Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> # # Copyright (C) 2007 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. #
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple # the first value is the *nix service name, the second the start order. 'KDC':('krb5kdc', 10), 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'MEMCACHE':('ipa_memcached', 39), 'HTTP':('httpd', 40), 'CA':('pki-cad', 50), 'ADTRUST':('smb', 60), 'EXTID':('winbind', 70) }
root_logger.debug(message) output_fd.write(message) output_fd.write("\n")
self.service_name = service_name self.service = ipaservices.service(service_name) self.steps = [] self.output_fd = sys.stdout self.dm_password = dm_password self.ldapi = ldapi
self.fqdn = socket.gethostname() self.admin_conn = None
if sstore: self.sstore = sstore else: self.sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
self.realm = None self.suffix = None self.principal = None self.dercert = None
if self.ldapi: if not self.realm: raise RuntimeError('realm must be set to use ldapi connection') self.admin_conn = self.__get_conn(None, None, ldapi=True, realm=self.realm) else: self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
self.admin_conn.unbind() self.admin_conn = None
pw_name = None fd = None path = ipautil.SHARE_DIR + ldif hostname = installutils.get_fqdn() nologlist=[]
if sub_dict is not None: txt = ipautil.template_file(path, sub_dict) fd = ipautil.write_tmp_file(txt) path = fd.name
# do not log passwords if sub_dict.has_key('PASSWORD'): nologlist.append(sub_dict['PASSWORD']) if sub_dict.has_key('RANDOM_PASSWORD'): nologlist.append(sub_dict['RANDOM_PASSWORD'])
if self.dm_password: [pw_fd, pw_name] = tempfile.mkstemp() os.write(pw_fd, self.dm_password) os.close(pw_fd) auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] else: auth_parms = ["-Y", "GSSAPI"]
args = ["/usr/bin/ldapmodify", "-h", hostname, "-v", "-f", path] args += auth_parms
try: try: ipautil.run(args, nolog=nologlist) except ipautil.CalledProcessError, e: root_logger.critical("Failed to load %s: %s" % (ldif, str(e))) finally: if pw_name: os.remove(pw_name)
if fd is not None: fd.close()
""" Used to move a principal entry created by kadmin.local from cn=kerberos to cn=services """
dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (principal, self.realm, self.suffix) try: entry = self.admin_conn.getEntry(dn, ldap.SCOPE_BASE) except errors.NotFound: # There is no service in the wrong location, nothing to do. # This can happen when installing a replica return newdn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix) hostdn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix) self.admin_conn.deleteEntry(dn) entry.dn = newdn classes = entry.getValues("objectclass") classes = classes + ["ipaobject", "ipaservice", "pkiuser"] entry.setValues("objectclass", list(set(classes))) entry.setValue("ipauniqueid", 'autogenerate') entry.setValue("managedby", hostdn) self.admin_conn.addEntry(entry) return newdn
""" Add a very basic IPA service.
The principal needs to be fully-formed: service/host@REALM """ if not self.admin_conn: self.ldap_connect()
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix) hostdn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix) entry = ipaldap.Entry(dn) entry.setValues("objectclass", ["krbprincipal", "krbprincipalaux", "krbticketpolicyaux", "ipaobject", "ipaservice", "pkiuser"]) entry.setValue("krbprincipalname", principal) entry.setValue("ipauniqueid", 'autogenerate') entry.setValue("managedby", hostdn) self.admin_conn.addEntry(entry) return dn
""" Add a certificate to a service
This server cert should be in DER format. """
if not self.admin_conn: self.ldap_connect()
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix) mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)] try: self.admin_conn.modify_s(dn, mod) except Exception, e: root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
return self.sstore.has_state(self.service_name)
self.output_fd = fd
self.service.stop(instance_name, capture_output=capture_output)
self.service.start(instance_name, capture_output=capture_output, wait=wait)
self.service.restart(instance_name, capture_output=capture_output, wait=wait)
return self.service.is_running()
self.service.install()
self.service.remove()
self.service.enable()
self.service.disable()
return self.service.is_enabled()
self.sstore.backup_state(self.service_name, key, value)
return self.sstore.restore_state(self.service_name, key)
print_msg(message, self.output_fd)
self.steps.append((message, method))
if runtime > 0: plural='' est = time.localtime(runtime) if est.tm_min > 0: if est.tm_min > 1: plural = 's' if est.tm_sec > 0: self.print_msg('%s: Estimated time %d minute%s %d seconds' % (message, est.tm_min, plural, est.tm_sec)) else: self.print_msg('%s: Estimated time %d minute%s' % (message, est.tm_min, plural)) else: if est.tm_sec > 1: plural = 's' self.print_msg('%s: Estimated time %d second%s' % (message, est.tm_sec, plural)) else: self.print_msg(message)
step = 0 for (message, method) in self.steps: self.print_msg(" [%d/%d]: %s" % (step+1, len(self.steps), message)) s = datetime.datetime.now() method() e = datetime.datetime.now() d = e - s root_logger.debug(" duration: %d seconds" % d.seconds) step += 1
self.print_msg("done configuring %s." % self.service_name)
self.steps = []
# If we are passed a password we'll use it as the DM password # otherwise we'll do a GSSAPI bind. try: # conn = ipaldap.IPAdmin(fqdn, port=636, cacert=CACERT) if ldapi: conn = ipaldap.IPAdmin(ldapi=ldapi, realm=realm) else: conn = ipaldap.IPAdmin(fqdn, port=389) if dm_password: conn.do_simple_bind(bindpw=dm_password) elif os.getegid() == 0 and self.ldapi: try: # autobind pw_name = pwd.getpwuid(os.geteuid()).pw_name conn.do_external_bind(pw_name) except errors.NotFound: # Fall back conn.do_sasl_gssapi_bind() else: conn.do_sasl_gssapi_bind() except Exception, e: root_logger.debug("Could not connect to the Directory Server on %s: %s" % (fqdn, str(e))) raise e
return conn
self.disable() if not self.admin_conn: self.ldap_connect()
entry_name = "cn=%s,cn=%s,%s,%s" % (name, fqdn, "cn=masters,cn=ipa,cn=etc", ldap_suffix) order = SERVICE_LIST[name][1] entry = ipaldap.Entry(entry_name) entry.setValues("objectclass", "nsContainer", "ipaConfigObject") entry.setValues("cn", name) entry.setValues("ipaconfigstring", "enabledService", "startOrder " + str(order))
try: self.admin_conn.addEntry(entry) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e: root_logger.debug("failed to add %s Service startup entry" % name) raise e
self.gensvc_name = gensvc_name self.fqdn = fqdn self.dm_password = dm_password self.suffix = ldap_suffix
self.step("starting %s " % self.service_name, self.__start) self.step("configuring %s to start on boot" % self.service_name, self.__enable) self.start_creation("Configuring %s" % self.service_name)
self.backup_state("running", self.is_running()) self.restart()
self.enable() self.backup_state("enabled", self.is_enabled()) if self.gensvc_name == None: self.enable() else: self.ldap_enable(self.gensvc_name, self.fqdn, self.dm_password, self.suffix)
if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name)
running = self.restore_state("running") enabled = not self.restore_state("enabled")
if not running is None and not running: self.stop() if not enabled is None and not enabled: self.disable() self.remove() |