services: replace admin_conn with api.Backend.ldap2
Since service.admin_conn is only an alias to api.Backend.ldap2, replace it everywhere with the explicit api.Backend.ldap2 instead. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com>
committed by
Martin Basti
parent
4c133837d1
commit
68295bf8cf
@@ -411,7 +411,7 @@ def main():
|
|||||||
try:
|
try:
|
||||||
# Search only masters which have support for domain levels
|
# Search only masters which have support for domain levels
|
||||||
# because only these masters will have SSSD recent enough to support AD trust agents
|
# because only these masters will have SSSD recent enough to support AD trust agents
|
||||||
entries_m, _truncated = smb.admin_conn.find_entries(
|
entries_m, _truncated = api.Backend.ldap2.find_entries(
|
||||||
filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
|
filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
|
||||||
base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
|
base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
@@ -421,7 +421,7 @@ def main():
|
|||||||
print(unicode(e))
|
print(unicode(e))
|
||||||
|
|
||||||
try:
|
try:
|
||||||
entries_a, _truncated = smb.admin_conn.find_entries(
|
entries_a, _truncated = api.Backend.ldap2.find_entries(
|
||||||
filter="", base_dn=agents_dn, attrs_list=['member'],
|
filter="", base_dn=agents_dn, attrs_list=['member'],
|
||||||
scope=ldap.SCOPE_BASE)
|
scope=ldap.SCOPE_BASE)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
@@ -470,7 +470,7 @@ def main():
|
|||||||
# Add the CIFS and host principals to the 'adtrust agents' group
|
# Add the CIFS and host principals to the 'adtrust agents' group
|
||||||
# as 389-ds only operates with GroupOfNames, we have to use
|
# as 389-ds only operates with GroupOfNames, we have to use
|
||||||
# the principal's proper dn as defined in self.cifs_agent
|
# the principal's proper dn as defined in self.cifs_agent
|
||||||
service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
|
service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member",
|
||||||
[x[1] for x in new_agents])
|
[x[1] for x in new_agents])
|
||||||
print("""
|
print("""
|
||||||
WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
|
WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
|
||||||
|
|||||||
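Review bot: The call in the third hunk of this file, `service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member",`, grew by the longer backend name but was not re-wrapped, so its continuation line `[x[1] for x in new_agents])` no longer lines up with the opening parenthesis and the first line likely exceeds the line-length limit once indented (indentation is not visible on this rendered page). The same call in ADTRUSTInstance further down the page was re-wrapped by this commit with the connection and arguments on their own line, so this one should match it: `service.add_principals_to_group(` / `api.Backend.ldap2, agents_dn, "member",` / `[x[1] for x in new_agents])`. The enclosing main() starts and ends outside the hunks shown.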
@@ -200,7 +200,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
admin_group_dn = DN(('cn', 'admins'), api.env.container_group,
|
admin_group_dn = DN(('cn', 'admins'), api.env.container_group,
|
||||||
self.suffix)
|
self.suffix)
|
||||||
try:
|
try:
|
||||||
dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
|
dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self.print_msg("Samba domain object not found")
|
self.print_msg("Samba domain object not found")
|
||||||
return
|
return
|
||||||
@@ -211,13 +211,13 @@ class ADTRUSTInstance(service.Service):
|
|||||||
return
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
admin_entry = self.admin_conn.get_entry(admin_dn)
|
admin_entry = api.Backend.ldap2.get_entry(admin_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self.print_msg("IPA admin object not found")
|
self.print_msg("IPA admin object not found")
|
||||||
return
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
admin_group_entry = self.admin_conn.get_entry(admin_group_dn)
|
admin_group_entry = api.Backend.ldap2.get_entry(admin_group_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self.print_msg("IPA admin group object not found")
|
self.print_msg("IPA admin group object not found")
|
||||||
return
|
return
|
||||||
@@ -226,9 +226,10 @@ class ADTRUSTInstance(service.Service):
|
|||||||
self.print_msg("Admin SID already set, nothing to do")
|
self.print_msg("Admin SID already set, nothing to do")
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(admin_dn, \
|
api.Backend.ldap2.modify_s(
|
||||||
[(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
|
admin_dn,
|
||||||
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
|
[(ldap.MOD_ADD, "objectclass", self.OBJC_USER),
|
||||||
|
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
|
||||||
except Exception:
|
except Exception:
|
||||||
self.print_msg("Failed to modify IPA admin object")
|
self.print_msg("Failed to modify IPA admin object")
|
||||||
|
|
||||||
@@ -236,9 +237,10 @@ class ADTRUSTInstance(service.Service):
|
|||||||
self.print_msg("Admin group SID already set, nothing to do")
|
self.print_msg("Admin group SID already set, nothing to do")
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(admin_group_dn, \
|
api.Backend.ldap2.modify_s(
|
||||||
[(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
|
admin_group_dn,
|
||||||
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
|
[(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP),
|
||||||
|
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
|
||||||
except Exception:
|
except Exception:
|
||||||
self.print_msg("Failed to modify IPA admin group object")
|
self.print_msg("Failed to modify IPA admin group object")
|
||||||
|
|
||||||
@@ -247,7 +249,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
api.env.container_views, self.suffix)
|
api.env.container_views, self.suffix)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(default_view_dn)
|
api.Backend.ldap2.get_entry(default_view_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
try:
|
try:
|
||||||
self._ldap_mod('default-trust-view.ldif', self.sub_dict)
|
self._ldap_mod('default-trust-view.ldif', self.sub_dict)
|
||||||
@@ -260,7 +262,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
# _ldap_mod does not return useful error codes, so we must check again
|
# _ldap_mod does not return useful error codes, so we must check again
|
||||||
# if the default trust view was created properly.
|
# if the default trust view was created properly.
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(default_view_dn)
|
api.Backend.ldap2.get_entry(default_view_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self.print_msg("Failed to add Default Trust View.")
|
self.print_msg("Failed to add Default Trust View.")
|
||||||
|
|
||||||
@@ -276,7 +278,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
server.
|
server.
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
|
dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self.print_msg("Samba domain object not found")
|
self.print_msg("Samba domain object not found")
|
||||||
return
|
return
|
||||||
@@ -288,7 +290,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
fb_group_dn = DN(('cn', self.FALLBACK_GROUP_NAME),
|
fb_group_dn = DN(('cn', self.FALLBACK_GROUP_NAME),
|
||||||
api.env.container_group, self.suffix)
|
api.env.container_group, self.suffix)
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(fb_group_dn)
|
api.Backend.ldap2.get_entry(fb_group_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
try:
|
try:
|
||||||
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
|
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
|
||||||
@@ -299,14 +301,14 @@ class ADTRUSTInstance(service.Service):
|
|||||||
# _ldap_mod does not return useful error codes, so we must check again
|
# _ldap_mod does not return useful error codes, so we must check again
|
||||||
# if the fallback group was created properly.
|
# if the fallback group was created properly.
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(fb_group_dn)
|
api.Backend.ldap2.get_entry(fb_group_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self.print_msg("Failed to add fallback group.")
|
self.print_msg("Failed to add fallback group.")
|
||||||
return
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
|
mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
|
||||||
self.admin_conn.modify_s(self.smb_dom_dn, mod)
|
api.Backend.ldap2.modify_s(self.smb_dom_dn, mod)
|
||||||
except Exception:
|
except Exception:
|
||||||
self.print_msg("Failed to add fallback group to domain object")
|
self.print_msg("Failed to add fallback group to domain object")
|
||||||
|
|
||||||
@@ -319,7 +321,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
|
|
||||||
try:
|
try:
|
||||||
# Get the ranges
|
# Get the ranges
|
||||||
ranges = self.admin_conn.get_entries(
|
ranges = api.Backend.ldap2.get_entries(
|
||||||
DN(api.env.container_ranges, self.suffix),
|
DN(api.env.container_ranges, self.suffix),
|
||||||
ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
|
ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
|
||||||
|
|
||||||
@@ -354,7 +356,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
# If the RID bases would cause overlap with some other range,
|
# If the RID bases would cause overlap with some other range,
|
||||||
# this will be detected by ipa-range-check DS plugin
|
# this will be detected by ipa-range-check DS plugin
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(local_range.dn,
|
api.Backend.ldap2.modify_s(local_range.dn,
|
||||||
[(ldap.MOD_ADD, "ipaBaseRID",
|
[(ldap.MOD_ADD, "ipaBaseRID",
|
||||||
str(self.rid_base)),
|
str(self.rid_base)),
|
||||||
(ldap.MOD_ADD, "ipaSecondaryBaseRID",
|
(ldap.MOD_ADD, "ipaSecondaryBaseRID",
|
||||||
@@ -376,7 +378,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
self.print_msg("Reset NetBIOS domain name")
|
self.print_msg("Reset NetBIOS domain name")
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(self.smb_dom_dn,
|
api.Backend.ldap2.modify_s(self.smb_dom_dn,
|
||||||
[(ldap.MOD_REPLACE, self.ATTR_FLAT_NAME,
|
[(ldap.MOD_REPLACE, self.ATTR_FLAT_NAME,
|
||||||
self.netbios_name)])
|
self.netbios_name)])
|
||||||
except ldap.LDAPError:
|
except ldap.LDAPError:
|
||||||
@@ -385,7 +387,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
def __create_samba_domain_object(self):
|
def __create_samba_domain_object(self):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(self.smb_dom_dn)
|
api.Backend.ldap2.get_entry(self.smb_dom_dn)
|
||||||
if self.reset_netbios_name:
|
if self.reset_netbios_name:
|
||||||
self.__reset_netbios_name()
|
self.__reset_netbios_name()
|
||||||
else :
|
else :
|
||||||
@@ -398,7 +400,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
DN(('cn', 'ad'), self.trust_dn), \
|
DN(('cn', 'ad'), self.trust_dn), \
|
||||||
DN(api.env.container_cifsdomains, self.suffix)):
|
DN(api.env.container_cifsdomains, self.suffix)):
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(new_dn)
|
api.Backend.ldap2.get_entry(new_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
try:
|
try:
|
||||||
name = new_dn[1].attr
|
name = new_dn[1].attr
|
||||||
@@ -406,11 +408,11 @@ class ADTRUSTInstance(service.Service):
|
|||||||
self.print_msg('Cannot extract RDN attribute value from "%s": %s' % \
|
self.print_msg('Cannot extract RDN attribute value from "%s": %s' % \
|
||||||
(new_dn, e))
|
(new_dn, e))
|
||||||
return
|
return
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
new_dn, objectclass=['nsContainer'], cn=[name])
|
new_dn, objectclass=['nsContainer'], cn=[name])
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
self.smb_dom_dn,
|
self.smb_dom_dn,
|
||||||
{
|
{
|
||||||
'objectclass': [self.OBJC_DOMAIN, "nsContainer"],
|
'objectclass': [self.OBJC_DOMAIN, "nsContainer"],
|
||||||
@@ -421,7 +423,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
}
|
}
|
||||||
)
|
)
|
||||||
#TODO: which MAY attributes do we want to set ?
|
#TODO: which MAY attributes do we want to set ?
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
def __write_smb_conf(self):
|
def __write_smb_conf(self):
|
||||||
conf_fd = open(self.smb_conf, "w")
|
conf_fd = open(self.smb_conf, "w")
|
||||||
@@ -439,7 +441,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
try:
|
try:
|
||||||
plugin_dn = DN(('cn', plugin_cn), ('cn', 'plugins'),
|
plugin_dn = DN(('cn', plugin_cn), ('cn', 'plugins'),
|
||||||
('cn', 'config'))
|
('cn', 'config'))
|
||||||
self.admin_conn.get_entry(plugin_dn)
|
api.Backend.ldap2.get_entry(plugin_dn)
|
||||||
self.print_msg('%s plugin already configured, nothing to do' % name)
|
self.print_msg('%s plugin already configured, nothing to do' % name)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
try:
|
try:
|
||||||
@@ -477,7 +479,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
|
|
||||||
# Wait for the task to complete
|
# Wait for the task to complete
|
||||||
task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config')
|
task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config')
|
||||||
wait_for_task(self.admin_conn, task_dn)
|
wait_for_task(api.Backend.ldap2, task_dn)
|
||||||
|
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
root_logger.warning("Exception occured during SID generation: {0}"
|
root_logger.warning("Exception occured during SID generation: {0}"
|
||||||
@@ -491,11 +493,11 @@ class ADTRUSTInstance(service.Service):
|
|||||||
targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
|
targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
|
||||||
('cn', 'etc'), self.suffix)
|
('cn', 'etc'), self.suffix)
|
||||||
try:
|
try:
|
||||||
current = self.admin_conn.get_entry(targets_dn)
|
current = api.Backend.ldap2.get_entry(targets_dn)
|
||||||
members = current.get('memberPrincipal', [])
|
members = current.get('memberPrincipal', [])
|
||||||
if not(self.principal in members):
|
if not(self.principal in members):
|
||||||
current["memberPrincipal"] = members + [self.principal]
|
current["memberPrincipal"] = members + [self.principal]
|
||||||
self.admin_conn.update_entry(current)
|
api.Backend.ldap2.update_entry(current)
|
||||||
else:
|
else:
|
||||||
self.print_msg('cifs principal already targeted, nothing to do.')
|
self.print_msg('cifs principal already targeted, nothing to do.')
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
@@ -524,8 +526,9 @@ class ADTRUSTInstance(service.Service):
|
|||||||
# Add the CIFS and host principals to the 'adtrust agents' group
|
# Add the CIFS and host principals to the 'adtrust agents' group
|
||||||
# as 389-ds only operates with GroupOfNames, we have to use
|
# as 389-ds only operates with GroupOfNames, we have to use
|
||||||
# the principal's proper dn as defined in self.cifs_agent
|
# the principal's proper dn as defined in self.cifs_agent
|
||||||
service.add_principals_to_group(self.admin_conn, self.smb_dn, "member",
|
service.add_principals_to_group(
|
||||||
[self.cifs_agent, self.host_princ])
|
api.Backend.ldap2, self.smb_dn, "member",
|
||||||
|
[self.cifs_agent, self.host_princ])
|
||||||
|
|
||||||
def __setup_principal(self):
|
def __setup_principal(self):
|
||||||
try:
|
try:
|
||||||
@@ -662,7 +665,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
try:
|
try:
|
||||||
cifs_services = DN(api.env.container_service, self.suffix)
|
cifs_services = DN(api.env.container_service, self.suffix)
|
||||||
# Search for cifs services which also belong to adtrust agents, these are our DCs
|
# Search for cifs services which also belong to adtrust agents, these are our DCs
|
||||||
res = self.admin_conn.get_entries(cifs_services,
|
res = api.Backend.ldap2.get_entries(cifs_services,
|
||||||
ldap.SCOPE_ONELEVEL,
|
ldap.SCOPE_ONELEVEL,
|
||||||
"(&(krbprincipalname=cifs/*@%s)(memberof=%s))" % (self.realm, str(self.smb_dn)))
|
"(&(krbprincipalname=cifs/*@%s)(memberof=%s))" % (self.realm, str(self.smb_dn)))
|
||||||
if len(res) > 1:
|
if len(res) > 1:
|
||||||
@@ -686,11 +689,11 @@ class ADTRUSTInstance(service.Service):
|
|||||||
lookup_nsswitch_name = "schema-compat-lookup-nsswitch"
|
lookup_nsswitch_name = "schema-compat-lookup-nsswitch"
|
||||||
for config in (("cn=users", "user"), ("cn=groups", "group")):
|
for config in (("cn=users", "user"), ("cn=groups", "group")):
|
||||||
entry_dn = DN(config[0], compat_plugin_dn)
|
entry_dn = DN(config[0], compat_plugin_dn)
|
||||||
current = self.admin_conn.get_entry(entry_dn)
|
current = api.Backend.ldap2.get_entry(entry_dn)
|
||||||
lookup_nsswitch = current.get(lookup_nsswitch_name, [])
|
lookup_nsswitch = current.get(lookup_nsswitch_name, [])
|
||||||
if not(config[1] in lookup_nsswitch):
|
if not(config[1] in lookup_nsswitch):
|
||||||
current[lookup_nsswitch_name] = [config[1]]
|
current[lookup_nsswitch_name] = [config[1]]
|
||||||
self.admin_conn.update_entry(current)
|
api.Backend.ldap2.update_entry(current)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
|
root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
|
||||||
|
|
||||||
@@ -767,14 +770,14 @@ class ADTRUSTInstance(service.Service):
|
|||||||
self.__setup_sub_dict()
|
self.__setup_sub_dict()
|
||||||
|
|
||||||
def find_local_id_range(self):
|
def find_local_id_range(self):
|
||||||
if self.admin_conn.get_entries(
|
if api.Backend.ldap2.get_entries(
|
||||||
DN(api.env.container_ranges, self.suffix),
|
DN(api.env.container_ranges, self.suffix),
|
||||||
ldap.SCOPE_ONELEVEL,
|
ldap.SCOPE_ONELEVEL,
|
||||||
"(objectclass=ipaDomainIDRange)"):
|
"(objectclass=ipaDomainIDRange)"):
|
||||||
return
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
entry = self.admin_conn.get_entry(
|
entry = api.Backend.ldap2.get_entry(
|
||||||
DN(('cn', 'admins'), api.env.container_group, self.suffix))
|
DN(('cn', 'admins'), api.env.container_group, self.suffix))
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
raise ValueError("No local ID range and no admins group found.\n" \
|
raise ValueError("No local ID range and no admins group found.\n" \
|
||||||
@@ -791,13 +794,13 @@ class ADTRUSTInstance(service.Service):
|
|||||||
"(gidNumber<=%d)(gidNumner>=%d)))" % \
|
"(gidNumber<=%d)(gidNumner>=%d)))" % \
|
||||||
((base_id - 1), (base_id + id_range_size),
|
((base_id - 1), (base_id + id_range_size),
|
||||||
(base_id - 1), (base_id + id_range_size))
|
(base_id - 1), (base_id + id_range_size))
|
||||||
if self.admin_conn.get_entries(DN(('cn', 'accounts'), self.suffix),
|
if api.Backend.ldap2.get_entries(DN(('cn', 'accounts'), self.suffix),
|
||||||
ldap.SCOPE_SUBTREE, id_filter):
|
ldap.SCOPE_SUBTREE, id_filter):
|
||||||
raise ValueError("There are objects with IDs out of the expected" \
|
raise ValueError("There are objects with IDs out of the expected" \
|
||||||
"range.\nAdd local ID range manually and try " \
|
"range.\nAdd local ID range manually and try " \
|
||||||
"again!")
|
"again!")
|
||||||
|
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
DN(
|
DN(
|
||||||
('cn', ('%s_id_range' % self.realm)),
|
('cn', ('%s_id_range' % self.realm)),
|
||||||
api.env.container_ranges, self.suffix),
|
api.env.container_ranges, self.suffix),
|
||||||
@@ -806,7 +809,7 @@ class ADTRUSTInstance(service.Service):
|
|||||||
ipaBaseID=[str(base_id)],
|
ipaBaseID=[str(base_id)],
|
||||||
ipaIDRangeSize=[str(id_range_size)],
|
ipaIDRangeSize=[str(id_range_size)],
|
||||||
)
|
)
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
def create_instance(self):
|
def create_instance(self):
|
||||||
self.step("stopping smbd", self.__stop)
|
self.step("stopping smbd", self.__stop)
|
||||||
|
|||||||
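Review bot: The overlap filter in find_local_id_range still spells the group attribute `gidNumner` in `"(gidNumber<=%d)(gidNumner>=%d)))"` (hunk @@ -791,13 +794,13 @@), so that clause names an attribute the directory does not know and, under standard LDAP filter semantics, evaluates to Undefined and matches nothing; group objects with a gidNumber above the proposed range are therefore never detected and the local ID range is created over them. The commit only swaps the connection object on the `get_entries` call two lines below, so the check keeps passing silently; the line should read `"(gidNumber<=%d)(gidNumber>=%d)))" % \`. A unit test on the assembled filter string is worth adding, since the `if api.Backend.ldap2.get_entries(...)` guard is the only thing preventing an overlapping range from being added. find_local_id_range begins in the preceding hunk and its body continues outside this one.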
@@ -846,10 +846,10 @@ class BindInstance(service.Service):
|
|||||||
self.__add_master_records(self.fqdn, self.ip_addresses)
|
self.__add_master_records(self.fqdn, self.ip_addresses)
|
||||||
|
|
||||||
def __add_others(self):
|
def __add_others(self):
|
||||||
entries = self.admin_conn.get_entries(
|
entries = api.Backend.ldap2.get_entries(
|
||||||
DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
|
DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
|
||||||
self.suffix),
|
self.suffix),
|
||||||
self.admin_conn.SCOPE_ONELEVEL, None, ['dn'])
|
api.Backend.ldap2.SCOPE_ONELEVEL, None, ['dn'])
|
||||||
|
|
||||||
for entry in entries:
|
for entry in entries:
|
||||||
fqdn = entry.dn[0]['cn']
|
fqdn = entry.dn[0]['cn']
|
||||||
@@ -888,7 +888,7 @@ class BindInstance(service.Service):
|
|||||||
mod = [(ldap.MOD_ADD, 'member', dns_principal)]
|
mod = [(ldap.MOD_ADD, 'member', dns_principal)]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dns_group, mod)
|
api.Backend.ldap2.modify_s(dns_group, mod)
|
||||||
except ldap.TYPE_OR_VALUE_EXISTS:
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
||||||
pass
|
pass
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
@@ -903,7 +903,7 @@ class BindInstance(service.Service):
|
|||||||
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
||||||
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dns_principal, mod)
|
api.Backend.ldap2.modify_s(dns_principal, mod)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
root_logger.critical("Could not set principal's %s LDAP limits: %s" \
|
root_logger.critical("Could not set principal's %s LDAP limits: %s" \
|
||||||
% (dns_principal, str(e)))
|
% (dns_principal, str(e)))
|
||||||
@@ -933,7 +933,7 @@ class BindInstance(service.Service):
|
|||||||
)
|
)
|
||||||
|
|
||||||
def __setup_server_configuration(self):
|
def __setup_server_configuration(self):
|
||||||
ensure_dnsserver_container_exists(self.admin_conn, self.api)
|
ensure_dnsserver_container_exists(api.Backend.ldap2, self.api)
|
||||||
try:
|
try:
|
||||||
self.api.Command.dnsserver_add(
|
self.api.Command.dnsserver_add(
|
||||||
self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(),
|
self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(),
|
||||||
|
|||||||
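Review bot: `ensure_dnsserver_container_exists(api.Backend.ldap2, self.api)` in the last hunk mixes the module-level `api` for the connection with `self.api` for the API object passed next to it, and the following line calls `self.api.Command.dnsserver_add`; if `self.api` is ever a different API instance than the global one, the container would be created over one backend while the command runs against another. Keeping the pair consistent, `ensure_dnsserver_container_exists(self.api.Backend.ldap2, self.api)`, avoids that split, or a comment should state that `self.api` is assumed to be the global `api`. The enclosing __setup_server_configuration continues outside the hunk.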
@@ -1100,8 +1100,8 @@ class CAInstance(DogtagInstance):
|
|||||||
('cn', 'etc'), api.env.basedn)
|
('cn', 'etc'), api.env.basedn)
|
||||||
renewal_filter = '(ipaConfigString=caRenewalMaster)'
|
renewal_filter = '(ipaConfigString=caRenewalMaster)'
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entries(base_dn=dn, filter=renewal_filter,
|
api.Backend.ldap2.get_entries(base_dn=dn, filter=renewal_filter,
|
||||||
attrs_list=[])
|
attrs_list=[])
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@@ -1115,13 +1115,13 @@ class CAInstance(DogtagInstance):
|
|||||||
api.env.basedn)
|
api.env.basedn)
|
||||||
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
|
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
|
||||||
try:
|
try:
|
||||||
entries = self.admin_conn.get_entries(
|
entries = api.Backend.ldap2.get_entries(
|
||||||
base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString'])
|
base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString'])
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
entries = []
|
entries = []
|
||||||
|
|
||||||
dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
|
dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
|
||||||
master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
|
master_entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])
|
||||||
|
|
||||||
for entry in entries:
|
for entry in entries:
|
||||||
if master_entry is not None and entry.dn == master_entry.dn:
|
if master_entry is not None and entry.dn == master_entry.dn:
|
||||||
@@ -1130,11 +1130,11 @@ class CAInstance(DogtagInstance):
|
|||||||
|
|
||||||
entry['ipaConfigString'] = [x for x in entry['ipaConfigString']
|
entry['ipaConfigString'] = [x for x in entry['ipaConfigString']
|
||||||
if x.lower() != 'carenewalmaster']
|
if x.lower() != 'carenewalmaster']
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
|
|
||||||
if master_entry is not None:
|
if master_entry is not None:
|
||||||
master_entry['ipaConfigString'].append('caRenewalMaster')
|
master_entry['ipaConfigString'].append('caRenewalMaster')
|
||||||
self.admin_conn.update_entry(master_entry)
|
api.Backend.ldap2.update_entry(master_entry)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def update_cert_config(nickname, cert):
|
def update_cert_config(nickname, cert):
|
||||||
@@ -1173,25 +1173,25 @@ class CAInstance(DogtagInstance):
|
|||||||
|
|
||||||
# replication
|
# replication
|
||||||
dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
|
dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
dn,
|
dn,
|
||||||
objectclass=["top", "extensibleObject", "nsMappingTree"],
|
objectclass=["top", "extensibleObject", "nsMappingTree"],
|
||||||
cn=[suffix],
|
cn=[suffix],
|
||||||
)
|
)
|
||||||
entry['nsslapd-state'] = ['Backend']
|
entry['nsslapd-state'] = ['Backend']
|
||||||
entry['nsslapd-backend'] = [backend]
|
entry['nsslapd-backend'] = [backend]
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
# database
|
# database
|
||||||
dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
|
dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
|
||||||
('cn', 'config'))
|
('cn', 'config'))
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
dn,
|
dn,
|
||||||
objectclass=["top", "extensibleObject", "nsBackendInstance"],
|
objectclass=["top", "extensibleObject", "nsBackendInstance"],
|
||||||
cn=[backend],
|
cn=[backend],
|
||||||
)
|
)
|
||||||
entry['nsslapd-suffix'] = [suffix]
|
entry['nsslapd-suffix'] = [suffix]
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
def __setup_replication(self):
|
def __setup_replication(self):
|
||||||
|
|
||||||
@@ -1268,7 +1268,7 @@ class CAInstance(DogtagInstance):
|
|||||||
|
|
||||||
def __add_lightweight_ca_tracking_requests(self):
|
def __add_lightweight_ca_tracking_requests(self):
|
||||||
try:
|
try:
|
||||||
lwcas = self.admin_conn.get_entries(
|
lwcas = api.Backend.ldap2.get_entries(
|
||||||
base_dn=api.env.basedn,
|
base_dn=api.env.basedn,
|
||||||
filter='(objectclass=ipaca)',
|
filter='(objectclass=ipaca)',
|
||||||
attrs_list=['cn', 'ipacaid'],
|
attrs_list=['cn', 'ipacaid'],
|
||||||
|
|||||||
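Review bot: `master_entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])` in the hunk @@ -1115,13 +1115,13 @@ is the only `get_entry` call on this page not wrapped in `except errors.NotFound`, yet the two `if master_entry is not None` checks that follow suggest the author expected a missing entry to come back as None. If get_entry raises errors.NotFound like the call sites above (the `get_entries` three lines earlier is guarded that way in this very hunk), a master without a `cn=CA` entry aborts the renewal-master switch with an uncaught exception and the `is not None` branches are dead. Either wrap the lookup, `try: master_entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])` / `except errors.NotFound: master_entry = None`, or drop the None checks and document that the entry must exist. The enclosing method starts in the previous hunk and continues past this one.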
@@ -266,7 +266,7 @@ class DNSKeySyncInstance(service.Service):
|
|||||||
keylabel = replica_keylabel_template % DNSName(self.fqdn).\
|
keylabel = replica_keylabel_template % DNSName(self.fqdn).\
|
||||||
make_absolute().canonicalize().ToASCII()
|
make_absolute().canonicalize().ToASCII()
|
||||||
|
|
||||||
ldap = self.admin_conn
|
ldap = api.Backend.ldap2
|
||||||
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
|
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
|
||||||
|
|
||||||
with open(paths.DNSSEC_SOFTHSM_PIN, "r") as f:
|
with open(paths.DNSSEC_SOFTHSM_PIN, "r") as f:
|
||||||
@@ -413,7 +413,7 @@ class DNSKeySyncInstance(service.Service):
|
|||||||
mod = [(ldap.MOD_ADD, 'member', dnssynckey_principal_dn)]
|
mod = [(ldap.MOD_ADD, 'member', dnssynckey_principal_dn)]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dns_group, mod)
|
api.Backend.ldap2.modify_s(dns_group, mod)
|
||||||
except ldap.TYPE_OR_VALUE_EXISTS:
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
||||||
pass
|
pass
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
@@ -429,7 +429,7 @@ class DNSKeySyncInstance(service.Service):
|
|||||||
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
||||||
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dnssynckey_principal_dn, mod)
|
api.Backend.ldap2.modify_s(dnssynckey_principal_dn, mod)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
self.logger.critical("Could not set principal's %s LDAP limits: %s"
|
self.logger.critical("Could not set principal's %s LDAP limits: %s"
|
||||||
% (dnssynckey_principal_dn, str(e)))
|
% (dnssynckey_principal_dn, str(e)))
|
||||||
|
|||||||
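Review bot: `ldap = api.Backend.ldap2` in the hunk @@ -266,7 +266,7 @@ binds the name `ldap` to the connection object, shadowing the python-ldap module that the other hunks of this file use for `ldap.MOD_ADD` and `ldap.TYPE_OR_VALUE_EXISTS`; the rebinding predates this commit, but since the line is being rewritten anyway it is the moment to pick a non-colliding name such as `conn = api.Backend.ldap2`. Whether the rest of that method (outside the hunk) reaches for a module constant through the shadowed name cannot be seen here, so this is a hygiene point rather than a confirmed bug. The enclosing method starts and ends outside the hunk.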
@@ -30,7 +30,7 @@ import pwd
|
|||||||
from pki.client import PKIConnection
|
from pki.client import PKIConnection
|
||||||
import pki.system
|
import pki.system
|
||||||
|
|
||||||
from ipalib import errors
|
from ipalib import api, errors
|
||||||
|
|
||||||
from ipaplatform import services
|
from ipaplatform import services
|
||||||
from ipaplatform.constants import constants
|
from ipaplatform.constants import constants
|
||||||
@@ -421,12 +421,12 @@ class DogtagInstance(service.Service):
|
|||||||
|
|
||||||
def __add_admin_to_group(self, group):
|
def __add_admin_to_group(self, group):
|
||||||
dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
|
dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
|
||||||
entry = self.admin_conn.get_entry(dn)
|
entry = api.Backend.ldap2.get_entry(dn)
|
||||||
members = entry.get('uniqueMember', [])
|
members = entry.get('uniqueMember', [])
|
||||||
members.append(self.admin_dn)
|
members.append(self.admin_dn)
|
||||||
mod = [(ldap.MOD_REPLACE, 'uniqueMember', members)]
|
mod = [(ldap.MOD_REPLACE, 'uniqueMember', members)]
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dn, mod)
|
api.Backend.ldap2.modify_s(dn, mod)
|
||||||
except ldap.TYPE_OR_VALUE_EXISTS:
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
||||||
# already there
|
# already there
|
||||||
pass
|
pass
|
||||||
@@ -439,12 +439,12 @@ class DogtagInstance(service.Service):
|
|||||||
|
|
||||||
# remove user if left-over exists
|
# remove user if left-over exists
|
||||||
try:
|
try:
|
||||||
entry = self.admin_conn.delete_entry(self.admin_dn)
|
entry = api.Backend.ldap2.delete_entry(self.admin_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# add user
|
# add user
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
self.admin_dn,
|
self.admin_dn,
|
||||||
objectclass=["top", "person", "organizationalPerson",
|
objectclass=["top", "person", "organizationalPerson",
|
||||||
"inetOrgPerson", "cmsuser"],
|
"inetOrgPerson", "cmsuser"],
|
||||||
@@ -456,7 +456,7 @@ class DogtagInstance(service.Service):
|
|||||||
userPassword=[self.admin_password],
|
userPassword=[self.admin_password],
|
||||||
userstate=['1']
|
userstate=['1']
|
||||||
)
|
)
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
for group in self.admin_groups:
|
for group in self.admin_groups:
|
||||||
self.__add_admin_to_group(group)
|
self.__add_admin_to_group(group)
|
||||||
@@ -472,7 +472,7 @@ class DogtagInstance(service.Service):
|
|||||||
dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
|
dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
|
||||||
mod = [(ldap.MOD_DELETE, 'uniqueMember', self.admin_dn)]
|
mod = [(ldap.MOD_DELETE, 'uniqueMember', self.admin_dn)]
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dn, mod)
|
api.Backend.ldap2.modify_s(dn, mod)
|
||||||
except ldap.NO_SUCH_ATTRIBUTE:
|
except ldap.NO_SUCH_ATTRIBUTE:
|
||||||
# already removed
|
# already removed
|
||||||
pass
|
pass
|
||||||
@@ -480,7 +480,7 @@ class DogtagInstance(service.Service):
|
|||||||
def teardown_admin(self):
|
def teardown_admin(self):
|
||||||
for group in self.admin_groups:
|
for group in self.admin_groups:
|
||||||
self.__remove_admin_from_group(group)
|
self.__remove_admin_from_group(group)
|
||||||
self.admin_conn.delete_entry(self.admin_dn)
|
api.Backend.ldap2.delete_entry(self.admin_dn)
|
||||||
|
|
||||||
def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
|
def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
|
||||||
config.set(self.subsystem, "pki_ds_ldaps_port", "636")
|
config.set(self.subsystem, "pki_ds_ldaps_port", "636")
|
||||||
|
|||||||
@@ -449,13 +449,13 @@ class DsInstance(service.Service):
|
|||||||
# they may conflict.
|
# they may conflict.
|
||||||
|
|
||||||
try:
|
try:
|
||||||
res = self.admin_conn.get_entries(
|
res = api.Backend.ldap2.get_entries(
|
||||||
DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),
|
DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),
|
||||||
self.admin_conn.SCOPE_ONELEVEL,
|
api.Backend.ldap2.SCOPE_ONELEVEL,
|
||||||
"(objectclass=nsSaslMapping)")
|
"(objectclass=nsSaslMapping)")
|
||||||
for r in res:
|
for r in res:
|
||||||
try:
|
try:
|
||||||
self.admin_conn.delete_entry(r)
|
api.Backend.ldap2.delete_entry(r)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
root_logger.critical(
|
root_logger.critical(
|
||||||
"Error during SASL mapping removal: %s", e)
|
"Error during SASL mapping removal: %s", e)
|
||||||
@@ -464,7 +464,7 @@ class DsInstance(service.Service):
|
|||||||
root_logger.critical("Error while enumerating SASL mappings %s", e)
|
root_logger.critical("Error while enumerating SASL mappings %s", e)
|
||||||
raise
|
raise
|
||||||
|
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
DN(
|
DN(
|
||||||
('cn', 'Full Principal'), ('cn', 'mapping'), ('cn', 'sasl'),
|
('cn', 'Full Principal'), ('cn', 'mapping'), ('cn', 'sasl'),
|
||||||
('cn', 'config')),
|
('cn', 'config')),
|
||||||
@@ -475,9 +475,9 @@ class DsInstance(service.Service):
|
|||||||
nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
|
nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
|
||||||
nsSaslMapPriority=['10'],
|
nsSaslMapPriority=['10'],
|
||||||
)
|
)
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
DN(
|
DN(
|
||||||
('cn', 'Name Only'), ('cn', 'mapping'), ('cn', 'sasl'),
|
('cn', 'Name Only'), ('cn', 'mapping'), ('cn', 'sasl'),
|
||||||
('cn', 'config')),
|
('cn', 'config')),
|
||||||
@@ -488,7 +488,7 @@ class DsInstance(service.Service):
|
|||||||
nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
|
nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
|
||||||
nsSaslMapPriority=['10'],
|
nsSaslMapPriority=['10'],
|
||||||
)
|
)
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
|
|
||||||
def __update_schema(self):
|
def __update_schema(self):
|
||||||
# FIXME: https://fedorahosted.org/389/ticket/47490
|
# FIXME: https://fedorahosted.org/389/ticket/47490
|
||||||
@@ -1134,7 +1134,7 @@ class DsInstance(service.Service):
|
|||||||
"""
|
"""
|
||||||
dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
|
dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(dn)
|
api.Backend.ldap2.get_entry(dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix))
|
self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix))
|
||||||
else:
|
else:
|
||||||
@@ -1152,7 +1152,7 @@ class DsInstance(service.Service):
|
|||||||
"""
|
"""
|
||||||
dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
|
dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
|
||||||
try:
|
try:
|
||||||
self.admin_conn.get_entry(dn)
|
api.Backend.ldap2.get_entry(dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix))
|
self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix))
|
||||||
else:
|
else:
|
||||||
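Review bot: The SASL-mapping hunks spell out `api.Backend.ldap2` seven times in what appears to be one method body (`get_entries`, `SCOPE_ONELEVEL`, `delete_entry`, two `make_entry` and two `add_entry` calls); binding it once at the top of the method, `conn = api.Backend.ldap2`, and using `conn.` below reads more easily and leaves a single place to change if the backend attribute is renamed again. The same repeated chain recurs in the dogtaginstance, httpinstance, krbinstance and service.py hunks of this commit. The enclosing method starts outside the hunk, so the natural place for the binding is not visible here.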
|
|||||||
@@ -416,7 +416,8 @@ class HTTPInstance(service.Service):
|
|||||||
attr_name = 'kdcProxyEnabled'
|
attr_name = 'kdcProxyEnabled'
|
||||||
|
|
||||||
try:
|
try:
|
||||||
entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
|
entry = api.Backend.ldap2.get_entry(
|
||||||
|
entry_name, ['ipaConfigString'])
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
@@ -427,7 +428,7 @@ class HTTPInstance(service.Service):
|
|||||||
|
|
||||||
entry.setdefault('ipaConfigString', []).append(attr_name)
|
entry.setdefault('ipaConfigString', []).append(attr_name)
|
||||||
try:
|
try:
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
except errors.EmptyModlist:
|
except errors.EmptyModlist:
|
||||||
root_logger.debug("service KDCPROXY already enabled")
|
root_logger.debug("service KDCPROXY already enabled")
|
||||||
return
|
return
|
||||||
@@ -438,7 +439,7 @@ class HTTPInstance(service.Service):
|
|||||||
root_logger.debug("service KDCPROXY enabled")
|
root_logger.debug("service KDCPROXY enabled")
|
||||||
return
|
return
|
||||||
|
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
entry_name,
|
entry_name,
|
||||||
objectclass=["nsContainer", "ipaConfigObject"],
|
objectclass=["nsContainer", "ipaConfigObject"],
|
||||||
cn=['KDC'],
|
cn=['KDC'],
|
||||||
@@ -446,7 +447,7 @@ class HTTPInstance(service.Service):
|
|||||||
)
|
)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
except errors.DuplicateEntry:
|
except errors.DuplicateEntry:
|
||||||
root_logger.debug("failed to add service KDCPROXY entry")
|
root_logger.debug("failed to add service KDCPROXY entry")
|
||||||
raise
|
raise
|
||||||
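Review bot: The KDCPROXY block rewritten here (`get_entry(entry_name, ['ipaConfigString'])`, append to the list, `update_entry` with an `errors.EmptyModlist` fallback, then `make_entry`/`add_entry` with an `errors.DuplicateEntry` handler) has the same shape as the generic enable-service code in the service.py hunks of this commit, differing visibly only in the hard-coded `"KDCPROXY"` messages and `cn=['KDC']` versus `cn=[name]`. Since both are being touched anyway, it is worth checking whether HTTPInstance could delegate to the generic Service method instead of carrying a second copy; only the hunks are visible here, so the method signatures would need confirming. The enclosing method starts and ends outside the hunk.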
|
|||||||
@@ -131,9 +131,10 @@ def uninstall(standalone):
|
|||||||
|
|
||||||
if standalone:
|
if standalone:
|
||||||
try:
|
try:
|
||||||
kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
|
api.Backend.ldap2.delete_entry(
|
||||||
('cn', 'masters'), ('cn', 'ipa'),
|
DN(('cn', 'KRA'), ('cn', api.env.host),
|
||||||
('cn', 'etc'), api.env.basedn))
|
('cn', 'masters'), ('cn', 'ipa'),
|
||||||
|
('cn', 'etc'), api.env.basedn))
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ from ipaserver.install import service
|
|||||||
from ipaserver.install import installutils
|
from ipaserver.install import installutils
|
||||||
from ipapython import ipautil
|
from ipapython import ipautil
|
||||||
from ipapython import kernel_keyring
|
from ipapython import kernel_keyring
|
||||||
|
from ipalib import api
|
||||||
from ipalib.constants import CACERT
|
from ipalib.constants import CACERT
|
||||||
from ipapython.ipa_log_manager import root_logger
|
from ipapython.ipa_log_manager import root_logger
|
||||||
from ipapython.dn import DN
|
from ipapython.dn import DN
|
||||||
@@ -79,14 +80,14 @@ class KrbInstance(service.Service):
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
service_dn = DN(('krbprincipalname', principal), self.get_realm_suffix())
|
service_dn = DN(('krbprincipalname', principal), self.get_realm_suffix())
|
||||||
service_entry = self.admin_conn.get_entry(service_dn)
|
service_entry = api.Backend.ldap2.get_entry(service_dn)
|
||||||
self.admin_conn.delete_entry(service_entry)
|
api.Backend.ldap2.delete_entry(service_entry)
|
||||||
|
|
||||||
# Create a host entry for this master
|
# Create a host entry for this master
|
||||||
host_dn = DN(
|
host_dn = DN(
|
||||||
('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'),
|
('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'),
|
||||||
self.suffix)
|
self.suffix)
|
||||||
host_entry = self.admin_conn.make_entry(
|
host_entry = api.Backend.ldap2.make_entry(
|
||||||
host_dn,
|
host_dn,
|
||||||
objectclass=[
|
objectclass=[
|
||||||
'top', 'ipaobject', 'nshost', 'ipahost', 'ipaservice',
|
'top', 'ipaobject', 'nshost', 'ipahost', 'ipaservice',
|
||||||
@@ -108,7 +109,7 @@ class KrbInstance(service.Service):
|
|||||||
'krbpasswordexpiration']
|
'krbpasswordexpiration']
|
||||||
if 'krbticketflags' in service_entry:
|
if 'krbticketflags' in service_entry:
|
||||||
host_entry['krbticketflags'] = service_entry['krbticketflags']
|
host_entry['krbticketflags'] = service_entry['krbticketflags']
|
||||||
self.admin_conn.add_entry(host_entry)
|
api.Backend.ldap2.add_entry(host_entry)
|
||||||
|
|
||||||
# Add the host to the ipaserver host group
|
# Add the host to the ipaserver host group
|
||||||
ld = ldapupdate.LDAPUpdate(ldapi=True)
|
ld = ldapupdate.LDAPUpdate(ldapi=True)
|
||||||
@@ -359,9 +360,9 @@ class KrbInstance(service.Service):
|
|||||||
# Create the special anonymous principal
|
# Create the special anonymous principal
|
||||||
installutils.kadmin_addprinc(princ_realm)
|
installutils.kadmin_addprinc(princ_realm)
|
||||||
dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
|
dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
|
||||||
entry = self.admin_conn.get_entry(dn)
|
entry = api.Backend.ldap2.get_entry(dn)
|
||||||
entry['nsAccountlock'] = ['TRUE']
|
entry['nsAccountlock'] = ['TRUE']
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
|
|
||||||
def __convert_to_gssapi_replication(self):
|
def __convert_to_gssapi_replication(self):
|
||||||
repl = replication.ReplicationManager(self.realm,
|
repl = replication.ReplicationManager(self.realm,
|
||||||
|
|||||||
@@ -112,7 +112,7 @@ class ODSExporterInstance(service.Service):
|
|||||||
mod = [(ldap.MOD_ADD, 'member', dns_exporter_principal_dn)]
|
mod = [(ldap.MOD_ADD, 'member', dns_exporter_principal_dn)]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dns_group, mod)
|
api.Backend.ldap2.modify_s(dns_group, mod)
|
||||||
except ldap.TYPE_OR_VALUE_EXISTS:
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
||||||
pass
|
pass
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
@@ -127,7 +127,7 @@ class ODSExporterInstance(service.Service):
|
|||||||
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
||||||
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
||||||
try:
|
try:
|
||||||
self.admin_conn.modify_s(dns_exporter_principal_dn, mod)
|
api.Backend.ldap2.modify_s(dns_exporter_principal_dn, mod)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
root_logger.critical("Could not set principal's %s LDAP limits: %s"
|
root_logger.critical("Could not set principal's %s LDAP limits: %s"
|
||||||
% (dns_exporter_principal_dn, str(e)))
|
% (dns_exporter_principal_dn, str(e)))
|
||||||
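Review bot: The new `api.Backend.ldap2.modify_s(dns_group, mod)` call is guarded by `except ldap.TYPE_OR_VALUE_EXISTS`, a python-ldap exception, while every other call on `api.Backend.ldap2` in this commit expects `ipalib.errors` types (`errors.NotFound`, `errors.DuplicateEntry`, `errors.EmptyModlist`). If the ldap2 backend's `modify_s` translates python-ldap errors the way its entry methods evidently do, this handler never matches and a re-run of the installer would abort instead of being idempotent; worth checking against the backend and, if so, catching `errors.DuplicateEntry` or switching to `get_entry`/`update_entry`. The same question applies to the `modify_s` handlers in the dogtaginstance hunks (`ldap.TYPE_OR_VALUE_EXISTS` in `__add_admin_to_group` and `ldap.NO_SUCH_ATTRIBUTE` in its remove counterpart). The enclosing method starts outside the hunk.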
|
|||||||
@@ -82,7 +82,7 @@ class OpenDNSSECInstance(service.Service):
|
|||||||
suffix = ipautil.dn_attribute_property('_suffix')
|
suffix = ipautil.dn_attribute_property('_suffix')
|
||||||
|
|
||||||
def get_masters(self):
|
def get_masters(self):
|
||||||
return get_dnssec_key_masters(self.admin_conn)
|
return get_dnssec_key_masters(api.Backend.ldap2)
|
||||||
|
|
||||||
def create_instance(self, fqdn, realm_name, generate_master_key=True,
|
def create_instance(self, fqdn, realm_name, generate_master_key=True,
|
||||||
kasp_db_file=None):
|
kasp_db_file=None):
|
||||||
@@ -145,7 +145,7 @@ class OpenDNSSECInstance(service.Service):
|
|||||||
dn = DN(('cn', 'DNSSEC'), ('cn', self.fqdn), api.env.container_masters,
|
dn = DN(('cn', 'DNSSEC'), ('cn', self.fqdn), api.env.container_masters,
|
||||||
api.env.basedn)
|
api.env.basedn)
|
||||||
try:
|
try:
|
||||||
entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
|
entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])
|
||||||
except errors.NotFound as e:
|
except errors.NotFound as e:
|
||||||
root_logger.error(
|
root_logger.error(
|
||||||
"DNSSEC service entry not found in the LDAP (%s)", e)
|
"DNSSEC service entry not found in the LDAP (%s)", e)
|
||||||
@@ -153,7 +153,7 @@ class OpenDNSSECInstance(service.Service):
|
|||||||
config = entry.setdefault('ipaConfigString', [])
|
config = entry.setdefault('ipaConfigString', [])
|
||||||
if KEYMASTER not in config:
|
if KEYMASTER not in config:
|
||||||
config.append(KEYMASTER)
|
config.append(KEYMASTER)
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
|
|
||||||
def __setup_conf_files(self):
|
def __setup_conf_files(self):
|
||||||
if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE):
|
if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE):
|
||||||
|
|||||||
@@ -169,13 +169,6 @@ class Service(object):
|
|||||||
self.dm_password = None # silence pylint
|
self.dm_password = None # silence pylint
|
||||||
self.promote = False
|
self.promote = False
|
||||||
|
|
||||||
@property
|
|
||||||
def admin_conn(self):
|
|
||||||
"""
|
|
||||||
alias for api.Backend.ldap2
|
|
||||||
"""
|
|
||||||
return api.Backend.ldap2
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def principal(self):
|
def principal(self):
|
||||||
if any(attr is None for attr in (self.realm, self.fqdn,
|
if any(attr is None for attr in (self.realm, self.fqdn,
|
||||||
@@ -209,7 +202,7 @@ class Service(object):
|
|||||||
# As we always connect to the local host,
|
# As we always connect to the local host,
|
||||||
# use URI of admin connection
|
# use URI of admin connection
|
||||||
if not ldap_uri:
|
if not ldap_uri:
|
||||||
ldap_uri = self.admin_conn.ldap_uri
|
ldap_uri = api.Backend.ldap2.ldap_uri
|
||||||
|
|
||||||
args += ["-H", ldap_uri]
|
args += ["-H", ldap_uri]
|
||||||
|
|
||||||
@@ -246,21 +239,21 @@ class Service(object):
|
|||||||
|
|
||||||
dn = DN(('krbprincipalname', principal), ('cn', self.realm), ('cn', 'kerberos'), self.suffix)
|
dn = DN(('krbprincipalname', principal), ('cn', self.realm), ('cn', 'kerberos'), self.suffix)
|
||||||
try:
|
try:
|
||||||
entry = self.admin_conn.get_entry(dn)
|
entry = api.Backend.ldap2.get_entry(dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
# There is no service in the wrong location, nothing to do.
|
# There is no service in the wrong location, nothing to do.
|
||||||
# This can happen when installing a replica
|
# This can happen when installing a replica
|
||||||
return None
|
return None
|
||||||
newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
||||||
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
|
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
|
||||||
self.admin_conn.delete_entry(entry)
|
api.Backend.ldap2.delete_entry(entry)
|
||||||
entry.dn = newdn
|
entry.dn = newdn
|
||||||
classes = entry.get("objectclass")
|
classes = entry.get("objectclass")
|
||||||
classes = classes + ["ipaobject", "ipaservice", "pkiuser"]
|
classes = classes + ["ipaobject", "ipaservice", "pkiuser"]
|
||||||
entry["objectclass"] = list(set(classes))
|
entry["objectclass"] = list(set(classes))
|
||||||
entry["ipauniqueid"] = ['autogenerate']
|
entry["ipauniqueid"] = ['autogenerate']
|
||||||
entry["managedby"] = [hostdn]
|
entry["managedby"] = [hostdn]
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
return newdn
|
return newdn
|
||||||
|
|
||||||
def add_simple_service(self, principal):
|
def add_simple_service(self, principal):
|
||||||
@@ -271,7 +264,7 @@ class Service(object):
|
|||||||
"""
|
"""
|
||||||
dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
||||||
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
|
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
dn,
|
dn,
|
||||||
objectclass=[
|
objectclass=[
|
||||||
"krbprincipal", "krbprincipalaux", "krbticketpolicyaux",
|
"krbprincipal", "krbprincipalaux", "krbticketpolicyaux",
|
||||||
@@ -280,7 +273,7 @@ class Service(object):
|
|||||||
ipauniqueid=['autogenerate'],
|
ipauniqueid=['autogenerate'],
|
||||||
managedby=[hostdn],
|
managedby=[hostdn],
|
||||||
)
|
)
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
return dn
|
return dn
|
||||||
|
|
||||||
def add_cert_to_service(self):
|
def add_cert_to_service(self):
|
||||||
@@ -291,16 +284,16 @@ class Service(object):
|
|||||||
"""
|
"""
|
||||||
dn = DN(('krbprincipalname', self.principal), ('cn', 'services'),
|
dn = DN(('krbprincipalname', self.principal), ('cn', 'services'),
|
||||||
('cn', 'accounts'), self.suffix)
|
('cn', 'accounts'), self.suffix)
|
||||||
entry = self.admin_conn.get_entry(dn)
|
entry = api.Backend.ldap2.get_entry(dn)
|
||||||
entry.setdefault('userCertificate', []).append(self.dercert)
|
entry.setdefault('userCertificate', []).append(self.dercert)
|
||||||
try:
|
try:
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
|
root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
|
||||||
|
|
||||||
def import_ca_certs(self, db, ca_is_configured, conn=None):
|
def import_ca_certs(self, db, ca_is_configured, conn=None):
|
||||||
if conn is None:
|
if conn is None:
|
||||||
conn = self.admin_conn
|
conn = api.Backend.ldap2
|
||||||
|
|
||||||
try:
|
try:
|
||||||
ca_certs = certstore.get_ca_certs_nss(
|
ca_certs = certstore.get_ca_certs_nss(
|
||||||
@@ -453,7 +446,8 @@ class Service(object):
|
|||||||
|
|
||||||
# enable disabled service
|
# enable disabled service
|
||||||
try:
|
try:
|
||||||
entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
|
entry = api.Backend.ldap2.get_entry(
|
||||||
|
entry_name, ['ipaConfigString'])
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
@@ -465,7 +459,7 @@ class Service(object):
|
|||||||
entry.setdefault('ipaConfigString', []).append(u'enabledService')
|
entry.setdefault('ipaConfigString', []).append(u'enabledService')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
except errors.EmptyModlist:
|
except errors.EmptyModlist:
|
||||||
root_logger.debug("service %s startup entry already enabled", name)
|
root_logger.debug("service %s startup entry already enabled", name)
|
||||||
return
|
return
|
||||||
@@ -477,7 +471,7 @@ class Service(object):
|
|||||||
return
|
return
|
||||||
|
|
||||||
order = SERVICE_LIST[name][1]
|
order = SERVICE_LIST[name][1]
|
||||||
entry = self.admin_conn.make_entry(
|
entry = api.Backend.ldap2.make_entry(
|
||||||
entry_name,
|
entry_name,
|
||||||
objectclass=["nsContainer", "ipaConfigObject"],
|
objectclass=["nsContainer", "ipaConfigObject"],
|
||||||
cn=[name],
|
cn=[name],
|
||||||
@@ -486,7 +480,7 @@ class Service(object):
|
|||||||
)
|
)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.add_entry(entry)
|
api.Backend.ldap2.add_entry(entry)
|
||||||
except (errors.DuplicateEntry) as e:
|
except (errors.DuplicateEntry) as e:
|
||||||
root_logger.debug("failed to add service %s startup entry", name)
|
root_logger.debug("failed to add service %s startup entry", name)
|
||||||
raise e
|
raise e
|
||||||
@@ -497,13 +491,13 @@ class Service(object):
|
|||||||
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
|
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
|
||||||
('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
|
('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
|
||||||
search_kw = {'ipaConfigString': u'enabledService'}
|
search_kw = {'ipaConfigString': u'enabledService'}
|
||||||
filter = self.admin_conn.make_filter(search_kw)
|
filter = api.Backend.ldap2.make_filter(search_kw)
|
||||||
try:
|
try:
|
||||||
entries, _truncated = self.admin_conn.find_entries(
|
entries, _truncated = api.Backend.ldap2.find_entries(
|
||||||
filter=filter,
|
filter=filter,
|
||||||
attrs_list=['ipaConfigString'],
|
attrs_list=['ipaConfigString'],
|
||||||
base_dn=entry_dn,
|
base_dn=entry_dn,
|
||||||
scope=self.admin_conn.SCOPE_BASE)
|
scope=api.Backend.ldap2.SCOPE_BASE)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
root_logger.debug("service %s startup entry already disabled", name)
|
root_logger.debug("service %s startup entry already disabled", name)
|
||||||
return
|
return
|
||||||
@@ -518,7 +512,7 @@ class Service(object):
|
|||||||
break
|
break
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.admin_conn.update_entry(entry)
|
api.Backend.ldap2.update_entry(entry)
|
||||||
except errors.EmptyModlist:
|
except errors.EmptyModlist:
|
||||||
pass
|
pass
|
||||||
except:
|
except:
|
||||||
@@ -531,7 +525,7 @@ class Service(object):
|
|||||||
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
|
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
|
||||||
('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
|
('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
|
||||||
try:
|
try:
|
||||||
self.admin_conn.delete_entry(entry_dn)
|
api.Backend.ldap2.delete_entry(entry_dn)
|
||||||
except errors.NotFound:
|
except errors.NotFound:
|
||||||
root_logger.debug("service %s container already removed", name)
|
root_logger.debug("service %s container already removed", name)
|
||||||
else:
|
else:
|
||||||
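Review bot: The new line `filter = api.Backend.ldap2.make_filter(search_kw)` in the disable-service hunk shadows the builtin `filter`, and since the line is being rewritten anyway it is a good moment to rename it, e.g. `search_filter = api.Backend.ldap2.make_filter(search_kw)` with `filter=search_filter,` in the `find_entries` call. Separately, deleting the `admin_conn` property turns any remaining `service.admin_conn` reference in code this commit cannot see (out-of-tree installers or plugins) into an AttributeError at runtime; a short-lived deprecated alias that returns `api.Backend.ldap2` would keep them working for one release. The enclosing methods of all the service.py hunks start outside the hunks.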
|
|||||||