Enable ipa_memcached when upgrading

Add support for autobind to services. This is a bit of a special case so I currently require the caller to specify ldapi separately. It only makes sense to do this only in upgrade cases. Also uninstall ipa_memcached when uninstalling the server. https://fedorahosted.org/freeipa/ticket/2399
2025-01-27 16:46:42 -06:00 · 2012-02-15 16:55:59 -05:00 · 2012-02-15 16:55:59 -05:00 · b9bc99e43a
commit b9bc99e43a
parent 0c6e047128
4 changed files with 41 additions and 9 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -464,6 +464,7 @@ def uninstall():
    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
    dsinstance.DsInstance(fstore=fstore).uninstall()
+    memcacheinstance.MemcacheInstance().uninstall()
    fstore.restore_all_files()
    try:
        os.remove(ANSWER_CACHE)
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -29,12 +29,15 @@ try:
    from ipaserver.install import installutils
    from ipaserver.install import dsinstance
    from ipaserver.install import httpinstance
+    from ipaserver.install import memcacheinstance
    from ipaserver.install import service
+    import ldap
    import krbV
    import re
    import os
    import shutil
    import fileinput
+    import ipalib.errors
 except ImportError:
    print >> sys.stderr, """\
 There was a problem importing one of the required Python modules. The
@ -254,6 +257,15 @@ def main():
    http = httpinstance.HTTPInstance()
    http.remove_httpd_ccache()

+    memcache = memcacheinstance.MemcacheInstance()
+    memcache.ldapi = True
+    memcache.realm = krbctx.default_realm
+    try:
+        if not memcache.is_configured():
+            memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(krbctx.default_realm))
+    except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry):
+        pass
+
 try:
    if __name__ == "__main__":
        sys.exit(main())
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@ -36,7 +36,7 @@ from ipapython import ipautil, dnsclient, sysrestore
 from ipapython.ipa_log_manager import *

 # Used to determine install status
-IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named']
+IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']

 class BadHostError(Exception):
    pass
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -20,6 +20,7 @@
 import sys
 import os, socket
 import tempfile
+import pwd
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
@ -51,12 +52,13 @@ def print_msg(message, output_fd=sys.stdout):


 class Service(object):
-    def __init__(self, service_name, sstore=None, dm_password=None):
+    def __init__(self, service_name, sstore=None, dm_password=None, ldapi=False):
        self.service_name = service_name
        self.service = ipaservices.service(service_name)
        self.steps = []
        self.output_fd = sys.stdout
        self.dm_password = dm_password
+        self.ldapi = ldapi

        self.fqdn = socket.gethostname()
        self.admin_conn = None
@ -72,7 +74,12 @@ class Service(object):
        self.dercert = None

    def ldap_connect(self):
-        self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
+        if self.ldapi:
+            if not self.realm:
+                raise RuntimeError('realm must be set to use ldapi connection')
+            self.admin_conn = self.__get_conn(None, None, ldapi=True, realm=self.realm)
+        else:
+            self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)

    def ldap_disconnect(self):
        self.admin_conn.unbind()
@ -258,14 +265,25 @@ class Service(object):

        self.steps = []

-    def __get_conn(self, fqdn, dm_password):
+    def __get_conn(self, fqdn, dm_password, ldapi=False, realm=None):
        # If we are passed a password we'll use it as the DM password
        # otherwise we'll do a GSSAPI bind.
        try:
 #            conn = ipaldap.IPAdmin(fqdn, port=636, cacert=CACERT)
-            conn = ipaldap.IPAdmin(fqdn, port=389)
+            if ldapi:
+                conn = ipaldap.IPAdmin(ldapi=ldapi, realm=realm)
+            else:
+                conn = ipaldap.IPAdmin(fqdn, port=389)
            if dm_password:
                conn.do_simple_bind(bindpw=dm_password)
+            elif os.getegid() == 0 and self.ldapi:
+                try:
+                    # autobind
+                    pw_name = pwd.getpwuid(os.geteuid()).pw_name
+                    conn.do_external_bind(pw_name)
+                except errors.NotFound:
+                    # Fall back
+                    conn.do_sasl_gssapi_bind()
            else:
                conn.do_sasl_gssapi_bind()
        except Exception, e:
@ -276,7 +294,8 @@ class Service(object):

    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix):
        self.disable()
-        conn = self.__get_conn(fqdn, dm_password)
+        if not self.admin_conn:
+            self.ldap_connect()

        entry_name = "cn=%s,cn=%s,%s,%s" % (name, fqdn,
                                            "cn=masters,cn=ipa,cn=etc",
@ -290,9 +309,9 @@ class Service(object):
                        "enabledService", "startOrder " + str(order))

        try:
-            conn.addEntry(entry)
-        except ldap.ALREADY_EXISTS, e:
-            root_logger.critical("failed to add %s Service startup entry" % name)
+            self.admin_conn.addEntry(entry)
+        except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
+            root_logger.debug("failed to add %s Service startup entry" % name)
            raise e

 class SimpleServiceInstance(Service):