authorJr Aquino <jr.aquino@citrix.com>2010-12-10 15:21:39 -0800
committerRob Crittenden <rcritten@redhat.com>2010-12-13 17:56:12 -0500
commit13139f2fd638d23739d294cb2f5b3b94569c2316 (patch)
treee69d9059f9af812d6545e25edb43f48fe6ba0916
parent2884bce2768a7c2f153f1e556de3862e4ec36b81 (diff)
managed entry hostgroup netgroup support https://fedorahosted.org/freeipa/ticket/543
-rw-r--r--install/po/Makefile.in1
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/host_nis_groups.ldif19
-rw-r--r--install/tools/Makefile.am1
-rwxr-xr-xinstall/tools/ipa-host-net-manage219
-rw-r--r--install/tools/man/Makefile.am3
-rw-r--r--install/tools/man/ipa-host-net-manage.147
-rw-r--r--ipa.13
-rw-r--r--ipa.spec.in9
-rw-r--r--ipaserver/install/dsinstance.py6
10 files changed, 305 insertions, 4 deletions
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index 11d84a73c..e2273537f 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -45,6 +45,7 @@ PY_EXPLICIT_FILES = \
install/tools/ipa-upgradeconfig \
install/tools/ipa-replica-prepare \
install/tools/ipa-compat-manage \
+ install/tools/ipa-host-net-manage \
install/tools/ipa-server-install \
install/tools/ipa-ldap-updater \
ipa-client/ipa-install/ipa-client-install
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index c7e1c5c5a..f9cc980d8 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -43,6 +43,7 @@ app_DATA = \
ldapi.ldif \
wsgi.py \
user_private_groups.ldif \
+ host_nis_groups.ldif \
uuid-ipauniqueid.ldif \
modrdn-krbprinc.ldif \
entryusn.ldif \
diff --git a/install/share/host_nis_groups.ldif b/install/share/host_nis_groups.ldif
new file mode 100644
index 000000000..cb2aca1a6
--- /dev/null
+++ b/install/share/host_nis_groups.ldif
@@ -0,0 +1,19 @@
+dn: cn=NGP HGP Template,$SUFFIX
+changetype: add
+objectclass: mepTemplateEntry
+cn: NGP HGP Template
+mepRDNAttr: cn
+mepStaticAttr: ipaUniqueId: autogenerate
+mepStaticAttr: objectclass: ipanisnetgroup
+mepMappedAttr: cn: $$cn
+mepMappedAttr: memberHost: $$dn
+mepMappedAttr: description: ipaNetgroup $$cn
+
+dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
+changetype: add
+objectclass: extensibleObject
+cn: HGP Definition
+originScope: cn=hostgroups,cn=accounts,$SUFFIX
+originFilter: objectclass=ipahostgroup
+managedBase: cn=ng,cn=alt,$SUFFIX
+managedTemplate: cn=NGP HGP Template,$SUFFIX
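Review bot: The definition entry's RDN and its cn attribute disagree: the second record's dn is `cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config` while its attribute line reads `cn: HGP Definition`. Directory Server is likely to reject an add whose naming attribute value is absent from the entry, and ipa-host-net-manage in this same commit looks the entry up by the `NGP Definition` DN, so the two must agree; change the attribute line to `cn: NGP Definition`. It is also worth a short header comment in this file stating that, once this definition is active, every entry matching `objectclass=ipahostgroup` under `cn=hostgroups,cn=accounts` automatically gets a netgroup created under `cn=ng,cn=alt` with `memberHost` set to the hostgroup's DN, since that side effect is not obvious from the plugin configuration alone.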
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 931989638..70e65ee73 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -14,6 +14,7 @@ sbin_SCRIPTS = \
ipactl \
ipa-compat-manage \
ipa-nis-manage \
+ ipa-host-net-manage \
ipa-ldap-updater \
ipa-upgradeconfig \
$(NULL)
diff --git a/install/tools/ipa-host-net-manage b/install/tools/ipa-host-net-manage
new file mode 100755
index 000000000..3cb142421
--- /dev/null
+++ b/install/tools/ipa-host-net-manage
@@ -0,0 +1,219 @@
+#!/usr/bin/env python
+# Authors: Jr Aquino <jr.aquino@citrix.com>
+# Authors: Rob Crittenden <rcritten@redhat.com>
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+try:
+ from optparse import OptionParser
+ from ipapython import ipautil, config
+ from ipaserver.install import installutils
+ from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
+ from ipaserver.plugins.ldap2 import ldap2
+ from ipalib import api, errors
+ import logging
+ import StringIO
+ import ldif
+except ImportError:
+ print >> sys.stderr, """\
+There was a problem importing one of the required Python modules. The
+error was:
+
+ %s
+""" % sys.exc_value
+ sys.exit(1)
+
+def parse_options():
+ usage = "%prog [options] <enable|disable>\n"
+ usage += "%prog [options]\n"
+ parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
+
+ parser.add_option("-d", "--debug", action="store_true", dest="debug",
+ help="Display debugging information about the update(s)")
+ parser.add_option("-y", dest="password",
+ help="File containing the Directory Manager password")
+
+ config.add_standard_options(parser)
+ options, args = parser.parse_args()
+
+ config.init_config(options)
+
+ return options, args
+
+def get_dirman_password():
+ """Prompt the user for the Directory Manager password and verify its
+ correctness.
+ """
+ password = installutils.read_password("Directory Manager", confirm=False,
+ validate=False)
+
+ return password
+
+def main():
+ retval = 0
+ loglevel = logging.ERROR
+ files = ['/usr/share/ipa/host_nis_groups.ldif']
+ def_dn = 'cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config'
+
+ options, args = parse_options()
+ if options.debug:
+ loglevel = logging.DEBUG
+
+ if len(args) != 1:
+ sys.exit("You must specify one action, either enable or disable")
+ elif args[0] != "enable" and args[0] != "disable" and args[0] != "status":
+ sys.exit("Unrecognized action [" + args[0] + "]")
+
+ logging.basicConfig(level=loglevel,
+ format='%(levelname)s %(message)s')
+
+ dirman_password = ""
+ if options.password:
+ pw = ipautil.template_file(options.password, [])
+ dirman_password = pw.strip()
+ else:
+ dirman_password = get_dirman_password()
+
+ api.bootstrap(context='cli', debug=options.debug)
+ api.finalize()
+
+ conn = None
+ try:
+ ldapuri = 'ldap://%s' % installutils.get_fqdn()
+ try:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn.connect(
+ bind_dn='cn=directory manager', bind_pw=dirman_password
+ )
+ except errors.LDAPError, lde:
+ sys.exit("An error occurred while connecting to the server.\n%s\n" %
+ str(lde))
+
+ if args[0] == "status":
+ try:
+ dn, current_attr = conn.get_entry(def_dn, ['originfilter'],
+ normalize=False)
+ if current_attr['originfilter'] == [u'objectclass=ipahostgroup']:
+ print "Plugin Enabled"
+ else:
+ print "Plugin Disabled"
+ except errors.NotFound:
+ print "Plugin Disabled"
+ except errors.LDAPError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+ return 0
+
+ if args[0] == "enable":
+ try:
+ enable_attr = {'originfilter': 'objectclass=ipahostgroup'}
+ dn, current_attr = conn.get_entry(def_dn, ['originfilter'],
+ normalize=False)
+ if current_attr['originfilter'] == [u'objectclass=ipahostgroup']:
+ print "Plugin already Enabled"
+ else:
+ conn.update_entry(dn, enable_attr)
+ print "Enabling Plugin"
+ retval = 2
+ except errors.NotFound:
+ print "Enabling Plugin"
+ except errors.LDAPError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+ retval = 1
+
+ if retval == 0:
+ ldap_data = StringIO.StringIO()
+ ldapfile = open(files[0], 'r').readlines()
+ for line in ldapfile:
+ if line == 'changetype: add\n':
+ pass
+ else:
+ line = line.replace(
+ '$SUFFIX', api.env.basedn).replace('$$', '$')
+ ldap_data.write(line,)
+ parsing_data = ldif.LDIFRecordList(ldap_data)
+ print "Enabling Plugin"
+ print "This setting will not take effect until you restart \
+ Directory Server."
+ for dn, entry_attr in parsing_data.all_records:
+ try:
+ conn.update_entry(dn, entry_attr)
+ retval = 1
+ except errors.LDAPError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+ retval = 1
+
+ elif args[0] == "disable":
+ # Make a quick hack for now, directly delete the entries by name,
+ # In future we should consider an alternative means for enabling/
+ # disabling.
+ try:
+ disable_attr = {'originfilter': 'objectclass=disabled'}
+ dn, current_attr = conn.get_entry(def_dn, ['originfilter'],
+ normalize=False)
+ if current_attr['originfilter'] == [u'objectclass=disabled']:
+ print "Plugin already disabled"
+ else:
+ conn.update_entry(dn, disable_attr)
+ print "Disabling Plugin"
+ except errors.NotFound:
+ print "Plugin is already disabled"
+ retval = 2
+ except errors.DatabaseError, dbe:
+ print "An error occurred while talking to the server."
+ print dbe
+ retval = 1
+ except errors.LDAPError, lde:
+ print "An error occurred while talking to the server."
+ print lde
+ retval = 1
+
+ else:
+ retval = 1
+
+ finally:
+ if conn:
+ conn.disconnect()
+
+ return retval
+
+try:
+ if __name__ == "__main__":
+ sys.exit(main())
+except BadSyntax, e:
+ print "There is a syntax error in this update file:"
+ print " %s" % e
+ sys.exit(1)
+except RuntimeError, e:
+ print "%s" % e
+ sys.exit(1)
+except SystemExit, e:
+ sys.exit(e)
+except KeyboardInterrupt, e:
+ sys.exit(1)
+except config.IPAConfigError, e:
+ print "An IPA server to update cannot be found. Has one been configured yet?"
+ print "The error was: %s" % e
+ sys.exit(1)
+except errors.LDAPError, e:
+ print "An error occurred while performing operations: %s" % e
+ sys.exit(1)
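Review bot: The success path of the enable branch reports failure: after `conn.update_entry(dn, entry_attr)` succeeds in the `for dn, entry_attr in parsing_data.all_records` loop the code sets `retval = 1`, the same value the adjacent except branch uses, so a first-time enable exits 1 even though the man page in this commit defines 1 as an error; remove that assignment so retval stays 0 on success and is set to 1 only in the except. Two smaller points in the same function: the Directory Manager simple bind goes to `ldap://<fqdn>` with `bind_pw=dirman_password`, which sends the DM password in the clear unless ldap2.connect negotiates TLS on its own (not visible here), so an `ldapi://` socket or `ldaps://` URI would keep that credential off the wire; and `open(files[0], 'r').readlines()` never closes the file, so read it inside `with open(files[0]) as ldapfile:`. Finally, `status` is accepted by the `args[0] != "status"` check but neither the usage string nor the "either enable or disable" error message mentions it.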
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index bcbea81ac..eae5c6067 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -12,7 +12,8 @@ man1_MANS = \
ipa-server-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
- ipa-nis-manage.1
+ ipa-nis-manage.1 \
+ ipa-host-net-manage.1
man8_MANS = \
ipactl.8 \
diff --git a/install/tools/man/ipa-host-net-manage.1 b/install/tools/man/ipa-host-net-manage.1
new file mode 100644
index 000000000..1b332e6f2
--- /dev/null
+++ b/install/tools/man/ipa-host-net-manage.1
@@ -0,0 +1,47 @@
+.\" A man page for ipa-host-net-manage
+.\" Copyright (C) 2010 Red Hat, Inc.
+.\"
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; version 2 only
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Author: Jr Aquino <jr.aquino@citrix.com>
+.\"
+.TH "ipa-host-net-manage" "1" "Dec 2 2010" "freeipa" ""
+.SH "NAME"
+ipa\-host\-net\-manage \- Enables or disables the schema Managed Entry Hostgroup -to- Netgroup plugin
+.SH "SYNOPSIS"
+ipa\-host\-net\-manage [options] <enable|disable|status>
+.SH "DESCRIPTION"
+Run the command with the \fBenable\fR option to enable the Managed Entry Hostgroup -to- Netgroup plugin.
+
+Run the command with the \fBdisable\fR option to disable the Managed Entry Hostgroup -to- Netgroup plugin.
+
+Run the command with the \fBstatus\fR to determine the current status of the Managed Entry Hostgroup -to- Netgroup plugin.
+
+In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+
+Directory Server will need to be restarted after the schema compatibility plugin has been enabled.
+
+.SH "OPTIONS"
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
+.TP
+\fB\-y\fR \fIfile\fR
+File containing the Directory Manager password
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+2 if the plugin is already in the required status (enabled or disabled)
diff --git a/ipa.1 b/ipa.1
index 9994aee29..a1c9ba933 100644
--- a/ipa.1
+++ b/ipa.1
@@ -175,5 +175,6 @@ IPA default configuration file.
ipa-client-install(1), ipa-compat-manage(1), ipactl(1), ipa-dns-install(1),
ipa-getcert(1), ipa-getkeytab(1), ipa-join(1), ipa_kpasswd(1), ipa-ldap-updater(1),
ipa-nis-manage(1), ipa-replica-install(1), ipa-replica-manage(1), ipa-replica-prepare(1),
-ipa-rmkeytab(1), ipa-server-certinstall(1), ipa-server-install(1), ipa-upgradeconfig(1)
+ipa-rmkeytab(1), ipa-server-certinstall(2), ipa-server-install(1), ipa-upgradeconfig(1),
+ipa-host-net-manage(1)
diff --git a/ipa.spec.in b/ipa.spec.in
index f808e4158..95f6e109d 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -23,7 +23,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.2.7
+BuildRequires: 389-ds-base-devel >= 1.2.7.4
BuildRequires: mozldap-devel
BuildRequires: svrcore-devel
BuildRequires: nspr-devel
@@ -64,7 +64,7 @@ Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
Requires(post): %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.2.7
+Requires: 389-ds-base >= 1.2.7.4
Requires: openldap-clients
Requires: nss
Requires: nss-tools
@@ -435,6 +435,7 @@ fi
%{_mandir}/man8/ipactl.8.gz
%{_mandir}/man1/ipa-compat-manage.1.gz
%{_mandir}/man1/ipa-nis-manage.1.gz
+%{_mandir}/man1/ipa-host-net-manage.1.gz
%{_mandir}/man1/ipa-ldap-updater.1.gz
%files server-selinux
@@ -470,6 +471,7 @@ fi
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
+%{_sbindir}/ipa-host-net-manage
%{_sysconfdir}/bash_completion.d
%{_mandir}/man1/ipa.1.gz
%endif
@@ -508,6 +510,9 @@ fi
%endif
%changelog
+* Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
+- Add ipa-host-net-manage script
+
* Tue Dec 7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
- Add ipa init script
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 735c885aa..751be78f6 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -209,6 +209,7 @@ class DsInstance(service.Service):
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("restarting directory server", self.__restart_instance)
self.step("configuring user private groups", self.__user_private_groups)
+ self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
def __common_post_setup(self):
self.step("initializing group membership", self.init_memberof)
@@ -464,6 +465,11 @@ class DsInstance(service.Service):
raise errors.NotFound(reason='Missing Managed Entries Plugin')
self._ldap_mod("user_private_groups.ldif", self.sub_dict)
+ def __host_nis_groups(self):
+ if not has_managed_entries(self.fqdn, self.dm_password):
+ raise errors.NotFound(reason='Missing Managed Entries Plugin')
+ self._ldap_mod("host_nis_groups.ldif", self.sub_dict)
+
def __add_enrollment_module(self):
self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
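Review bot: `__host_nis_groups` is a line-for-line copy of `__user_private_groups` with only the ldif filename changed, so `has_managed_entries(self.fqdn, self.dm_password)` — which presumably binds to the server to probe for the plugin — now runs twice in a row during install. A small private helper taking the ldif name, performing the has_managed_entries check, raising the same `errors.NotFound(reason='Missing Managed Entries Plugin')` and calling `self._ldap_mod(ldif, self.sub_dict)`, would let both steps share one implementation and one probe. Since the new step is registered unconditionally, an install against a directory server lacking the plugin now fails here as well as at the private-groups step; that appears deliberate given the 389-ds-base >= 1.2.7.4 requirement in this commit, but a one-line comment on the method saying so would save the next reader the inference.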