IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-27 00:26:33 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add password request for admin user

Browse Source 
Set password for admin user using the Directory Mangaer account
and the mozldapldappaswd binary to get and SSL connection
Fix some timeout problems with deploying keytabs
Fix ipa_pwd_extop to actuallt correctly detect an SSL connection
Do not ask for the user to use for the directory unless 'dirsrv' is
 an existing user which may clash, create it silently
This commit is contained in:
Simo Sorce 2007-08-31 18:40:01 -04:00
parent 7a0629ea55
commit abeda55e34
4 changed files with 93 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
ipa-server/ipa-install/ipa-server-install
View File

@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa")
import socket import socket
import logging import logging
import pwd
from optparse import OptionParser from optparse import OptionParser
import ipaserver.dsinstance import ipaserver.dsinstance
import ipaserver.krbinstance import ipaserver.krbinstance
@ -42,10 +43,12 @@ def parse_options():
help="ds user") help="ds user")
parser.add_option("-r", "--realm", dest="realm_name", parser.add_option("-r", "--realm", dest="realm_name",
help="realm name") help="realm name")
parser.add_option("-p", "--ds-password", dest="ds_password", parser.add_option("-p", "--ds-password", dest="dm_password",
help="admin password") help="admin password")
parser.add_option("-P", "--master-password", dest="master_password", parser.add_option("-P", "--master-password", dest="master_password",
help="kerberos master password") help="kerberos master password")
parser.add_option("-a", "--admin-password", dest="admin_password",
help="admin user kerberos password")
parser.add_option("-d", "--debug", dest="debug", action="store_true", parser.add_option("-d", "--debug", dest="debug", action="store_true",
dest="debug", default=False, help="print debugging information") dest="debug", default=False, help="print debugging information")
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
@ -56,7 +59,8 @@ def parse_options():
if options.unattended and (not options.ds_user or if options.unattended and (not options.ds_user or
not options.realm_name or not options.realm_name or
not options.ds_password or not options.dm_password or
not options.admin_password or
not options.master_password): not options.master_password):
parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options") parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options")
@ -95,7 +99,8 @@ def main():
realm_name = "" realm_name = ""
host_name = "" host_name = ""
master_password = "" master_password = ""
ds_password = "" dm_password = ""
admin_password = ""
# check the hostname is correctly configured, it must be as the kldap # check the hostname is correctly configured, it must be as the kldap
# utilities just use the hostname as returned by gethostbyname to set # utilities just use the hostname as returned by gethostbyname to set
@ -137,13 +142,25 @@ def main():
print "" print ""
if not options.ds_user: if not options.ds_user:
print "To securely run Directory Server we need a user account to be set up."
print "This will allow DS to run as a user and not as root." try:
print "The user account will have access to some security material so it should not be shared with any other application." pwd.getpwnam('dirsrv')
print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure."
print "" print "To securely run Directory Server we need a user account to be set up."
ds_user = raw_input("Which account name do you want to use for the DS instance ? ") print "This will allow DS to run as a user and not as root."
print "" print "The user account will have access to some security material so it should not be shared with any other application."
print "A user account named 'dirsrv' already exist. You should not share the account with any other service."
print ""
yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)")
print ""
if yesno.lower() == "y":
ds_user = "dirsrv"
else:
ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
print ""
except KeyError:
ds_user = "dirsrv"
if ds_user == "": if ds_user == "":
return "-Aborted-" return "-Aborted-"
else: else:
@ -177,14 +194,15 @@ def main():
else: else:
realm_name = options.realm_name realm_name = options.realm_name
if not options.ds_password: if not options.dm_password:
print "The Directory Manager user is the equivalent of 'root' for Diretcory Server." print "The Directory Manager user is the equivalent of 'root' for Diretcory Server."
print "This account has full access to the Directory and is used for system management tasks."
print "" print ""
#TODO: provide the option of generating a random password #TODO: provide the option of generating a random password
ds_password = raw_input("Please provide a password for the Directory Manager: ") dm_password = raw_input("Please provide a password for the Directory Manager: ")
print "" print ""
else: else:
ds_password = options.ds_password dm_password = options.dm_password
if not options.master_password: if not options.master_password:
print "The Kerberos database is usually encrypted using a master password." print "The Kerberos database is usually encrypted using a master password."
@ -199,13 +217,23 @@ def main():
else: else:
master_password = options.master_password master_password = options.master_password
if not options.admin_password:
print "The 'admin' user is the administrative user used to administare an IPA server."
print "This account is the one that will be used for normal administration and is also a regular unix user"
print ""
#TODO: provide the option of generating a random password
admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ")
print ""
else:
admin_password = options.admin_password
# Create a directory server instance # Create a directory server instance
ds = ipaserver.dsinstance.DsInstance() ds = ipaserver.dsinstance.DsInstance()
ds.create_instance(ds_user, realm_name, host_name, ds_password) ds.create_instance(ds_user, realm_name, host_name, dm_password)
# Create a kerberos instance # Create a kerberos instance
krb = ipaserver.krbinstance.KrbInstance() krb = ipaserver.krbinstance.KrbInstance()
krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password) krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)
# Restart ds after the krb instance has changed ds configurations # Restart ds after the krb instance has changed ds configurations
ds.restart() ds.restart()
@ -228,6 +256,9 @@ def main():
# Start Kpasswd # Start Kpasswd
run(["/sbin/service", "ipa-kpasswd", "start"]) run(["/sbin/service", "ipa-kpasswd", "start"])
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
# Create the config file # Create the config file
fd = open("/etc/ipa/ipa.conf", "w") fd = open("/etc/ipa/ipa.conf", "w")
fd.write("[defaults]\n") fd.write("[defaults]\n")

2
ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -926,7 +926,7 @@ ipapwd_extop( Slapi_PBlock *pb )
goto free_and_return; goto free_and_return;
} }
if ( (is_ssl <=1) && (sasl_ssf <= 1) ) { if ( (is_ssl == 0) && (sasl_ssf <= 1) ) {
errMesg = "Operation requires a secure connection.\n"; errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED; rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto free_and_return; goto free_and_return;

27
ipa-server/ipaserver/dsinstance.py
View File

@ -72,16 +72,18 @@ class DsInstance:
def __init__(self): def __init__(self):
self.serverid = None self.serverid = None
self.realm_name = None self.realm_name = None
self.suffix = None
self.host_name = None self.host_name = None
self.admin_password = None self.dm_password = None
self.sub_dict = None self.sub_dict = None
def create_instance(self, ds_user, realm_name, host_name, admin_password): def create_instance(self, ds_user, realm_name, host_name, dm_password):
self.ds_user = ds_user self.ds_user = ds_user
self.serverid = generate_serverid() self.serverid = generate_serverid()
self.realm_name = realm_name.upper() self.realm_name = realm_name.upper()
self.suffix = realm_to_suffix(self.realm_name)
self.host_name = host_name self.host_name = host_name
self.admin_password = admin_password self.dm_password = dm_password
self.__setup_sub_dict() self.__setup_sub_dict()
self.__create_ds_user() self.__create_ds_user()
@ -111,10 +113,9 @@ class DsInstance:
run(["/sbin/service", "dirsrv", "restart"]) run(["/sbin/service", "dirsrv", "restart"])
def __setup_sub_dict(self): def __setup_sub_dict(self):
suffix = realm_to_suffix(self.realm_name)
server_root = find_server_root() server_root = find_server_root()
self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
PASSWORD=self.admin_password, SUFFIX=suffix, PASSWORD=self.dm_password, SUFFIX=self.suffix,
REALM=self.realm_name, USER=self.ds_user, REALM=self.realm_name, USER=self.ds_user,
SERVER_ROOT=server_root) SERVER_ROOT=server_root)
@ -155,7 +156,7 @@ class DsInstance:
def __enable_ssl(self): def __enable_ssl(self):
logging.debug("configuring ssl for ds instance") logging.debug("configuring ssl for ds instance")
dirname = self.config_dirname() dirname = self.config_dirname()
args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, args = ["/usr/sbin/ipa-server-setupssl", self.dm_password,
dirname, self.host_name] dirname, self.host_name]
run(args) run(args)
logging.debug("done configuring ssl for ds instance") logging.debug("done configuring ssl for ds instance")
@ -165,7 +166,7 @@ class DsInstance:
inf_fd = write_tmp_file(txt) inf_fd = write_tmp_file(txt)
logging.debug("adding default ds layout") logging.debug("adding default ds layout")
args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
"-w", self.admin_password, "-f", inf_fd.name] "-w", self.dm_password, "-f", inf_fd.name]
run(args) run(args)
logging.debug("done adding default ds layout") logging.debug("done adding default ds layout")
@ -184,5 +185,15 @@ class DsInstance:
certmap_fd = open(dirname+"certmap.conf", "w+") certmap_fd = open(dirname+"certmap.conf", "w+")
certmap_fd.write(certmap_conf) certmap_fd.write(certmap_conf)
certmap_fd.close() certmap_fd.close()
logging.debug("done configuring certmap.conf for ds instance") logging.debug("done configuring certmap.conf for ds instance")
def change_admin_password(self, password):
logging.debug("Changing admin password")
dirname = self.config_dirname()
args = ["/usr/lib/mozldap/ldappasswd",
"-D", "cn=Directory Manager", "-w", self.dm_password,
"-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
"uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
run(args)
logging.debug("ldappasswd done")

29
ipa-server/ipaserver/krbinstance.py
View File

@ -109,7 +109,7 @@ class KrbInstance:
for x in self.kdc_password: for x in self.kdc_password:
hexpwd += (hex(ord(x))[2:]) hexpwd += (hex(ord(x))[2:])
pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
pwd_fd.close() pwd_fd.close()
def __setup_sub_dict(self): def __setup_sub_dict(self):
@ -147,7 +147,7 @@ class KrbInstance:
krb5_fd.close() krb5_fd.close()
#populate the directory with the realm structure #populate the directory with the realm structure
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
run(args) run(args)
#add the password extop module #add the password extop module
@ -178,6 +178,15 @@ class KrbInstance:
kread.close() kread.close()
kerr.close() kerr.close()
# give kadmin time to actually write the file before we go on
retry = 0
while not file_exists("/etc/dirsrv/ds.keytab"):
time.sleep(1)
retry += 1
if retry > 15:
print "Error timed out waiting for kadmin to finish operations\n"
os.exit()
cfg_fd = open("/etc/sysconfig/dirsrv", "a") cfg_fd = open("/etc/sysconfig/dirsrv", "a")
cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n") cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n")
cfg_fd.close() cfg_fd.close()
@ -199,6 +208,15 @@ class KrbInstance:
kread.close() kread.close()
kerr.close() kerr.close()
# give kadmin time to actually write the file before we go on
retry = 0
while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
time.sleep(1)
retry += 1
if retry > 15:
print "Error timed out waiting for kadmin to finish operations\n"
os.exit()
cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a")
cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n")
cfg_fd.close() cfg_fd.close()
@ -215,8 +233,15 @@ class KrbInstance:
kread.close() kread.close()
kerr.close() kerr.close()
# give kadmin time to actually write the file before we go on
retry = 0
while not file_exists("/etc/httpd/conf/ipa.keytab"): while not file_exists("/etc/httpd/conf/ipa.keytab"):
time.sleep(1) time.sleep(1)
retry += 1
if retry > 15:
print "Error timed out waiting for kadmin to finish operations\n"
os.exit()
pent = pwd.getpwnam("apache") pent = pwd.getpwnam("apache")
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)