Update for new python library layout.

This commit is contained in:
Karl MacMillan 0001-01-01 00:00:00 +00:00
parent 899daaf048
commit b8a0512998
12 changed files with 358 additions and 27 deletions

View File

@ -1,16 +1,5 @@
SUBDIRS=ipa-install
# Version number - this is for the entire server. After
# updating this you should run the version-update
# target.
MAJOR=0
MINOR=1
RELEASE=0
VERSION=$(MAJOR).$(MINOR).$(RELEASE)
TARBALL_PREFIX=freeipa-server-$(VERSION)
TARBALL=$(TARBALL_PREFIX).tgz
all:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
@ -25,16 +14,3 @@ clean:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
done
version-update:
sed s/VERSION/$(VERSION)/ freeipa-server.spec.in > freeipa-server.spec
tarball:
-mkdir dist
hg archive -p $(TARBALL_PREFIX) -t tgz dist/$(TARBALL)
dist: version-update tarball
cp dist/$(TARBALL) ~/rpmbuild/SOURCES/.
rpmbuild -ba freeipa-server.spec
cp ~/rpmbuild/RPMS/noarch/freeipa-server-$(VERSION)-*.rpm dist/.
cp ~/rpmbuild/SRPMS/freeipa-server-$(VERSION)-*.src.rpm dist/.

View File

@ -1,12 +1,12 @@
PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib(1)")
PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
PYTHONLIBDIR ?= /usr/share/ipa/python
PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipainstall
SBINDIR = $(DESTDIR)/usr/sbin
all: ;
install:
-mkdir -p $(PACKAGEDIR)
install -m 644 ipa/*.py $(PACKAGEDIR)
install -m 644 ipainstall/*.py $(PACKAGEDIR)
install -m 755 ipa-server-install $(SBINDIR)
install -m 755 ipa-server-setupssl $(SBINDIR)

View File

@ -26,6 +26,9 @@
VERSION = "%prog .1"
import sys
sys.path.append("/usr/share/ipa")
import socket
import logging
from optparse import OptionParser

View File

@ -0,0 +1,117 @@
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# requires the following packages:
# fedora-ds-base
# openldap-clients
# nss-tools
VERSION = "%prog .1"
import socket
import logging
from optparse import OptionParser
import ipa.dsinstance
import ipa.krbinstance
def parse_options():
parser = OptionParser(version=VERSION)
parser.add_option("-u", "--user", dest="ds_user",
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
parser.add_option("-p", "--password", dest="password",
help="admin password")
parser.add_option("-m", "--master-password", dest="master_password",
help="kerberos master password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
dest="debug", default=False, help="print debugging information")
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
options, args = parser.parse_args()
if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
parser.error("error: all options are required")
return options
def logging_setup(options):
# Always log everything (i.e., DEBUG) to the log
# file.
logging.basicConfig(level=logging.DEBUG,
format='%(asctime)s %(levelname)s %(message)s',
filename='ipa-install.log',
filemode='w')
console = logging.StreamHandler()
# If the debug option is set, also log debug messages to the console
if options.debug:
console.setLevel(logging.DEBUG)
else:
# Otherwise, log critical and error messages
console.setLevel(logging.ERROR)
formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
console.setFormatter(formatter)
logging.getLogger('').addHandler(console)
def main():
options = parse_options()
logging_setup(options)
# check the hostname is correctly configured, it must be as the kldap
# utilities just use the hostname as returned by gethostbyname to set
# up some of the standard entries
if options.host_name:
host_name = options.host_name
else:
host_name = socket.gethostname()
if len(host_name.split(".")) < 2:
print "Invalid hostname <"+host_name+">"
print "Check the /etc/hosts file and make sure to have a valid FQDN"
return "-Fatal Error-"
if socket.gethostbyname(host_name) == "127.0.0.1":
print "The hostname resolves to the localhost address (127.0.0.1)"
print "Please change your /etc/hosts file or your DNS so that the"
print "hostname resolves to the ip address of your network interface."
print "The KDC service does not listen on 127.0.0.1"
return "-Fatal Error-"
print "The Final KDC Host Name will be: " + host_name
# Create a directory server instance
ds = ipa.dsinstance.DsInstance()
ds.create_instance(options.ds_user, options.realm_name, host_name,
options.password)
# Create a kerberos instance
krb = ipa.krbinstance.KrbInstance()
krb.create_instance(options.ds_user, options.realm_name, host_name,
options.password, options.master_password)
#restart ds after the krb instance have add the sasl map
ds.restart()
return 0
main()

View File

@ -0,0 +1,177 @@
#! /usr/bin/python -E
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 or later
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import subprocess
import string
import tempfile
import shutil
import logging
from random import Random
from time import gmtime
import os
import pwd
import socket
from util import *
def host_to_domain(fqdn):
s = fqdn.split(".")
return ".".join(s[1:])
def generate_kdc_password():
rndpwd = ''
r = Random()
r.seed(gmtime())
for x in range(12):
# rndpwd += chr(r.randint(32,126))
rndpwd += chr(r.randint(65,90)) #stricter set for testing
return rndpwd
def ldap_mod(fd, dn, pwd):
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
run(args)
class KrbInstance:
def __init__(self):
self.ds_user = None
self.fqdn = None
self.realm = None
self.domain = None
self.host = None
self.admin_password = None
self.master_password = None
self.suffix = None
self.kdc_password = None
self.sub_dict = None
def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
self.ds_user = ds_user
self.fqdn = host_name
self.ip = socket.gethostbyname(host_name)
self.realm = realm_name.upper()
self.host = host_name.split(".")[0]
self.domain = host_to_domain(host_name)
self.admin_password = admin_password
self.master_password = master_password
self.suffix = realm_to_suffix(self.realm)
self.kdc_password = generate_kdc_password()
self.__configure_kdc_account_password()
self.__setup_sub_dict()
self.__configure_ldap()
self.__create_instance()
self.__create_ds_keytab()
self.__create_sample_bind_zone()
self.start()
def stop(self):
run(["/sbin/service", "krb5kdc", "stop"])
def start(self):
run(["/sbin/service", "krb5kdc", "start"])
def restart(self):
run(["/sbin/service", "krb5kdc", "restart"])
def __configure_kdc_account_password(self):
hexpwd = ''
for x in self.kdc_password:
hexpwd += (hex(ord(x))[2:])
pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
pwd_fd.close()
def __setup_sub_dict(self):
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip,
PASSWORD=self.kdc_password,
SUFFIX=self.suffix,
DOMAIN=self.domain,
HOST=self.host,
REALM=self.realm)
def __configure_ldap(self):
#TODO: test that the ldif is ok with any random charcter we may use in the password
kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
kerberos_fd = write_tmp_file(kerberos_txt)
ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
kerberos_fd.close()
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
aci_fd = write_tmp_file(aci_txt)
ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
aci_fd.close()
def __create_instance(self):
kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
kdc_fd.write(kdc_conf)
kdc_fd.close()
krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
krb5_fd = open("/etc/krb5.conf", "w+")
krb5_fd.write(krb5_conf)
krb5_fd.close()
#populate the directory with the realm structure
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
run(args)
# TODO: NOT called yet, need to find out how to make sure the plugin is available first
def __add_pwd_extop_module(self):
#add the password extop module
extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
extop_fd = write_tmp_file(extop_txt)
ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
extop_fd.close()
#add an ACL to let the DS user read the master key
args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
run(args)
def __create_sample_bind_zone(self):
bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
os.write(bind_fd, bind_txt)
os.close(bind_fd)
print "Sample zone file for bind has been created in "+bind_name
def __create_ds_keytab(self):
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
kwrite.flush()
kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
kwrite.flush()
kwrite.close()
kread.close()
kerr.close()
cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
cfg_fd.close()
pent = pwd.getpwnam(self.ds_user)
os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)

View File

@ -0,0 +1,58 @@
#! /usr/bin/python -E
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 or later
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
SHARE_DIR = "/usr/share/ipa/"
import string
import tempfile
import logging
import subprocess
def realm_to_suffix(realm_name):
s = realm_name.split(".")
terms = ["dc=" + x.lower() for x in s]
return ",".join(terms)
def template_str(txt, vars):
return string.Template(txt).substitute(vars)
def template_file(infilename, vars):
txt = open(infilename).read()
return template_str(txt, vars)
def write_tmp_file(txt):
fd = tempfile.NamedTemporaryFile()
fd.write(txt)
fd.flush()
return fd
def run(args, stdin=None):
p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if stdin:
stdout,stderr = p.communicate(stdin)
else:
stdout,stderr = p.communicate()
logging.info(stdout)
logging.info(stderr)
if p.returncode != 0:
raise subprocess.CalledProcessError(p.returncode, args[0])

View File