IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 08:51:50 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use a common group for all DS instances

Browse Source 
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.

Fixes: https://fedorahosted.org/freeipa/ticket/851
This commit is contained in:
Simo Sorce 2011-01-28 15:45:19 -05:00
parent a629f3f4c7
commit cc9abf5d38
6 changed files with 141 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
install/tools/ipa-replica-install
View File

@ -22,6 +22,7 @@ import sys
import socket
import tempfile, os, pwd, traceback, logging, shutil
import grp
from ConfigParser import SafeConfigParser
from ipapython import ipautil
@ -33,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
CACERT="/etc/ipa/ca.crt"
@ -45,7 +47,6 @@ class ReplicaConfig:
self.domain_name = ""
self.master_host_name = ""
self.dirman_password = ""
self.ds_user = ""
self.host_name = ""
self.dir = ""
self.subject_base = ""
@ -116,7 +117,6 @@ def read_info(dir, rconfig):
rconfig.realm_name = config.get("realm", "realm_name")
rconfig.master_host_name = config.get("realm", "master_host_name")
rconfig.ds_user = config.get("realm", "ds_user")
rconfig.domain_name = config.get("realm", "domain_name")
rconfig.host_name = config.get("realm", "destination_host")
rconfig.subject_base = config.get("realm", "subject_base")
@ -145,7 +145,7 @@ def resolve_host(host_name):
return None
def set_owner(config, dir):
pw = pwd.getpwnam(config.ds_user)
pw = pwd.getpwnam(dsinstance.DS_USER)
os.chown(dir, pw.pw_uid, pw.pw_gid)
def install_ca(config):
@ -168,9 +168,13 @@ def install_ca(config):
sys.exit(1)
cs = cainstance.CADSInstance()
cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password)
cs.create_instance(config.realm_name, config.host_name,
config.domain_name, config.dirman_password)
ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base)
ca.configure_instance(config.host_name, config.dirman_password,
config.dirman_password, pkcs12_info=(cafile,),
master_host=config.master_host_name,
subject_base=config.subject_base)
return ca
@ -187,7 +191,7 @@ def install_replica_ds(config):
config.dir + "/dirsrv_pin.txt")
ds = dsinstance.DsInstance()
ds.create_replica(config.ds_user, config.realm_name,
ds.create_replica(config.realm_name,
config.master_host_name, config.host_name,
config.domain_name, config.dirman_password,
pkcs12_info)
@ -205,7 +209,7 @@ def install_krb(config, setup_pkinit=False):
pkcs12_info = (config.dir + "/pkinitcert.p12",
config.dir + "/pkinit_pin.txt")
krb.create_replica(config.ds_user, config.realm_name,
krb.create_replica(config.realm_name,
config.master_host_name, config.host_name,
config.domain_name, config.dirman_password,
ldappwd_filename, kpasswd_filename,
@ -339,6 +343,9 @@ def main():
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
global sstore
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
# check the bind is installed
if options.setup_dns:
check_bind()
@ -393,6 +400,21 @@ def main():
api.bootstrap(in_server=True)
api.finalize()
# Create DS group if it doesn't exist yet
try:
grp.getgrnam(dsinstance.DS_GROUP)
logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
group_exists = True
except KeyError:
group_exists = False
args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
try:
ipautil.run(args)
logging.debug("done adding DS group")
except ipautil.CalledProcessError, e:
logging.critical("failed to add DS group: %s" % e)
sstore.backup_state("install", "group_exists", group_exists)
#Automatically disable pkinit w/ dogtag until that is supported
#[certs.ipa_self_signed() must be called only after api.finalize()]
if not ipautil.file_exists(config.dir + "/pkinitcert.p12") and not certs.ipa_self_signed():

17
install/tools/ipa-replica-prepare
View File

@ -183,19 +183,13 @@ def export_ra_pkcs12(dir, dm_password):
finally:
os.remove(agent_name)
def get_ds_user(ds_dir):
uid = os.stat(ds_dir).st_uid
user = pwd.getpwuid(uid)[0]
return user
def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host,
def save_config(dir, realm_name, host_name,
domain_name, dest_host,
subject_base):
config = SafeConfigParser()
config.add_section("realm")
config.set("realm", "realm_name", realm_name)
config.set("realm", "master_host_name", host_name)
config.set("realm", "ds_user", ds_user)
config.set("realm", "domain_name", domain_name)
config.set("realm", "destination_host", dest_host)
config.set("realm", "subject_base", subject_base)
@ -213,8 +207,8 @@ def copy_files(realm_name, dir):
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
try:
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
@ -281,7 +275,6 @@ def main():
print "You can't create a replica on itself"
sys.exit(1)
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
ds_user = get_ds_user(ds_dir)
# get the directory manager password
dirman_password = options.password
@ -404,7 +397,7 @@ def main():
print "Copying additional files"
copy_files(api.env.realm, dir)
print "Finalizing configuration"
save_config(dir, api.env.realm, api.env.host, ds_user, api.env.domain, replica_fqdn, subject_base)
save_config(dir, api.env.realm, api.env.host, api.env.domain, replica_fqdn, subject_base)
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
encfile = replicafile+".gpg"

102
install/tools/ipa-server-install
View File

@ -31,7 +31,7 @@ import os
import socket
import errno
import logging
import pwd
import grp
import subprocess
import signal
import shutil
@ -58,8 +58,6 @@ from ipapython.ipautil import *
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
DEF_DS_USER = 'dirsrv'
pw_name = None
uninstalling = False
@ -68,8 +66,6 @@ def parse_options():
# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
namespace = random.randint(1, 10000) * 200000
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-u", "--user", dest="ds_user",
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
parser.add_option("-n", "--domain", dest="domain_name",
@ -151,12 +147,10 @@ def parse_options():
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
if options.uninstall:
if (options.ds_user or options.realm_name or
if (options.realm_name or
options.admin_password or options.master_password):
parser.error("In uninstall mode, -u, r and -P options are not allowed")
parser.error("In uninstall mode, -a, -r and -P options are not allowed")
elif options.unattended:
if not options.ds_user:
options.ds_user = DEF_DS_USER
if (not options.realm_name or
not options.dm_password or not options.admin_password):
parser.error("In unattended mode you need to provide at least -r, -p and -a options")
@ -306,32 +300,6 @@ def resolve_host(host_name):
print "Unable to lookup the IP address of the provided host"
return ip
def read_ds_user():
print "The server must run as a specific user in a specific group."
print "It is strongly recommended that this user should have no privileges"
print "on the computer (i.e. a non-root user). The set up procedure"
print "will give this user/group some permissions in specific paths/files"
print "to perform server-specific operations."
print ""
ds_user = ""
try:
pwd.getpwnam(DEF_DS_USER)
print "A user account named %s already exists." % DEF_DS_USER
print "This is the user id that the Directory Server will run as."
print ""
if user_input("Do you want to use the existing %s account?" % DEF_DS_USER, True):
ds_user = DEF_DS_USER
else:
print ""
ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False)
print ""
except KeyError:
ds_user = DEF_DS_USER
return ds_user
def read_domain_name(domain_name, unattended):
print "The domain name has been calculated based on the host name."
print ""
@ -447,6 +415,18 @@ def uninstall():
os.remove("/etc/httpd/conf.d/ipa.conf")
except:
pass
group_exists = sstore.restore_state("install", "group_exists")
if group_exists == False:
try:
grp.getgrnam(dsinstance.DS_GROUP)
try:
ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete group %s" % e)
except KeyError:
logging.info("Group %s already removed", dsinstance.DS_GROUP)
return 0
@ -492,6 +472,8 @@ def main():
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
global sstore
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
@ -544,7 +526,6 @@ def main():
if not options.external_ca:
check_dirsrv(options.unattended)
ds_user = ""
realm_name = ""
host_name = ""
domain_name = ""
@ -629,14 +610,6 @@ def main():
print "Domain name: " + domain_name
print ""
if not options.ds_user:
ds_user = read_ds_user()
if ds_user == "":
sys.exit(1)
logging.debug("read ds_user: %s\n" % ds_user)
else:
ds_user = options.ds_user
if not options.realm_name:
realm_name = read_realm_name(domain_name, options.unattended)
logging.debug("read realm_name: %s\n" % realm_name)
@ -695,6 +668,21 @@ def main():
print "Please wait until the prompt is returned."
print ""
# Create DS group if it doesn't exist yet
try:
grp.getgrnam(dsinstance.DS_GROUP)
logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
group_exists = True
except KeyError:
group_exists = False
args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
try:
ipautil.run(args)
logging.debug("done adding DS group")
except ipautil.CalledProcessError, e:
logging.critical("failed to add DS group: %s" % e)
sstore.backup_state("install", "group_exists", group_exists)
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance(fstore)
@ -730,21 +718,26 @@ def main():
if options.external_cert_file is None:
cs = cainstance.CADSInstance()
cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
cs.create_instance(realm_name, host_name, domain_name, dm_password)
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
if external == 0:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=options.subject)
elif external == 1:
options.realm_name = realm_name
options.domain_name = domain_name
options.ds_user = ds_user
options.master_password = master_password
options.host_name = host_default
options.unattended = True
write_cache(options)
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, csr_file="/root/ipa.csr", subject_base=options.subject)
ca.configure_instance(host_name, dm_password, dm_password,
csr_file="/root/ipa.csr",
subject_base=options.subject)
else:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, cert_file=options.external_cert_file, cert_chain_file=options.external_ca_file, subject_base=options.subject)
ca.configure_instance(host_name, dm_password, dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
subject_base=options.subject)
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert("/etc/ipa/ca.crt")
@ -762,11 +755,14 @@ def main():
if options.dirsrv_pkcs12:
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
try:
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow)
ds.create_instance(realm_name, host_name, domain_name,
dm_password, pkcs12_info,
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
finally:
os.remove(pw_name)
else:
ds.create_instance(ds_user, realm_name, host_name, domain_name,
ds.create_instance(realm_name, host_name, domain_name,
dm_password, self_signed_ca=options.selfsign,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject,
@ -786,13 +782,13 @@ def main():
krb = krbinstance.KrbInstance(fstore)
if options.pkinit_pkcs12:
pkcs12_info = (options.pkinit_pkcs12, pw_name)
krb.create_instance(ds_user, realm_name, host_name, domain_name,
krb.create_instance(realm_name, host_name, domain_name,
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
pkcs12_info=pkcs12_info,
subject_base=options.subject)
else:
krb.create_instance(ds_user, realm_name, host_name, domain_name,
krb.create_instance(realm_name, host_name, domain_name,
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
self_signed_ca=options.selfsign,

62
ipaserver/install/cainstance.py
View File

@ -53,6 +53,9 @@ from ipalib import util
DEFAULT_DSPORT=7389
PKI_USER = "pkiuser"
PKI_DS_USER = "pkisrv"
# These values come from /usr/share/pki/ca/setup/postinstall
PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
@ -219,7 +222,6 @@ class CADSInstance(service.Service):
self.serverid = None
self.host_name = None
self.pkcs12_info = None
self.ds_user = None
self.ds_port = None
self.master_host = None
if realm_name:
@ -228,8 +230,8 @@ class CADSInstance(service.Service):
else:
self.suffix = None
def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT):
self.ds_user = ds_user
def create_instance(self, realm_name, host_name, domain_name,
dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT):
self.ds_port = ds_port
self.realm_name = realm_name.upper()
self.serverid = "PKI-IPA"
@ -250,26 +252,29 @@ class CADSInstance(service.Service):
server_root = dsinstance.find_server_root()
self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(),
REALM=self.realm_name, USER=self.ds_user,
REALM=self.realm_name, USER=PKI_DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
TIME=int(time.time()), DSPORT=self.ds_port)
def __create_ds_user(self):
user_exists = True
try:
pwd.getpwnam(self.ds_user)
logging.debug("ds user %s exists" % self.ds_user)
pwd.getpwnam(PKI_DS_USER)
logging.debug("ds user %s exists" % PKI_DS_USER)
except KeyError:
user_exists = False
logging.debug("adding ds user %s" % self.ds_user)
args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
logging.debug("adding ds user %s" % PKI_DS_USER)
args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
"-c", "PKI DS System User",
"-d", "/var/lib/dirsrv",
"-s", "/sbin/nologin",
"-M", "-r", PKI_DS_USER]
try:
ipautil.run(args)
logging.debug("done adding user")
except ipautil.CalledProcessError, e:
logging.critical("failed to add user %s" % e)
self.backup_state("user", self.ds_user)
self.backup_state("user_exists", user_exists)
def __create_instance(self):
@ -328,17 +333,15 @@ class CADSInstance(service.Service):
dsinstance.erase_ds_instance_data(serverid)
self.service_name="pkids"
ds_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
if not ds_user is None and not user_exists is None and not user_exists:
if user_exists == False:
try:
ipautil.run(["/usr/sbin/userdel", ds_user])
ipautil.run(["/usr/sbin/userdel", PKI_DS_USER])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete user %s" % e)
self.service_name = sav_name
class CAInstance(service.Service):
"""
In the self-signed case the CA exists in the NSS_DB database.
@ -360,7 +363,6 @@ class CAInstance(service.Service):
def __init__(self, realm, ra_db):
service.Service.__init__(self, "pki-cad")
self.realm = realm
self.pki_user = "pkiuser"
self.dm_password = None
self.admin_password = None
self.host_name = None
@ -389,7 +391,7 @@ class CAInstance(service.Service):
def __del__(self):
shutil.rmtree(self.ca_agent_db, ignore_errors=True)
def configure_instance(self, pki_user, host_name, dm_password,
def configure_instance(self, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
@ -404,7 +406,6 @@ class CAInstance(service.Service):
chain and actually proceed to create the CA. For step 1 set
csr_file. For step 2 set cert_file and cert_chain_file.
"""
self.pki_user = pki_user
self.host_name = host_name
self.dm_password = dm_password
self.admin_password = admin_password
@ -484,19 +485,21 @@ class CAInstance(service.Service):
def __create_ca_user(self):
user_exists = True
try:
pwd.getpwnam(self.pki_user)
logging.debug("ca user %s exists" % self.pki_user)
pwd.getpwnam(PKI_USER)
logging.debug("ca user %s exists" % PKI_USER)
except KeyError:
user_exists = False
logging.debug("adding ca user %s" % self.pki_user)
args = ["/usr/sbin/useradd", "-c", "CA System User", "-d", "/var/lib", "-M", "-r", "-s", "/sbin/nologin", self.pki_user]
logging.debug("adding ca user %s" % PKI_USER)
args = ["/usr/sbin/useradd", "-c", "CA System User",
"-d", "/var/lib",
"-s", "/sbin/nologin",
"-M", "-r", PKI_USER]
try:
ipautil.run(args)
logging.debug("done adding user")
except ipautil.CalledProcessError, e:
logging.critical("failed to add user %s" % e)
self.backup_state("user", self.pki_user)
self.backup_state("user_exists", user_exists)
def __configure_instance(self):
@ -558,7 +561,7 @@ class CAInstance(service.Service):
# The install wizard expects the file to be here.
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
pent = pwd.getpwnam(self.pki_user)
pent = pwd.getpwnam(PKI_USER)
os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
args.append("-clone")
args.append("true")
@ -615,7 +618,7 @@ class CAInstance(service.Service):
# Turn off Nonces (again)
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
raise RuntimeError("Disabling nonces failed")
pent = pwd.getpwnam(self.pki_user)
pent = pwd.getpwnam(PKI_USER)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
@ -934,8 +937,8 @@ class CAInstance(service.Service):
publishdir='/var/lib/pki-ca/publish'
os.mkdir(publishdir)
os.chmod(publishdir, 0755)
pent = pwd.getpwnam(self.pki_user)
os.chown(publishdir, pent.pw_uid, pent.pw_gid )
pent = pwd.getpwnam(PKI_USER)
os.chown(publishdir, pent.pw_uid, pent.pw_gid)
# Enable file publishing, disable LDAP
installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
@ -994,11 +997,10 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
logging.critical("failed to uninstall CA instance %s" % e)
pki_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
if not pki_user is None and not user_exists is None and not user_exists:
if user_exists == False:
try:
ipautil.run(["/usr/sbin/userdel", pki_user])
ipautil.run(["/usr/sbin/userdel", PKI_USER])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete user %s" % e)
@ -1013,6 +1015,6 @@ class CAInstance(service.Service):
if __name__ == "__main__":
installutils.standard_logging_setup("install.log", False)
cs = CADSInstance()
cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password")
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
ca.configure_instance("catest.example.com", "password", "password")

43
ipaserver/install/dsinstance.py
View File

@ -21,7 +21,6 @@
import shutil
import logging
import pwd
import grp
import glob
import sys
import os
@ -48,6 +47,9 @@ SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
CACERT="/etc/ipa/ca.crt"
DS_USER = 'dirsrv'
DS_GROUP = 'dirsrv'
def find_server_root():
if ipautil.dir_exists(SERVER_ROOT_64):
return SERVER_ROOT_64
@ -176,7 +178,6 @@ class DsInstance(service.Service):
self.serverid = None
self.fqdn = None
self.pkcs12_info = None
self.ds_user = None
self.dercert = None
self.idstart = None
self.idmax = None
@ -223,11 +224,10 @@ class DsInstance(service.Service):
self.step("configuring directory to start on boot", self.__enable)
def create_instance(self, ds_user, realm_name, fqdn, domain_name,
def create_instance(self, realm_name, fqdn, domain_name,
dm_password, pkcs12_info=None, self_signed_ca=False,
idstart=1100, idmax=999999, subject_base=None,
hbac_allow=True):
self.ds_user = ds_user
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = util.realm_to_suffix(self.realm_name)
@ -256,9 +256,8 @@ class DsInstance(service.Service):
self.start_creation("Configuring directory server", 60)
def create_replica(self, ds_user, realm_name, master_fqdn, fqdn,
def create_replica(self, realm_name, master_fqdn, fqdn,
domain_name, dm_password, pkcs12_info=None):
self.ds_user = ds_user
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = util.realm_to_suffix(self.realm_name)
@ -309,7 +308,7 @@ class DsInstance(service.Service):
self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
PASSWORD=self.dm_password,
SUFFIX=self.suffix.lower(),
REALM=self.realm_name, USER=self.ds_user,
REALM=self.realm_name, USER=DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
TIME=int(time.time()), IDSTART=self.idstart,
IDMAX=self.idmax, HOST=self.fqdn,
@ -319,27 +318,22 @@ class DsInstance(service.Service):
def __create_ds_user(self):
user_exists = True
try:
pwd.getpwnam(self.ds_user)
logging.debug("ds user %s exists" % self.ds_user)
pwd.getpwnam(DS_USER)
logging.debug("ds user %s exists" % DS_USER)
except KeyError:
user_exists = False
logging.debug("adding ds user %s" % self.ds_user)
args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
try:
# if the group already exists we need to request to add it,
# otherwise useradd will create it for us
grp.getgrnam(self.ds_user)
args.append("-g")
args.append(self.ds_user)
except KeyError:
pass
logging.debug("adding ds user %s" % DS_USER)
args = ["/usr/sbin/useradd", "-g", DS_GROUP,
"-c", "DS System User",
"-d", "/var/lib/dirsrv",
"-s", "/sbin/nologin",
"-M", "-r", DS_USER]
try:
ipautil.run(args)
logging.debug("done adding user")
except ipautil.CalledProcessError, e:
logging.critical("failed to add user %s" % e)
self.backup_state("user", self.ds_user)
self.backup_state("user_exists", user_exists)
def __create_instance(self):
@ -617,12 +611,11 @@ class DsInstance(service.Service):
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
ds_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
if not ds_user is None and not user_exists is None and not user_exists:
if user_exists == False:
try:
ipautil.run(["/usr/sbin/userdel", ds_user])
ipautil.run(["/usr/sbin/userdel", DS_USER])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete user %s" % e)
@ -686,7 +679,7 @@ class DsInstance(service.Service):
fd.close()
for line in lines:
sline = line.strip()
if not sline.startswith(self.ds_user):
if not sline.startswith(DS_USER):
continue
if sline.find('nofile') == -1:
continue
@ -711,7 +704,7 @@ class DsInstance(service.Service):
if need_sysconf and need_limits:
self.fstore.backup_file("/etc/security/limits.conf")
fd = open("/etc/security/limits.conf", "a+")
fd.write('%s\t\t-\tnofile\t\t%s\n' % (self.ds_user, str(num)))
fd.write('%s\t\t-\tnofile\t\t%s\n' % (DS_USER, str(num)))
fd.close()
fd = open("/etc/sysconfig/dirsrv", "a+")

18
ipaserver/install/krbinstance.py
View File

@ -35,7 +35,7 @@ from ipalib import errors
from ipaserver import ipaldap
from ipaserver.install import replication
from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install import dsinstance
import ldap
from ldap import LDAPError
@ -78,7 +78,6 @@ class KpasswdInstance(service.SimpleServiceInstance):
class KrbInstance(service.Service):
def __init__(self, fstore=None):
service.Service.__init__(self, "krb5kdc")
self.ds_user = None
self.fqdn = None
self.realm = None
self.domain = None
@ -124,8 +123,7 @@ class KrbInstance(service.Service):
host_entry.setValue('managedby', host_dn)
self.admin_conn.addEntry(host_entry)
def __common_setup(self, ds_user, realm_name, host_name, domain_name, admin_password):
self.ds_user = ds_user
def __common_setup(self, realm_name, host_name, domain_name, admin_password):
self.fqdn = host_name
self.realm = realm_name.upper()
self.host = host_name.split(".")[0]
@ -152,13 +150,13 @@ class KrbInstance(service.Service):
self.step("starting the KDC", self.__start_instance)
self.step("configuring KDC to start on boot", self.__enable)
def create_instance(self, ds_user, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
self.master_password = master_password
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.subject_base = subject_base
self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("setting KDC account password", self.__configure_kdc_account_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
@ -183,7 +181,7 @@ class KrbInstance(service.Service):
self.kpasswd = KpasswdInstance()
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
def create_replica(self, ds_user, realm_name,
def create_replica(self, realm_name,
master_fqdn, host_name,
domain_name, admin_password,
ldap_passwd_filename, kpasswd_filename,
@ -196,7 +194,7 @@ class KrbInstance(service.Service):
self.__copy_kpasswd_keytab(kpasswd_filename)
self.master_fqdn = master_fqdn
self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("writing stash file from DS", self.__write_stash_from_ds)
@ -256,7 +254,7 @@ class KrbInstance(service.Service):
SUFFIX=self.suffix,
DOMAIN=self.domain,
HOST=self.host,
SERVER_ID=realm_to_serverid(self.realm),
SERVER_ID=dsinstance.realm_to_serverid(self.realm),
REALM=self.realm)
def __configure_sasl_mappings(self):
@ -492,7 +490,7 @@ class KrbInstance(service.Service):
installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
pent = pwd.getpwnam(self.ds_user)
pent = pwd.getpwnam(dsinstance.DS_USER)
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
def __create_host_keytab(self):