mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
Update for new python library layout.
This commit is contained in:
parent
899daaf048
commit
b8a0512998
@ -1,16 +1,5 @@
|
||||
SUBDIRS=ipa-install
|
||||
|
||||
# Version number - this is for the entire server. After
|
||||
# updating this you should run the version-update
|
||||
# target.
|
||||
MAJOR=0
|
||||
MINOR=1
|
||||
RELEASE=0
|
||||
VERSION=$(MAJOR).$(MINOR).$(RELEASE)
|
||||
|
||||
TARBALL_PREFIX=freeipa-server-$(VERSION)
|
||||
TARBALL=$(TARBALL_PREFIX).tgz
|
||||
|
||||
all:
|
||||
@for subdir in $(SUBDIRS); do \
|
||||
(cd $$subdir && $(MAKE) $@) || exit 1; \
|
||||
@ -25,16 +14,3 @@ clean:
|
||||
@for subdir in $(SUBDIRS); do \
|
||||
(cd $$subdir && $(MAKE) $@) || exit 1; \
|
||||
done
|
||||
|
||||
version-update:
|
||||
sed s/VERSION/$(VERSION)/ freeipa-server.spec.in > freeipa-server.spec
|
||||
|
||||
tarball:
|
||||
-mkdir dist
|
||||
hg archive -p $(TARBALL_PREFIX) -t tgz dist/$(TARBALL)
|
||||
|
||||
dist: version-update tarball
|
||||
cp dist/$(TARBALL) ~/rpmbuild/SOURCES/.
|
||||
rpmbuild -ba freeipa-server.spec
|
||||
cp ~/rpmbuild/RPMS/noarch/freeipa-server-$(VERSION)-*.rpm dist/.
|
||||
cp ~/rpmbuild/SRPMS/freeipa-server-$(VERSION)-*.src.rpm dist/.
|
||||
|
@ -1,12 +1,12 @@
|
||||
PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib(1)")
|
||||
PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
|
||||
PYTHONLIBDIR ?= /usr/share/ipa/python
|
||||
PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipainstall
|
||||
SBINDIR = $(DESTDIR)/usr/sbin
|
||||
|
||||
all: ;
|
||||
|
||||
install:
|
||||
-mkdir -p $(PACKAGEDIR)
|
||||
install -m 644 ipa/*.py $(PACKAGEDIR)
|
||||
install -m 644 ipainstall/*.py $(PACKAGEDIR)
|
||||
install -m 755 ipa-server-install $(SBINDIR)
|
||||
install -m 755 ipa-server-setupssl $(SBINDIR)
|
||||
|
||||
|
@ -26,6 +26,9 @@
|
||||
|
||||
VERSION = "%prog .1"
|
||||
|
||||
import sys
|
||||
sys.path.append("/usr/share/ipa")
|
||||
|
||||
import socket
|
||||
import logging
|
||||
from optparse import OptionParser
|
||||
|
117
ipa-server/ipa-install/src/ipa-server-install~
Normal file
117
ipa-server/ipa-install/src/ipa-server-install~
Normal file
@ -0,0 +1,117 @@
|
||||
#! /usr/bin/python -E
|
||||
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
||||
#
|
||||
# Copyright (C) 2007 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation; version 2 only
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
#
|
||||
|
||||
|
||||
# requires the following packages:
|
||||
# fedora-ds-base
|
||||
# openldap-clients
|
||||
# nss-tools
|
||||
|
||||
VERSION = "%prog .1"
|
||||
|
||||
import socket
|
||||
import logging
|
||||
from optparse import OptionParser
|
||||
import ipa.dsinstance
|
||||
import ipa.krbinstance
|
||||
|
||||
def parse_options():
|
||||
parser = OptionParser(version=VERSION)
|
||||
parser.add_option("-u", "--user", dest="ds_user",
|
||||
help="ds user")
|
||||
parser.add_option("-r", "--realm", dest="realm_name",
|
||||
help="realm name")
|
||||
parser.add_option("-p", "--password", dest="password",
|
||||
help="admin password")
|
||||
parser.add_option("-m", "--master-password", dest="master_password",
|
||||
help="kerberos master password")
|
||||
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
||||
dest="debug", default=False, help="print debugging information")
|
||||
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
|
||||
|
||||
options, args = parser.parse_args()
|
||||
|
||||
if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
|
||||
parser.error("error: all options are required")
|
||||
|
||||
return options
|
||||
|
||||
def logging_setup(options):
|
||||
# Always log everything (i.e., DEBUG) to the log
|
||||
# file.
|
||||
logging.basicConfig(level=logging.DEBUG,
|
||||
format='%(asctime)s %(levelname)s %(message)s',
|
||||
filename='ipa-install.log',
|
||||
filemode='w')
|
||||
|
||||
console = logging.StreamHandler()
|
||||
# If the debug option is set, also log debug messages to the console
|
||||
if options.debug:
|
||||
console.setLevel(logging.DEBUG)
|
||||
else:
|
||||
# Otherwise, log critical and error messages
|
||||
console.setLevel(logging.ERROR)
|
||||
formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
|
||||
console.setFormatter(formatter)
|
||||
logging.getLogger('').addHandler(console)
|
||||
|
||||
def main():
|
||||
options = parse_options()
|
||||
logging_setup(options)
|
||||
|
||||
# check the hostname is correctly configured, it must be as the kldap
|
||||
# utilities just use the hostname as returned by gethostbyname to set
|
||||
# up some of the standard entries
|
||||
|
||||
if options.host_name:
|
||||
host_name = options.host_name
|
||||
else:
|
||||
host_name = socket.gethostname()
|
||||
if len(host_name.split(".")) < 2:
|
||||
print "Invalid hostname <"+host_name+">"
|
||||
print "Check the /etc/hosts file and make sure to have a valid FQDN"
|
||||
return "-Fatal Error-"
|
||||
|
||||
if socket.gethostbyname(host_name) == "127.0.0.1":
|
||||
print "The hostname resolves to the localhost address (127.0.0.1)"
|
||||
print "Please change your /etc/hosts file or your DNS so that the"
|
||||
print "hostname resolves to the ip address of your network interface."
|
||||
print "The KDC service does not listen on 127.0.0.1"
|
||||
return "-Fatal Error-"
|
||||
|
||||
print "The Final KDC Host Name will be: " + host_name
|
||||
|
||||
|
||||
# Create a directory server instance
|
||||
ds = ipa.dsinstance.DsInstance()
|
||||
ds.create_instance(options.ds_user, options.realm_name, host_name,
|
||||
options.password)
|
||||
|
||||
# Create a kerberos instance
|
||||
krb = ipa.krbinstance.KrbInstance()
|
||||
krb.create_instance(options.ds_user, options.realm_name, host_name,
|
||||
options.password, options.master_password)
|
||||
|
||||
#restart ds after the krb instance have add the sasl map
|
||||
ds.restart()
|
||||
|
||||
return 0
|
||||
|
||||
main()
|
0
ipa-server/ipa-install/src/ipa/#krbinstance.py#
Normal file
0
ipa-server/ipa-install/src/ipa/#krbinstance.py#
Normal file
0
ipa-server/ipa-install/src/ipa/dsinstance.py~
Normal file
0
ipa-server/ipa-install/src/ipa/dsinstance.py~
Normal file
0
ipa-server/ipa-install/src/ipa/krbinstance.py.orig
Normal file
0
ipa-server/ipa-install/src/ipa/krbinstance.py.orig
Normal file
177
ipa-server/ipa-install/src/ipa/krbinstance.py~
Normal file
177
ipa-server/ipa-install/src/ipa/krbinstance.py~
Normal file
@ -0,0 +1,177 @@
|
||||
#! /usr/bin/python -E
|
||||
# Authors: Simo Sorce <ssorce@redhat.com>
|
||||
#
|
||||
# Copyright (C) 2007 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation; version 2 or later
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
#
|
||||
|
||||
import subprocess
|
||||
import string
|
||||
import tempfile
|
||||
import shutil
|
||||
import logging
|
||||
from random import Random
|
||||
from time import gmtime
|
||||
import os
|
||||
import pwd
|
||||
import socket
|
||||
from util import *
|
||||
|
||||
def host_to_domain(fqdn):
|
||||
s = fqdn.split(".")
|
||||
return ".".join(s[1:])
|
||||
|
||||
def generate_kdc_password():
|
||||
rndpwd = ''
|
||||
r = Random()
|
||||
r.seed(gmtime())
|
||||
for x in range(12):
|
||||
# rndpwd += chr(r.randint(32,126))
|
||||
rndpwd += chr(r.randint(65,90)) #stricter set for testing
|
||||
return rndpwd
|
||||
|
||||
def ldap_mod(fd, dn, pwd):
|
||||
args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
|
||||
run(args)
|
||||
|
||||
class KrbInstance:
|
||||
def __init__(self):
|
||||
self.ds_user = None
|
||||
self.fqdn = None
|
||||
self.realm = None
|
||||
self.domain = None
|
||||
self.host = None
|
||||
self.admin_password = None
|
||||
self.master_password = None
|
||||
self.suffix = None
|
||||
self.kdc_password = None
|
||||
self.sub_dict = None
|
||||
|
||||
def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
|
||||
self.ds_user = ds_user
|
||||
self.fqdn = host_name
|
||||
self.ip = socket.gethostbyname(host_name)
|
||||
self.realm = realm_name.upper()
|
||||
self.host = host_name.split(".")[0]
|
||||
self.domain = host_to_domain(host_name)
|
||||
self.admin_password = admin_password
|
||||
self.master_password = master_password
|
||||
|
||||
self.suffix = realm_to_suffix(self.realm)
|
||||
self.kdc_password = generate_kdc_password()
|
||||
self.__configure_kdc_account_password()
|
||||
|
||||
self.__setup_sub_dict()
|
||||
|
||||
self.__configure_ldap()
|
||||
|
||||
self.__create_instance()
|
||||
|
||||
self.__create_ds_keytab()
|
||||
|
||||
self.__create_sample_bind_zone()
|
||||
|
||||
self.start()
|
||||
|
||||
def stop(self):
|
||||
run(["/sbin/service", "krb5kdc", "stop"])
|
||||
|
||||
def start(self):
|
||||
run(["/sbin/service", "krb5kdc", "start"])
|
||||
|
||||
def restart(self):
|
||||
run(["/sbin/service", "krb5kdc", "restart"])
|
||||
|
||||
def __configure_kdc_account_password(self):
|
||||
hexpwd = ''
|
||||
for x in self.kdc_password:
|
||||
hexpwd += (hex(ord(x))[2:])
|
||||
pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
|
||||
pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
|
||||
pwd_fd.close()
|
||||
|
||||
def __setup_sub_dict(self):
|
||||
self.sub_dict = dict(FQDN=self.fqdn,
|
||||
IP=self.ip,
|
||||
PASSWORD=self.kdc_password,
|
||||
SUFFIX=self.suffix,
|
||||
DOMAIN=self.domain,
|
||||
HOST=self.host,
|
||||
REALM=self.realm)
|
||||
|
||||
def __configure_ldap(self):
|
||||
|
||||
#TODO: test that the ldif is ok with any random charcter we may use in the password
|
||||
kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
|
||||
kerberos_fd = write_tmp_file(kerberos_txt)
|
||||
ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
|
||||
kerberos_fd.close()
|
||||
|
||||
#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
|
||||
aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
|
||||
aci_fd = write_tmp_file(aci_txt)
|
||||
ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
|
||||
aci_fd.close()
|
||||
|
||||
def __create_instance(self):
|
||||
kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
|
||||
kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
|
||||
kdc_fd.write(kdc_conf)
|
||||
kdc_fd.close()
|
||||
|
||||
krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
|
||||
krb5_fd = open("/etc/krb5.conf", "w+")
|
||||
krb5_fd.write(krb5_conf)
|
||||
krb5_fd.close()
|
||||
|
||||
#populate the directory with the realm structure
|
||||
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
|
||||
run(args)
|
||||
|
||||
# TODO: NOT called yet, need to find out how to make sure the plugin is available first
|
||||
def __add_pwd_extop_module(self):
|
||||
#add the password extop module
|
||||
extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
|
||||
extop_fd = write_tmp_file(extop_txt)
|
||||
ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
|
||||
extop_fd.close()
|
||||
|
||||
#add an ACL to let the DS user read the master key
|
||||
args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
|
||||
run(args)
|
||||
|
||||
def __create_sample_bind_zone(self):
|
||||
bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
|
||||
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
|
||||
os.write(bind_fd, bind_txt)
|
||||
os.close(bind_fd)
|
||||
print "Sample zone file for bind has been created in "+bind_name
|
||||
|
||||
def __create_ds_keytab(self):
|
||||
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
|
||||
kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
|
||||
kwrite.flush()
|
||||
kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
|
||||
kwrite.flush()
|
||||
kwrite.close()
|
||||
kread.close()
|
||||
kerr.close()
|
||||
|
||||
cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
|
||||
cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
|
||||
cfg_fd.close()
|
||||
pent = pwd.getpwnam(self.ds_user)
|
||||
os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
|
58
ipa-server/ipa-install/src/ipa/util.py
Normal file
58
ipa-server/ipa-install/src/ipa/util.py
Normal file
@ -0,0 +1,58 @@
|
||||
#! /usr/bin/python -E
|
||||
# Authors: Simo Sorce <ssorce@redhat.com>
|
||||
#
|
||||
# Copyright (C) 2007 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation; version 2 or later
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
#
|
||||
|
||||
SHARE_DIR = "/usr/share/ipa/"
|
||||
|
||||
import string
|
||||
import tempfile
|
||||
import logging
|
||||
import subprocess
|
||||
|
||||
def realm_to_suffix(realm_name):
|
||||
s = realm_name.split(".")
|
||||
terms = ["dc=" + x.lower() for x in s]
|
||||
return ",".join(terms)
|
||||
|
||||
|
||||
def template_str(txt, vars):
|
||||
return string.Template(txt).substitute(vars)
|
||||
|
||||
def template_file(infilename, vars):
|
||||
txt = open(infilename).read()
|
||||
return template_str(txt, vars)
|
||||
|
||||
def write_tmp_file(txt):
|
||||
fd = tempfile.NamedTemporaryFile()
|
||||
fd.write(txt)
|
||||
fd.flush()
|
||||
|
||||
return fd
|
||||
|
||||
def run(args, stdin=None):
|
||||
p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
if stdin:
|
||||
stdout,stderr = p.communicate(stdin)
|
||||
else:
|
||||
stdout,stderr = p.communicate()
|
||||
logging.info(stdout)
|
||||
logging.info(stderr)
|
||||
|
||||
if p.returncode != 0:
|
||||
raise subprocess.CalledProcessError(p.returncode, args[0])
|
0
ipa-server/ipa-install/src/ipa/util.py~
Normal file
0
ipa-server/ipa-install/src/ipa/util.py~
Normal file
Loading…
Reference in New Issue
Block a user