 20:35:56 2007 -0500 files: ipa-admintools/ipa-getkeytab ipa-client/ipa-getkeytab.c description: Messed a bit with hg commands. To make it short: - Remove the python ipa-getkeytab program - Rename the keytab plugin test program to ipa-getkeytab - Put the program in ipa-client as it should be distributed with the client tools changeset: 555:5e1a068f2e90 user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 20:20:40 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Polish the client program changeset: 554:0a5b19a167cf user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 18:53:49 2007 -0500 files: ipa-server/ipa-install/share/default-aci.ldif ipa-server/ipa-install/share/default-keytypes.ldif ipa-server/ipa-install/share/kdc.conf.template ipa-server/ipa-install/share/kerberos.ldif ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c ipa-server/ipaserver/krbinstance.py description: Support retrieving enctypes from LDAP Filter enctypes Update test program changeset: 553:f75d7886cb91 user: Simo Sorce <ssorce@redhat.com> date: Thu Dec 20 00:17:40 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Fix ber generation and remove redundant keys changeset: 552:0769cafe6dcd user: Simo Sorce <ssorce@redhat.com> date: Wed Dec 19 19:31:37 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: Avoid stupid segfault changeset: 551:1acd5fdb5788 user: Simo Sorce <ssorce@redhat.com> date: Wed Dec 19 18:39:12 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c description: If ber_peek_tag() returns LBER_ERROR it may just be that we are at the end of the buffer. Unfortunately ber_scanf is broken in the sense that it doesn't actually really consider sequence endings (due probably to the fact they are just representation and do not reflect in the underlieing DER encoding.) changeset: 550:e974fb2726a4 user: Simo Sorce <ssorce@redhat.com> date: Wed Dec 19 18:35:07 2007 -0500 files: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ipa-server/ipa-slapi-plugins/ipa-pwd-extop/test-get-keytab.c description: First shot at the new method
2007-12-21 10:37:19 -06:00
Use kerberos password policy. This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
2010-10-25 16:58:37 -05:00
def __add_default_pwpolicy(self):
self._ldap_mod("default-pwpolicy.ldif", self.sub_dict)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
def __create_replica_instance(self):
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
self.__create_instance(replica=True)
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
def __template_file(self, path):
template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
conf = ipautil.template_file(template, self.sub_dict)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file(path)
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
fd = open(path, "w+")
fd.write(conf)
fd.close()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __create_instance(self, replica=False):
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
self.__template_file("/var/kerberos/krb5kdc/kdc.conf")
self.__template_file("/etc/krb5.conf")
self.__template_file("/usr/share/ipa/html/krb5.ini")
self.__template_file("/usr/share/ipa/html/krb.con")
self.__template_file("/usr/share/ipa/html/krbrealm.con")
Create configuration for MIT Windows kerberos client and install into http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration.
2007-10-29 11:00:48 -05:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
if not replica:
#populate the directory with the realm structure
Changes to fix compatibility with Fedora 14 Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
2010-08-31 15:59:27 -05:00
args = ["kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
try:
from ipa.ipautil import * --> from ipa import ipautil
2007-12-12 12:15:56 -06:00
ipautil.run(args)
except ipautil.CalledProcessError, e:
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
print "Failed to populate the realm structure in kerberos", e
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
MIN_KRB5KDC_WITH_WORKERS = "1.9"
cpus = os.sysconf('SC_NPROCESSORS_ONLN')
workers = False
Don't use full pathnames for kerberos binaries, let PATH find them. Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH sort it out.
2010-11-22 13:52:09 -06:00
(stdout, stderr, rc) = ipautil.run(['klist', '-V'], raiseonerr=False)
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
if rc == 0:
verstr = stdout.split()[-1]
ver = version.LooseVersion(verstr)
min = version.LooseVersion(MIN_KRB5KDC_WITH_WORKERS)
if ver >= min:
workers = True
if workers and cpus > 1:
#read in memory, find KRB5KDC_ARGS, check/change it, then overwrite file
self.fstore.backup_file("/etc/sysconfig/krb5kdc")
need_w = True
fd = open("/etc/sysconfig/krb5kdc", "r")
lines = fd.readlines()
fd.close()
for line in lines:
sline = line.strip()
if not sline.startswith('KRB5KDC_ARGS'):
continue
sline = sline.replace('"', '')
if sline.find("-w") != -1:
need_w = False
if need_w:
fd = open("/etc/sysconfig/krb5kdc", "w")
for line in lines:
fd.write(line)
fd.write('KRB5KDC_ARGS="${KRB5KDC_ARGS} -w %s"\n' % str(cpus))
fd.close()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __write_stash_from_ds(self):
Try to catch more error conditions during installation Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 16:37:13 -05:00
try:
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
entry = self.conn.getEntry("cn=%s, cn=kerberos, %s" % (self.realm, self.suffix), ldap.SCOPE_SUBTREE)
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
except errors.NotFound, e:
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
logging.critical("Could not find master key in DS")
raise e
krbMKey = pyasn1.codec.ber.decoder.decode(entry.krbmkey)
keytype = int(krbMKey[0][1][0])
keydata = str(krbMKey[0][1][1])
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open("/var/kerberos/krb5kdc/.k5."+self.realm, "w")
fd.write(s)
Minor bugs found while testing stuff. - wrong import in certs.py makes ipa-replica-manage fail - close the fs after the stash file is written so that the file is updated immediately and not when the fd is garbage collected
2008-08-19 15:39:33 -05:00
fd.close()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
except os.error, e:
logging.critical("failed to write stash file")
raise e
Manage to create a spcific DS user for the ldap instance Add uncalled code to load and configure the password extop plugin
2007-07-02 14:51:04 -05:00
General fixes. Do not start ipa_kpasswd by default yet
2007-08-15 20:35:35 -05:00
#add the password extop module
Manage to create a spcific DS user for the ldap instance Add uncalled code to load and configure the password extop plugin
2007-07-02 14:51:04 -05:00
def __add_pwd_extop_module(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("pwd-extop-conf.ldif", self.sub_dict)
Try to fix dir layout and recover missing files
2007-08-01 14:58:52 -05:00
Configure the ipa_pwd_extop plugin on replicas. If plugin isn't configured then the kerberos attributes don't get populated. User's will get Preauthentication errors from the kerberos libraries because there is no krbPrincipalKey to match against. 442134
2008-04-14 16:12:40 -05:00
def __add_master_key(self):
Add code to handle stash files using keytab format In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
2009-11-24 11:04:58 -06:00
#check for a keytab file by checking if the header magic is for a keytab
def __is_keytab(header):
if header == 0x0502 or header == 0x0501 or header == 0x0205 or header == 0x0105:
return 1
else:
return 0
#check whether a keytab file is v1 or v2
def __keytab_version(header):
if header == 0x0502 or header == 0x0205:
return 2
elif header == 0x0501 or header == 0x0105:
return 1
else:
return 0
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
#get the Master Key from the stash file
Try to catch more error conditions during installation Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 16:37:13 -05:00
try:
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
stash = open("/var/kerberos/krb5kdc/.k5."+self.realm, "r")
keytype = struct.unpack('h', stash.read(2))[0]
Add code to handle stash files using keytab format In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
2009-11-24 11:04:58 -06:00
if __is_keytab(keytype):
#in v2, all numbers are stored in network order
if __keytab_version(keytype) > 1:
__endian = '!'
else:
__endian = ''
#walk the first entry (there should only be one)
keyentrylen = struct.unpack(__endian + 'i', stash.read(4))[0]
#number of components in the principal name
keyprinccomps = struct.unpack(__endian + 'h', stash.read(2))[0]
#version 1 counted the realm as a component, version 2 doesn't
if __keytab_version(keytype) == 1:
keyprinccomps = keyprinccomps - 1
keyprinc = []
#read the components. the realm goes first, so we should
#end up with (realm, "K", "M")
for i in range(keyprinccomps + 1):
keyprinccompsize = struct.unpack(__endian + 'h', stash.read(2))[0]
keyprinc = keyprinc + [stash.read(keyprinccompsize)]
#version 2 added the principal name type, otherwise we just
#assume it's a regular old principal name
if __keytab_version(keytype) > 1:
keyprinctype = struct.unpack(__endian + 'i', stash.read(4))[0]
else:
keyprinctype = 1
#date the key was added to this keytab
keydate = struct.unpack(__endian + 'i', stash.read(4))[0]
#kvno
keyversion = struct.unpack('B', stash.read(1))[0]
#read the real enctype
keytype = struct.unpack(__endian + 'h', stash.read(2))[0]
keylen = struct.unpack(__endian + 'h', stash.read(2))[0]
keydata = stash.read(keylen)
#check that we parsed the whole file, so no surprises
keyoffset = stash.tell()
stash.seek(0,2)
if stash.tell() != keyoffset:
logging.critical("Unexpected unprocessed data in Stash file (processed %ld bytes, %ld left)." % (keyoffset, stash.tell() - keyoffset))
else:
keyversion = 1
keyprinctype = 1
keyprinc = [self.realm,"K","M"]
keylen = struct.unpack('i', stash.read(4))[0]
keydata = stash.read(keylen)
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
except os.error:
logging.critical("Failed to retrieve Master Key from Stash file: %s")
#encode it in the asn.1 attribute
MasterKey = univ.Sequence()
MasterKey.setComponentByPosition(0, univ.Integer(keytype))
MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
krbMKey = univ.Sequence()
Add code to handle stash files using keytab format In krb5 1.7 and later, the stash file (/var/kerberos/krb5kdc/.k5.$REALM on Fedora) is created in the regular keytab format instead of the older less-portable one. Based from comments and code in kt_file.c, here's a change to try to recognize that case (the file starts with a magic number) and read the master key from Python. The KDC will still read either format, so I left the bits that set things up on replicas alone (advice appreciated). The patch works as expected on my 64-bit box, both on RHEL5 (krb5 1.6.1 with a traditional stash file) and on Raw Hide (krb5 1.7 with a keytab).
2009-11-24 11:04:58 -06:00
krbMKey.setComponentByPosition(0, univ.Integer(keyversion))
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
dn = "cn="+self.realm+",cn=kerberos,"+self.suffix
CVE 2008 3274 related fixes
2008-08-15 16:17:03 -05:00
#protect the master key by adding an appropriate deny rule along with the key
mod = [(ldap.MOD_ADD, 'aci', ipautil.template_str(KRBMKEY_DENY_ACI, self.sub_dict)),
(ldap.MOD_ADD, 'krbMKey', str(asn1key))]
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
try:
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.conn.modify_s(dn, mod)
except ldap.TYPE_OR_VALUE_EXISTS, e:
logging.critical("failed to add master key to kerberos database\n")
raise e
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
def __create_ds_keytab(self):
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
ldap_principal = "ldap/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(ldap_principal)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.move_service(ldap_principal)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/dirsrv/ds.keytab")
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
in F7 all directory names have changed from fedora-ds to dirsrv which should also be the name used in DS 8.0, change all occurences
2007-08-15 18:45:18 -05:00
pent = pwd.getpwnam(self.ds_user)
Fix copy&paste error, its not the conf files we need access to, we need to access the generated keytabs
2007-08-30 14:31:27 -05:00
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
set preauth on kadmin/changepw otherwise the kpasswd can't acquire a ticket
2007-08-08 21:19:03 -05:00
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
def __create_host_keytab(self):
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
host_principal = "host/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(host_principal)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/krb5.keytab")
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
installutils.create_keytab("/etc/krb5.keytab", host_principal)
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
# Make sure access is strictly reserved to root only for now
os.chown("/etc/krb5.keytab", 0, 0)
os.chmod("/etc/krb5.keytab", 0600)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.move_service_to_host(host_principal)
Activate the passwd extop plugin and ipa-kpasswd daemon
2007-08-15 17:30:15 -05:00
def __export_kadmin_changepw_keytab(self):
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
installutils.kadmin_modprinc("kadmin/changepw", "+requires_preauth")
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/var/kerberos/krb5kdc/kpasswd.keytab")
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
installutils.create_keytab("/var/kerberos/krb5kdc/kpasswd.keytab", "kadmin/changepw")
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/sysconfig/ipa_kpasswd")
Fix issues reported by rpmlint. - Removing shebangs (#!) from a bunch of python libraries - Don't use a variable name in init scripts for the lock file - Keep the init script name consistent with the binary name, so renamed ipa-kpasswd.init to ipa_kpasswd.init - Add status option to the init scripts - Move most python scripts out of /usr/share/ipa and into the python site-packages directories (ipaserver and ipaclient) - Remove unnecessary sys.path.append("/usr/share/ipa") - Fix the license string in the spec files - Rename ipa-webgui to ipa_webgui everywhere - Fix a couple of issues reported by pychecker in ipa-python
2008-01-18 15:20:36 -06:00
update_key_val_in_file("/etc/sysconfig/ipa_kpasswd", "export KRB5_KTNAME", "/var/kerberos/krb5kdc/kpasswd.keytab")
Activate the passwd extop plugin and ipa-kpasswd daemon
2007-08-15 17:30:15 -05:00
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
def __setup_pkinit(self):
if self.self_signed_ca:
ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
subject_base=self.subject_base)
else:
ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
host_name=self.fqdn,
subject_base=self.subject_base)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if self.pkcs12_info:
ca_db.install_pem_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
"/var/kerberos/krb5kdc/kdc.pem")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
else:
if self.self_signed_ca:
ca_db.create_kdc_cert("KDC-Cert", self.fqdn,
"/var/kerberos/krb5kdc")
else:
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
raise RuntimeError("PKI not supported yet\n")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
shutil.copyfile("/usr/share/ipa/html/ca.crt",
"/var/kerberos/krb5kdc/cacert.pem")
anon-pkinit: add well known principal leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
2010-11-02 17:02:59 -05:00
def __add_anonymous_pkinit_principal(self):
princ = "WELLKNOWN/ANONYMOUS"
princ_realm = "%s@%s" % (princ, self.realm)
# Create the special anonymous principal
installutils.kadmin_addprinc(princ_realm)
try:
conn = ipaldap.IPAdmin("127.0.0.1")
conn.simple_bind_s("cn=directory manager", self.admin_password)
except Exception, e:
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
raise e
dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (princ_realm, self.realm, self.suffix)
conn.inactivateEntry(dn, False)
conn.unbind()
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
def uninstall(self):
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
running = self.restore_state("running")
enabled = self.restore_state("enabled")
Generate /etc/httpd/conf.d/ipa.conf from a template so the realm can be set during installation
2007-08-06 09:51:23 -05:00
Make sure all services are stopped during uninstall. We were just shutting down the KDC if it had been started prior to IPA installation. We need to stop it in all cases. And we should restart nscd as it may have made an LDAP connection. 440322
2008-05-13 15:29:01 -05:00
try:
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
self.stop()
Make sure all services are stopped during uninstall. We were just shutting down the KDC if it had been started prior to IPA installation. We need to stop it in all cases. And we should restart nscd as it may have made an LDAP connection. 440322
2008-05-13 15:29:01 -05:00
except:
pass
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
for f in ["/var/kerberos/krb5kdc/ldappwd", "/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
try:
self.fstore.restore_file(f)
except ValueError, error:
logging.debug(error)
pass
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
if not enabled is None and not enabled:
self.chkconfig_off()
if not running is None and running:
self.start()
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
self.kpasswd = KpasswdInstance()
self.kpasswd.uninstall()
Reference in New Issue Copy Permalink