Manage to create a spcific DS user for the ldap instance

Add uncalled code to load and configure the password extop plugin

ipa-install/src/ipa-server-install

@@ -33,6 +33,8 @@ import ipa.krbinstance
 
 def parse_options():
     parser = OptionParser(version=VERSION)
+    parser.add_option("-u", "--user", dest="ds_user",
+                      help="ds user")
     parser.add_option("-r", "--realm", dest="realm_name",
                       help="realm name")
     parser.add_option("-a", "--host-address", dest="host_name",
@@ -56,10 +58,10 @@ def main():
                         filemode='w')
     options = parse_options()
     ds = ipa.dsinstance.DsInstance()
-    ds.create_instance(options.realm_name, options.host_name, options.password)
+    ds.create_instance(options.ds_user, options.realm_name, options.host_name, options.password)
 
     krb = ipa.krbinstance.KrbInstance()
-    krb.create_instance(options.realm_name, options.host_name, options.password, options.master_password)
+    krb.create_instance(options.ds_user, options.realm_name, options.host_name, options.password, options.master_password)
     #restart ds after the krb instance have add the sasl map
     ds.restart()
 

ipa-install/src/ipa/dsinstance.py

@@ -23,6 +23,7 @@ import string
 import tempfile
 import shutil
 import logging
+import pwd
 
 SHARE_DIR = "/usr/share/ipa/"
 
@@ -73,7 +74,7 @@ def run(args, stdin=None):
 INF_TEMPLATE = """
 [General]
 FullMachineName=   $FQHN
-SuiteSpotUserID=   nobody
+SuiteSpotUserID=   $USER
 ServerRoot=    /usr/lib/fedora-ds-base
 [slapd]
 ServerPort=   389
@@ -91,13 +92,15 @@ class DsInstance:
         self.admin_password = None
         self.sub_dict = None
 
-    def create_instance(self, realm_name, host_name, admin_password):
+    def create_instance(self, ds_user, realm_name, host_name, admin_password):
+        self.ds_user = ds_user
         self.serverid = generate_serverid()
         self.realm_name = realm_name.upper()
         self.host_name = host_name
         self.admin_password = admin_password
         self.__setup_sub_dict()
 
+        self.__create_ds_user()
         self.__create_instance()
         self.__add_default_schemas()
         self.__enable_ssl()
@@ -125,7 +128,14 @@ class DsInstance:
         suffix = realm_to_suffix(self.realm_name)
         self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
                              PASSWORD=self.admin_password, SUFFIX=suffix,
-                             REALM=self.realm_name)
+                             REALM=self.realm_name, USER=self.ds_user)
+
+    def __create_ds_user(self):
+	try:
+            pwd.getpwnam(self.ds_user)
+	except KeyError:
+            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/fedora-ds", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
+            run(args)
 
     def __create_instance(self):
         inf_txt = template_str(INF_TEMPLATE, self.sub_dict)
@@ -151,7 +161,3 @@ class DsInstance:
         args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
                 "-w", self.admin_password, "-f", inf_fd.name]
         run(args)
-
-        
-        
-

ipa-install/src/ipa/krbinstance.py

@@ -74,6 +74,7 @@ def run(args, stdin=None):
     
 class KrbInstance:
     def __init__(self):
+        self.ds_user = None
         self.realm_name = None
         self.host_name = None
         self.admin_password = None
@@ -82,7 +83,8 @@ class KrbInstance:
         self.kdc_password = None
         self.sub_dict = None
 
-    def create_instance(self, realm_name, host_name, admin_password, master_password):
+    def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
+        self.ds_user = ds_user
         self.realm_name = realm_name.upper()
         self.host_name = host_name
         self.admin_password = admin_password
@@ -153,3 +155,15 @@ class KrbInstance:
         #populate the directory with the realm structure
         args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
         run(args)
+
+    # TODO: NOT called yet, need to find out how to make sure the plugin is available first
+    def __add_pwd_extop_module(self):
+	#add the password extop module
+	extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
+	extop_fd = write_tmp_file(extop_txt)
+	ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+	extop_fd.close()
+
+	#add an ACL to let the DS user read the master key
+	args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm_name]
+	run(args)