mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
44259e8e68
Description: Add support for both the old and new replication changelogs. First try to get and update the new entry, if it's not found then we know we need to update the old global changelog entry. Fixes: https://pagure.io/freeipa/issue/8407 Signed-off-by: Mark Reynolds <mreynolds@redhat.com> Fix missing self, and missing arg Fix copy/paste error Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
142 lines
5.7 KiB
Python
142 lines
5.7 KiB
Python
# Authors:
|
|
# Thierry Bordaz <tbordaz@redhat.com>
|
|
#
|
|
# Copyright (C) 2019 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import logging
|
|
|
|
from ipalib import Registry, errors
|
|
from ipalib import Updater
|
|
from ipapython.dn import DN
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
register = Registry()
|
|
|
|
|
|
@register()
|
|
class update_unhashed_password(Updater):
|
|
"""
|
|
DS
|
|
"""
|
|
def __remove_update(self, update, key, value):
|
|
statement = dict(action='remove', attr=key, value=value)
|
|
update.setdefault('updates', []).append(statement)
|
|
|
|
def __add_update(self, update, key, value):
|
|
statement = dict(action='add', attr=key, value=value)
|
|
update.setdefault('updates', []).append(statement)
|
|
|
|
def execute(self, **options):
|
|
logger.debug("Upgrading unhashed password configuration")
|
|
ldap = self.api.Backend.ldap2
|
|
base_config = DN(('cn', 'config'))
|
|
try:
|
|
entry = ldap.get_entry(base_config,
|
|
['nsslapd-unhashed-pw-switch'])
|
|
except errors.NotFound:
|
|
logger.error("Unhashed password configuration not found")
|
|
return False, []
|
|
|
|
config_dn = entry.dn
|
|
|
|
toggle = entry.single_value.get("nsslapd-unhashed-pw-switch")
|
|
if toggle.lower() not in ['off', 'on', 'nolog']:
|
|
logger.error("Unhashed password had invalid value '%s'", toggle)
|
|
|
|
# Check if it exists winsync agreements
|
|
searchfilter = '(objectclass=nsDSWindowsReplicationAgreement)'
|
|
try:
|
|
winsync_agmts, _truncated = ldap.find_entries(
|
|
base_dn=base_config,
|
|
filter=searchfilter,
|
|
attrs_list=[]
|
|
)
|
|
except errors.NotFound:
|
|
logger.debug("Unhashed password this is not a winsync deployment")
|
|
winsync_agmts = []
|
|
|
|
update = {
|
|
'dn': config_dn,
|
|
'updates': [],
|
|
}
|
|
if len(winsync_agmts) > 0:
|
|
# We are running in a winsync environment
|
|
# Log a warning that changelog will contain sensitive data
|
|
try:
|
|
# Check if the new per-backend changelog exists...
|
|
cldb = ldap.get_entry(
|
|
DN(('cn', 'changelog'),
|
|
('cn', 'userRoot'),
|
|
('cn', 'ldbm database'),
|
|
('cn', 'plugins'),
|
|
('cn', 'config')))
|
|
|
|
# We have a backend changelog so get the db dir in this case
|
|
db_entry = ldap.get_entry(
|
|
DN(('cn', 'userRoot'),
|
|
('cn', 'ldbm database'),
|
|
('cn', 'plugins'),
|
|
('cn', 'config')),
|
|
['nsslapd-directory'])
|
|
cldb = db_entry.single_value.get("nsslapd-directory")
|
|
logger.warning("This server is configured for winsync, "
|
|
"the changelog files under %s "
|
|
"may contain clear text passwords.\n"
|
|
"Please ensure that these files can be accessed"
|
|
" only by trusted accounts.\n", cldb)
|
|
except errors.NotFound:
|
|
# Did not find backend changelog, check the global changelog
|
|
try:
|
|
cldb_e = ldap.get_entry(
|
|
DN(('cn', 'changelog5'),
|
|
('cn', 'config')),
|
|
['nsslapd-changelogdir'])
|
|
cldb = cldb_e.single_value.get("nsslapd-changelogdir")
|
|
logger.warning("This server is configured for winsync, "
|
|
"the changelog files under %s "
|
|
"may contain clear text passwords.\n"
|
|
"Please ensure that these files can be "
|
|
"accessed only by trusted accounts.\n",
|
|
cldb)
|
|
except errors.NotFound:
|
|
logger.warning("This server is configured for winsync, "
|
|
"the changelog files may contain "
|
|
"clear text passwords.\n"
|
|
"Please ensure that these files can be "
|
|
"accessed only by trusted accounts.\n")
|
|
if toggle.lower() == 'on':
|
|
# The current DS configuration already logs the
|
|
# unhashed password
|
|
updates = []
|
|
else:
|
|
self.__remove_update(update, 'nsslapd-unhashed-pw-switch',
|
|
toggle)
|
|
self.__add_update(update, 'nsslapd-unhashed-pw-switch', 'on')
|
|
updates = [update]
|
|
else:
|
|
if toggle.lower() == 'nolog':
|
|
updates = []
|
|
else:
|
|
self.__remove_update(update, 'nsslapd-unhashed-pw-switch',
|
|
toggle)
|
|
self.__add_update(update, 'nsslapd-unhashed-pw-switch',
|
|
'nolog')
|
|
updates = [update]
|
|
|
|
return False, updates
|