author | Petr Spacek <pspacek@redhat.com> | 2014-10-19 17:04:40 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
commit | 276e69de874f269f6e9089aebb650a5e0814a626 (patch) | |
tree | 829b68e2044ba4fd102b8eedf304f9b036f4c583 /daemons/dnssec/ipa-dnskeysyncd | |
parent | 5556b7f50e2939d0c61d852f2b0dcd82ba2fcf9c (diff) | |
DNSSEC: add ipa dnssec daemons
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'daemons/dnssec/ipa-dnskeysyncd')
-rwxr-xr-x | daemons/dnssec/ipa-dnskeysyncd | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd
new file mode 100755
index 000000000..c7475bd65
--- /dev/null
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -0,0 +1,106 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+import sys
+import ldap
+import ldapurl
+import logging
+import os
+import signal
+import systemd.journal
+import time
+
+from ipalib import api
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger, standard_logging_setup
+from ipapython import ipaldap
+from ipapython import ipautil
+from ipaserver.plugins.ldap2 import ldap2
+from ipaplatform.paths import paths
+
+from ipapython.dnssec.keysyncer import KeySyncer
+
+DAEMONNAME = 'ipa-dnskeysyncd'
+PRINCIPAL = None # not initialized yet
+WORKDIR = '/tmp' # private temp
+KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB
+
+# Shutdown handler
+def commenceShutdown(signum, stack):
+ # Declare the needed global variables
+ global watcher_running, ldap_connection, log
+ log.info('Signal %s received: Shutting down!', signum)
+
+ # We are no longer running
+ watcher_running = False
+
+ # Tear down the server connection
+ if ldap_connection:
+ ldap_connection.close_db()
+ del ldap_connection
+
+ # Shutdown
+ sys.exit(0)
+
+
+os.umask(007)
+
+# Global state
+watcher_running = True
+ldap_connection = False
+
+# Signal handlers
+signal.signal(signal.SIGTERM, commenceShutdown)
+signal.signal(signal.SIGINT, commenceShutdown)
+
+# IPA framework initialization
+api.bootstrap()
+api.finalize()
+standard_logging_setup(verbose=True, debug=api.env.debug)
+log = root_logger
+#log.addHandler(systemd.journal.JournalHandler())
+
+# Kerberos initialization
+PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
+log.debug('Kerberos principal: %s', PRINCIPAL)
+ipautil.kinit_hostprincipal(KEYTAB_FB, WORKDIR, PRINCIPAL)
+
+# LDAP initialization
+basedn = DN(api.env.container_dns, api.env.basedn)
+ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri)
+ldap_url.dn = str(basedn)
+ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE
+ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
+log.debug('LDAP URL: %s', ldap_url.unparse())
+
+# Real work
+while watcher_running:
+ # Prepare the LDAP server connection (triggers the connection as well)
+ ldap_connection = KeySyncer(ldap_url.initializeUrl(), ipa_api=api)
+
+ # Now we login to the LDAP server
+ try:
+ log.info('LDAP bind...')
+ ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
+ except ldap.INVALID_CREDENTIALS, e:
+ log.exception('Login to LDAP server failed: %s', e)
+ sys.exit(1)
+ except ldap.SERVER_DOWN, e:
+ log.exception('LDAP server is down, going to retry: %s', e)
+ time.sleep(5)
+ continue
+
+ # Commence the syncing
+ log.info('Commencing sync process')
+ ldap_search = ldap_connection.syncrepl_search(
+ ldap_url.dn,
+ ldap_url.scope,
+ mode='refreshAndPersist',
+ attrlist=ldap_url.attrs,
+ filterstr=ldap_url.filterstr
+ )
+
+ while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
+ pass
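Review bot: The host-principal credential cache is placed under `WORKDIR = '/tmp'`, a world-writable shared directory, by the `ipautil.kinit_hostprincipal(KEYTAB_FB, WORKDIR, PRINCIPAL)` call; unless kinit_hostprincipal itself creates a private subdirectory there (not visible in this hunk), the ccache lives where any local user can pre-create or race the path, so a daemon-private directory created with mode 0700 (for example `WORKDIR = tempfile.mkdtemp(prefix=DAEMONNAME)`) is the safer choice, and the `# private temp` comment is misleading as written. The `os.umask(007)` a few lines later leaves every file the daemon creates group-readable and group-writable; if nothing else needs group access to its output, `os.umask(077)` is the tighter default. The reconnect loop at the end has no backoff on the poll path: when `syncrepl_poll` returns false the outer loop immediately builds a new KeySyncer without closing the previous `ldap_connection`, and an `ldap.SERVER_DOWN` raised from `syncrepl_poll` is not caught at all and terminates the daemon, so the try/except should cover the poll loop as well. `logging` and `ldap2` are imported but never used.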