authorSimo Sorce <ssorce@redhat.com>2007-11-16 20:16:11 -0500
committerSimo Sorce <ssorce@redhat.com>2007-11-16 20:16:11 -0500
commitae97fcf94d37154046e9a8116c927dd5a5d518c6 (patch)
treef9dcf68e672a8ddc5fccfcd29a5cdf3b2f9208ae /ipa-server/ipaserver
parent816b3e2ea54392ae826429be955fdaedf53f11b2 (diff)
- Store Master Key in Ldap (Makes it easier to set up replicas)
- Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install script too) - fix plugin configuration - Introduce 3 kinds of password change: normal, admin, and ds manager - normal requires adherence to policies - admin does not, but the password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r--ipa-server/ipaserver/krbinstance.py35
1 files changed, 31 insertions, 4 deletions
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index c4ebde50c..62c2cf10a 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -35,6 +35,10 @@ import time
import service
from ipa.ipautil import *
+from pyasn1.type import univ
+import pyasn1.codec.ber.encoder
+import struct
+import base64
def host_to_domain(fqdn):
s = fqdn.split(".")
@@ -215,12 +219,35 @@ class KrbInstance(service.Service):
logging.critical("Failed to load pwd-extop-conf.ldif: %s" % str(e))
extop_fd.close()
- #add an ACL to let the DS user read the master key
- args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+ #get the Master Key from the stash file
try:
- run(args)
+ stash = open("/var/kerberos/krb5kdc/.k5."+self.realm, "r")
+ keytype = struct.unpack('h', stash.read(2))[0]
+ keylen = struct.unpack('i', stash.read(4))[0]
+ keydata = stash.read(keylen)
+ except os.error:
+ logging.critical("Failed to retrieve Master Key from Stash file: %s")
+ #encode it in the asn.1 attribute
+ MasterKey = univ.Sequence()
+ MasterKey.setComponentByPosition(0, univ.Integer(keytype))
+ MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
+ krbMKey = univ.Sequence()
+ krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
+ krbMKey.setComponentByPosition(1, MasterKey)
+ asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
+
+ #put the attribute in the Directory
+ mod_txt = "dn: cn="+self.realm+",cn=kerberos,"+self.suffix+"\n"
+ mod_txt += "changetype: modify\n"
+ mod_txt += "add: krbMKey\n"
+ mod_txt += "krbMKey:: "+base64.encodestring(asn1key)+"\n"
+ mod_txt += "\n"
+ mod_fd = write_tmp_file(mod_txt)
+ try:
+ ldap_mod(mod_fd, "cn=Directory Manager", self.admin_password)
except subprocess.CalledProcessError, e:
- logging.critical("Failed to set the ACL on the master key: %s" % str(e))
+ logging.critical("Failed to load Master Key: %s" % str(e))
+ mod_fd.close()
def __create_ds_keytab(self):
self.step("creating a keytab for the directory")
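Review bot: The `except os.error:` branch around the stash read only logs and falls through, so a failed open or short read continues into `univ.Integer(keytype)` with `keytype`/`keydata` unbound, the message `"Failed to retrieve Master Key from Stash file: %s"` is never formatted so the literal `%s` is logged, on Python 2 `open()` raises `IOError` which `os.error` does not cover, and the `stash` handle is never closed. The handler should capture the exception, close the file in a `finally`, and re-raise so the LDAP modify is not attempted with a bogus key, as in the excerpt below; the stash should also be opened in binary mode. Separately, `write_tmp_file(mod_txt)` now places the cleartext KDC master key in a temporary LDIF file whose mode and removal are decided outside this hunk — worth confirming it is created 0600 and unlinked after `ldap_mod` returns. `base64.encodestring` also appends its own newline (and wraps at 76 characters), so the `+"\n"` on the `krbMKey::` line yields a blank line that ends the record; this only works because krbMKey is the last attribute, and `base64.b64encode(asn1key)` would be the safer call.
```python
    #get the Master Key from the stash file
    try:
        stash = open("/var/kerberos/krb5kdc/.k5."+self.realm, "rb")
        try:
            keytype = struct.unpack('h', stash.read(2))[0]
            keylen = struct.unpack('i', stash.read(4))[0]
            keydata = stash.read(keylen)
        finally:
            stash.close()
        if len(keydata) != keylen:
            raise IOError("short read on stash file")
    except (IOError, os.error, struct.error), e:
        logging.critical("Failed to retrieve Master Key from Stash file: %s" % str(e))
        raise
    # … unchanged: asn.1 encoding of krbMKey …
    mod_txt += "krbMKey:: "+base64.b64encode(asn1key)+"\n"
    # … unchanged: write_tmp_file / ldap_mod …
```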