authorJR Aquino <jr.aquino@citrix.com>2011-09-20 09:13:42 -0700
committerMartin Kosek <mkosek@redhat.com>2011-09-21 09:22:13 +0200
commit1ac613fc183f03420fa6321e39ad47d15a209e0a (patch)
tree45c5ed3383ddb473f730d769c28d7dd247d601c2
parent06ccb38c69112b4f21b85af2e6de91a8e5af5a05 (diff)
25 Create Tool for Enabling/Disabling Managed Entry Plugins
Remove legacy ipa-host-net-manage. Add ipa-managed-entries tool. Add man page for ipa-managed-entries tool. https://fedorahosted.org/freeipa/ticket/1181
-rw-r--r--freeipa.spec.in4
-rw-r--r--install/po/Makefile.in2
-rw-r--r--install/tools/Makefile.am2
-rwxr-xr-xinstall/tools/ipa-host-net-manage220
-rwxr-xr-xinstall/tools/ipa-managed-entries252
-rw-r--r--install/tools/man/Makefile.am2
-rw-r--r--install/tools/man/ipa-managed-entries.1 (renamed from install/tools/man/ipa-host-net-manage.1)29
7 files changed, 275 insertions, 236 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2a9df831f..ca6d294f5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -413,7 +413,7 @@ fi
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
-%{_sbindir}/ipa-host-net-manage
+%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipactl
%{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-compliance
@@ -488,7 +488,7 @@ fi
%{_mandir}/man1/ipa-ca-install.1.gz
%{_mandir}/man1/ipa-compat-manage.1.gz
%{_mandir}/man1/ipa-nis-manage.1.gz
-%{_mandir}/man1/ipa-host-net-manage.1.gz
+%{_mandir}/man1/ipa-managed-entries.1.gz
%{_mandir}/man1/ipa-ldap-updater.1.gz
%{_mandir}/man8/ipactl.8.gz
%{_mandir}/man1/ipa-compliance.1.gz
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index ac08b4792..07073f177 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -47,7 +47,7 @@ PY_EXPLICIT_FILES = \
install/tools/ipa-upgradeconfig \
install/tools/ipa-replica-prepare \
install/tools/ipa-compat-manage \
- install/tools/ipa-host-net-manage \
+ install/tools/ipa-managed-entries \
install/tools/ipa-server-install \
install/tools/ipa-ldap-updater \
install/tools/ipa-dns-install \
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 96da75317..7f1504cd5 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -18,7 +18,7 @@ sbin_SCRIPTS = \
ipactl \
ipa-compat-manage \
ipa-nis-manage \
- ipa-host-net-manage \
+ ipa-managed-entries \
ipa-ldap-updater \
ipa-upgradeconfig \
ipa-compliance \
diff --git a/install/tools/ipa-host-net-manage b/install/tools/ipa-host-net-manage
deleted file mode 100755
index 5da7b9222..000000000
--- a/install/tools/ipa-host-net-manage
+++ /dev/null
@@ -1,220 +0,0 @@
-#!/usr/bin/python
-# Authors: Jr Aquino <jr.aquino@citrix.com>
-# Authors: Rob Crittenden <rcritten@redhat.com>
-# Authors: Simo Sorce <ssorce@redhat.com>
-#
-# Copyright (C) 2010 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import sys
-try:
- from optparse import OptionParser
- from ipapython import ipautil, config
- from ipaserver.install import installutils
- from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
- from ipaserver.plugins.ldap2 import ldap2
- from ipalib import api, errors
- import logging
- import StringIO
- import ldif
-except ImportError:
- print >> sys.stderr, """\
-There was a problem importing one of the required Python modules. The
-error was:
-
- %s
-""" % sys.exc_value
- sys.exit(1)
-
-def parse_options():
- usage = "%prog [options] <enable|disable>\n"
- usage += "%prog [options]\n"
- parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
-
- parser.add_option("-d", "--debug", action="store_true", dest="debug",
- help="Display debugging information about the update(s)")
- parser.add_option("-y", dest="password",
- help="File containing the Directory Manager password")
-
- config.add_standard_options(parser)
- options, args = parser.parse_args()
-
- config.init_config(options)
-
- return options, args
-
-def get_dirman_password():
- """Prompt the user for the Directory Manager password and verify its
- correctness.
- """
- password = installutils.read_password("Directory Manager", confirm=False,
- validate=False)
-
- return password
-
-def main():
- retval = 0
- loglevel = logging.ERROR
- files = ['/usr/share/ipa/host_nis_groups.ldif']
- def_dn = 'cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config'
-
- options, args = parse_options()
- if options.debug:
- loglevel = logging.DEBUG
-
- if len(args) != 1:
- sys.exit("You must specify one action, either enable or disable")
- elif args[0] != "enable" and args[0] != "disable" and args[0] != "status":
- sys.exit("Unrecognized action [" + args[0] + "]")
-
- logging.basicConfig(level=loglevel,
- format='%(levelname)s %(message)s')
-
- dirman_password = ""
- if options.password:
- pw = ipautil.template_file(options.password, [])
- dirman_password = pw.strip()
- else:
- dirman_password = get_dirman_password()
-
- api.bootstrap(context='cli', debug=options.debug)
- api.finalize()
-
- conn = None
- try:
- try:
- conn = ldap2(shared_instance=False, base_dn='')
- conn.connect(
- bind_dn='cn=directory manager', bind_pw=dirman_password
- )
- except errors.ExecutionError, lde:
- sys.exit("An error occurred while connecting to the server.\n%s\n" %
- str(lde))
- except errors.ACIError, e:
- sys.exit("Authentication failed: %s" % e.info)
-
- if args[0] == "status":
- try:
- dn, current_attr = conn.get_entry(def_dn, ['originfilter'],
- normalize=False)
- if current_attr['originfilter'] == [u'objectclass=ipahostgroup']:
- print "Plugin Enabled"
- else:
- print "Plugin Disabled"
- except errors.NotFound:
- print "Plugin Disabled"
- except errors.ExecutionError, lde:
- print "An error occurred while talking to the server."
- print lde
- return 0
-
- if args[0] == "enable":
- try:
- enable_attr = {'originfilter': 'objectclass=ipahostgroup'}
- dn, current_attr = conn.get_entry(def_dn, ['originfilter'],
- normalize=False)
- if current_attr['originfilter'] == [u'objectclass=ipahostgroup']:
- print "Plugin already Enabled"
- else:
- conn.update_entry(dn, enable_attr)
- print "Enabling Plugin"
- retval = 2
- except errors.NotFound:
- print "Enabling Plugin"
- except errors.ExecutionError, lde:
- print "An error occurred while talking to the server."
- print lde
- retval = 1
-
- if retval == 0:
- ldap_data = StringIO.StringIO()
- ldapfile = open(files[0], 'r').readlines()
- for line in ldapfile:
- if line == 'changetype: add\n':
- pass
- else:
- line = line.replace(
- '$SUFFIX', api.env.basedn).replace('$$', '$')
- ldap_data.write(line,)
- parsing_data = ldif.LDIFRecordList(ldap_data)
- print "Enabling Plugin"
- print "This setting will not take effect until you restart \
- Directory Server."
- for dn, entry_attr in parsing_data.all_records:
- try:
- conn.update_entry(dn, entry_attr)
- retval = 1
- except errors.LDAPError, lde:
- print "An error occurred while talking to the server."
- print lde
- retval = 1
-
- elif args[0] == "disable":
- # Make a quick hack for now, directly delete the entries by name,
- # In future we should consider an alternative means for enabling/
- # disabling.
- try:
- disable_attr = {'originfilter': 'objectclass=disabled'}
- dn, current_attr = conn.get_entry(def_dn, ['originfilter'],
- normalize=False)
- if current_attr['originfilter'] == [u'objectclass=disabled']:
- print "Plugin already disabled"
- else:
- conn.update_entry(dn, disable_attr)
- print "Disabling Plugin"
- except errors.NotFound:
- print "Plugin is already disabled"
- retval = 2
- except errors.DatabaseError, dbe:
- print "An error occurred while talking to the server."
- print dbe
- retval = 1
- except errors.ExecutionError, lde:
- print "An error occurred while talking to the server."
- print lde
- retval = 1
-
- else:
- retval = 1
-
- finally:
- if conn and conn.isconnected():
- conn.disconnect()
-
- return retval
-
-try:
- if __name__ == "__main__":
- sys.exit(main())
-except BadSyntax, e:
- print "There is a syntax error in this update file:"
- print " %s" % e
- sys.exit(1)
-except RuntimeError, e:
- print "%s" % e
- sys.exit(1)
-except SystemExit, e:
- sys.exit(e)
-except KeyboardInterrupt, e:
- sys.exit(1)
-except config.IPAConfigError, e:
- print "An IPA server to update cannot be found. Has one been configured yet?"
- print "The error was: %s" % e
- sys.exit(1)
-except errors.LDAPError, e:
- print "An error occurred while performing operations: %s" % e
- sys.exit(1)
diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
new file mode 100755
index 000000000..9b3f54714
--- /dev/null
+++ b/install/tools/ipa-managed-entries
@@ -0,0 +1,252 @@
+#!/usr/bin/python
+# Authors: Jr Aquino <jr.aquino@citrix.com>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldap
+import re
+import sys
+try:
+ from optparse import OptionParser
+ from ipapython import ipautil, config
+ from ipaserver.install import installutils
+ from ipaserver import ipaldap
+ from ipaserver.plugins.ldap2 import ldap2
+ from ipalib import api, errors
+ from ipalib.dn import *
+ import logging
+except ImportError:
+ print >> sys.stderr, """\
+There was a problem importing one of the required Python modules. The
+error was:
+
+ %s
+""" % sys.exc_value
+ sys.exit(1)
+
+CACERT = "/etc/ipa/ca.crt"
+
+def parse_options():
+ usage = "%prog [options] <status|enable|disable>\n"
+ usage += "%prog [options]\n"
+ parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
+
+ parser.add_option("-d", "--debug", action="store_true", dest="debug",
+ help="Display debugging information about the update(s)")
+ parser.add_option("-e", "--entry", dest="managed_entry",
+ default=None, type="string",
+ help="DN for the Managed Entry Definition")
+ parser.add_option("-l", "--list", dest="list_managed_entries",
+ action="store_true",
+ help="DN for the Managed Entry Definition")
+ parser.add_option("-p", dest="dirman_password",
+ help="Directory Manager password")
+
+ config.add_standard_options(parser)
+ options, args = parser.parse_args()
+
+ config.init_config(options)
+
+ return options, args
+
+def get_dirman_password():
+ """Prompt the user for the Directory Manager password and verify its
+ correctness.
+ """
+ password = installutils.read_password("Directory Manager", confirm=False,
+ validate=True)
+
+ return password
+
+def main():
+ retval = 0
+ loglevel = logging.ERROR
+ def_dn = None
+ options, args = parse_options()
+ if options.debug:
+ loglevel = logging.DEBUG
+
+ if options.list_managed_entries:
+ pass
+ elif len(args) != 1:
+ sys.exit("You must specify an action, either status, enable or disable")
+ elif args[0] != "enable" and args[0] != "disable" and args[0] != "status":
+ sys.exit("Unrecognized action [" + args[0] + "]")
+ logging.basicConfig(level=loglevel,
+ format='%(levelname)s %(message)s')
+
+ host = installutils.get_fqdn()
+ api.bootstrap(context='cli', debug=options.debug)
+ api.finalize()
+
+ managed_entry_definitions_dn = DN(
+ ('cn', 'Definitions'),
+ ('cn', 'Managed Entries'),
+ ('cn', 'etc'),
+ DN(api.env.basedn)
+ )
+ managed_entry_definitions_dn = str(managed_entry_definitions_dn)
+
+ conn = None
+ try:
+ filter = '(objectClass=extensibleObject)'
+ conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
+ conn.do_sasl_gssapi_bind()
+ except ldap.LOCAL_ERROR:
+ if options.dirman_password:
+ dirman_password = options.dirman_password
+ else:
+ dirman_password = get_dirman_password()
+ conn.do_simple_bind(bindpw=dirman_password)
+ except errors.ExecutionError, lde:
+ sys.exit("An error occurred while connecting to the server.\n%s\n" %
+ str(lde))
+ except errors.ACIError, e:
+ sys.exit("Authentication failed: %s" % e.info)
+
+ if options.list_managed_entries:
+ # List available Managed Entry Plugins
+ managed_entries = None
+ entries = conn.search_s(
+ managed_entry_definitions_dn, ldap.SCOPE_SUBTREE, filter
+ )
+ managed_entries = [entry.dn for entry in entries]
+ if managed_entries:
+ print "Available Managed Entry Definitions:"
+ for managed_entry in managed_entries:
+ rdn = DN(managed_entry)
+ managed_entry = rdn[0].value
+ print managed_entry
+ retval = 0
+ sys.exit()
+
+ if not options.managed_entry:
+ sys.exit("\nYou must specify a managed entry definition")
+ else:
+ rdn = DN(
+ ('cn', options.managed_entry),
+ DN(managed_entry_definitions_dn)
+ )
+ def_dn = str(rdn)
+
+ disabled = True
+ try:
+ entries = conn.search_s(def_dn,
+ ldap.SCOPE_BASE,
+ filter,
+ ['originfilter'],
+ )
+ disable_attr = '(objectclass=disable)'
+ try:
+ org_filter = entries[0].originfilter
+ disabled = re.search(r'%s' % disable_attr, org_filter)
+ except KeyError:
+ sys.exit("%s is not a valid Managed Entry" % def_dn)
+ except ldap.NO_SUCH_OBJECT:
+ sys.exit("%s is not a valid Managed Entry" % def_dn)
+ except errors.NotFound:
+ sys.exit("%s is not a valid Managed Entry" % def_dn)
+ except errors.ExecutionError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+
+ if args[0] == "status":
+ if not disabled:
+ print "Plugin Enabled"
+ else:
+ print "Plugin Disabled"
+ return 0
+
+ if args[0] == "enable":
+ try:
+ if not disabled:
+ print "Plugin already Enabled"
+ retval = 2
+ else:
+ # Remove disable_attr from filter
+ enable_attr = org_filter.replace(disable_attr, '')
+ #enable_attr = {'originfilter': enable_attr}
+ conn.modify_s(
+ def_dn,
+ [(ldap.MOD_REPLACE,
+ 'originfilter',
+ enable_attr)]
+ )
+ print "Enabling Plugin"
+ retval = 0
+ except errors.NotFound:
+ print "Enabling Plugin"
+ except errors.ExecutionError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+ retval = 1
+
+ elif args[0] == "disable":
+ # Set originFilter to objectclass=disabled
+ # In future we should we should dedicate an attribute for enabling/
+ # disabling.
+ try:
+ if disabled:
+ print "Plugin already disabled"
+ retval = 2
+ else:
+ if org_filter[:2] == '(&' and org_filter[-1] == ')':
+ disable_attr = org_filter[:2] + disable_attr + org_filter[2:]
+ else:
+ disable_attr = '(&%s(%s))' % (disable_attr, org_filter)
+ conn.modify_s(
+ def_dn,
+ [(ldap.MOD_REPLACE,
+ 'originfilter',
+ disable_attr)]
+ )
+ print "Disabling Plugin"
+ except errors.NotFound:
+ print "Plugin is already disabled"
+ retval = 2
+ except errors.DatabaseError, dbe:
+ print "An error occurred while talking to the server."
+ print dbe
+ retval = 1
+ except errors.ExecutionError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+ retval = 1
+
+ else:
+ retval = 1
+
+ return retval
+
+try:
+ if __name__ == "__main__":
+ sys.exit(main())
+except RuntimeError, e:
+ print "%s" % e
+ sys.exit(1)
+except SystemExit, e:
+ sys.exit(e)
+except KeyboardInterrupt, e:
+ sys.exit(1)
+except config.IPAConfigError, e:
+ print "An IPA server to update cannot be found. Has one been configured yet?"
+ print "The error was: %s" % e
+ sys.exit(1)
+except errors.LDAPError, e:
+ print "An error occurred while performing operations: %s" % e
+ sys.exit(1)
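Review bot: The new `-p` option in parse_options() takes the Directory Manager password as a command-line argument, so it shows up in the process list for other local users and is kept in shell history; the removed ipa-host-net-manage read it from a file with `-y`. I would keep the file-based form, `parser.add_option("-y", dest="password", help="File containing the Directory Manager password")`, and read it in main() with `dirman_password = ipautil.template_file(options.password, []).strip()` before falling back to the prompt. Separately, `conn.do_simple_bind(bindpw=dirman_password)` runs inside the `except ldap.LOCAL_ERROR` handler, so the `except errors.ExecutionError` and `except errors.ACIError` clauses that follow cannot catch a failed bind, and a wrong password would presumably surface as a traceback. The `finally` block that disconnected in the old tool was also not carried over, so main() never closes the privileged connection on any path.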
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index d5b5976b0..91aa23ca1 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -18,7 +18,7 @@ man1_MANS = \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
ipa-nis-manage.1 \
- ipa-host-net-manage.1 \
+ ipa-managed-entries.1 \
ipa-compliance.1
man8_MANS = \
diff --git a/install/tools/man/ipa-host-net-manage.1 b/install/tools/man/ipa-managed-entries.1
index 8b8f0237d..24d8d56c9 100644
--- a/install/tools/man/ipa-host-net-manage.1
+++ b/install/tools/man/ipa-managed-entries.1
@@ -1,5 +1,5 @@
-.\" A man page for ipa-host-net-manage
-.\" Copyright (C) 2010 Red Hat, Inc.
+.\" A man page for ipa-managed-entries
+.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
@@ -16,29 +16,36 @@
.\"
.\" Author: Jr Aquino <jr.aquino@citrix.com>
.\"
-.TH "ipa-host-net-manage" "1" "Dec 2 2010" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual
+Pages"
.SH "NAME"
-ipa\-host\-net\-manage \- Enables or disables the schema Managed Entry Hostgroup -to- Netgroup plugin
+ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
.SH "SYNOPSIS"
-ipa\-host\-net\-manage [options] <enable|disable|status>
+ipa\-managed\-entries [options] <enable|disable|status>
.SH "DESCRIPTION"
-Run the command with the \fBenable\fR option to enable the Managed Entry Hostgroup -to- Netgroup plugin.
+Run the command with the \fBenable\fR option to enable the Managed Entry plugin.
-Run the command with the \fBdisable\fR option to disable the Managed Entry Hostgroup -to- Netgroup plugin.
+Run the command with the \fBdisable\fR option to disable the Managed Entry plugin.
-Run the command with the \fBstatus\fR to determine the current status of the Managed Entry Hostgroup -to- Netgroup plugin.
+Run the command with the \fBstatus\fR to determine the current status of the Managed Entry plugin.
In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
-Directory Server will need to be restarted after the schema compatibility plugin has been enabled.
+Directory Server will need to be restarted after the Managed Entry plugin has been enabled.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
-\fB\-y\fR \fIfile\fR
-File containing the Directory Manager password
+\fB\-e\fR, \fB\-\-entries\fR
+DN for the Managed Entry Definition
+.TP
+\fB\-l\fR, \fB-\-list\fR
+List available Managed Entries
+.TP
+\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
+The Directory Manager password to use for authentication
.SH "EXIT STATUS"
0 if the command was successful