IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add plugin framework to LDAP updates.

Browse Source 
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
   to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.

Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
This commit is contained in:
Rob Crittenden
2011-11-23 16:52:40 -05:00
parent 56401c1abe
commit 2f4b3972a0
19 changed files with 648 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
freeipa.spec.in
View File

@@ -385,9 +385,13 @@ fi
%endif
if [ $1 -gt 1 ] ; then
/usr/sbin/ipa-upgradeconfig || :
/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
fi
%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
%preun server
if [ $1 = 0 ]; then
%if 0%{?fedora} >= 16

35
install/tools/ipa-ldap-updater
View File

@@ -33,6 +33,7 @@ try:
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipapython import sysrestore
import krbV
from ipalib import api
from ipapython.ipa_log_manager import *
except ImportError:
print >> sys.stderr, """\
@@ -49,15 +50,19 @@ def parse_options():
parser = IPAOptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
help="Display debugging information about the update(s)",
default=False)
parser.add_option("-t", "--test", action="store_true", dest="test",
help="Run through the update without changing anything")
help="Run through the update without changing anything",
default=False)
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
parser.add_option("-l", '--ldapi', action="store_true", dest="ldapi",
default=False, help="Connect to the LDAP server using the ldapi socket")
parser.add_option("-u", '--upgrade', action="store_true", dest="upgrade",
default=False, help="Upgrade an installed server in offline mode")
parser.add_option("-p", '--plugins', action="store_true", dest="plugins",
default=False, help="Execute update plugins. Always true when applying all update files.")
parser.add_option("-W", '--password', action="store_true",
dest="ask_password",
help="Prompt for the Directory Manager password")
@@ -78,6 +83,7 @@ def get_dirman_password():
def main():
badsyntax = False
upgradefailed = False
run_plugins = False
safe_options, options, args = parse_options()
@@ -96,14 +102,30 @@ def main():
if dirman_password is None:
sys.exit("\nDirectory Manager password required")
if options.upgrade:
standard_logging_setup('/var/log/ipaupgrade.log', verbose=True, debug=options.debug, filemode='a')
else:
standard_logging_setup(None, verbose=True, debug=options.debug)
cfg = dict (
in_server=True,
context='updates',
debug=options.debug,
)
api.bootstrap(**cfg)
api.finalize()
files = []
if len(args) > 0:
files = args
if len(files) < 1:
run_plugins = True
updates = None
if options.upgrade:
if os.getegid() != 0:
sys.exit('Upgrade can only be done as root')
standard_logging_setup('/var/log/ipaupgrade.log', verbose=True, debug=options.debug, filemode='a')
root_logger.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
realm = krbV.default_context().default_realm
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
@@ -112,21 +134,24 @@ def main():
badsyntax = upgrade.badsyntax
upgradefailed = upgrade.upgradefailed
else:
standard_logging_setup(None, verbose=True, debug=options.debug)
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=options.plugins or run_plugins)
if len(files) < 1:
files = ld.get_all_files(UPDATES_DIR)
modified = ld.update(files)
if badsyntax:
root_logger.info('Bad syntax detected in upgrade file(s).')
print 'Bad syntax detected in upgrade file(s).'
return 1
elif upgradefailed:
root_logger.info('IPA upgrade failed.')
print 'IPA upgrade failed.'
return 1
elif modified and options.test:
root_logger.info('Update complete, changes to be made, test mode')
return 2
else:
root_logger.info('Update complete')
return 0
try:

4
install/tools/ipa-managed-entries
View File

@@ -130,12 +130,10 @@ def main():
entries = conn.search_s(
managed_entry_definitions_dn, ldap.SCOPE_SUBTREE, filter
)
managed_entries = [entry.dn for entry in entries]
managed_entries = [entry.cn for entry in entries]
if managed_entries:
print "Available Managed Entry Definitions:"
for managed_entry in managed_entries:
rdn = DN(managed_entry)
managed_entry = rdn[0].value
print managed_entry
retval = 0
sys.exit()

5
install/tools/man/ipa-ldap-updater.1
View File

@@ -83,8 +83,11 @@ File containing the Directory Manager password
\fB\-l\fR, \fB\-\-ldapi\fR
Connect to the LDAP server using the ldapi socket
.TP
\fB\-p\fR, \fB\-\-\-plugins\fR
Execute update plugins as well as any update files. There is no way to execute only the plugins.
.TP
\fB\-u\fR, \fB\-\-\-upgrade\fR
Upgrade an installed server in offline mode (implies \-\-ldapi)
Upgrade an installed server in offline mode (implies \-\-ldapi and \-\-plugins)
.TP
\fB\-W\fR, \fB\-\-\-password\fR
Prompt for the Directory Manager password

4
install/updates/20-user_private_groups.update
View File

@@ -16,9 +16,11 @@ default:mepMappedAttr: description: User private group for $$uid
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
default:objectclass: extensibleObject
replace:originFilter:objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__)))
default:cn: UPG Definition
default:originScope: cn=users,cn=accounts,$SUFFIX
default:originFilter: objectclass=posixAccount
default:managedBase: cn=groups,cn=accounts,$SUFFIX
default:managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
replace:originFilter: objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__)))

4
ipalib/__init__.py
View File

@@ -875,7 +875,7 @@ freeIPA.org:
import os
import plugable
from backend import Backend
from frontend import Command, LocalOrRemote
from frontend import Command, LocalOrRemote, Updater
from frontend import Object, Method, Property
from crud import Create, Retrieve, Update, Delete, Search
from parameters import DefaultFrom, Bool, Flag, Int, Float, Bytes, Str, IA5Str, Password,List
@@ -907,7 +907,7 @@ def create_api(mode='dummy'):
- `backend.Backend`
"""
api = plugable.API(Command, Object, Method, Property, Backend)
api = plugable.API(Command, Object, Method, Property, Backend, Updater)
if mode is not None:
api.env.mode = mode
assert mode != 'production'

44
ipalib/frontend.py
View File

@@ -30,7 +30,7 @@ from util import make_repr
from output import Output, Entry, ListOfEntries
from text import _, ngettext
from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError
from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError, ValidationError
from errors import InvocationError
from constants import TYPE_ERROR
from ipapython.version import API_VERSION
@@ -557,7 +557,11 @@ class Command(HasParam):
# None means "delete this attribute"
value = None
if attr in self.params:
value = self.params[attr](value)
try:
value = self.params[attr](value)
except ValidationError, err:
(name, error) = str(err.strerror).split(':')
raise ValidationError(name=attr, error=error)
if append and attr in newdict:
if type(value) in (tuple,):
newdict[attr] += list(value)
@@ -1334,3 +1338,39 @@ class Property(Attribute):
attr = getattr(self, name)
if is_rule(attr):
yield attr
class Updater(Method):
"""
An LDAP update with an associated object (always update).
All plugins that subclass from `Updater` will be automatically available
as a server update function.
Plugins that subclass from Updater are registered in the ``api.Updater``
namespace. For example:
>>> from ipalib import create_api
>>> api = create_api()
>>> class my(Object):
... pass
...
>>> api.register(my)
>>> class my_update(Updater):
... pass
...
>>> api.register(my_update)
>>> api.finalize()
>>> list(api.Updater)
['my_update']
>>> api.Updater.my_update # doctest:+ELLIPSIS
ipalib.frontend.my_update()
"""
def __init__(self):
super(Updater, self).__init__()
def __call__(self, **options):
self.debug(
'raw: %s', self.name
)
return self.execute(**options)

15
ipalib/plugable.py
View File

@@ -594,16 +594,29 @@ class API(DictProxy):
self.import_plugins('ipalib')
if self.env.in_server:
self.import_plugins('ipaserver')
if self.env.context in ('installer', 'updates'):
self.import_plugins('ipaserver/install/plugins')
# FIXME: This method has no unit test
def import_plugins(self, package):
"""
Import modules in ``plugins`` sub-package of ``package``.
"""
package = package.replace(os.path.sep, '.')
subpackage = '%s.plugins' % package
try:
parent = __import__(package)
plugins = __import__(subpackage).plugins
parts = package.split('.')[1:]
if parts:
for part in parts:
if part == 'plugins':
plugins = subpackage.plugins
subpackage = plugins.__name__
break
subpackage = parent.__getattribute__(part)
parent = subpackage
else:
plugins = __import__(subpackage).plugins
except ImportError, e:
self.log.error(
'cannot import plugins sub-package %s: %s', subpackage, e

2
ipaserver/install/dsinstance.py
View File

@@ -420,7 +420,7 @@ class DsInstance(service.Service):
conn.unbind()
def apply_updates(self):
ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict, plugins=True)
files = ld.get_all_files(ldapupdate.UPDATES_DIR)
ld.update(files)

144
ipaserver/install/ldapupdate.py
View File

@@ -31,6 +31,7 @@ from ipaserver import ipaldap
from ipapython import entity, ipautil
from ipalib import util
from ipalib import errors
from ipalib import api
import ldap
from ldap.dn import escape_dn_chars
from ipapython.ipa_log_manager import *
@@ -42,6 +43,8 @@ import os
import pwd
import fnmatch
import csv
from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE
from ipaserver.install.plugins import FIRST, MIDDLE, LAST
class BadSyntax(Exception):
def __init__(self, value):
@@ -49,32 +52,15 @@ class BadSyntax(Exception):
def __str__(self):
return repr(self.value)
class IPARestart(service.Service):
"""
Restart the 389 DS service prior to performing deletions.
"""
def __init__(self, live_run=True):
"""
This class is present to provide ldapupdate the means to
restart 389 DS to apply updates prior to performing deletes.
"""
service.Service.__init__(self, "dirsrv")
self.live_run = live_run
def create_instance(self):
self.step("stopping directory server", self.stop)
self.step("starting directory server", self.start)
self.start_creation("Restarting IPA to initialize updates before performing deletes:")
class LDAPUpdate:
def __init__(self, dm_password, sub_dict={}, live_run=True,
online=True, ldapi=False):
online=True, ldapi=False, plugins=False):
"""dm_password = Directory Manager password
sub_dict = substitution dictionary
live_run = Apply the changes or just test
online = do an online LDAP update or use an experimental LDIF updater
ldapi = bind using ldapi. This assumes autobind is enabled.
plugins = execute the pre/post update plugins
"""
self.sub_dict = sub_dict
self.live_run = live_run
@@ -83,6 +69,7 @@ class LDAPUpdate:
self.modified = False
self.online = online
self.ldapi = ldapi
self.plugins = plugins
self.pw_name = pwd.getpwuid(os.geteuid()).pw_name
if sub_dict.get("REALM"):
@@ -554,11 +541,11 @@ class LDAPUpdate:
# skip this update type, it occurs in __delete_entries()
return None
elif utype == 'replace':
# v has the format "old:: new"
# v has the format "old::new"
try:
(old, new) = v.split('::', 1)
except ValueError:
raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % v
raise BadSyntax, "bad syntax in replace, needs to be in the format old::new in %s" % v
try:
e.remove(old)
e.append(new)
@@ -708,11 +695,12 @@ class LDAPUpdate:
deletes = updates.get('deleteentry', [])
for d in deletes:
try:
if self.live_run:
self.conn.deleteEntry(dn)
self.modified = True
root_logger.info('Deleting entry %s", dn)
if self.live_run:
self.conn.deleteEntry(dn)
self.modified = True
except errors.NotFound, e:
root_logger.info("Deleting non-existent entry %s", e)
root_logger.info("%s did not exist:%s", (dn, e))
self.modified = True
except errors.DatabaseError, e:
root_logger.error("Delete failed: %s", e)
@@ -724,11 +712,12 @@ class LDAPUpdate:
if utype == 'deleteentry':
try:
if self.live_run:
self.conn.deleteEntry(dn)
self.modified = True
root_logger.info('Deleting entry %s", dn)
if self.live_run:
self.conn.deleteEntry(dn)
self.modified = True
except errors.NotFound, e:
root_logger.info("Deleting non-existent entry %s", e)
root_logger.info("%s did not exist:%s", (dn, e))
self.modified = True
except errors.DatabaseError, e:
root_logger.error("Delete failed: %s", e)
@@ -772,16 +761,49 @@ class LDAPUpdate:
else:
raise RuntimeError("Offline updates are not supported.")
def __run_updates(self, dn_list, all_updates):
# For adds and updates we want to apply updates from shortest
# to greatest length of the DN. For deletes we want the reverse.
sortedkeys = dn_list.keys()
sortedkeys.sort()
for k in sortedkeys:
for dn in dn_list[k]:
self.__update_record(all_updates[dn])
sortedkeys.reverse()
for k in sortedkeys:
for dn in dn_list[k]:
self.__delete_record(all_updates[dn])
def update(self, files):
"""Execute the update. files is a list of the update files to use.
returns True if anything was changed, otherwise False
"""
updates = None
if self.plugins:
logging.info('PRE_UPDATE')
updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
try:
self.create_connection()
all_updates = {}
dn_list = {}
# Start with any updates passed in from pre-update plugins
if updates:
for entry in updates:
all_updates.update(entry)
for upd in updates:
for dn in upd:
dn_explode = ldap.explode_dn(dn.lower())
l = len(dn_explode)
if dn_list.get(l):
if dn not in dn_list[l]:
dn_list[l].append(dn)
else:
dn_list[l] = [dn]
for f in files:
try:
root_logger.info("Parsing file %s" % f)
@@ -792,40 +814,38 @@ class LDAPUpdate:
(all_updates, dn_list) = self.parse_update_file(data, all_updates, dn_list)
# Process Managed Entry Updates
managed_entries = self.__update_managed_entries()
if managed_entries:
managed_entry_dns = [[m[entry]['dn'] for entry in m] for m in managed_entries]
l = len(dn_list.keys())
# Add Managed Entry DN's to the DN List
for dn in managed_entry_dns:
l+=1
dn_list[l] = dn
# Add Managed Entry Updates to All Updates List
for managed_entry in managed_entries:
all_updates.update(managed_entry)
# For adds and updates we want to apply updates from shortest
# to greatest length of the DN. For deletes we want the reverse.
sortedkeys = dn_list.keys()
sortedkeys.sort()
for k in sortedkeys:
for dn in dn_list[k]:
self.__update_record(all_updates[dn])
# Restart 389 Directory Service
socket_name = '/var/run/slapd-%s.socket' % self.realm.replace('.','-')
iparestart = IPARestart()
iparestart.create_instance()
installutils.wait_for_open_socket(socket_name)
self.create_connection()
sortedkeys.reverse()
for k in sortedkeys:
for dn in dn_list[k]:
self.__delete_record(all_updates[dn])
self.__run_updates(dn_list, all_updates)
finally:
if self.conn: self.conn.unbind()
if self.plugins:
logging.info('POST_UPDATE')
updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
dn_list = {}
for upd in updates:
for dn in upd:
dn_explode = ldap.explode_dn(dn.lower())
l = len(dn_explode)
if dn_list.get(l):
if dn not in dn_list[l]:
dn_list[l].append(dn)
else:
dn_list[l] = [dn]
self.__run_updates(dn_list, updates)
return self.modified
def update_from_dict(self, dn_list, updates):
"""
Apply updates internally as opposed to from a file.
dn_list is a list of dns to be updated
updates is a dictionary containing the updates
"""
if not self.conn:
self.create_connection()
self.__run_updates(dn_list, updates)
return self.modified

16
ipaserver/install/plugins/Makefile.am Normal file
View File

@@ -0,0 +1,16 @@
NULL =
appdir = $(pythondir)/ipaserver/install
app_PYTHON = \
__init__.py \
baseupdate.py \
rename_managed.py \
updateclient.py \
$(NULL)
EXTRA_DIST = \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in

28
ipaserver/install/plugins/__init__.py Normal file
View File

@@ -0,0 +1,28 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Provide a separate api for updates.
"""
PRE_UPDATE = 1
POST_UPDATE = 2
FIRST = 1
MIDDLE = 2
LAST = 4

68
ipaserver/install/plugins/baseupdate.py Normal file
View File

@@ -0,0 +1,68 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api
from ipalib import errors
from ipalib import Updater, Object
from ipaserver.install import service
from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, MIDDLE
class DSRestart(service.Service):
"""
Restart the 389-ds service.
"""
def __init__(self):
"""
This class is present to provide ldapupdate the means to
restart 389-ds.
"""
service.Service.__init__(self, "dirsrv")
def create_instance(self):
self.step("stopping directory server", self.stop)
self.step("starting directory server", self.start)
self.start_creation("Restarting Directory server to apply updates")
class update(Object):
"""
Generic object used to register all updates into a single namespace.
"""
backend_name = 'ldap2'
api.register(update)
class PreUpdate(Updater):
"""
Base class for updates that run prior to file processing.
"""
updatetype = PRE_UPDATE
order = MIDDLE
def __init__(self):
super(PreUpdate, self).__init__()
class PostUpdate(Updater):
"""
Base class for updates that run after file processing.
"""
updatetype = POST_UPDATE
order = MIDDLE
def __init__(self):
super(PostUpdate, self).__init__()

132
ipaserver/install/plugins/rename_managed.py Normal file
View File

@@ -0,0 +1,132 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate
from ipalib.frontend import Updater
from ipaserver.install.plugins import baseupdate
from ipalib import api, errors
from ipapython import ipautil
import ldap as _ldap
def entry_to_update(entry):
"""
Convert an entry into a name/value pair list that looks like an update.
An entry is a dict.
An update is a list of name/value pairs.
"""
update = []
for attr in entry.keys():
if isinstance(entry[attr], list):
for i in xrange(len(entry[attr])):
update.append('%s:%s' % (str(attr), str(entry[attr][i])))
else:
update.append('%s:%s' % (str(attr), str(entry[attr])))
return update
def generate_update(ldap, deletes=False):
"""
We need to separate the deletes that need to happen from the
new entries that need to be added.
"""
suffix = ipautil.realm_to_suffix(api.env.realm)
searchfilter = '(objectclass=*)'
definitions_managed_entries = []
old_template_container = 'cn=etc,%s' % suffix
old_definition_container = 'cn=managed entries,cn=plugins,cn=config'
new = 'cn=Managed Entries,cn=etc,%s' % suffix
sub = ['cn=Definitions,', 'cn=Templates,']
new_managed_entries = []
old_templates = []
template = None
restart = False
# If the old entries don't exist the server has already been updated.
try:
(definitions_managed_entries, truncated) = ldap.find_entries(
searchfilter, ['*'], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False
)
except errors.NotFound, e:
return (False, new_managed_entries)
for entry in definitions_managed_entries:
new_definition = {}
definition_managed_entry_updates = {}
if deletes:
old_definition = {'dn': str(entry[0]), 'deleteentry': ['dn: %s' % str(entry[0])]}
old_template = str(entry[1]['managedtemplate'][0])
definition_managed_entry_updates[old_definition['dn']] = old_definition
old_templates.append(old_template)
else:
entry[1]['managedtemplate'] = str(entry[1]['managedtemplate'][0].replace(old_template_container, sub[1] + new))
new_definition['dn'] = str(entry[0].replace(old_definition_container, sub[0] + new))
new_definition['default'] = entry_to_update(entry[1])
definition_managed_entry_updates[new_definition['dn']] = new_definition
new_managed_entries.append(definition_managed_entry_updates)
for old_template in old_templates: # Only happens when deletes is True
try:
(dn, template) = ldap.get_entry(old_template, ['*'], normalize=False)
dn = str(dn)
new_template = {}
template_managed_entry_updates = {}
old_template = {'dn': dn, 'deleteentry': ['dn: %s' % dn]}
new_template['dn'] = str(dn.replace(old_template_container, sub[1] + new))
new_template['default'] = entry_to_update(template)
template_managed_entry_updates[new_template['dn']] = new_template
template_managed_entry_updates[old_template['dn']] = old_template
new_managed_entries.append(template_managed_entry_updates)
except errors.NotFound, e:
pass
if len(new_managed_entries) > 0:
restart = True
new_managed_entries.sort(reverse=True)
return (restart, new_managed_entries)
class update_managed_post_first(PreUpdate):
"""
Update managed entries
"""
order=FIRST
def execute(self, **options):
# Never need to restart with the pre-update changes
(ignore, new_managed_entries) = generate_update(self.obj.backend, False)
return (False, True, new_managed_entries)
api.register(update_managed_post_first)
class update_managed_post(PostUpdate):
"""
Update managed entries
"""
order=LAST
def execute(self, **options):
(restart, new_managed_entries) = generate_update(self.obj.backend, True)
return (restart, True, new_managed_entries)
api.register(update_managed_post)

182
ipaserver/install/plugins/updateclient.py Normal file
View File

@@ -0,0 +1,182 @@
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
from ipaserver.install import installutils
from ipaserver.install.plugins import FIRST, MIDDLE, LAST
from ipaserver.install.plugins import POST_UPDATE
from ipaserver.install.plugins.baseupdate import DSRestart
from ipaserver.install.ldapupdate import LDAPUpdate
from ipalib import api
from ipalib import backend
import ldap as _ldap
class updateclient(backend.Executioner):
"""
Backend used for applying LDAP updates via plugins
An update plugin can be executed before the file-based plugins or
afterward. Each plugin returns three values:
1. restart: dirsrv needs to be restarted BEFORE this update is
applied.
2. apply_now: when True the update is applied when the plugin
returns. Otherwise the update is cached until all
plugins of that update type are complete, then they
are applied together.
3. updates: A dictionary of updates to be applied.
updates is a dictionary keyed on dn. The value of an update is a
dictionary with the following possible values:
- dn: str, duplicate of the key
- updates: list of updates against the dn
- default: list of the default entry to be added if it doesn't
exist
- deleteentry: list of dn's to be deleted (typically single dn)
For example, this update file:
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration:10::600
replace: krbPwdMaxFailure:3::6
Generates this update dictionary:
dict('cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com':
dict(
'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'updates': ['replace:krbPwdLockoutDuration:10::600',
'replace:krbPwdMaxFailure:3::6']
)
)
Here is another example showing how a default entry is configured:
dn: cn=Managed Entries,cn=etc,$SUFFIX
default: objectClass: nsContainer
default: objectClass: top
default: cn: Managed Entries
This generates:
dict('cn=Managed Entries,cn=etc,dc=example,dc=com',
dict(
'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com',
'default': ['objectClass:nsContainer',
'objectClass:top',
'cn:Managed Entries'
]
)
)
Note that the variable substitution in both examples has been completed.
A PRE_UPDATE plugin is executed before file-based updates.
A POST_UPDATE plugin is executed after file-based updates.
Plugins are executed automatically when ipa-ldap-updater is run
in upgrade mode (--upgrade). They are not executed normally otherwise.
To execute plugins as well use the --plugins flag.
Either may make changes directly in LDAP or can return updates in
update format.
"""
def create_context(self, dm_password):
if dm_password:
autobind = False
else:
autobind = True
self.Backend.ldap2.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password, autobind=autobind)
def order(self, updatetype):
"""
Calculate rough order of plugins.
"""
order = []
for plugin in api.Updater(): #pylint: disable=E1101
if plugin.updatetype != updatetype:
continue
if plugin.order == FIRST:
order.insert(0, plugin)
elif plugin.order == MIDDLE:
order.insert(len(order)/2, plugin)
else:
order.append(plugin)
for o in order:
yield o
def update(self, updatetype, dm_password, ldapi, live_run):
"""
Execute all update plugins of type updatetype.
"""
self.create_context(dm_password)
kw = dict(live_run=live_run)
result = []
ld = LDAPUpdate(dm_password=dm_password, sub_dict={}, live_run=live_run, ldapi=ldapi)
for update in self.order(updatetype):
(restart, apply_now, res) = self.run(update.name, **kw)
if restart:
self.restart(dm_password, live_run)
dn_list = {}
for upd in res:
for dn in upd:
dn_explode = _ldap.explode_dn(dn.lower())
l = len(dn_explode)
if dn_list.get(l):
if dn not in dn_list[l]:
dn_list[l].append(dn)
else:
dn_list[l] = [dn]
updates = {}
for entry in res:
updates.update(entry)
if apply_now:
ld.update_from_dict(dn_list, updates)
elif res:
result.extend(res)
self.destroy_context()
return result
def run(self, method, **kw):
"""
Execute the update plugin.
"""
return self.Updater[method](**kw) #pylint: disable=E1101
def restart(self, dm_password, live_run):
if os.getegid() != 0:
self.log.warn("Not root, skipping restart")
return
dsrestart = DSRestart()
socket_name = '/var/run/slapd-%s.socket' % \
api.env.realm.replace('.','-')
if live_run:
self.destroy_context()
dsrestart.create_instance()
installutils.wait_for_open_socket(socket_name)
self.create_context(dm_password)
else:
self.log.warn("Test mode, skipping restart")
api.register(updateclient)

7
ipaserver/install/upgradeinstance.py
View File

@@ -21,6 +21,7 @@ import os
import sys
import shutil
import random
import traceback
from ipapython.ipa_log_manager import *
from ipaserver.install import installutils
@@ -100,11 +101,12 @@ class IPAUpgrade(service.Service):
def __upgrade(self):
try:
ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run)
ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
if len(self.files) == 0:
self.files = ld.get_all_files(ldapupdate.UPDATES_DIR)
self.modified = ld.update(self.files)
except ldapupdate.BadSyntax:
except ldapupdate.BadSyntax, e:
logging.error('Bad syntax in upgrade %s' % str(e))
self.modified = False
self.badsyntax = True
except Exception, e:
@@ -112,6 +114,7 @@ class IPAUpgrade(service.Service):
self.modified = False
self.upgradefailed = True
root_logger.error('Upgrade failed with %s' % str(e))
root_logger.debug('%s', traceback.format_exc())
def main():
if os.getegid() != 0:

16
ipaserver/plugins/ldap2.py
View File

@@ -34,6 +34,7 @@ import shutil
import tempfile
import time
import re
import pwd
import krbV
from ipapython.ipa_log_manager import *
@@ -313,7 +314,7 @@ class ldap2(CrudBackend, Encoder):
@encode_args(2, 3, 'bind_dn', 'bind_pw')
def create_connection(self, ccache=None, bind_dn='', bind_pw='',
tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
debug_level=0):
debug_level=0, autobind=False):
"""
Connect to LDAP server.
@@ -326,6 +327,7 @@ class ldap2(CrudBackend, Encoder):
tls_cacertfile -- TLS CA certificate filename
tls_certfile -- TLS certificate filename
tls_keyfile - TLS bind key filename
autobind - autobind as the current user
Extends backend.Connectible.create_connection.
"""
@@ -342,7 +344,7 @@ class ldap2(CrudBackend, Encoder):
try:
conn = _ldap.initialize(self.ldap_uri)
if self.ldap_uri.startswith('ldapi://'):
if self.ldap_uri.startswith('ldapi://') and ccache:
conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
if ccache is not None:
os.environ['KRB5CCNAME'] = ccache
@@ -351,8 +353,14 @@ class ldap2(CrudBackend, Encoder):
context=krbV.default_context()).principal().name
setattr(context, 'principal', principal)
else:
# no kerberos ccache, use simple bind
conn.simple_bind_s(bind_dn, bind_pw)
# no kerberos ccache, use simple bind or external sasl
if autobind:
pent = pwd.getpwuid(os.geteuid())
auth_tokens = _ldap.sasl.external(pent.pw_name)
conn.sasl_interactive_bind_s("", auth_tokens)
else:
conn.simple_bind_s(bind_dn, bind_pw)
except _ldap.LDAPError, e:
_handle_errors(e, **{})

1
setup.py
View File

@@ -81,6 +81,7 @@ setup(
'ipaserver',
'ipaserver.plugins',
'ipaserver.install',
'ipaserver.install.plugins',
],
scripts=['ipa'],
data_files = [('share/man/man1', ["ipa.1"])],

22
tests/test_ipaserver/test_ldap.py
View File

@@ -31,7 +31,7 @@ from ipaserver.plugins.ldap2 import ldap2
from ipalib.plugins.service import service, service_show
from ipalib.plugins.host import host
import nss.nss as nss
from ipalib import api, x509, create_api
from ipalib import api, x509, create_api, errors
from ipapython import ipautil
from ipalib.dn import *
@@ -49,7 +49,7 @@ class test_ldap(object):
('cn','services'),('cn','accounts'),api.env.basedn))
def tearDown(self):
if self.conn:
if self.conn and self.conn.isconnected():
self.conn.disconnect()
def test_anonymous(self):
@@ -120,3 +120,21 @@ class test_ldap(object):
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
self.conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
try:
self.conn.connect(autobind=True)
except errors.DatabaseError, e:
if e.desc == 'Inappropriate authentication':
raise nose.SkipTest("Only executed as root")
(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None