Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

This commit is contained in:
Pavel Zuna 2010-03-24 15:51:31 +01:00 committed by Rob Crittenden
parent cc336cf9c1
commit 3620135ec9
11 changed files with 144 additions and 148 deletions


@ -22,12 +22,11 @@
import sys
try:
from optparse import OptionParser
from ipaserver import ipaldap
from ipapython import entity, ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
from ipaserver.plugins.ldap2 import ldap2
from ipalib import errors
import ldap
import logging
import re
import krbV
@ -95,26 +94,29 @@ def main():
else:
dirman_password = get_dirman_password()
conn = None
try:
ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
conn = ipaldap.IPAdmin(installutils.get_fqdn())
conn.do_simple_bind(bindpw=dirman_password)
except ldap.LDAPError, e:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password
)
except errors.LDAPError, e:
print "An error occurred while connecting to the server."
print "%s" % e[0]['desc']
print e
return 1
if args[0] == "enable":
try:
conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
ldap.SCOPE_BASE, "(objectclass=*)")
conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config')
print "Plugin already Enabled"
retval = 2
except errors.NotFound:
print "Enabling plugin"
except ldap.LDAPError, e:
except errors.LDAPError, e:
print "An error occurred while talking to the server."
print "%s" % e[0]['desc']
print e
retval = 1
if retval == 0:
@ -127,17 +129,15 @@ def main():
# Make a quick hack foir now, directly delete the entries by name,
# In future we should add delete capabilites to LDAPUpdate
try:
conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
ldap.SCOPE_BASE, "(objectclass=*)")
conn.deleteEntry("cn=groups,cn=Schema Compatibility,cn=plugins,cn=config")
conn.deleteEntry("cn=users,cn=Schema Compatibility,cn=plugins,cn=config")
conn.deleteEntry("cn=Schema Compatibility,cn=plugins,cn=config")
conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config')
conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config')
conn.delete_entry('cn=Schema Compatibility,cn=plugins,cn=config')
except errors.NotFound:
print "Plugin is already disabled"
retval = 2
except ldap.LDAPError, e:
except errors.LDAPError, e:
print "An error occurred while talking to the server."
print "%s" % e[0]['desc']
print e
retval = 1
else:
@ -145,7 +145,7 @@ def main():
finally:
if conn:
conn.unbind()
conn.disconnect()
return retval
@ -167,6 +167,6 @@ except config.IPAConfigError, e:
print "An IPA server to update cannot be found. Has one been configured yet?"
print "The error was: %s" % e
sys.exit(1)
except ldap.LDAPError, e:
except errors.LDAPError, e:
print "An error occurred while performing operations: %s" % e
sys.exit(1)
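Review bot: The new connect block (`conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')` through `return 1`) catches only `errors.LDAPError`, yet the other scripts in this commit handle a wrong Directory Manager password with a separate `except errors.ACIError:` clause placed before `except errors.LDAPError:`; if `ACIError` is not a subclass of `LDAPError`, a mistyped password here escapes as an unhandled traceback instead of the "An error occurred while connecting to the server." message. Adding `except errors.ACIError:` with `print "Incorrect Directory Manager password"` and `return 1` ahead of the existing clause would match the other scripts. Separately, the Directory Manager simple bind now goes to an explicitly constructed `ldap://` URI for the FQDN; that mirrors the legacy `IPAdmin` path, but it is worth confirming that `ldap2.connect()` negotiates TLS or that the FQDN always resolves to the local host, since the credential otherwise travels in clear text.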


@ -22,13 +22,12 @@
from optparse import OptionParser
import traceback
from ipaserver import ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import bindinstance, ntpinstance
from ipaserver.install.installutils import *
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, util
import ldap
from ipalib import api, errors, util
def parse_options():
parser = OptionParser(version=version.VERSION)
@ -134,14 +133,15 @@ def main():
dm_password = options.dm_password
# Try out the password
ldapuri = 'ldap://%s' % api.env.host
try:
conn = ipaldap.IPAdmin(api.env.host)
conn.do_simple_bind(bindpw=dm_password)
conn.unbind()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.INVALID_CREDENTIALS, e :
conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
conn.disconnect()
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
except errors.LDAPError:
sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()


@ -25,13 +25,10 @@ try:
import ipapython.ipautil
import krbV
import ldap
from ldap import LDAPError
from ldap import ldapobject
from ipalib import errors
from ipaclient import ipachangeconf
from ipaserver import ipaldap
from ipaserver.plugins.ldap2 import ldap2
from pyasn1.type import univ, namedtype
import pyasn1.codec.ber.encoder
@ -70,22 +67,24 @@ def parse_options():
def check_vuln(realm, suffix):
ldapuri = 'ldap://127.0.0.1'
try:
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind()
msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
ldap.SCOPE_BASE,
"(objectclass=krbRealmContainer)",
("krbmkey", "cn"))
res = conn.result(msgid)
conn.unbind()
if len(res) != 2:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect()
try:
(entries, truncated) = conn.find_entries(
filter='(objectclass=krbRealmContainer)',
attrs_list=('krbmkey', 'cn'), scope=ldap2.SCOPE_BASE,
base_dn='cn=%s,cn=kerberos' % realm
)
except errors.NotFound:
err = 'Realm Container not found, unable to proceed'
print err
raise Exception, err
finally:
conn.disconnect()
if 'krbmkey' in res[1][0][1]:
if 'krbmkey' in entries[0][1]:
print 'System vulnerable'
return 1
else:
@ -185,9 +184,10 @@ def change_mkey(password = None, quiet = False):
password = getpass.getpass("Directory Manager password: ")
# get a connection to the DS
ldapuri = 'ldap://%s' % ipapython.config.config.default_server[0]
try:
conn = ipaldap.IPAdmin(ipapython.config.config.default_server[0])
conn.do_simple_bind(bindpw=password)
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=password)
except Exception, e:
print "ERROR: Could not connect to the Directory Server on "+ipapython.config.config.default_server[0]+" ("+str(e)+")"
return 1
@ -298,8 +298,8 @@ def change_mkey(password = None, quiet = False):
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+realm+",cn=kerberos,"+suffix
mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn.modify_s(dn, mod)
mod = {'krbmkey': str(asn1key)}
conn.update_entry(dn, mod)
except Exception, e:
print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
return 1
@ -459,16 +459,25 @@ def fix_main(password, realm, suffix):
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
dn = 'cn=%s,cn=kerberos' % realm
sub_dict = dict(REALM=realm, SUFFIX=suffix)
#protect the master key by adding an appropriate deny rule along with the key
mod = [(ldap.MOD_ADD, 'aci', ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
conn = ldap2(
shared_instance=False, ldap_uri='ldap://127.0.0.1',
base_dn=suffix
)
conn.connect(bind_dn='cn=directory manager', bind_pw=password)
conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
conn.simple_bind("cn=Directory Manager", password)
conn.modify_s(dn, mod)
conn.unbind()
(dn, entry_attrs) = conn.get_entry(dn, ['aci'])
entry_attrs['krbmkey'] = str(asn1key)
entry_attrs.setdefault('aci', []).append(
ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)
)
conn.update_entry(dn, entry_attrs)
conn.disconnect()
print "\n"
print "This server is now correctly configured and the master-key has been changed and secured."
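Review bot: `fix_main` now installs the protective deny ACI by read-modify-write (`conn.get_entry(dn, ['aci'])`, `entry_attrs.setdefault('aci', []).append(...)`, `conn.update_entry(dn, entry_attrs)`) where the replaced code used an atomic `MOD_ADD`; if `update_entry` turns the changed list into a `MOD_REPLACE` on `aci`, any ACI modified on the realm container between the read and the write is silently dropped, and a second run appends a duplicate deny rule that `MOD_ADD` would have rejected. Guarding the append, `deny_aci = ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)` followed by `if deny_aci not in entry_attrs.get('aci', []): entry_attrs.setdefault('aci', []).append(deny_aci)`, removes the duplicate, and how `update_entry` emits the modification should be confirmed. The same entry's DN is built two ways in this file: `change_mkey` keeps the suffixed form `"cn="+realm+",cn=kerberos,"+suffix` while `fix_main` switches to the suffix-relative `'cn=%s,cn=kerberos' % realm` with `base_dn=suffix`; unless ldap2's DN normalisation recognises an already-suffixed DN, the `change_mkey` update targets `cn=REALM,cn=kerberos,SUFFIX,SUFFIX`. In `check_vuln`, `raise Exception, err` inside the `except errors.NotFound:` handler discards the original exception; a bare `raise` after the `print` (or a script-specific exception class) keeps it.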


@ -26,11 +26,9 @@
import sys
try:
from optparse import OptionParser
from ipaserver import ipaldap
from ipapython import entity, ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
import ldap
import logging
import re
import krbV


@ -22,12 +22,11 @@
import sys
try:
from optparse import OptionParser
from ipaserver import ipaldap
from ipapython import entity, ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
from ipaserver.plugins.ldap2 import ldap2
from ipalib import errors
import ldap
import logging
except ImportError:
print >> sys.stderr, """\
@ -68,12 +67,9 @@ def get_dirman_password():
def get_nis_config(conn):
entry = None
try:
entry = conn.getEntry(nis_config_dn, ldap.SCOPE_BASE, "(objectclass=*)")
(dn, entry) = conn.get_entry(nis_config_dn)
except errors.NotFound:
pass
except ldap.LDAPError, e:
raise e
return entry
def main():
@ -103,22 +99,26 @@ def main():
else:
dirman_password = get_dirman_password()
conn = None
try:
ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
conn = ipaldap.IPAdmin(installutils.get_fqdn())
conn.do_simple_bind(bindpw=dirman_password)
except ldap.LDAPError, e:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password
)
except errors.LDAPError, e:
print "An error occurred while connecting to the server."
print "%s" % e[0]['desc']
print e
return 1
if args[0] == "enable":
entry = None
try:
entry = get_nis_config(conn)
except ldap.LDAPError, e:
except errors.LDAPError, e:
print "An error occurred while talking to the server."
print "%s" % e[0]['desc']
print e
retval = 1
# Enable either the portmap or rpcbind service
@ -142,27 +142,25 @@ def main():
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
retval = ld.update(files)
else:
if entry.getValue('nsslapd-pluginenabled').lower() == "off":
if entry.get('nsslapd-pluginenabled', '').lower() == 'off':
# Already configured, just enable the plugin
print "Enabling plugin"
mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "on")]
conn.modify_s(nis_config_dn, mod)
mod = {'nsslapd-pluginenabled': 'on'}
conn.update_entry(nis_config_dn, mod)
else:
print "Plugin already Enabled"
retval = 2
elif args[0] == "disable":
try:
mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "off")]
conn.modify_s(nis_config_dn, mod)
mod = {'nsslapd-pluginenabled': 'off'}
conn.update_entry(nis_config_dn, mod)
except errors.NotFound:
print "Plugin is already disabled"
retval = 2
except ldap.LDAPError, e:
except errors.LDAPError, e:
print "An error occurred while talking to the server."
print "%s" % e[0]['desc']
print e
retval = 1
else:
@ -176,7 +174,7 @@ def main():
finally:
if conn:
conn.unbind()
conn.disconnect()
return retval
@ -198,6 +196,6 @@ except config.IPAConfigError, e:
print "An IPA server to update cannot be found. Has one been configured yet?"
print "The error was: %s" % e
sys.exit(1)
except ldap.LDAPError, e:
except errors.LDAPError, e:
print "An error occurred while performing operations: %s" % e
sys.exit(1)
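Review bot: `get_nis_config` now returns the `entry_attrs` dict from `(dn, entry) = conn.get_entry(nis_config_dn)`, and the enable path tests `entry.get('nsslapd-pluginenabled', '').lower() == 'off'` as if the value were a string; elsewhere in this same commit attribute values are indexed as lists (`entry_attrs.get('ipacertificatesubjectbase', [None])[0]`), so if `get_entry` returns list values this line raises `AttributeError: 'list' object has no attribute 'lower'` and `ipa-nis-manage enable` crashes on an already-configured plugin. `if entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':` follows the convention the other scripts use. As in ipa-compat-manage, the connect block catches only `errors.LDAPError`; if a wrong Directory Manager password surfaces as `errors.ACIError` (the class the install scripts catch for that case), it is not handled here and produces a traceback.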


@ -23,15 +23,14 @@ import socket
import tempfile, os, pwd, traceback, logging, shutil
from ConfigParser import SafeConfigParser
import ldap
from ipapython import ipautil
from ipaserver.install import dsinstance, replication, installutils, krbinstance, service
from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
from ipaserver import ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
from ipalib import api, util
from ipalib import api, errors, util
CACERT="/usr/share/ipa/html/ca.crt"
@ -300,16 +299,17 @@ def main():
config.dir = dir
# Try out the password
ldapuri = 'ldap://%s' % config.master_host_name
try:
conn = ipaldap.IPAdmin(config.master_host_name)
conn.do_simple_bind(bindpw=config.dirman_password)
conn.unbind()
except ldap.CONNECT_ERROR, e:
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
except ldap.SERVER_DOWN, e:
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
except ldap.INVALID_CREDENTIALS, e :
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
conn.connect(
bind_dn='cn=directory manager', bind_pw=config.dirman_password
)
conn.disconnect()
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
except errors.LDAPError:
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
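Review bot: The Directory Manager password is now verified with a simple bind to the remote master over an explicitly constructed `ldapuri = 'ldap://%s' % config.master_host_name`; unless `ldap2.connect()` upgrades the session with StartTLS, which is not visible here, that credential crosses the network in clear text during replica setup. The legacy `IPAdmin` path had the same exposure, but since this script now builds the URI itself it is the natural place to use `ldaps://` (the `CACERT` path defined above suggests a CA certificate is already known to the installer) or to require TLS on the ldap2 side. The `except errors.LDAPError:` branch also assumes ldap2 reports an unreachable or down server as `LDAPError`; if `connect()` raises a distinct network error class for that case, a connection failure becomes a traceback instead of the "Unable to connect to LDAP server" message, so it is worth confirming which class is raised.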


@ -24,10 +24,9 @@ import traceback, logging
from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils
from ipaserver import ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
from ipalib import util
from ipalib import errors
from ipalib import errors, util
def parse_options():
from optparse import OptionParser
@ -73,7 +72,8 @@ def get_realm_name():
return c.default_realm
def get_suffix():
suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name()))
l = ldap2(shared_instance=False, base_dn='')
suffix = l.normalize_dn(util.realm_to_suffix(get_realm_name()))
return suffix
def get_host_name():
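Review bot: `get_suffix` builds a complete ldap2 backend (`l = ldap2(shared_instance=False, base_dn='')`) solely to call `normalize_dn` on a string; with no `ldap_uri` the constructor falls back to `api.env` values or, per the ldap2 change in this commit, to the placeholder `ldap://example.com`, which is harmless here only because nothing ever calls `connect()` on the instance. If `normalize_dn` does not depend on instance state, exposing it as a module-level function or `staticmethod` in ldap2 and calling that would avoid a throwaway backend per call; otherwise a comment such as `# unconnected instance, used only for DN normalization` would make the intent clear to the next reader.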


@ -29,11 +29,9 @@ from optparse import OptionParser
from ipapython import ipautil
from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance
from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr
from ipaserver import ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
from ipalib import api
from ipalib import util
import ldap
from ipalib import api, errors, util
def parse_options():
usage = "%prog [options] FQDN (e.g. replica.example.com)"
@ -75,14 +73,16 @@ def parse_options():
return options, args
def get_subject_base(host_name, dm_password, suffix):
ldapuri = 'ldap://%s:389' % host_name
try:
conn = ipaldap.IPAdmin(host_name)
conn.do_simple_bind(bindpw=dm_password)
except Exception, e:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name)
raise e
entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
return entry.getValue('ipacertificatesubjectbase')
(dn, entry_attrs) = conn.get_ipa_config()
conn.disconnect()
return entry_attrs.get('ipacertificatesubjectbase', [None])[0]
def check_ipa_configuration(realm_name):
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
@ -236,16 +236,15 @@ def main():
sys.exit(0)
# Try out the password
ldapuri = 'ldap://%s:389' % api.env.host
try:
conn = ipaldap.IPAdmin(api.env.host)
conn.do_simple_bind(bindpw=dirman_password)
conn.unbind()
except ldap.CONNECT_ERROR, e:
sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.SERVER_DOWN, e:
sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.INVALID_CREDENTIALS, e :
conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
conn.disconnect()
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
except errors.LDAPError:
sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
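Review bot: In `get_subject_base`, `conn.disconnect()` runs only if `conn.get_ipa_config()` succeeds; an error there leaves the bound Directory Manager connection open until garbage collection (ldap2's `__del__` does disconnect, but that is not deterministic). Wrapping the lookup as `try: (dn, entry_attrs) = conn.get_ipa_config()` / `finally: conn.disconnect()` keeps the cleanup explicit. The connect handler was also narrowed from `except Exception` to `except errors.ExecutionError`, which is an improvement, but if ldap2 raises a class outside `ExecutionError` for an unreachable host the `logging.critical` message is skipped and the caller sees a raw traceback, so confirm which class `connect()` uses for connection failures.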


@ -25,13 +25,13 @@ import tempfile
import traceback
import krbV, ldap, getpass
import krbV, getpass
from ipapython.ipautil import user_input
from ipaserver import ipaldap
from ipaserver.install import certs, dsinstance, httpinstance, installutils
from ipalib import api
from ipaserver.plugins.ldap2 import ldap2
def get_realm_name():
c = krbV.default_context()
@ -64,14 +64,12 @@ def parse_options():
return options, args[0]
def set_ds_cert_name(cert_name, dm_password):
conn = ipaldap.IPAdmin("127.0.0.1")
conn.simple_bind_s("cn=directory manager", dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)]
conn.modify_s("cn=RSA,cn=encryption,cn=config", mod)
conn.unbind()
ldapuri = 'ldap://127.0.0.1'
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
mod = {'nssslpersonalityssl': cert_name}
conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
conn.disconnect()
def choose_server_cert(server_certs):
print "Please select the certificate to use:"


@ -35,7 +35,6 @@ import signal
import shutil
import glob
import traceback
import ldap
from optparse import OptionParser
from ConfigParser import RawConfigParser
import random
@ -51,11 +50,11 @@ from ipaserver.install import cainstance
from ipaserver.install import service
from ipapython import version
from ipaserver.install.installutils import *
from ipaserver import ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipapython import sysrestore
from ipapython.ipautil import *
from ipalib import api, util
from ipalib import api, errors, util
import ipawebui
@ -411,19 +410,18 @@ def render_assets():
ui.render_assets()
def set_subject_in_config(host_name, dm_password, suffix, subject_base):
ldapuri = 'ldap://%s' % host_name
try:
conn = ipaldap.IPAdmin(host_name)
conn.do_simple_bind(bindpw=dm_password)
except Exception, e:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name)
raise e
entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
if entry.getValue('ipaCertificateSubjectBase') is None:
newentry = entry.toDict()
newentry['ipaCertificateSubjectBase'] = subject_base
conn.updateEntry(entry.dn, entry.toDict(), newentry)
conn.unbind()
(dn, entry_attrs) = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs:
mod = {'ipacertificatesubjectbase': subject_base}
conn.update_entry(dn, mod)
conn.disconnect()
def main():
global ds
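Review bot: `set_subject_in_config` now decides whether to write the subject base by testing `'ipacertificatesubjectbase' not in entry_attrs` on the result of `conn.get_ipa_config()`; that is only correct if `get_ipa_config` returns that attribute whenever it is set on the entry. If it fetches a fixed attribute list that omits it, the key is always absent and an existing subject base is overwritten on every run — the replaced code read the whole entry with `getEntry(..., ldap.SCOPE_SUBTREE)`, so this is a new dependency on ldap2's attribute selection worth confirming. As in the other scripts, `conn.disconnect()` is skipped if the lookup or `update_entry` raises; a `try/finally` around those calls keeps the cleanup deterministic.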


@ -219,19 +219,15 @@ class ldap2(CrudBackend, Encoder):
self.encoder_settings.decode_dict_vals_table = self._SYNTAX_MAPPING
self.encoder_settings.decode_dict_vals_table_keygen = get_syntax
self.encoder_settings.decode_postprocessor = lambda x: string.lower(x)
if ldap_uri is None:
self.ldap_uri = api.env.ldap_uri
else:
self.ldap_uri = ldap_uri
if base_dn is None:
self.base_dn = api.env.basedn
else:
self.base_dn = base_dn
if schema is None:
self.schema = _schema
else:
self.schema = schema
try:
self.ldap_uri = ldap_uri or api.env.ldap_uri
except AttributeError:
self.ldap_uri = 'ldap://example.com'
try:
self.base_dn = base_dn or api.env.basedn
except AttributeError:
self.base_dn = ''
self.schema = schema or _schema
def __del__(self):
if self.isconnected():
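Review bot: The rewrite replaces `if base_dn is None` with `base_dn or api.env.basedn`, so an explicit `base_dn=''` — which several installer scripts in this very commit pass when they operate on `cn=config` entries — is no longer honored and silently becomes `api.env.basedn` whenever the api environment is populated; if ldap2's DN handling appends `base_dn` to DNs that do not already end with it, those scripts would target `...,cn=config,<suffix>`. `self.base_dn = api.env.basedn if base_dn is None else base_dn` inside the same `try/except AttributeError` preserves the explicit empty string, and the `is None` form applies equally to `ldap_uri`. Falling back to `'ldap://example.com'` when `api.env.ldap_uri` is unavailable is also a footgun: a backend built without a URI and later connected would send real bind credentials to an external placeholder host, so leaving `self.ldap_uri = None` and failing in `connect()` is the safer default. The enclosing `__init__` starts before this hunk.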