Refactor dsinstance ldap modify code
Just a patch to refactor lots of similar code in dsinstance and krbinstance using a simple helper method. Note, there are some differences: - Some code used to call ldapmodify without -h 127.0.0.1 - Some of the code used to just print an error rather than using logging.critical() - Some code used to log some extra debug Signed-off-by: Mark McLoughlin <markmc@redhat.com>
This commit is contained in:
parent
7ba901d777
commit
065827d6e1
@ -44,10 +44,6 @@ from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
|
||||
def ldap_mod(fd, dn, pwd):
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
|
||||
ipautil.run(args)
|
||||
|
||||
def get_radius_version():
|
||||
version = None
|
||||
try:
|
||||
@ -157,17 +153,26 @@ class RadiusInstance(service.Service):
|
||||
except Exception, e:
|
||||
logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e)
|
||||
|
||||
def __ldap_mod(self, step, ldif):
|
||||
self.step(step)
|
||||
|
||||
txt = iputil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
|
||||
fd = ipautil.write_tmp_file(txt)
|
||||
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
|
||||
"-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name]
|
||||
|
||||
try:
|
||||
ipautil.run(args)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load %s: %s" % (ldif, str(e)))
|
||||
|
||||
fd.close()
|
||||
|
||||
#FIXME, should use IPAdmin method
|
||||
def __set_ldap_encrypted_attributes(self):
|
||||
ldif_file = 'encrypted_attribute.ldif'
|
||||
self.step("setting ldap encrypted attributes")
|
||||
ldif_txt = ipautil.template_file(ipautil.SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'})
|
||||
ldif_fd = ipautil.write_tmp_file(ldif_txt)
|
||||
try:
|
||||
ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load %s: %s" % (ldif_file, str(e)))
|
||||
ldif_fd.close()
|
||||
self.__ldap_mod("setting ldap encrypted attributes",
|
||||
"encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"})
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
|
||||
|
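Review bot: The new `__ldap_mod` helper in this section will fail on its first call: the template line reads `txt = iputil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)` (`iputil`, not `ipautil`), which raises NameError, and the rewritten `__set_ldap_encrypted_attributes` calls `self.__ldap_mod("setting ldap encrypted attributes", "encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"})` with three arguments although the helper accepts only `step` and `ldif`, which raises TypeError. The removed code rendered that ldif with its own one-key dict rather than `self.sub_dict`, so the third argument looks intended and the helper should accept an optional substitution dict instead of the call site dropping it; whether `self.sub_dict` already carries `ENCRYPTED_ATTRIBUTE` cannot be told from this hunk. The rewrite below adds the parameter and fixes the module name, after which the existing call site works unchanged.
```python
    def __ldap_mod(self, step, ldif, sub_dict=None):
        self.step(step)

        # Fall back to the instance-wide substitutions when the caller does
        # not supply its own (encrypted_attribute.ldif passes a one-key dict).
        if sub_dict is None:
            sub_dict = self.sub_dict
        txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, sub_dict)
        fd = ipautil.write_tmp_file(txt)
        # ... unchanged: ldapmodify args, ipautil.run, logging.critical, fd.close() ...
```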
@ -35,10 +35,6 @@ import ipaldap, ldap
|
||||
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
|
||||
SERVER_ROOT_32 = "/usr/lib/dirsrv"
|
||||
|
||||
def ldap_mod(fd, dn, pwd):
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
|
||||
ipautil.run(args)
|
||||
|
||||
def realm_to_suffix(realm_name):
|
||||
s = realm_name.split(".")
|
||||
terms = ["dc=" + x.lower() for x in s]
|
||||
@ -229,65 +225,39 @@ class DsInstance(service.Service):
|
||||
shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
|
||||
schema_dirname(self.realm_name) + "60ipaconfig.ldif")
|
||||
|
||||
def __add_memberof_module(self):
|
||||
self.step("enabling memboerof plugin")
|
||||
memberof_txt = ipautil.template_file(ipautil.SHARE_DIR + "memberof-conf.ldif", self.sub_dict)
|
||||
memberof_fd = ipautil.write_tmp_file(memberof_txt)
|
||||
def __ldap_mod(self, step, ldif):
|
||||
self.step(step)
|
||||
|
||||
txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
|
||||
fd = ipautil.write_tmp_file(txt)
|
||||
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
|
||||
"-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name]
|
||||
|
||||
try:
|
||||
ldap_mod(memberof_fd, "cn=Directory Manager", self.dm_password)
|
||||
ipautil.run(args)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load memberof-conf.ldif: %s" % str(e))
|
||||
memberof_fd.close()
|
||||
logging.critical("Failed to load %s: %s" % (ldif, str(e)))
|
||||
|
||||
fd.close()
|
||||
|
||||
def __add_memberof_module(self):
|
||||
self.__ldap_mod("enabling memberof plugin", "memberof-conf.ldif")
|
||||
|
||||
def __init_memberof(self):
|
||||
self.step("initializing group membership")
|
||||
memberof_txt = ipautil.template_file(ipautil.SHARE_DIR + "memberof-task.ldif", self.sub_dict)
|
||||
memberof_fd = ipautil.write_tmp_file(memberof_txt)
|
||||
try:
|
||||
ldap_mod(memberof_fd, "cn=Directory Manager", self.dm_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load memberof-conf.ldif: %s" % str(e))
|
||||
memberof_fd.close()
|
||||
self.__ldap_mod("initializing group membership", "memberof-task.ldif")
|
||||
|
||||
def __add_referint_module(self):
|
||||
self.step("enabling referential integrity plugin")
|
||||
referint_txt = ipautil.template_file(ipautil.SHARE_DIR + "referint-conf.ldif", self.sub_dict)
|
||||
referint_fd = ipautil.write_tmp_file(referint_txt)
|
||||
try:
|
||||
ldap_mod(referint_fd, "cn=Directory Manager", self.dm_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "Failed to load referint-conf.ldif", e
|
||||
referint_fd.close()
|
||||
self.__ldap_mod("enabling referential integrity plugin", "referint-conf.ldif")
|
||||
|
||||
def __add_dna_module(self):
|
||||
self.step("enabling distributed numeric assignment plugin")
|
||||
dna_txt = ipautil.template_file(ipautil.SHARE_DIR + "dna-conf.ldif", self.sub_dict)
|
||||
dna_fd = ipautil.write_tmp_file(dna_txt)
|
||||
try:
|
||||
ldap_mod(dna_fd, "cn=Directory Manager", self.dm_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "Failed to load dna-conf.ldif", e
|
||||
dna_fd.close()
|
||||
self.__ldap_mod("enabling distributed numeric assignment plugin", "dna-conf.ldif")
|
||||
|
||||
def __config_uidgid_gen_first_master(self):
|
||||
self.step("configuring Posix uid/gid generation as first master")
|
||||
dna_txt = ipautil.template_file(ipautil.SHARE_DIR + "dna-posix.ldif", self.sub_dict)
|
||||
dna_fd = ipautil.write_tmp_file(dna_txt)
|
||||
try:
|
||||
ldap_mod(dna_fd, "cn=Directory Manager", self.dm_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "Failed to configure Posix uid/gid generation with dna-posix.ldif", e
|
||||
dna_fd.close()
|
||||
self.__ldap_mod("configuring Posix uid/gid generation as first master", "dna-posix.ldif")
|
||||
|
||||
def __add_master_entry_first_master(self):
|
||||
self.step("adding master entry as first master")
|
||||
master_txt = ipautil.template_file(ipautil.SHARE_DIR + "master-entry.ldif", self.sub_dict)
|
||||
master_fd = ipautil.write_tmp_file(master_txt)
|
||||
try:
|
||||
ldap_mod(master_fd, "cn=Directory Manager", self.dm_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "Failed to add master-entry.ldif", e
|
||||
master_fd.close()
|
||||
self.__ldap_mod("adding master entry as first master", "master-entry.ldif")
|
||||
|
||||
def __enable_ssl(self):
|
||||
self.step("configuring ssl for ds instance")
|
||||
@ -324,31 +294,10 @@ class DsInstance(service.Service):
|
||||
conn.unbind()
|
||||
|
||||
def __add_default_layout(self):
|
||||
self.step("adding default layout")
|
||||
txt = ipautil.template_file(ipautil.SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
|
||||
inf_fd = ipautil.write_tmp_file(txt)
|
||||
logging.debug("adding default dfrom ipa.ipautil import *s layout")
|
||||
args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
|
||||
"-w", self.dm_password, "-f", inf_fd.name]
|
||||
try:
|
||||
ipautil.run(args)
|
||||
logging.debug("done adding default ds layout")
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "Failed to add default ds layout", e
|
||||
logging.critical("Failed to add default ds layout %s" % e)
|
||||
self.__ldap_mod("adding default layout", "bootstrap-template.ldif")
|
||||
|
||||
def __create_indeces(self):
|
||||
self.step("creating indeces")
|
||||
txt = ipautil.template_file(ipautil.SHARE_DIR + "indeces.ldif", self.sub_dict)
|
||||
inf_fd = ipautil.write_tmp_file(txt)
|
||||
logging.debug("adding/updating indeces")
|
||||
args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
|
||||
"-w", self.dm_password, "-f", inf_fd.name]
|
||||
try:
|
||||
ipautil.run(args)
|
||||
logging.debug("done adding/updating indeces")
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to add/update indeces %s" % str(e))
|
||||
self.__ldap_mod("creating indeces", "indeces.ldif")
|
||||
|
||||
def __certmap_conf(self):
|
||||
self.step("configuring certmap.conf")
|
||||
|
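Review bot: The `__ldap_mod` helper added to DsInstance (and its twins in the radius and krb sections) passes the Directory Manager password on the ldapmodify command line via `"-D", "cn=Directory Manager", "-w", self.dm_password`, so it is readable by any local user through the process list while the command runs; the removed per-call code did the same, but the refactor makes the helper the single place to fix it, for example with OpenLDAP's `-y <passwdfile>` pointing at a temporary file created with owner-only permissions. Separately, `fd.close()` runs only on the normal path and after `ipautil.CalledProcessError`, so any other exception from `ipautil.run` leaves the rendered ldif open and on disk (the `#TODO` comment on kerberos.ldif in the krb section suggests these templates can carry the substituted password); moving the close into a `finally:` block fixes that. The helper also logs at critical and returns normally, so a caller such as `__add_default_layout` cannot tell its step did not apply — this matches the previous inline behaviour, but if it is intended the except branch deserves a `# NOTE: failure is logged, not raised; installation continues` comment.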
@ -52,10 +52,6 @@ def host_to_domain(fqdn):
|
||||
s = fqdn.split(".")
|
||||
return ".".join(s[1:])
|
||||
|
||||
def ldap_mod(fd, dn, pwd):
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
|
||||
ipautil.run(args)
|
||||
|
||||
def update_key_val_in_file(filename, key, val):
|
||||
if os.path.exists(filename):
|
||||
pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
|
||||
@ -139,7 +135,7 @@ class KrbInstance(service.Service):
|
||||
|
||||
self.__common_setup(ds_user, realm_name, host_name, admin_password)
|
||||
|
||||
self.start_creation(11, "Configuring Kerberos KDC")
|
||||
self.start_creation(12, "Configuring Kerberos KDC")
|
||||
|
||||
self.__configure_kdc_account_password()
|
||||
self.__configure_sasl_mappings()
|
||||
@ -195,6 +191,22 @@ class KrbInstance(service.Service):
|
||||
HOST=self.host,
|
||||
REALM=self.realm)
|
||||
|
||||
def __ldap_mod(self, step, ldif):
|
||||
self.step(step)
|
||||
|
||||
txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict)
|
||||
fd = ipautil.write_tmp_file(txt)
|
||||
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
|
||||
"-D", "cn=Directory Manager", "-w", self.admin_password, "-f", fd.name]
|
||||
|
||||
try:
|
||||
ipautil.run(args)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load %s: %s" % (ldif, str(e)))
|
||||
|
||||
fd.close()
|
||||
|
||||
def __configure_sasl_mappings(self):
|
||||
self.step("adding sasl mappings to the directory")
|
||||
# we need to remove any existing SASL mappings in the directory as otherwise they
|
||||
@ -246,25 +258,10 @@ class KrbInstance(service.Service):
|
||||
raise e
|
||||
|
||||
def __add_krb_entries(self):
|
||||
self.step("adding kerberos entries to the DS")
|
||||
|
||||
#TODO: test that the ldif is ok with any random charcter we may use in the password
|
||||
kerberos_txt = ipautil.template_file(ipautil.SHARE_DIR + "kerberos.ldif", self.sub_dict)
|
||||
kerberos_fd = ipautil.write_tmp_file(kerberos_txt)
|
||||
try:
|
||||
ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load kerberos.ldif: %s" % str(e))
|
||||
kerberos_fd.close()
|
||||
self.__ldap_mod("adding kerberos entries to the DS", "kerberos.ldif")
|
||||
|
||||
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
|
||||
aci_txt = ipautil.template_file(ipautil.SHARE_DIR + "default-aci.ldif", self.sub_dict)
|
||||
aci_fd = ipautil.write_tmp_file(aci_txt)
|
||||
try:
|
||||
ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load default-aci.ldif: %s" % str(e))
|
||||
aci_fd.close()
|
||||
self.__ldap_mod("adding defalt ACIs", "default-aci.ldif")
|
||||
|
||||
def __create_instance(self, replica=False):
|
||||
self.step("configuring KDC")
|
||||
@ -325,14 +322,7 @@ class KrbInstance(service.Service):
|
||||
|
||||
#add the password extop module
|
||||
def __add_pwd_extop_module(self):
|
||||
self.step("adding the password extenstion to the directory")
|
||||
extop_txt = ipautil.template_file(ipautil.SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict)
|
||||
extop_fd = ipautil.write_tmp_file(extop_txt)
|
||||
try:
|
||||
ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
|
||||
except ipautil.CalledProcessError, e:
|
||||
logging.critical("Failed to load pwd-extop-conf.ldif: %s" % str(e))
|
||||
extop_fd.close()
|
||||
self.__ldap_mod("adding the password extenstion to the directory", "pwd-extop-conf.ldif")
|
||||
|
||||
#get the Master Key from the stash file
|
||||
try:
|
||||
|
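Review bot: The second step added to `__add_krb_entries` is labelled `self.__ldap_mod("adding defalt ACIs", "default-aci.ldif")`, a typo in a user-visible progress message; `"adding default ACIs"`. More importantly, the retained comment above it says this load is what closes anonymous access to kerberos keys and other hashes, yet the new `__ldap_mod` helper only calls `logging.critical` when ldapmodify fails and then returns, so a failed default-aci.ldif load leaves the permissive ACL in place while installation continues with the KDC setup. The removed inline code behaved the same way, but now that one helper serves every step it would be reasonable for its `except ipautil.CalledProcessError` branch to re-raise after logging, or for this caller to check a return value; the enclosing class continues outside the hunk.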