First step in enabling SSL in the IPA web server

2025-02-25 18:55:28 -06:00 · 2007-10-15 15:42:12 -04:00
parent a4143789da
commit ed8f506b0f
4 changed files with 84 additions and 3 deletions
--- a/ipa-server/freeipa-server.spec
+++ b/ipa-server/freeipa-server.spec
@@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel

-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears mod_nss

 %define httpd_conf /etc/httpd/conf.d
 %define plugin_dir %{_libdir}/dirsrv/plugins
--- a/ipa-server/freeipa-server.spec.in
+++ b/ipa-server/freeipa-server.spec.in
@@ -11,7 +11,7 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel

-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears mod_nss

 %define httpd_conf /etc/httpd/conf.d
 %define plugin_dir %{_libdir}/dirsrv/plugins
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -43,6 +43,7 @@ from optparse import OptionParser
 import ipaserver.dsinstance
 import ipaserver.krbinstance
 import ipaserver.bindinstance
+import ipaserver.httpinstance
 from ipa.ipautil import run

 def parse_options():
@@ -387,8 +388,8 @@ def main():
    print "To accept the default shown in brackets, press the Enter key."
    print ""

-    check_ports()
    check_existing_installation()
+    check_ports()

    options = parse_options()
    logging_setup(options)
@@ -508,6 +509,10 @@ def main():
    krb = ipaserver.krbinstance.KrbInstance()
    krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)

+    # Create a HTTP instance
+    http = ipaserver.httpinstance.HTTPInstance()
+    http.create_instance()
+
    bind.setup(host_name, ip_address, realm_name)
    if options.setup_bind:
        skipbind = False
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -0,0 +1,76 @@
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+import pwd
+from ipa.ipautil import *
+import fileinput
+import sys
+
+HTTPD_DIR = "/etc/httpd"
+SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
+NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
+
+def update_file(filename, orig, subst):
+    if os.path.exists(filename):
+        pattern = "%s" % re.escape(orig)
+        p = re.compile(pattern)
+        for line in fileinput.input(filename, inplace=1):
+            if not p.search(line):
+                sys.stdout.write(line)
+            else:
+                sys.stdout.write(p.sub(subst, line))
+        fileinput.close()
+
+class HTTPInstance:
+    def __init__(self):
+        pass 
+
+    def create_instance(self):
+        self.__disable_mod_ssl()
+        self.__set_mod_nss_port()
+        try:
+            self.restart()
+        except:
+            # TODO: roll back here?
+            print "Failed to restart httpd"
+
+    def stop(self):
+        run(["/sbin/service", "httpd", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "httpd", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "httpd", "restart"])
+
+    def __disable_mod_ssl(self):
+        logging.debug("disabling mod_ssl in httpd")
+        if os.path.exists(SSL_CONF):
+            os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF)
+        logging.debug("done disabling mod_ssl")
+
+    def __set_mod_nss_port(self):
+        logging.debug("Setting mod_nss port to 443")
+        update_file(NSS_CONF, '8443', '443')
+        logging.debug("done setting mod_nss port")