Introduce a script that configures a local testing environment with ipa default.conf, krb5.conf, and ca.crt from a server hostname. The lite server configuration allows easy and convenient testing of IPA server and client code. It uses an existing 389-DS and KRB5 KDC server on another machine: $ contrib/lite-setup.py master.ipa.example $ source ~/.ipa/activate.sh (ipaenv) $ kinit username (ipaenv) $ make lite-server IPA server UI is available on http://localhost:8888/ipa/ Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
#!/usr/bin/env python3
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
"""Configure lite-server environment.
See README.md for more details.
"""
import argparse
import os
import socket
from urllib.request import urlopen
DEFAULT_CONF = """\
|
|
[global]
|
|
host = {args.hostname}
|
|
server = {args.servername}
|
|
basedn = {args.basedn}
|
|
realm = {args.realm}
|
|
domain = {args.domain}
|
|
xmlrpc_uri = {args.xmlrpc_uri}
|
|
ldap_uri = ldap://{args.servername}
|
|
debug = {args.debug}
|
|
enable_ra = False
|
|
ra_plugin = dogtag
|
|
dogtag_version = 10
|
|
"""
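# Template for ~/.ipa/krb5.conf, rendered with str.format(args=...) in main().
# Doubled braces ({{ }}) are literal braces in the rendered file. default_domain
# and the [domain_realm] section are derived from args.domain so the mapping is
# right for whatever domain the script was given, not only for ipa.example.
# pkinit_anchors/http_anchors point at the ca.crt that main() downloads.
KRB5_CONF = """\
[libdefaults]
default_realm = {args.realm}
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = FILE:{args.ccache}

[realms]
{args.realm} = {{
kdc = {args.kdc}
master_kdc = {args.kdc}
admin_server = {args.kadmin}
default_domain = {args.domain}
pkinit_anchors = FILE:{args.ca_crt}
pkinit_pool = FILE:{args.ca_crt}
http_anchors = FILE:{args.ca_crt}
}}

[domain_realm]
.{args.domain} = {args.realm}
{args.domain} = {args.realm}
{args.servername} = {args.realm}
"""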
LDAP_CONF = """\
|
|
URI ldaps://{args.servername}
|
|
BASE {args.basedn}
|
|
TLS_CACERT {args.ca_crt}
|
|
SASL_MECH GSSAPI
|
|
SASL_NOCANON on
|
|
"""
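# Wrapper script written to ~/.ipa/ipa (made executable by main()) so that
# "ipa ..." on the activated PATH runs the checkout's ipaclient module.
# "$@" forwards every argument as its own word; the previous $* re-split
# arguments on whitespace and expanded glob characters.
IPA_BIN = """\
#!/bin/sh
exec python3 -m ipaclient "$@"
"""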
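# Template for ~/.ipa/activate.sh, rendered with str.format(args=...) in main()
# and meant to be sourced. Doubled braces ({{ }}) are literal braces in the
# rendered script. deactivate_ipaenv undoes every export made below, including
# KRB5_TRACE, which is only exported when args.tracecomment is empty (--debug).
ACTIVATE = """\
deactivate_ipaenv () {{
export PS1="${{_OLD_IPAENV_PS1}}"
export PATH="${{_OLD_IPAENV_PATH}}"
unset _OLD_IPAENV_PS1
unset _OLD_IPAENV_PATH
unset KRB5_CONFIG
unset KRB5CCNAME
unset KRB5_TRACE
unset LDAPCONF
unset IPA_CONFDIR
unset PYTHONPATH
unset -f deactivate_ipaenv
}}

export _OLD_IPAENV_PS1="${{PS1:-}}"
export _OLD_IPAENV_PATH="${{PATH:-}}"
export PS1="(ipaenv) ${{PS1:-}}"
export PATH="{args.dot_ipa}:${{PATH:-}}"
export KRB5_CONFIG="{args.krb5_conf}"
export KRB5CCNAME="{args.ccache}"
{args.tracecomment}export KRB5_TRACE=/dev/stderr
export LDAPCONF="{args.ldap_conf}"
export IPA_CONFDIR="{args.dot_ipa}"
export PYTHONPATH="{args.basedir}"
"""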
MSG = """\
|
|
Configured for server '{args.servername}' and realm '{args.realm}'.
|
|
|
|
To activate the IPA test env:
|
|
|
|
source {args.activate}
|
|
kinit
|
|
make lite-server
|
|
|
|
To deactivate the IPA test env and to unset the env vars:
|
|
|
|
deactivate_ipaenv
|
|
|
|
The source file configures the env vars:
|
|
|
|
export KRB5_CONFIG="{args.krb5_conf}"
|
|
export KRB5CCNAME="{args.ccache}"
|
|
export LDAPCONF="{args.ldap_conf}"
|
|
export IPA_CONFDIR="{args.dot_ipa}"
|
|
export PYTHONPATH="{args.basedir}"
|
|
"""
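# Command-line interface. main() extends the parsed namespace with derived
# values (realm, basedn, file paths, ...) before rendering the templates above.
parser = argparse.ArgumentParser(
    description="Configure a lite-server test environment under ~/.ipa."
)
parser.add_argument("servername", help="IPA server name")
parser.add_argument(
    "domain",
    default=None,
    nargs="?",
    help="DNS domain (default: servername with its first label removed)",
)
parser.add_argument(
    "--kdcproxy", action="store_true", help="Use KRB5 over HTTPS (KDC-Proxy)"
)
parser.add_argument(
    "--debug",
    action="store_true",
    help="Enable debug mode for lite-server and KRB5",
)
parser.add_argument(
    "--remote-server",
    action="store_true",
    help="Configure client to use a remote server instead of lite-server",
)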
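def _derive_settings(args):
    """Fill in domain, realm, base DN, host name and service endpoints on *args*.

    Mutates the parsed namespace in place.

    Raises:
        SystemExit: via ``parser.error`` when no domain was given and
            ``servername`` has no dot to derive one from.
    """
    if args.domain is None:
        # Default the domain to everything after the first label of the server
        # name; a bare host name has nothing to derive from and would
        # otherwise blow up with an IndexError.
        _, sep, derived = args.servername.lower().partition(".")
        derived = derived.rstrip(".")
        if not sep or not derived:
            parser.error(
                f"cannot derive the domain from servername '{args.servername}'; "
                "pass the domain explicitly"
            )
        args.domain = derived
    else:
        args.domain = args.domain.lower().rstrip(".")
    args.realm = args.domain.upper()
    args.hostname = socket.gethostname()
    args.basedn = ",".join(f"dc={part}" for part in args.domain.split("."))
    # Without --debug the KRB5_TRACE export in activate.sh stays commented out.
    args.tracecomment = "" if args.debug else "#"

    if args.kdcproxy:
        # Kerberos over HTTPS through the server's KDC proxy endpoint.
        proxy = f"https://{args.servername}/KdcProxy"
        args.kdc = proxy
        args.kadmin = proxy
    else:
        args.kdc = f"{args.servername}:88"
        args.kadmin = f"{args.servername}:749"

    if args.remote_server:
        args.xmlrpc_uri = f"https://{args.servername}/ipa/xml"
    else:
        args.xmlrpc_uri = "http://localhost:8888/ipa/xml"


def _compute_paths(args):
    """Set the checkout directory and every file path under ~/.ipa on *args*."""
    # Two levels up from this script (contrib/) is the checkout root.
    args.basedir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
    args.dot_ipa = os.path.expanduser("~/.ipa")
    for attr, filename in (
        ("default_conf", "default.conf"),
        ("ca_crt", "ca.crt"),
        ("krb5_conf", "krb5.conf"),
        ("ldap_conf", "ldap.conf"),
        ("ccache", "ccache"),
        ("ipa_bin", "ipa"),
        ("activate", "activate.sh"),
    ):
        setattr(args, attr, os.path.join(args.dot_ipa, filename))


def _fetch_ca_cert(args):
    """Download the server's CA certificate and store it at ``args.ca_crt``.

    The certificate is fetched over plain HTTP, so this script cannot
    authenticate the trust anchor that krb5.conf and ldap.conf will rely on
    for PKINIT and ldaps; it is accepted on first use.
    NOTE(review): compare the downloaded ca.crt with the server's CA out of
    band before relying on it. Only the response shape is checked here, so
    an HTML error page or captive-portal reply is not stored as ca.crt.

    Raises:
        SystemExit: when the download fails or the body is not PEM.
    """
    url = f"http://{args.servername}/ipa/config/ca.crt"
    try:
        with urlopen(url, timeout=30) as resp:
            ca_data = resp.read()
    except OSError as exc:  # URLError/HTTPError and socket errors
        raise SystemExit(f"Failed to fetch CA certificate from {url}: {exc}") from exc
    if not ca_data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        raise SystemExit(
            f"{url} did not return a PEM certificate; not writing {args.ca_crt}"
        )
    with open(args.ca_crt, "wb") as f:
        f.write(ca_data)


def _write_text(path, content, mode=None):
    """Write *content* to *path* as text, optionally chmod-ing it to *mode*."""
    with open(path, "w") as f:
        f.write(content)
        if mode is not None:
            os.fchmod(f.fileno(), mode)


def _write_configs(args):
    """Render every template with *args* and write it under ~/.ipa."""
    _write_text(args.default_conf, DEFAULT_CONF.format(args=args))
    _write_text(args.krb5_conf, KRB5_CONF.format(args=args))
    _write_text(args.ldap_conf, LDAP_CONF.format(args=args))
    # The ipa wrapper is executed from PATH, so it needs the exec bit.
    _write_text(args.ipa_bin, IPA_BIN.format(args=args), mode=0o755)
    _write_text(args.activate, ACTIVATE.format(args=args))


def main():
    """Parse arguments, fetch ca.crt, write ~/.ipa and print the next steps."""
    args = parser.parse_args()
    _derive_settings(args)
    _compute_paths(args)

    if not os.path.isdir(args.dot_ipa):
        # Private to the user and group: the directory holds the ccache.
        os.makedirs(args.dot_ipa, mode=0o750)

    _fetch_ca_cert(args)
    _write_configs(args)

    print(MSG.format(args=args))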
# Run the setup only when executed as a script, not when imported.
if __name__ == "__main__":
    main()