Rob Crittenden 2f4f9054aa Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:

- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
  first data element. It was returning "host" from the service tgt
  and not host/
- fix the display of the managedby attribute in the service plugin

This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:

- if a service had a bad usercertificate it was impossible to delete the
  service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output

ticket 68
2010-08-16 17:13:56 -04:00

397 lines
13 KiB

# Authors:
# Jason Gerard DeRose <>
# Rob Crittenden <>
# Pavel Zuna <>
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Services (Identity)
A service represents a running service on a host. This service record
may store a kerberos principal or an SSL certificate (or both).
A service may be managed directly by a machine, if it has been given
the proper permission (even a machine other than the one the service is
associated with). An example of this is requesting an SSL certificate
using the host service principal credentials of the host.
Adding a service makes it possible to request an SSL certificate or
keytab for that service but this is done as a separate step later. The
creation of a service in itself doesn't generate these.
The certificate stored in a service is just the public portion. The
private key is not stored.
Add a service:
ipa service-add HTTP/
Allow a host to manage the service certificate:
ipa service-add-host HTTP/
ipa rolegroup-add-member certadmin
Remove a service:
ipa service-del HTTP/
Find all services for a host:
ipa service-find
Find all HTTP services:
ipa service-find HTTP
Disable a service kerberos key:
ipa service-disable HTTP/
import base64
from ipalib import api, errors, util
from ipalib import Str, Flag, Bytes
from ipalib.plugins.baseldap import *
from ipalib import x509
from ipalib import _, ngettext
from nss.error import NSPRError
output_params = (
label='Managed by',
def split_principal(principal):
service = hostname = realm = None
# Break down the principal into its component parts, which may or
# may not include the realm.
sp = principal.split('/')
if len(sp) != 2:
raise errors.MalformedServicePrincipal(reason='missing service')
service = sp[0]
sr = sp[1].split('@')
if len(sr) > 2:
raise errors.MalformedServicePrincipal(
reason='unable to determine realm'
hostname = sr[0].lower()
if len(sr) == 2:
realm = sr[1].upper()
# At some point we'll support multiple realms
if realm != api.env.realm:
raise errors.RealmMismatch()
realm = api.env.realm
# Note that realm may be None.
return (service, hostname, realm)
def validate_principal(ugettext, principal):
(service, hostname, principal) = split_principal(principal)
return None
def normalize_principal(principal):
# The principal is already validated when it gets here
(service, hostname, realm) = split_principal(principal)
# Put the principal back together again
principal = '%s/%s@%s' % (service, hostname, realm)
return unicode(principal)
def validate_certificate(ugettext, cert):
For now just verify that it is properly base64-encoded.
except Exception, e:
raise errors.Base64DecodeError(reason=str(e))
class service(LDAPObject):
Service object.
container_dn = api.env.container_service
object_name = 'service'
object_name_plural = 'services'
object_class = [
'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject',
'ipaservice', 'pkiuser'
search_attributes = ['krbprincipalname', 'managedby']
default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange']
uuid_attribute = 'ipauniqueid'
attribute_members = {
'managedby': ['host'],
label = _('Services')
takes_params = (
Str('krbprincipalname', validate_principal,
doc=_('Service principal'),
normalizer=lambda value: normalize_principal(value),
class service_add(LDAPCreate):
Add new service.
msg_summary = _('Added service "%(value)s"')
member_attributes = ['managedby']
has_output_params = LDAPCreate.has_output_params + output_params
takes_options = (
doc=_('force principal name even if not in DNS'),
Bytes('usercertificate?', validate_certificate,
doc=_('Base-64 encoded server certificate'),
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
(service, hostname, realm) = split_principal(keys[-1])
if service.lower() == 'host' and not options['force']:
raise errors.HostService()
hostresult = api.Command['host_show'](hostname)['result']
except errors.NotFound:
raise errors.NotFound(reason="The host '%s' does not exist to add a service to." % hostname)
cert = entry_attrs.get('usercertificate')
if cert:
cert = cert[0]
# FIXME: should be in a normalizer: need to fix normalizers
# to work on non-unicode data
entry_attrs['usercertificate'] = base64.b64decode(cert)
# FIXME: shouldn't we request signing at this point?
if not options.get('force', False):
# We know the host exists if we've gotten this far but we
# really want to discourage creating services for hosts that
# don't exist in DNS.
util.validate_host_dns(self.log, hostname)
if not 'managedby' in entry_attrs:
entry_attrs['managedby'] = hostresult['dn']
return dn
class service_del(LDAPDelete):
Delete an existing service.
msg_summary = _('Deleted service "%(value)s"')
member_attributes = ['managedby']
def pre_callback(self, ldap, dn, *keys, **options):
if self.api.env.enable_ra:
(dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
if cert:
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
result = api.Command['cert_show'](unicode(serial))['result']
if 'revocation_reason' not in result:
api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
except errors.NotImplementedError:
# some CA's might not implement revoke
except errors.NotImplementedError:
# some CA's might not implement revoke
except NSPRError, nsprerr:
if nsprerr.errno == -8183:
# If we can't decode the cert them proceed with
# removing the service."Problem decoding certificate %s" % nsprerr.args[1])
raise nsprerr
return dn
class service_mod(LDAPUpdate):
Modify service.
msg_summary = _('Modified service "%(value)s"')
takes_options = LDAPUpdate.takes_options + (
Bytes('usercertificate?', validate_certificate,
doc=_('Base-64 encoded server certificate'),
has_output_params = LDAPUpdate.has_output_params + output_params
member_attributes = ['managedby']
def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
if 'usercertificate' in options:
cert = options.get('usercertificate')
if cert:
(dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
if 'usercertificate' in entry_attrs_old:
# FIXME: what to do here? do we revoke the old cert?
fmt = 'entry already has a certificate, serial number: %s' % (
x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
raise errors.GenericError(format=fmt)
# FIXME: should be in normalizer; see service_add
entry_attrs['usercertificate'] = base64.b64decode(cert)
entry_attrs['usercertificate'] = None
return dn
class service_find(LDAPSearch):
Search for services.
msg_summary = ngettext(
'%(count)d service matched', '%(count)d services matched'
member_attributes = ['managedby']
takes_options = LDAPSearch.takes_options + (
Bytes('usercertificate?', validate_certificate,
doc=_('Base-64 encoded server certificate'),
has_output_params = LDAPSearch.has_output_params + output_params
def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options):
# lisp style!
custom_filter = '(&(objectclass=ipaService)' \
'(!(objectClass=posixAccount))' \
'(!(|(krbprincipalname=kadmin/*)' \
'(krbprincipalname=K/M@*)' \
'(krbprincipalname=krbtgt/*))' \
')' \
return ldap.combine_filters(
(custom_filter, filter), rules=ldap.MATCH_ALL
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
entry_attrs = entry[1]
if 'krblastpwdchange' in entry_attrs:
entry_attrs['has_keytab'] = True
if not options.get('all', False):
del entry_attrs['krblastpwdchange']
entry_attrs['has_keytab'] = False
class service_show(LDAPRetrieve):
Display service.
member_attributes = ['managedby']
takes_options = LDAPRetrieve.takes_options + (
Bytes('usercertificate?', validate_certificate,
doc=_('Base-64 encoded server certificate'),
has_output_params = LDAPRetrieve.has_output_params + output_params
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if 'krblastpwdchange' in entry_attrs:
entry_attrs['has_keytab'] = True
if not options.get('all', False):
del entry_attrs['krblastpwdchange']
entry_attrs['has_keytab'] = False
return dn
class service_add_host(LDAPAddMember):
Add hosts that can manage this service.
member_attributes = ['managedby']
has_output_params = LDAPAddMember.has_output_params + output_params
class service_remove_host(LDAPRemoveMember):
Remove hosts that can manage this service.
member_attributes = ['managedby']
has_output_params = LDAPRemoveMember.has_output_params + output_params
class service_disable(LDAPQuery):
Disable the kerberos key of this service.
has_output = output.standard_value
msg_summary = _('Removed kerberos key from "%(value)s"')
has_output_params = LDAPQuery.has_output_params + output_params
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
(dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange'])
if 'krblastpwdchange' not in entry_attrs:
error_msg = _('Service principal has no kerberos key')
raise errors.NotFound(reason=error_msg)
return dict(