import initial install tool

ipa-install/Makefile

@@ -0,0 +1,10 @@
+all: ;
+
+install:
+	$(MAKE) -C src $@
+	$(MAKE) -C share $@
+
+clean:
+	$(MAKE) -C src $@
+	$(MAKE) -C share $@
+	rm -f *~

ipa-install/share/60kerberos.ldif

@@ -0,0 +1,283 @@
+dn: cn=schema
+# Novell Kerberos Schema Definitions
+# Novell Inc.
+# 1800 South Novell Place
+# Provo, UT 84606
+#
+# VeRsIoN=1.0
+# CoPyRiGhT=(c) Copyright 2006, Novell, Inc.  All rights reserved
+#
+# OIDs:
+#    joint-iso-ccitt(2)
+#      country(16)
+#        us(840)
+#          organization(1)
+#            Novell(113719)
+#              applications(1)
+#                kerberos(301)
+#                 Kerberos Attribute Type(4) attr# version#
+#                    specific attribute definitions
+#                 Kerberos Attribute Syntax(5)
+#                    specific syntax definitions
+#                 Kerberos Object Class(6) class# version#
+#                    specific class definitions
+########################################################################
+########################################################################
+# 		      Attribute Type Definitions                       #
+########################################################################
+##### This is the principal name in the RFC 1964 specified format
+attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### This specifies the type of the principal, the types could be any of
+##### the types mentioned in section 6.2 of RFC 4120
+attributetypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### This flag is used to find whether directory User Password has to be used
+##### as kerberos password.
+##### TRUE, if User Password is to be used as the kerberos password.
+##### FALSE, if User Password and the kerberos password are different.
+attributetypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
+##### The time at which the principal expires
+attributetypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
+##### The krbTicketFlags attribute holds information about the kerberos flags for a principal
+##### The values (0x00000001 - 0x00800000) are reserved for standards and 
+##### values (0x01000000 - 0x80000000) can be used for proprietary extensions.
+##### The flags and values as per RFC 4120 and MIT implementation are,
+##### DISALLOW_POSTDATED	0x00000001
+##### DISALLOW_FORWARDABLE	0x00000002
+##### DISALLOW_TGT_BASED        0x00000004
+##### DISALLOW_RENEWABLE        0x00000008
+##### DISALLOW_PROXIABLE        0x00000010
+##### DISALLOW_DUP_SKEY         0x00000020
+##### DISALLOW_ALL_TIX          0x00000040
+##### REQUIRES_PRE_AUTH         0x00000080
+##### REQUIRES_HW_AUTH          0x00000100
+##### REQUIRES_PWCHANGE         0x00000200
+##### DISALLOW_SVR              0x00001000
+##### PWCHANGE_SERVICE          0x00002000
+attributetypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### The maximum ticket lifetime for a principal in seconds
+attributetypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Maximum renewable lifetime for a principal's ticket in seconds
+attributetypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Forward reference to the Realm object.
+##### (FDN of the krbRealmContainer object).
+##### Example:   cn=ACME.COM, cn=Kerberos, cn=Security
+attributetypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### List of LDAP servers that kerberos servers can contact.
+##### The attribute holds data in the ldap uri format,
+##### Example: ldaps://acme.com:636
+#####
+##### The values of this attribute need to be updated, when
+##### the LDAP servers listed here are renamed, moved or deleted.
+attributetypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+##### A set of forward references to the KDC Service objects.
+##### (FDNs of the krbKdcService objects).
+##### Example:   cn=kdc - server 1, ou=uvw, o=xyz
+attributetypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### A set of forward references to the Password Service objects.
+##### (FDNs of the krbPwdService objects).
+##### Example:   cn=kpasswdd - server 1, ou=uvw, o=xyz
+attributetypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### This attribute holds the Host Name or the ip address, 
+##### transport protocol and ports of the kerberos service host
+##### The format is host_name-or-ip_address#protocol#port
+##### Protocol can be 0 or 1. 0 is for UDP. 1 is for TCP.
+attributetypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### This attribute holds the scope for searching the principals
+##### under krbSubTree attribute of krbRealmContainer
+##### The value can either be 1 (ONE) or 2 (SUB_TREE).
+attributetypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### FDNs pointing to Kerberos principals
+attributetypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### This attribute specifies which attribute of the user objects  
+##### be used as the principal name component for Kerberos.
+##### The allowed values are cn, sn, uid, givenname, fullname.
+attributetypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+##### A set of forward references to the Administration Service objects.
+##### (FDNs of the krbAdmService objects).
+##### Example:   cn=kadmindd - server 1, ou=uvw, o=xyz
+attributetypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### Maximum lifetime of a principal's password
+attributetypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Minimum lifetime of a principal's password
+attributetypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Minimum number of character clases allowed in a password
+attributetypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Minimum length of the password
+attributetypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### Number of previous versions of passwords that are stored
+attributetypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### FDN pointing to a Kerberos Password Policy object
+attributetypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
+##### The time at which the principal's password expires
+attributetypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
+##### This attribute holds the principal's key (krbPrincipalKey) that is encrypted with
+##### the master key (krbMKey). 
+##### The attribute is ASN.1 encoded.
+#####
+##### The format of the value for this attribute is explained below,
+##### KrbKeySet ::= SEQUENCE {
+##### attribute-major-vno       [0] UInt16,
+##### attribute-minor-vno       [1] UInt16,
+##### kvno                      [2] UInt32,
+##### mkvno                     [3] UInt32 OPTIONAL,
+##### keys                      [4] SEQUENCE OF KrbKey,
+##### ...
+##### }
+#####
+##### KrbKey ::= SEQUENCE {
+##### salt      [0] KrbSalt OPTIONAL,
+##### key       [1] EncryptionKey,
+##### s2kparams [2] OCTET STRING OPTIONAL,
+##### ...
+##### }
+#####
+##### KrbSalt ::= SEQUENCE {
+##### type      [0] Int32,
+##### salt      [1] OCTET STRING OPTIONAL
+##### }
+#####
+##### EncryptionKey ::= SEQUENCE {
+##### keytype   [0] Int32,
+##### keyvalue  [1] OCTET STRING
+##### }
+attributetypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+##### FDN pointing to a Kerberos Ticket Policy object.
+attributetypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
+##### Forward reference to an entry that starts sub-trees
+##### where principals and other kerberos objects in the realm are configured.
+##### Example:   ou=acme, ou=pq, o=xyz
+attributetypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### Holds the default encryption/salt type combinations of principals for
+##### the Realm. Stores in the form of key:salt strings.
+##### Example: des-cbc-crc:normal
+attributetypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+##### Holds the Supported encryption/salt type combinations of principals for
+##### the Realm. Stores in the form of key:salt strings.
+##### The supported encryption types are mentioned in RFC 3961
+##### The supported salt types are,
+##### NORMAL          
+##### V4              
+##### NOREALM         
+##### ONLYREALM       
+##### SPECIAL         
+##### AFS3            
+##### Example: des-cbc-crc:normal
+#####
+##### This attribute obsoletes the krbSupportedEncTypes and krbSupportedSaltTypes
+##### attributes.
+attributetypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+##### This attribute holds the principal's old keys (krbPwdHistory) that is encrypted with
+##### the kadmin/history key.
+##### The attribute is ASN.1 encoded.
+#####
+##### The format of the value for this attribute is explained below,
+##### KrbKeySet ::= SEQUENCE {
+##### attribute-major-vno       [0] UInt16,
+##### attribute-minor-vno       [1] UInt16,
+##### kvno                      [2] UInt32,
+##### mkvno                     [3] UInt32 OPTIONAL -- actually kadmin/history key,
+##### keys                      [4] SEQUENCE OF KrbKey,
+##### ...
+##### }
+#####
+##### KrbKey ::= SEQUENCE {
+##### salt      [0] KrbSalt OPTIONAL,
+##### key       [1] EncryptionKey,
+##### s2kparams [2] OCTET STRING OPTIONAL,
+##### ...
+##### }
+#####
+##### KrbSalt ::= SEQUENCE {
+##### type      [0] Int32,
+##### salt      [1] OCTET STRING OPTIONAL
+##### }
+#####
+##### EncryptionKey ::= SEQUENCE {
+##### keytype   [0] Int32,
+##### keyvalue  [1] OCTET STRING
+##### }
+attributetypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+##### The time at which the principal's password last password change happened.
+attributetypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
+##### This attribute holds the kerberos master key.
+##### This can be used to encrypt principal keys. 
+##### This attribute has to be secured in directory.
+#####
+##### This attribute is ASN.1 encoded.
+##### The format of the value for this attribute is explained below,
+##### KrbMKey ::= SEQUENCE {
+##### kvno    [0] UInt32,
+##### key     [1] MasterKey
+##### }
+#####
+##### MasterKey ::= SEQUENCE {
+##### keytype         [0] Int32,
+##### keyvalue        [1] OCTET STRING
+##### }
+attributetypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+##### This stores the alternate principal names for the principal in the RFC 1961 specified format
+attributetypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+##### The time at which the principal's last successful authentication happened.
+attributetypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
+##### The time at which the principal's last failed authentication happened.
+attributetypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
+##### This attribute stores the number of failed authentication attempts
+##### happened for the principal since the last successful authentication.
+attributetypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+##### This attribute holds the application specific data.
+attributetypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
+##### This attributes holds references to the set of directory objects.
+##### This stores the DNs of the directory objects to which the 
+##### principal object belongs to.
+attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### This attribute holds references to a Container object where 
+##### the additional principal objects and stand alone principal 
+##### objects (krbPrincipal) can be created.
+attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+########################################################################
+########################################################################
+# 		        Object Class Definitions                       #
+########################################################################
+#### This is a kerberos container for all the realms in a tree.
+objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top MUST ( cn ) )
+##### The krbRealmContainer is created per realm and holds realm specific data.
+objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top MUST ( cn ) MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
+##### An instance of a class derived from krbService is created per
+##### kerberos authentication or administration server in an realm and holds
+##### references to the realm objects. These references is used to further read
+##### realm specific data to service AS/TGS requests. Additionally this object
+##### contains some server specific data like pathnames and ports that the
+##### server uses. This is the identity the kerberos server logs in with. A key
+##### pair for the same is created and the kerberos server logs in with the same.
+#####
+##### krbKdcService, krbAdmService and krbPwdService derive from this class.
+objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' ABSTRACT SUP ( top ) MUST ( cn ) MAY ( krbHostServer $ krbRealmReferences ) )
+##### Representative object for the KDC server to bind into a LDAP directory
+##### and have a connection to access Kerberos data with the required 
+##### access rights.
+objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbService ) )
+##### Representative object for the Kerberos Password server to bind into a LDAP directory
+##### and have a connection to access Kerberos data with the required
+##### access rights.
+objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
+###### The principal data auxiliary class. Holds principal information
+###### and is used to store principal information for Person, Service objects.
+objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+###### This class is used to create additional principals and stand alone principals.
+objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
+###### The principal references auxiliary class. Holds all principals referred
+###### from a service
+objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences )
+##### Representative object for the Kerberos Administration server to bind into a LDAP directory
+##### and have a connection Id to access Kerberos data with the required access rights.
+objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP ( krbService ) )
+##### The krbPwdPolicy object is a template password policy that 
+##### can be applied to principals when they are created. 
+##### These policy attributes will be in effect, when the Kerberos
+##### passwords are different from users' passwords (UP).
+objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top MUST ( cn ) MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength ) )
+##### The krbTicketPolicyAux holds Kerberos ticket policy attributes.
+##### This class can be attached to a principal object or realm object.
+objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
+##### The krbTicketPolicy object is an effective ticket policy that is associated with a realm or a principal
+objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top MUST ( cn ) )

ipa-install/share/Makefile

@@ -0,0 +1,8 @@
+SHAREDIR = $(DESTDIR)/usr/share/ipa
+
+install:
+	-mkdir -p $(SHAREDIR)
+	install -m 644 *.ldif $(SHAREDIR)
+
+clean:
+	rm -f *~

ipa-install/share/bootstrap-template.ldif

@@ -0,0 +1,25 @@
+
+# default, $REALM
+dn: ou=default,$SUFFIX
+objectClass: organizationalUnit
+objectClass: top
+ou: default
+
+# users, default, $REALM
+dn: cn=users,ou=default,$SUFFIX
+objectClass: nsContainer
+objectClass: top
+cn: users
+
+# groups, default, $REALM
+dn: cn=groups,ou=default,$SUFFIX
+objectClass: nsContainer
+objectClass: top
+cn: groups
+
+# computers, default, $REALM
+dn: cn=computers,ou=default,$SUFFIX
+objectClass: nsContainer
+objectClass: top
+cn: computers
+

ipa-install/src/Makefile

@@ -0,0 +1,14 @@
+PYTHONLIBDIR ?= $(shell  python -c "from distutils.sysconfig import *; print get_python_lib(1)")
+PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
+SBINDIR = $(DESTDIR)/usr/sbin
+
+all: ;
+
+install:
+	-mkdir -p $(PACKAGEDIR)
+	install -m 644 ipa/*.py $(PACKAGEDIR)
+	install -m 755 ipa-server-install $(SBINDIR)
+	install -m 755 ipa-server-setupssl $(SBINDIR)
+
+clean:
+	rm -f *~ *.pyc

ipa-install/src/ipa-server-install

@@ -0,0 +1,60 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# requires the following packages:
+# fedora-ds-base
+# openldap-clients
+# nss-tools
+
+VERSION = "%prog .1"
+
+import logging
+from optparse import OptionParser
+import ipa.dsinstance
+
+def parse_options():
+    parser = OptionParser(version=VERSION)
+    parser.add_option("-r", "--realm", dest="realm_name",
+                      help="realm name")
+    parser.add_option("-a", "--host-address", dest="host_name",
+                      help="host address (name or IP address)")
+    parser.add_option("-p", "--password", dest="password",
+                      help="admin password")
+
+    options, args = parser.parse_args()
+
+    if not options.realm_name or not options.host_name or not options.password:
+        parser.error("error: password, realm, and host name required")
+
+    return options
+
+def main():
+    logging.basicConfig(level=logging.DEBUG,
+                        format='%(asctime)s %(levelname)s %(message)s',
+                        filename='ipa-install.log',
+                        filemode='w')
+    options = parse_options()
+    ds = ipa.dsinstance.DsInstance()
+    ds.create_instance(options.realm_name, options.host_name, options.password)
+
+    return 0
+
+main()

ipa-install/src/ipa-server-setupssl

@@ -0,0 +1,228 @@
+#!/bin/sh
+
+if [ "$1" ] ; then
+    password=$1
+else
+    echo "password required"
+    exit 1
+fi
+
+if [ "$2" -a -d "$2" ] ; then
+    secdir="$2"
+else
+    secdir=/etc/fedora-ds/slapd-localhost
+fi
+
+if [ "$3" ] ; then
+    myhost=$3
+else
+    myhost=`hostname --fqdn`
+fi
+
+
+if [ "$4" ] ; then
+    ldapport=$4
+else
+    ldapport=389
+fi
+
+me=`whoami`
+if [ "$me" = "root" ] ; then
+    isroot=1
+fi
+
+# see if there are already certs and keys
+if [ -f $secdir/cert8.db ] ; then
+    # look for CA cert
+    if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
+        echo "Using existing CA certificate"
+    else
+        echo "No CA certificate found - will create new one"
+        needCA=1
+    fi
+
+    # look for server cert
+    if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
+        echo "Using existing directory Server-Cert"
+    else
+        echo "No Server Cert found - will create new one"
+        needServerCert=1
+    fi
+
+    # look for admin server cert
+    if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then
+        echo "Using existing admin server-cert"
+    else
+        echo "No Admin Server Cert found - will create new one"
+        needASCert=1
+    fi
+    prefix="new-"
+    prefixarg="-P $prefix"
+else
+    needCA=1
+    needServerCert=1
+    needASCert=1
+fi
+
+if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then
+    echo "No certs needed - exiting"
+    exit 0
+fi
+
+# get our user and group
+if test -n "$isroot" ; then
+    uid=`/bin/ls -ald $secdir | awk '{print $3}'`
+    gid=`/bin/ls -ald $secdir | awk '{print $4}'`
+fi
+
+# 2. Create a password file for your security token password:
+if [ -f $secdir/pwdfile.txt ] ; then
+    echo "Using existing $secdir/pwdfile.txt"
+else
+    (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
+    if test -n "$isroot" ; then
+        chown $uid:$gid $secdir/pwdfile.txt
+    fi
+    chmod 400 $secdir/pwdfile.txt
+fi
+
+# 3. Create a "noise" file for your encryption mechanism: 
+if [ -f $secdir/noise.txt ] ; then
+    echo "Using existing $secdir/noise.txt file"
+else
+    (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
+    if test -n "$isroot" ; then
+        chown $uid:$gid $secdir/noise.txt
+    fi
+    chmod 400 $secdir/noise.txt
+fi
+
+# 4. Create the key3.db and cert8.db databases:
+certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
+if test -n "$isroot" ; then
+    chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+fi
+chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
+
+
+if test -n "$needCA" ; then
+# 5. Generate the encryption key:
+    certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+# 6. Generate the self-signed certificate: 
+    certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+# export the CA cert for use with other apps
+    certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
+    pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+fi
+
+if test -n "$needServerCert" ; then
+# 7. Generate the server certificate:
+    certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+fi
+
+if test -n "$needASCert" ; then
+# Generate the admin server certificate
+    certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
+
+# export the admin server certificate/private key for import into its key/cert db
+    pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+    if test -n "$isroot" ; then
+        chown $uid:$gid $secdir/adminserver.p12
+    fi
+    chmod 400 $secdir/adminserver.p12
+fi
+
+# create the pin file
+if [ ! -f $secdir/pin.txt ] ; then
+    pinfile=$secdir/pin.txt
+    echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
+    if test -n "$isroot" ; then
+        chown $uid:$gid $pinfile
+    fi
+    chmod 400 $pinfile
+else
+    echo Using existing $secdir/pin.txt
+fi
+
+if [ -n "$prefix" ] ; then
+    # move the old files out of the way
+    mv $secdir/cert8.db $secdir/orig-cert8.db
+    mv $secdir/key3.db $secdir/orig-key3.db
+    # move in the new files - will be used after server restart
+    mv $secdir/${prefix}cert8.db $secdir/cert8.db
+    mv $secdir/${prefix}key3.db $secdir/key3.db
+fi
+
+# create the admin server key/cert db
+asprefix=admin-serv-
+if [ ! -f ${asprefix}cert8.db ] ; then
+    certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt
+    if test -n "$isroot" ; then
+        chown $uid:$gid $secdir/admin-serv-*.db
+    fi
+    chmod 600 $secdir/admin-serv-*.db
+fi
+
+if test -n "$needASCert" ; then
+# import the admin server key/cert
+    pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
+
+# import the CA cert to the admin server cert db
+    certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc
+fi
+
+if [ ! -f $secdir/password.conf ] ; then
+# create the admin server password file
+    echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf
+    if test -n "$isroot" ; then
+        chown $uid:$gid $secdir/password.conf
+    fi
+    chmod 400 $secdir/password.conf
+fi
+
+# tell admin server to use the password file
+if [ -f ../admin-serv/config/nss.conf ] ; then
+    sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf
+    if test -n "$isroot" ; then
+        chown $uid:$gid ../admin-serv/config/nss.conf
+    fi
+    chmod 400 ../admin-serv/config/nss.conf
+fi
+
+# enable SSL in the directory server
+
+ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
+dn: cn=encryption,cn=config
+changetype: modify
+replace: nsSSL3
+nsSSL3: on
+-
+replace: nsSSLClientAuth
+nsSSLClientAuth: allowed
+-
+add: nsSSL3Ciphers
+nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+ +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+ +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+ +tls_rsa_export1024_with_des_cbc_sha
+
+dn: cn=config
+changetype: modify
+add: nsslapd-security
+nsslapd-security: on
+-
+replace: nsslapd-ssl-check-hostname
+nsslapd-ssl-check-hostname: off
+
+dn: cn=RSA,cn=encryption,cn=config
+changetype: add
+objectclass: top
+objectclass: nsEncryptionModule
+cn: RSA
+nsSSLPersonalitySSL: Server-Cert
+nsSSLToken: internal (software)
+nsSSLActivation: on
+
+EOF
+
+

ipa-install/src/ipa/dsinstance.py

@@ -0,0 +1,155 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+
+SHARE_DIR = "/usr/share/ipa/"
+
+def generate_serverid():
+    """Generate a UUID (universally unique identifier) suitable
+    for use as a unique identifier for a DS instance.
+    """
+    try:
+        import uuid
+        id = str(uuid.uuid1())
+    except ImportError:
+        import commands
+        id = commands.getoutput("/usr/bin/uuidgen")
+    return id
+
+def realm_to_suffix(realm_name):
+    s = realm_name.split(".")
+    terms = ["dc=" + x for x in s]
+    return ",".join(terms)
+
+def template_str(txt, vars):
+    return string.Template(txt).substitute(vars)
+
+def template_file(infilename, vars):
+    txt = open(infilename).read()
+    return template_str(txt, vars)
+
+def write_tmp_file(txt):
+    fd = tempfile.NamedTemporaryFile()
+    fd.write(txt)
+    fd.flush()
+
+    return fd
+
+def run(args, stdin=None):
+    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if stdin:
+        stdout,stderr = p.communicate(stdin)
+    else:
+        stdout,stderr = p.communicate()
+    logging.info(stdout)
+    logging.info(stderr)
+
+    if p.returncode != 0:
+        raise subprocess.CalledProcessError(p.returncode, args[0])
+    
+
+INF_TEMPLATE = """
+[General]
+FullMachineName=   $FQHN
+SuiteSpotUserID=   nobody
+ServerRoot=    /usr/lib/fedora-ds-base
+[slapd]
+ServerPort=   389
+ServerIdentifier=   $SERVERID
+Suffix=   $SUFFIX
+RootDN=   cn=Directory Manager
+RootDNPwd= $PASSWORD
+"""
+
+class DsInstance:
+    def __init__(self):
+        self.serverid = None
+        self.realm_name = None
+        self.host_name = None
+        self.admin_password = None
+        self.sub_dict = None
+
+    def create_instance(self, realm_name, host_name, admin_password):
+        self.serverid = generate_serverid()
+        self.realm_name = realm_name
+        self.host_name = host_name
+        self.admin_password = admin_password
+        self.__setup_sub_dict()
+
+        self.__create_instance()
+        self.__add_default_schemas()
+        self.__enable_ssl()
+        self.restart()
+        self.__add_default_layout()
+
+    def config_dirname(self):
+        if not self.serverid:
+            raise RuntimeError("serverid not set")
+        return "/etc/fedora-ds/slapd-" + self.serverid + "/"
+
+    def schema_dirname(self):
+        return self.config_dirname() + "/schema/"
+
+    def stop(self):
+        run(["/sbin/service", "fedora-ds", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "fedora-ds", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "fedora-ds", "restart"])
+
+    def __setup_sub_dict(self):
+        suffix = realm_to_suffix(self.realm_name)
+        self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
+                             PASSWORD=self.admin_password, SUFFIX=suffix,
+                             REALM=self.realm_name)
+
+    def __create_instance(self):
+        inf_txt = template_str(INF_TEMPLATE, self.sub_dict)
+        inf_fd = write_tmp_file(inf_txt)
+        args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
+        run(args)
+
+    def __add_default_schemas(self):
+        shutil.copyfile(SHARE_DIR + "60kerberos.ldif",
+                        self.schema_dirname() + "60kerberos.ldif")
+
+    def __enable_ssl(self):
+        dirname = self.config_dirname()
+        args = ["/usr/sbin/ipa-server-setupssl", self.admin_password,
+                dirname, self.host_name]
+        run(args)
+        
+    def __add_default_layout(self):
+        txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
+        inf_fd = write_tmp_file(txt)
+        args = ["/usr/bin/ldapadd", "-xv", "-D", "cn=Directory Manager",
+                "-w", self.admin_password, "-f", inf_fd.name]
+        run(args)
+
+        
+        
+

ipa-install/test/test-users.ldif

@@ -0,0 +1,23 @@
+# test, users, default, $REALM
+dn: uid=test,cn=users,ou=default,$SUFFIX
+uidNumber: 1001
+uid: test
+gecos: test
+homeDirectory: /home/test
+loginShell: /bin/bash
+shadowMin: 0
+shadowWarning: 7
+shadowMax: 99999
+shadowExpire: -1
+shadowInactive: -1
+shadowLastChange: 13655
+shadowFlag: -1
+gidNumber: 100
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: account
+objectClass: top
+objectClass: krbprincipalaux
+cn: test
+userPassword:: e1NTSEF9T0FNVnNCL2hjYlJFRVlQaU9kYy9BY0dmNmdBaFdpYVNub2VPenc9PQ=
+ =