IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Remove Custodia server keys from LDAP

Browse Source 
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015

Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Christian Heimes 2016-08-08 16:06:08 +02:00 committed by Martin Basti
parent 775c37bb81
commit c346a2d1d1
2 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ipalib/constants.py
View File

@ -124,6 +124,7 @@ DEFAULT_CONFIG = (
('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))),
('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))),
('container_dnsservers', DN(('cn', 'servers'), ('cn', 'dns'))), ('container_dnsservers', DN(('cn', 'servers'), ('cn', 'dns'))),
('container_custodia', DN(('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'))),
# Ports, hosts, and URIs: # Ports, hosts, and URIs:
('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'),

29
ipaserver/plugins/server.py
View File

@ -609,6 +609,32 @@ class server_del(LDAPDelete):
message=_("Failed to remove server %(master)s from server " message=_("Failed to remove server %(master)s from server "
"list: %(err)s") % dict(master=master, err=e))) "list: %(err)s") % dict(master=master, err=e)))
def _remove_server_custodia_keys(self, ldap, master):
"""
Delete all Custodia encryption and signing keys
"""
conn = self.Backend.ldap2
env = self.api.env
# search for memberPrincipal=*/fqdn@realm
member_filter = ldap.make_filter_from_attr(
'memberPrincipal', "/{}@{}".format(master, env.realm),
exact=False, leading_wildcard=True, trailing_wildcard=False)
custodia_subtree = DN(env.container_custodia, env.basedn)
try:
entries = conn.get_entries(custodia_subtree,
ldap.SCOPE_SUBTREE,
filter=member_filter)
for entry in entries:
conn.delete_entry(entry)
except errors.NotFound:
pass
except Exception as e:
self.add_message(
messages.ServerRemovalWarning(
message=_(
"Failed to clean up Custodia keys for "
"%(master)s: %(err)s") % dict(master=master, err=e)))
def _remove_server_host_services(self, ldap, master): def _remove_server_host_services(self, ldap, master):
""" """
delete server kerberos key and all its svc principals delete server kerberos key and all its svc principals
@ -682,6 +708,9 @@ class server_del(LDAPDelete):
# remove the references to master's ldap/http principals # remove the references to master's ldap/http principals
self._remove_server_principal_references(pkey) self._remove_server_principal_references(pkey)
# remove Custodia encryption and signing keys
self._remove_server_custodia_keys(ldap, pkey)
# finally destroy all Kerberos principals # finally destroy all Kerberos principals
self._remove_server_host_services(ldap, pkey) self._remove_server_host_services(ldap, pkey)