IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Debian: Add fixes for OpenDNSSEC 2.0

Browse Source 
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Christian Heimes 2019-04-17 14:14:26 +02:00
parent da2cf1c513
commit 750e658dba
4 changed files with 33 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ipaplatform/base/paths.py
View File

@ -185,6 +185,8 @@ class BasePathNamespace:
NSUPDATE = "/usr/bin/nsupdate" NSUPDATE = "/usr/bin/nsupdate"
ODS_KSMUTIL = "/usr/bin/ods-ksmutil" ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
ODS_SIGNER = "/usr/sbin/ods-signer" ODS_SIGNER = "/usr/sbin/ods-signer"
ODS_ENFORCER = None
ODS_ENFORCER_SETUP = None
OPENSSL = "/usr/bin/openssl" OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util" PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"

3
ipaplatform/debian/paths.py
View File

@ -65,6 +65,9 @@ class DebianPathNamespace(BasePathNamespace):
OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem" OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
SBIN_SERVICE = "/usr/sbin/service" SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
ODS_KSMUTIL = None
ODS_ENFORCER = "/usr/sbin/ods-enforcer"
ODS_ENFORCER_SETUP = "/usr/sbin/ods-enforcer-db-setup"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates" UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/" BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/" BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"

9
ipaserver/dnssec/odsmgr.py
View File

@ -11,6 +11,7 @@ except ImportError:
from xml.etree import ElementTree as etree from xml.etree import ElementTree as etree
from ipapython import ipa_log_manager, ipautil from ipapython import ipa_log_manager, ipautil
from ipaplatform.paths import paths
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -130,11 +131,15 @@ class ODSMgr:
self.zl_ldap = LDAPZoneListReader() self.zl_ldap = LDAPZoneListReader()
def ksmutil(self, params): def ksmutil(self, params):
"""Call ods-ksmutil with given parameters and return stdout. """Call ods-ksmutil / ods-enforcer with parameters and return stdout.
Raises CalledProcessError if returncode != 0. Raises CalledProcessError if returncode != 0.
""" """
cmd = ['ods-ksmutil'] + params if paths.ODS_ENFORCER is not None:
cmd = [paths.ODS_ENFORCER]
else:
cmd = [paths.ODS_KSMUTIL]
cmd.extend(params)
result = ipautil.run(cmd, capture_output=True) result = ipautil.run(cmd, capture_output=True)
return result.output return result.output

36
ipaserver/install/opendnssecinstance.py
View File

@ -200,6 +200,11 @@ class OpenDNSSECInstance(service.Service):
if not self.fstore.has_file(paths.SYSCONFIG_ODS): if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS) self.fstore.backup_file(paths.SYSCONFIG_ODS)
if not os.path.isfile(paths.SYSCONFIG_ODS):
# create file, it's not shipped on Debian
with open(paths.SYSCONFIG_ODS, 'a') as f:
os.fchmod(f.fileno(), 0o644)
directivesetter.set_directive(paths.SYSCONFIG_ODS, directivesetter.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF', 'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF, paths.DNSSEC_SOFTHSM2_CONF,
@ -274,6 +279,11 @@ class OpenDNSSECInstance(service.Service):
if not self.fstore.has_file(paths.OPENDNSSEC_KASP_DB): if not self.fstore.has_file(paths.OPENDNSSEC_KASP_DB):
self.fstore.backup_file(paths.OPENDNSSEC_KASP_DB) self.fstore.backup_file(paths.OPENDNSSEC_KASP_DB)
if paths.ODS_ENFORCER is not None:
ods_cmd = paths.ODS_ENFORCER
else:
ods_cmd = paths.ODS_KSMUTIL
if self.kasp_db_file: if self.kasp_db_file:
# copy user specified kasp.db to proper location and set proper # copy user specified kasp.db to proper location and set proper
# privileges # privileges
@ -282,24 +292,20 @@ class OpenDNSSECInstance(service.Service):
os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660) os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
# regenerate zonelist.xml # regenerate zonelist.xml
cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export'] cmd = [ods_cmd, 'zonelist', 'export']
result = ipautil.run(cmd, result = ipautil.run(
runas=constants.ODS_USER, cmd, runas=constants.ODS_USER, capture_output=True
capture_output=True) )
with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf: if paths.ODS_ENFORCER is not None:
zonelistf.write(result.output) with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as f:
os.chown(paths.OPENDNSSEC_ZONELIST_FILE, f.write(result.output)
self.ods_uid, self.ods_gid) os.fchown(f.fileno(), self.ods_uid, self.ods_gid)
os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0o660) os.fchmod(f.fileno(), 0o660)
else: else:
# initialize new kasp.db # initialize new kasp.db
command = [ cmd = [ods_cmd, 'setup']
paths.ODS_KSMUTIL, ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
'setup'
]
ipautil.run(command, stdin="y", runas=constants.ODS_USER)
def __setup_dnskeysyncd(self): def __setup_dnskeysyncd(self):
# set up dnskeysyncd this is DNSSEC master # set up dnskeysyncd this is DNSSEC master