IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Used the encrypt_file and decrypt_file utility functions to encrypt replica

Browse Source 
information. This way we do not risk to leave around sensitive data.
Set the destination host in the replica file too and do checks against
in ipa-replica-install
This commit is contained in:
Simo Sorce 2008-08-08 08:53:55 -04:00
parent 5cbc453d89
commit 0368d4329a
2 changed files with 60 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
ipa-server/ipa-install/ipa-replica-install
View File

@ -61,10 +61,13 @@ def parse_options():
def get_dirman_password(): def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def expand_info(filename): def expand_info(filename, password):
top_dir = tempfile.mkdtemp("ipa") top_dir = tempfile.mkdtemp("ipa")
tarfile = top_dir+"/files.tar"
dir = top_dir + "/realm_info" dir = top_dir + "/realm_info"
ipautil.run(["tar", "xfz", filename, "-C", top_dir]) ipautil.decrypt_file(filename, tarfile, password, top_dir)
ipautil.run(["tar", "xf", tarfile, "-C", top_dir])
os.remove(tarfile)
return top_dir, dir return top_dir, dir
@ -78,6 +81,7 @@ def read_info(dir, rconfig):
rconfig.master_host_name = config.get("realm", "master_host_name") rconfig.master_host_name = config.get("realm", "master_host_name")
rconfig.ds_user = config.get("realm", "ds_user") rconfig.ds_user = config.get("realm", "ds_user")
rconfig.domain_name = config.get("realm", "domain_name") rconfig.domain_name = config.get("realm", "domain_name")
rconfig.host_name = config.get("realm", "destination_host")
def get_host_name(): def get_host_name():
hostname = installutils.get_fqdn() hostname = installutils.get_fqdn()
@ -179,33 +183,37 @@ def main():
check_dirsrv() check_dirsrv()
top_dir, dir = expand_info(filename) # get the directory manager password
dirman_password = options.password
if not dirman_password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
try:
top_dir, dir = expand_info(filename, dirman_password)
except Exception, e:
print "ERROR: Failed to decrypt or open the replica file."
print "Verify you entered the correct Directory Manager password."
sys.exit(1)
config = ReplicaConfig() config = ReplicaConfig()
read_info(dir, config) read_info(dir, config)
config.host_name = get_host_name() config.dirman_password = dirman_password
p = filename.split('-') host = get_host_name()
host = '-'.join(p[2:]) if config.host_name != host:
if host != config.host_name:
try: try:
print "This replica was created for '%s' but this machine is named '%s'" % (host, config.host_name) print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
if not ipautil.user_input("This may cause problems. Continue?", True): if not ipautil.user_input("This may cause problems. Continue?", True):
sys.exit(0) sys.exit(0)
config.host_name = host
print "" print ""
except KeyboardInterrupt: except KeyboardInterrupt:
sys.exit(0) sys.exit(0)
config.repl_password = ipautil.ipa_generate_password() config.repl_password = ipautil.ipa_generate_password()
config.dir = dir config.dir = dir
# get the directory manager password
if not options.password:
try:
config.dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
else:
config.dirman_password = options.password
# Try out the password # Try out the password
try: try:
conn = ipaldap.IPAdmin(config.master_host_name) conn = ipaldap.IPAdmin(config.master_host_name)

40
ipa-server/ipa-install/ipa-replica-prepare
View File

@ -49,6 +49,8 @@ def parse_options():
help="PIN for the Directory Server PKCS#12 file") help="PIN for the Directory Server PKCS#12 file")
parser.add_option("--http_pin", dest="http_pin", parser.add_option("--http_pin", dest="http_pin",
help="PIN for the Apache Server PKCS#12 file") help="PIN for the Apache Server PKCS#12 file")
parser.add_option("-p", "--password", dest="password",
help="Directory Manager (existing master) password")
options, args = parser.parse_args(args) options, args = parser.parse_args(args)
@ -138,13 +140,14 @@ def get_ds_user(ds_dir):
return user return user
def save_config(dir, realm_name, host_name, ds_user, domain_name): def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host):
config = SafeConfigParser() config = SafeConfigParser()
config.add_section("realm") config.add_section("realm")
config.set("realm", "realm_name", realm_name) config.set("realm", "realm_name", realm_name)
config.set("realm", "master_host_name", host_name) config.set("realm", "master_host_name", host_name)
config.set("realm", "ds_user", ds_user) config.set("realm", "ds_user", ds_user)
config.set("realm", "domain_name", domain_name) config.set("realm", "domain_name", domain_name)
config.set("realm", "destination_host", dest_host)
fd = open(dir + "/realm_info", "w") fd = open(dir + "/realm_info", "w")
config.write(fd) config.write(fd)
@ -162,6 +165,9 @@ def copy_files(realm_name, dir):
print "error copying files: " + str(e) print "error copying files: " + str(e)
sys.exit(1) sys.exit(1)
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def main(): def main():
options, args = parse_options() options, args = parse_options()
@ -191,6 +197,26 @@ def main():
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
ds_user = get_ds_user(ds_dir) ds_user = get_ds_user(ds_dir)
# get the directory manager password
dirman_password = options.password
if not options.password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
# Try out the password
try:
conn = ipaldap.IPAdmin(host_name)
conn.do_simple_bind(bindpw=dirman_password)
conn.unbind()
except ldap.CONNECT_ERROR, e:
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
except ldap.SERVER_DOWN, e:
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name)
print "Preparing replica for %s from %s" % (replica_fqdn, host_name) print "Preparing replica for %s from %s" % (replica_fqdn, host_name)
top_dir = tempfile.mkdtemp("ipa") top_dir = tempfile.mkdtemp("ipa")
@ -241,12 +267,16 @@ def main():
print "Copying additional files" print "Copying additional files"
copy_files(realm_name, dir) copy_files(realm_name, dir)
print "Finalizing configuration" print "Finalizing configuration"
save_config(dir, realm_name, host_name, ds_user, domain_name) save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn)
print "Packaging the replica into /var/lib/ipa/%s" % "replica-info-" + replica_fqdn replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
ipautil.run(["/bin/tar", "cfz", "/var/lib/ipa/replica-info-" + replica_fqdn, "-C", top_dir, "realm_info"]) encfile = replicafile+".gpg"
os.chmod("/var/lib/ipa/replica-info-" + replica_fqdn, 0600)
print "Packaging replica information into %s" % encfile
ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
os.remove(replicafile)
shutil.rmtree(dir) shutil.rmtree(dir)
try: try: