author | Rob Crittenden <rcritten@redhat.com> | 2007-10-15 15:42:12 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2007-10-15 15:42:12 -0400 |
commit | ed8f506b0f96d6133899078530d3ff6a63b0c5b6 (patch) | |
tree | 884235d24f780eff0941a29b76ae905ba3fd48ee | |
parent | a4143789da67693e73d9ba78641f159fed30b4cc (diff) | |
First step in enabling SSL in the IPA web server
-rwxr-xr-x | ipa-server/freeipa-server.spec | 2 | ||||
-rw-r--r-- | ipa-server/freeipa-server.spec.in | 2 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 7 | ||||
-rw-r--r-- | ipa-server/ipaserver/httpinstance.py | 76 |
4 files changed, 84 insertions, 3 deletions
diff --git a/ipa-server/freeipa-server.spec b/ipa-server/freeipa-server.spec
index 0519c8191..eaca6ac17 100755
--- a/ipa-server/freeipa-server.spec
+++ b/ipa-server/freeipa-server.spec
@@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears mod_nss
 %define httpd_conf /etc/httpd/conf.d
 %define plugin_dir %{_libdir}/dirsrv/plugins
diff --git a/ipa-server/freeipa-server.spec.in b/ipa-server/freeipa-server.spec.in
index 914a7c051..1b7e219fc 100644
--- a/ipa-server/freeipa-server.spec.in
+++ b/ipa-server/freeipa-server.spec.in
@@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears mod_nss
 %define httpd_conf /etc/httpd/conf.d
 %define plugin_dir %{_libdir}/dirsrv/plugins
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index f970d5ef8..eb295e76c 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -43,6 +43,7 @@ from optparse import OptionParser import ipaserver.dsinstance import ipaserver.krbinstance import ipaserver.bindinstance +import ipaserver.httpinstance from ipa.ipautil import run def parse_options(): @@ -387,8 +388,8 @@ def main(): print "To accept the default shown in brackets, press the Enter key." print "" - check_ports() check_existing_installation() + check_ports() options = parse_options() logging_setup(options) @@ -508,6 +509,10 @@ def main(): krb = ipaserver.krbinstance.KrbInstance() krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password) + # Create a HTTP instance + http = ipaserver.httpinstance.HTTPInstance() + http.create_instance() + bind.setup(host_name, ip_address, realm_name) if options.setup_bind: skipbind = False diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py new file mode 100644 index 000000000..818682785 --- /dev/null +++ b/ipa-server/ipaserver/httpinstance.py 
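Review bot: The new `http.create_instance()` call gives the installer no way to learn that httpd failed to come back up, because the method in the new httpinstance module wraps its restart in a catch-all that only prints "Failed to restart httpd", so main() carries on to `bind.setup(...)` with ssl.conf already moved aside and no confirmed TLS listener on 443; have create_instance propagate the failure (or return a status) and abort the install here rather than continuing. The call is also made without checking that `/etc/httpd/conf.d/nss.conf` exists — `update_file` silently does nothing when the file is absent — so on a host where mod_nss is missing despite the new spec dependency the install would still report success; a pre-flight check next to `check_ports()`/`check_existing_installation()` would catch that early. main() starts and ends outside this hunk.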
@@ -0,0 +1,76 @@ +# Authors: Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging +import pwd +from ipa.ipautil import * +import fileinput +import sys + +HTTPD_DIR = "/etc/httpd" +SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" +NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf" + +def update_file(filename, orig, subst): + if os.path.exists(filename): + pattern = "%s" % re.escape(orig) + p = re.compile(pattern) + for line in fileinput.input(filename, inplace=1): + if not p.search(line): + sys.stdout.write(line) + else: + sys.stdout.write(p.sub(subst, line)) + fileinput.close() + +class HTTPInstance: + def __init__(self): + pass + + def create_instance(self): + self.__disable_mod_ssl() + self.__set_mod_nss_port() + try: + self.restart() + except: + # TODO: roll back here? 
+ print "Failed to restart httpd" + + def stop(self): + run(["/sbin/service", "httpd", "stop"]) + + def start(self): + run(["/sbin/service", "httpd", "start"]) + + def restart(self): + run(["/sbin/service", "httpd", "restart"]) + + def __disable_mod_ssl(self): + logging.debug("disabling mod_ssl in httpd") + if os.path.exists(SSL_CONF): + os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF) + logging.debug("done disabling mod_ssl") + + def __set_mod_nss_port(self): + logging.debug("Setting mod_nss port to 443") + update_file(NSS_CONF, '8443', '443') + logging.debug("done setting mod_nss port") |
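Review bot: The bare `except:` around `self.restart()` in `create_instance` swallows every error (including KeyboardInterrupt and SystemExit) and only prints "Failed to restart httpd", so the caller proceeds as if the web server were up even though ssl.conf has already been renamed and nss.conf rewritten; narrow it and let the failure propagate, e.g. `except Exception: logging.error("Failed to restart httpd"); raise` (assuming `run` raises on a non-zero exit status, which is not visible here). The module also relies on `os.path.exists`, `re.escape` and `re.compile` without importing `os` or `re` — they only arrive through `from ipa.ipautil import *` — so add `import os` and `import re` explicitly. `update_file(NSS_CONF, '8443', '443')` substitutes every occurrence of the digits 8443 on any line of nss.conf, not just the `Listen` and `VirtualHost` directives, and passes `subst` through as a regex replacement template; anchoring the pattern (e.g. `\b8443\b`) or matching the specific directives would keep the rewrite from touching unrelated text.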