mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
39adb6d3a8
We use convenience types (classes) in IPA which make working with LDAP easier and more robust. It would be really nice if the basic python-ldap library understood our utility types and could accept them as parameters to the basic ldap functions and/or the basic ldap functions returned our utility types. Normally such a requirement would trivially be handled in an object- oriented language (which Python is) by subclassing to extend and modify the functionality. For some reason we didn't do this with the python-ldap classes. python-ldap objects are primarily used in two different places in our code, ipaserver.ipaldap.py for the IPAdmin class and in ipaserver/plugins/ldap2.py for the ldap2 class's .conn member. In IPAdmin we use a IPA utility class called Entry to make it easier to use the results returned by LDAP. The IPAdmin class is derived from python-ldap.SimpleLDAPObject. But for some reason when we added the support for the use of the Entry class in SimpleLDAPObject we didn't subclass SimpleLDAPObject and extend it for use with the Entry class as would be the normal expected methodology in an object-oriented language, rather we used an obscure feature of the Python language to override all methods of the SimpleLDAPObject class by wrapping those class methods in another function call. The reason why this isn't a good approach is: * It violates object-oriented methodology. * Other classes cannot be derived and inherit the customization (because the method wrapping occurs in a class instance, not within the class type). * It's non-obvious and obscure * It's inefficient. Here is a summary of what the code was doing: It iterated over every member of the SimpleLDAPObject class and if it was callable it wrapped the method. The wrapper function tested the name of the method being wrapped, if it was one of a handful of methods we wanted to customize we modified a parameter and called the original method. If the method wasn't of interest to use we still wrapped the method. It was inefficient because every non-customized method (the majority) executed a function call for the wrapper, the wrapper during run-time used logic to determine if the method was being overridden and then called the original method. So every call to ldap was doing extra function calls and logic processing which for the majority of cases produced nothing useful (and was non-obvious from brief code reading some methods were being overridden). Object-orientated languages have support built in for calling the right method for a given class object that do not involve extra function call overhead to realize customized class behaviour. Also when programmers look for customized class behaviour they look for derived classes. They might also want to utilize the customized class as the base class for their use. Also the wrapper logic was fragile, it did things like: if the method name begins with "add" I'll unconditionally modify the first and second argument. It would be some much cleaner if the "add", "add_s", etc. methods were overridden in a subclass where the logic could be seen and where it would apply to only the explicit functions and parameters being overridden. Also we would really benefit if there were classes which could be used as a base class which had specific ldap customization. At the moment our ldap customization needs are: 1) Support DN objects being passed to ldap operations 2) Support Entry & Entity objects being passed into and returned from ldap operations. We want to subclass the ldap SimpleLDAPObject class, that is the base ldap class with all the ldap methods we're using. IPASimpleLDAPObject class would subclass SimpleLDAPObject class which knows about DN objects (and possilby other IPA specific types that are universally used in IPA). Then IPAEntrySimpleLDAPObject would subclass IPASimpleLDAPObject which knows about Entry objects. The reason for the suggested class hierarchy is because DN objects will be used whenever we talk to LDAP (in the future we may want to add other IPA specific classes which will always be used). We don't add Entry support to the the IPASimpleLDAPObject class because Entry objects are (currently) only used in IPAdmin. What this patch does is: * Introduce IPASimpleLDAPObject derived from SimpleLDAPObject. IPASimpleLDAPObject is DN object aware. * Introduce IPAEntryLDAPObject derived from IPASimpleLDAPObject. IPAEntryLDAPObject is Entry object aware. * Derive IPAdmin from IPAEntryLDAPObject and remove the funky method wrapping from IPAdmin. * Code which called add_s() with an Entry or Entity object now calls addEntry(). addEntry() always existed, it just wasn't always used. add_s() had been modified to accept Entry or Entity object (why didn't we just call addEntry()?). The add*() ldap routine in IPAEntryLDAPObject have been subclassed to accept Entry and Entity objects, but that should proably be removed in the future and just use addEntry(). * Replace the call to ldap.initialize() in ldap2.create_connection() with a class constructor for IPASimpleLDAPObject. The ldap.initialize() is a convenience function in python-ldap, but it always returns a SimpleLDAPObject created via the SimpleLDAPObject constructor, thus ldap.initialize() did not allow subclassing, yet has no particular ease-of-use advantage thus we better off using the obvious class constructor mechanism. * Fix the use of _handle_errors(), it's not necessary to construct an empty dict to pass to it. If we follow the standard class derivation pattern for ldap we can make us of our own ldap utilities in a far easier, cleaner and more efficient manner.
333 lines
11 KiB
Python
333 lines
11 KiB
Python
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import sys
|
|
import os, socket
|
|
import tempfile
|
|
from ipapython import sysrestore
|
|
from ipapython import ipautil
|
|
from ipapython import services as ipaservices
|
|
from ipalib import errors
|
|
import ldap
|
|
from ipaserver import ipaldap
|
|
import base64
|
|
import time
|
|
import datetime
|
|
from ipaserver.install import installutils
|
|
from ipapython.ipa_log_manager import *
|
|
|
|
CACERT = "/etc/ipa/ca.crt"
|
|
|
|
SERVICE_LIST = {
|
|
'KDC':('krb5kdc', 10),
|
|
'KPASSWD':('kadmin', 20),
|
|
'DNS':('named', 30),
|
|
'HTTP':('httpd', 40),
|
|
'CA':('pki-cad', 50),
|
|
'ADTRUST':('smb', 60)
|
|
}
|
|
|
|
def print_msg(message, output_fd=sys.stdout):
|
|
root_logger.debug(message)
|
|
output_fd.write(message)
|
|
output_fd.write("\n")
|
|
|
|
|
|
class Service(object):
|
|
def __init__(self, service_name, sstore=None, dm_password=None):
|
|
self.service_name = service_name
|
|
self.service = ipaservices.service(service_name)
|
|
self.steps = []
|
|
self.output_fd = sys.stdout
|
|
self.dm_password = dm_password
|
|
|
|
self.fqdn = socket.gethostname()
|
|
self.admin_conn = None
|
|
|
|
if sstore:
|
|
self.sstore = sstore
|
|
else:
|
|
self.sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
|
|
|
|
self.realm = None
|
|
self.suffix = None
|
|
self.principal = None
|
|
self.dercert = None
|
|
|
|
def ldap_connect(self):
|
|
self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
|
|
|
|
def ldap_disconnect(self):
|
|
self.admin_conn.unbind()
|
|
self.admin_conn = None
|
|
|
|
def _ldap_mod(self, ldif, sub_dict = None):
|
|
|
|
pw_name = None
|
|
fd = None
|
|
path = ipautil.SHARE_DIR + ldif
|
|
hostname = installutils.get_fqdn()
|
|
nologlist=[]
|
|
|
|
if sub_dict is not None:
|
|
txt = ipautil.template_file(path, sub_dict)
|
|
fd = ipautil.write_tmp_file(txt)
|
|
path = fd.name
|
|
|
|
# do not log passwords
|
|
if sub_dict.has_key('PASSWORD'):
|
|
nologlist.append(sub_dict['PASSWORD'])
|
|
if sub_dict.has_key('RANDOM_PASSWORD'):
|
|
nologlist.append(sub_dict['RANDOM_PASSWORD'])
|
|
|
|
if self.dm_password:
|
|
[pw_fd, pw_name] = tempfile.mkstemp()
|
|
os.write(pw_fd, self.dm_password)
|
|
os.close(pw_fd)
|
|
auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
|
|
else:
|
|
auth_parms = ["-Y", "GSSAPI"]
|
|
|
|
args = ["/usr/bin/ldapmodify", "-h", hostname, "-v", "-f", path]
|
|
args += auth_parms
|
|
|
|
try:
|
|
try:
|
|
ipautil.run(args, nolog=nologlist)
|
|
except ipautil.CalledProcessError, e:
|
|
root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
|
|
finally:
|
|
if pw_name:
|
|
os.remove(pw_name)
|
|
|
|
if fd is not None:
|
|
fd.close()
|
|
|
|
def move_service(self, principal):
|
|
"""
|
|
Used to move a principal entry created by kadmin.local from
|
|
cn=kerberos to cn=services
|
|
"""
|
|
|
|
dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (principal, self.realm, self.suffix)
|
|
try:
|
|
entry = self.admin_conn.getEntry(dn, ldap.SCOPE_BASE)
|
|
except errors.NotFound:
|
|
# There is no service in the wrong location, nothing to do.
|
|
# This can happen when installing a replica
|
|
return
|
|
newdn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix)
|
|
hostdn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix)
|
|
self.admin_conn.deleteEntry(dn)
|
|
entry.dn = newdn
|
|
classes = entry.getValues("objectclass")
|
|
classes = classes + ["ipaobject", "ipaservice", "pkiuser"]
|
|
entry.setValues("objectclass", list(set(classes)))
|
|
entry.setValue("ipauniqueid", 'autogenerate')
|
|
entry.setValue("managedby", hostdn)
|
|
self.admin_conn.addEntry(entry)
|
|
return newdn
|
|
|
|
def add_simple_service(self, principal):
|
|
"""
|
|
Add a very basic IPA service.
|
|
|
|
The principal needs to be fully-formed: service/host@REALM
|
|
"""
|
|
if not self.admin_conn:
|
|
self.ldap_connect()
|
|
|
|
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix)
|
|
hostdn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix)
|
|
entry = ipaldap.Entry(dn)
|
|
entry.setValues("objectclass", ["krbprincipal", "krbprincipalaux", "krbticketpolicyaux", "ipaobject", "ipaservice", "pkiuser"])
|
|
entry.setValue("krbprincipalname", principal)
|
|
entry.setValue("ipauniqueid", 'autogenerate')
|
|
entry.setValue("managedby", hostdn)
|
|
self.admin_conn.addEntry(entry)
|
|
return dn
|
|
|
|
def add_cert_to_service(self):
|
|
"""
|
|
Add a certificate to a service
|
|
|
|
This server cert should be in DER format.
|
|
"""
|
|
|
|
if not self.admin_conn:
|
|
self.ldap_connect()
|
|
|
|
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix)
|
|
mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)]
|
|
try:
|
|
self.admin_conn.modify_s(dn, mod)
|
|
except Exception, e:
|
|
root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
|
|
|
|
def is_configured(self):
|
|
return self.sstore.has_state(self.service_name)
|
|
|
|
def set_output(self, fd):
|
|
self.output_fd = fd
|
|
|
|
def stop(self, instance_name="", capture_output=True):
|
|
self.service.stop(instance_name, capture_output=capture_output)
|
|
|
|
def start(self, instance_name="", capture_output=True):
|
|
self.service.start(instance_name, capture_output=capture_output)
|
|
|
|
def restart(self, instance_name="", capture_output=True):
|
|
self.service.restart(instance_name, capture_output=capture_output)
|
|
|
|
def is_running(self):
|
|
return self.service.is_running()
|
|
|
|
def install(self):
|
|
self.service.install()
|
|
|
|
def remove(self):
|
|
self.service.remove()
|
|
|
|
def enable(self):
|
|
self.service.enable()
|
|
|
|
def disable(self):
|
|
self.service.disable()
|
|
|
|
def is_enabled(self):
|
|
return self.service.is_enabled()
|
|
|
|
def backup_state(self, key, value):
|
|
self.sstore.backup_state(self.service_name, key, value)
|
|
|
|
def restore_state(self, key):
|
|
return self.sstore.restore_state(self.service_name, key)
|
|
|
|
def print_msg(self, message):
|
|
print_msg(message, self.output_fd)
|
|
|
|
def step(self, message, method):
|
|
self.steps.append((message, method))
|
|
|
|
def start_creation(self, message, runtime=-1):
|
|
if runtime > 0:
|
|
plural=''
|
|
est = time.localtime(runtime)
|
|
if est.tm_min > 0:
|
|
if est.tm_min > 1:
|
|
plural = 's'
|
|
if est.tm_sec > 0:
|
|
self.print_msg('%s: Estimated time %d minute%s %d seconds' % (message, est.tm_min, plural, est.tm_sec))
|
|
else:
|
|
self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural))
|
|
else:
|
|
if est.tm_sec > 1:
|
|
plural = 's'
|
|
self.print_msg('%s: Estimated time %d second%s' % (message, est.tm_sec, plural))
|
|
else:
|
|
self.print_msg(message)
|
|
|
|
step = 0
|
|
for (message, method) in self.steps:
|
|
self.print_msg(" [%d/%d]: %s" % (step+1, len(self.steps), message))
|
|
s = datetime.datetime.now()
|
|
method()
|
|
e = datetime.datetime.now()
|
|
d = e - s
|
|
root_logger.debug(" duration: %d seconds" % d.seconds)
|
|
step += 1
|
|
|
|
self.print_msg("done configuring %s." % self.service_name)
|
|
|
|
self.steps = []
|
|
|
|
def __get_conn(self, fqdn, dm_password):
|
|
# If we are passed a password we'll use it as the DM password
|
|
# otherwise we'll do a GSSAPI bind.
|
|
try:
|
|
# conn = ipaldap.IPAdmin(fqdn, port=636, cacert=CACERT)
|
|
conn = ipaldap.IPAdmin(fqdn, port=389)
|
|
if dm_password:
|
|
conn.do_simple_bind(bindpw=dm_password)
|
|
else:
|
|
conn.do_sasl_gssapi_bind()
|
|
except Exception, e:
|
|
root_logger.debug("Could not connect to the Directory Server on %s: %s" % (fqdn, str(e)))
|
|
raise e
|
|
|
|
return conn
|
|
|
|
def ldap_enable(self, name, fqdn, dm_password, ldap_suffix):
|
|
self.disable()
|
|
conn = self.__get_conn(fqdn, dm_password)
|
|
|
|
entry_name = "cn=%s,cn=%s,%s,%s" % (name, fqdn,
|
|
"cn=masters,cn=ipa,cn=etc",
|
|
ldap_suffix)
|
|
order = SERVICE_LIST[name][1]
|
|
entry = ipaldap.Entry(entry_name)
|
|
entry.setValues("objectclass",
|
|
"nsContainer", "ipaConfigObject")
|
|
entry.setValues("cn", name)
|
|
entry.setValues("ipaconfigstring",
|
|
"enabledService", "startOrder " + str(order))
|
|
|
|
try:
|
|
conn.addEntry(entry)
|
|
except ldap.ALREADY_EXISTS, e:
|
|
root_logger.critical("failed to add %s Service startup entry" % name)
|
|
raise e
|
|
|
|
class SimpleServiceInstance(Service):
|
|
def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None):
|
|
self.gensvc_name = gensvc_name
|
|
self.fqdn = fqdn
|
|
self.dm_password = dm_password
|
|
self.suffix = ldap_suffix
|
|
|
|
self.step("starting %s " % self.service_name, self.__start)
|
|
self.step("configuring %s to start on boot" % self.service_name, self.__enable)
|
|
self.start_creation("Configuring %s" % self.service_name)
|
|
|
|
def __start(self):
|
|
self.backup_state("running", self.is_running())
|
|
self.restart()
|
|
|
|
def __enable(self):
|
|
self.enable()
|
|
self.backup_state("enabled", self.is_enabled())
|
|
if self.gensvc_name == None:
|
|
self.enable()
|
|
else:
|
|
self.ldap_enable(self.gensvc_name, self.fqdn,
|
|
self.dm_password, self.suffix)
|
|
|
|
def uninstall(self):
|
|
if self.is_configured():
|
|
self.print_msg("Unconfiguring %s" % self.service_name)
|
|
|
|
running = self.restore_state("running")
|
|
enabled = not self.restore_state("enabled")
|
|
|
|
if not running is None and not running:
|
|
self.stop()
|
|
if not enabled is None and not enabled:
|
|
self.disable()
|
|
self.remove()
|