Move certauth configuration into a server krb5.conf template

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Robbie Harwood 2019-04-11 18:11:06 -04:00 committed by Alexander Bokovoy
parent c7b938a1d5
commit 39e3704a06
5 changed files with 19 additions and 30 deletions


@ -51,6 +51,7 @@ dist_app_DATA = \
kdc_extensions.template \ kdc_extensions.template \
kdc_req.conf.template \ kdc_req.conf.template \
krb5.conf.template \ krb5.conf.template \
freeipa-server.template \
krb5.ini.template \ krb5.ini.template \
krb.con.template \ krb.con.template \
krbrealm.con.template \ krbrealm.con.template \


@ -0,0 +1,5 @@
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}


@ -74,6 +74,7 @@ class BasePathNamespace:
COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/" COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/"
KRB5_CONF = "/etc/krb5.conf" KRB5_CONF = "/etc/krb5.conf"
KRB5_FREEIPA = COMMON_KRB5_CONF_DIR + "freeipa" KRB5_FREEIPA = COMMON_KRB5_CONF_DIR + "freeipa"
KRB5_FREEIPA_SERVER = COMMON_KRB5_CONF_DIR + "freeipa-server"
KRB5_KEYTAB = "/etc/krb5.keytab" KRB5_KEYTAB = "/etc/krb5.keytab"
LDAP_CONF = "/etc/ldap.conf" LDAP_CONF = "/etc/ldap.conf"
LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf" LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"


@ -349,6 +349,7 @@ class KrbInstance(service.Service):
def __configure_instance(self): def __configure_instance(self):
self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None) self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
self.__template_file(paths.KRB5_CONF) self.__template_file(paths.KRB5_CONF)
self.__template_file(paths.KRB5_FREEIPA_SERVER)
self.__template_file(paths.KRB5_FREEIPA, client_template=True) self.__template_file(paths.KRB5_FREEIPA, client_template=True)
self.__template_file(paths.HTML_KRB5_INI) self.__template_file(paths.HTML_KRB5_INI)
self.__template_file(paths.KRB_CON) self.__template_file(paths.KRB_CON)


@ -1654,36 +1654,17 @@ def setup_spake(krb):
aug.close() aug.close()
def enable_certauth(krb): # Currently, this doesn't support templating.
logger.info("[Enable certauth]") def enable_server_snippet():
logger.info("[Enable server krb5.conf snippet]")
template = os.path.join(
paths.USR_SHARE_IPA_DIR,
os.path.basename(paths.KRB5_FREEIPA_SERVER) + ".template"
)
shutil.copy(template, paths.KRB5_FREEIPA_SERVER)
os.chmod(paths.KRB5_FREEIPA_SERVER, 0o644)
aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD, tasks.restore_context(paths.KRB5_FREEIPA_SERVER)
loadpath=paths.USR_SHARE_IPA_DIR)
try:
aug.transform('IPAKrb5', paths.KRB5_CONF)
aug.load()
path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
modified = False
if not aug.match(path):
aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
aug.set('{}/enable_only'.format(path), 'ipakdb')
modified = True
if modified:
try:
aug.save()
except IOError:
for error_path in aug.match('/augeas//error'):
logger.error('augeas: %s', aug.get(error_path))
raise
if krb.is_running():
krb.stop()
krb.start()
finally:
aug.close()
def ntpd_cleanup(fqdn, fstore): def ntpd_cleanup(fqdn, fstore):
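Review bot: The KDC restart that the removed enable_certauth performed after changing the configuration has no counterpart in enable_server_snippet, so on an upgraded server the freshly copied /etc/krb5.conf.d/freeipa-server snippet is not read until the KDC happens to be restarted, unless upgrade_configuration restarts it later outside this hunk. Since the new function also dropped the `krb` parameter, keeping the old behaviour means the caller in the second hunk passes it again (`enable_server_snippet(krb)`) and the function ends with the same `if krb.is_running(): krb.stop(); krb.start()` sequence as before. Separately, the install path in KrbInstance.__configure_instance (the fourth file section) runs the same file through `__template_file`, while this upgrade path copies it raw under the comment that templating is unsupported; the two will silently diverge the first time a substitution is added to freeipa-server.template, so either route the upgrade through the same templating helper or sharpen the comment to `# Copied verbatim: freeipa-server.template must stay substitution-free, see KrbInstance.__configure_instance`. Finally, nothing here removes the certauth stanza the old code wrote into /etc/krb5.conf, so upgraded servers will carry the plugin configuration in both files; that is presumably harmless for krb5's profile merge but worth confirming.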
@ -2144,7 +2125,7 @@ def upgrade_configuration():
krb.add_anonymous_principal() krb.add_anonymous_principal()
setup_spake(krb) setup_spake(krb)
setup_pkinit(krb) setup_pkinit(krb)
enable_certauth(krb) enable_server_snippet()
if not ds_running: if not ds_running:
ds.stop(ds.serverid) ds.stop(ds.serverid)