IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Support sourcing the IPA server name from config

Browse Source 
Use ding-libs to parse /etc/ipa/default.conf to find the IPA server
to contact by default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2203
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
Simo Sorce
2015-11-23 14:50:04 -05:00
committed by Petr Vobornik
parent c688954c27
commit f12f56fe8d
5 changed files with 132 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
freeipa.spec.in
View File

@@ -97,6 +97,7 @@ BuildRequires: python-kdcproxy >= 0.3
BuildRequires: python-six
BuildRequires: python-jwcrypto
BuildRequires: custodia
BuildRequires: libini_config-devel >= 1.2.0
# Build dependencies for unit tests
BuildRequires: libcmocka-devel

4
ipa-client/Makefile.am
View File

@@ -15,6 +15,7 @@ export AM_CFLAGS
KRB5_UTIL_DIR=../util
KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
ASN1_UTIL_DIR=../asn1
IPA_CONF_FILE=$(sysconfdir)/ipa/default.conf
AM_CPPFLAGS = \
-I. \
@@ -27,11 +28,13 @@ AM_CPPFLAGS = \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLOCALEDIR=\""$(localedir)"\" \
-DIPACONFFILE=\""$(IPA_CONF_FILE)"\" \
$(KRB5_CFLAGS) \
$(OPENLDAP_CFLAGS) \
$(SASL_CFLAGS) \
$(POPT_CFLAGS) \
$(WARN_CFLAGS) \
$(INI_CFLAGS) \
$(NULL)
sbin_PROGRAMS = \
@@ -53,6 +56,7 @@ ipa_getkeytab_LDADD = \
$(SASL_LIBS) \
$(POPT_LIBS) \
$(LIBINTL_LIBS) \
$(INI_LIBS) \
$(NULL)
ipa_rmkeytab_SOURCES = \

28
ipa-client/configure.ac
View File

@@ -191,6 +191,34 @@ fi
LIBS="$SAVELIBS"
AC_SUBST(LIBINTL_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for libini_config
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([LIBINI_CONFIG], [ini_config >= 1.2.0], [have_libini_config=1], [have_libini_config=])
if test x$have_libini_config = x; then
AC_MSG_WARN([Could not find LIBINI_CONFIG headers])
else
INI_CONFIG_CFLAGS="`$PKG_CONFIG --cflags ini_config`"
INI_CONFIG_LIBS="`$PKG_CONFIG --libs ini_config`"
AC_CHECK_LIB(ini_config, ini_config_file_open, [],
[AC_MSG_WARN([ini_config library must support ini_config_file_open])],
[$INI_CONFIG_LIBS])
AC_CHECK_LIB(ini_config, ini_config_augment, [],
[AC_MSG_WARN([ini_config library must support ini_config_augment])],
[$INI_CONFIG_LIBS])
fi
if test x$have_libini_config = x1; then
INI_CFLAGS="$INI_CONFIG_CFLAGS"
INI_LIBS="$INI_CONFIG_LIBS"
else
AC_MSG_ERROR([ini_config development packages not available])
fi
AC_SUBST(INI_LIBS)
AC_SUBST(INI_CFLAGS)
dnl ---------------------------------------------------------------------------
dnl - Set the data install directory since we don't use pkgdatadir
dnl ---------------------------------------------------------------------------

93
ipa-client/ipa-getkeytab.c
View File

@@ -36,6 +36,7 @@
#include <ldap.h>
#include <sasl/sasl.h>
#include <popt.h>
#include <ini_configobj.h>
#include "config.h"
@@ -596,6 +597,81 @@ static char *ask_password(krb5_context krbctx)
return password;
}
struct ipa_config {
const char *server_name;
};
static int config_from_file(struct ini_cfgobj *cfgctx)
{
struct ini_cfgfile *fctx = NULL;
char **errors = NULL;
int ret;
ret = ini_config_file_open(IPACONFFILE, 0, &fctx);
if (ret) {
fprintf(stderr, _("Failed to open config file %s\n"), IPACONFFILE);
return ret;
}
ret = ini_config_parse(fctx,
INI_STOP_ON_ANY,
INI_MS_MERGE | INI_MV1S_ALLOW | INI_MV2S_ALLOW,
INI_PARSE_NOWRAP,
cfgctx);
if (ret) {
fprintf(stderr, _("Failed to parse config file %s\n"), IPACONFFILE);
if (ini_config_error_count(cfgctx)) {
ini_config_get_errors(cfgctx, &errors);
if (errors) {
ini_config_print_errors(stderr, errors);
ini_config_free_errors(errors);
}
}
ini_config_file_destroy(fctx);
return ret;
}
ini_config_file_destroy(fctx);
return 0;
}
int read_ipa_config(struct ipa_config **ipacfg)
{
struct ini_cfgobj *cfgctx = NULL;
struct value_obj *obj = NULL;
int ret;
*ipacfg = calloc(1, sizeof(struct ipa_config));
if (!*ipacfg) {
return ENOMEM;
}
ret = ini_config_create(&cfgctx);
if (ret) {
return ENOENT;
}
ret = config_from_file(cfgctx);
if (ret) {
ini_config_destroy(cfgctx);
return EINVAL;
}
ret = ini_get_config_valueobj("global", "server", cfgctx,
INI_GET_LAST_VALUE, &obj);
if (ret != 0 || obj == NULL) {
/* if called on an IPA server we need to look for 'host' instead */
ret = ini_get_config_valueobj("global", "host", cfgctx,
INI_GET_LAST_VALUE, &obj);
}
if (ret == 0 && obj != NULL) {
(*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
}
return 0;
}
int main(int argc, const char *argv[])
{
static const char *server = NULL;
@@ -688,7 +764,7 @@ int main(int argc, const char *argv[])
exit (0);
}
if (ret != -1 || !server || !principal || !keytab || permitted_enctypes) {
if (ret != -1 || !principal || !keytab || permitted_enctypes) {
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
@@ -703,6 +779,21 @@ int main(int argc, const char *argv[])
exit(10);
}
if (!server) {
struct ipa_config *ipacfg = NULL;
ret = read_ipa_config(&ipacfg);
if (ret == 0) {
server = ipacfg->server_name;
ipacfg->server_name = NULL;
}
free(ipacfg);
if (!server) {
fprintf(stderr, _("Server name not provided and unavailable\n"));
exit(2);
}
}
if (askpass && retrieve) {
fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
exit(2);

12
ipa-client/man/ipa-getkeytab.1
View File

@@ -21,7 +21,7 @@
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
.SH "DESCRIPTION"
Retrieves a Kerberos \fIkeytab\fR.
@@ -50,9 +50,6 @@ This renders all other keytabs for that principal invalid.
This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
.SH "OPTIONS"
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN).
.TP
\fB\-p principal\-name\fR
The non\-realm part of the full principal name.
.TP
@@ -73,6 +70,11 @@ des\-hmac\-sha1
des\-cbc\-md5
des\-cbc\-crc
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
provided the server name is read from the IPA configuration file
(/etc/ipa/default.conf)
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
.TP
@@ -105,7 +107,7 @@ keytab must have access to the keys for this operation to succeed.
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
# ipa\-getkeytab \-s ipaserver.example.com \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
# ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
Add and retrieve a keytab for the ldap service principal on
the host foo.example.com and save it in the file /tmp/ldap.keytab.