diff options
author | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 18:33:31 -0400 |
---|---|---|
committer | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 18:33:31 -0400 |
commit | bac241ffc3e6835d691b357af5582a8b7a6aab06 (patch) | |
tree | 24a6efc26eeb6b4a2f10c3f4e67be72d57bed75e /ipa-server/ipaserver | |
parent | f7d005a854a0738b87be181007e3e53ee9985498 (diff) | |
download | freeipa-bac241ffc3e6835d691b357af5582a8b7a6aab06.tar.gz freeipa-bac241ffc3e6835d691b357af5582a8b7a6aab06.tar.xz freeipa-bac241ffc3e6835d691b357af5582a8b7a6aab06.zip |
More reorgnization.
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r-- | ipa-server/ipaserver/__init__.py | 1 | ||||
-rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 169 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 177 | ||||
-rw-r--r-- | ipa-server/ipaserver/util.py | 58 |
4 files changed, 405 insertions, 0 deletions
diff --git a/ipa-server/ipaserver/__init__.py b/ipa-server/ipaserver/__init__.py new file mode 100644 index 000000000..8e20eb1b8 --- /dev/null +++ b/ipa-server/ipaserver/__init__.py @@ -0,0 +1 @@ +__all__ = ["dsinstance", "krbinstance"] diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py new file mode 100644 index 000000000..b16aa7c51 --- /dev/null +++ b/ipa-server/ipaserver/dsinstance.py @@ -0,0 +1,169 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging +import pwd +import os +import stat +from util import * + + +SHARE_DIR = "/usr/share/ipa/" +SERVER_ROOT_64 = "/usr/lib64/fedora-ds-base" +SERVER_ROOT_32 = "/usr/lib/fedora-ds-base" + + +def generate_serverid(): + """Generate a UUID (universally unique identifier) suitable + for use as a unique identifier for a DS instance. + """ + try: + import uuid + id = str(uuid.uuid1()) + except ImportError: + import commands + id = commands.getoutput("/usr/bin/uuidgen") + return id + +def realm_to_suffix(realm_name): + s = realm_name.split(".") + terms = ["dc=" + x.lower() for x in s] + return ",".join(terms) + +def find_server_root(): + try: + mode = os.stat(SERVER_ROOT_64)[ST_MODE] + if stat.IS_DIR(mode): + return SERVER_ROOT_64 + except: + return SERVER_ROOT_32 + + +INF_TEMPLATE = """ +[General] +FullMachineName= $FQHN +SuiteSpotUserID= $USER +ServerRoot= $SERVER_ROOT +[slapd] +ServerPort= 389 +ServerIdentifier= $SERVERID +Suffix= $SUFFIX +RootDN= cn=Directory Manager +RootDNPwd= $PASSWORD +""" + +class DsInstance: + def __init__(self): + self.serverid = None + self.realm_name = None + self.host_name = None + self.admin_password = None + self.sub_dict = None + + def create_instance(self, ds_user, realm_name, host_name, admin_password): + self.ds_user = ds_user + self.serverid = generate_serverid() + self.realm_name = realm_name.upper() + self.host_name = host_name + self.admin_password = admin_password + self.__setup_sub_dict() + + self.__create_ds_user() + self.__create_instance() + self.__add_default_schemas() + self.__enable_ssl() + self.restart() + self.__add_default_layout() + + def config_dirname(self): + if not self.serverid: + raise RuntimeError("serverid not set") + return "/etc/fedora-ds/slapd-" + self.serverid + "/" + + def schema_dirname(self): + return self.config_dirname() + "/schema/" + + def stop(self): + run(["/sbin/service", "fedora-ds", "stop"]) + + def start(self): + run(["/sbin/service", "fedora-ds", "start"]) + + def restart(self): + run(["/sbin/service", "fedora-ds", "restart"]) + + def __setup_sub_dict(self): + suffix = realm_to_suffix(self.realm_name) + server_root = find_server_root() + self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, + PASSWORD=self.admin_password, SUFFIX=suffix, + REALM=self.realm_name, USER=self.ds_user, + SERVER_ROOT=server_root) + + def __create_ds_user(self): + try: + pwd.getpwnam(self.ds_user) + logging.debug("ds user %s exists" % self.ds_user) + except KeyError: + logging.debug("adding ds user %s" % self.ds_user) + args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/fedora-ds", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] + run(args) + logging.debug("done adding user") + + def __create_instance(self): + logging.debug("creating ds instance . . . ") + inf_txt = template_str(INF_TEMPLATE, self.sub_dict) + logging.debug(inf_txt) + inf_fd = write_tmp_file(inf_txt) + logging.debug("writing inf template") + args = ["/usr/bin/ds_newinst.pl", inf_fd.name] + logging.debug("calling ds_newinst.pl") + run(args) + logging.debug("completed creating ds instance") + logging.debug("restarting ds instance") + self.restart() + logging.debug("done restarting ds instance") + + def __add_default_schemas(self): + shutil.copyfile(SHARE_DIR + "60kerberos.ldif", + self.schema_dirname() + "60kerberos.ldif") + shutil.copyfile(SHARE_DIR + "60samba.ldif", + self.schema_dirname() + "60samba.ldif") + + def __enable_ssl(self): + logging.debug("configuring ssl for ds instance") + dirname = self.config_dirname() + args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + dirname, self.host_name] + run(args) + logging.debug("done configuring ssl for ds instance") + + def __add_default_layout(self): + txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) + inf_fd = write_tmp_file(txt) + logging.debug("adding default ds layout") + args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", + "-w", self.admin_password, "-f", inf_fd.name] + run(args) + logging.debug("done adding default ds layout") diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py new file mode 100644 index 000000000..253c506f2 --- /dev/null +++ b/ipa-server/ipaserver/krbinstance.py @@ -0,0 +1,177 @@ +#! /usr/bin/python -E +# Authors: Simo Sorce <ssorce@redhat.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging +from random import Random +from time import gmtime +import os +import pwd +import socket +from util import * + +def host_to_domain(fqdn): + s = fqdn.split(".") + return ".".join(s[1:]) + +def generate_kdc_password(): + rndpwd = '' + r = Random() + r.seed(gmtime()) + for x in range(12): +# rndpwd += chr(r.randint(32,126)) + rndpwd += chr(r.randint(65,90)) #stricter set for testing + return rndpwd + +def ldap_mod(fd, dn, pwd): + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] + run(args) + +class KrbInstance: + def __init__(self): + self.ds_user = None + self.fqdn = None + self.realm = None + self.domain = None + self.host = None + self.admin_password = None + self.master_password = None + self.suffix = None + self.kdc_password = None + self.sub_dict = None + + def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): + self.ds_user = ds_user + self.fqdn = host_name + self.ip = socket.gethostbyname(host_name) + self.realm = realm_name.upper() + self.host = host_name.split(".")[0] + self.domain = host_to_domain(host_name) + self.admin_password = admin_password + self.master_password = master_password + + self.suffix = realm_to_suffix(self.realm) + self.kdc_password = generate_kdc_password() + self.__configure_kdc_account_password() + + self.__setup_sub_dict() + + self.__configure_ldap() + + self.__create_instance() + + self.__create_ds_keytab() + + self.__create_sample_bind_zone() + + self.start() + + def stop(self): + run(["/sbin/service", "krb5kdc", "stop"]) + + def start(self): + run(["/sbin/service", "krb5kdc", "start"]) + + def restart(self): + run(["/sbin/service", "krb5kdc", "restart"]) + + def __configure_kdc_account_password(self): + hexpwd = '' + for x in self.kdc_password: + hexpwd += (hex(ord(x))[2:]) + pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") + pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.close() + + def __setup_sub_dict(self): + self.sub_dict = dict(FQDN=self.fqdn, + IP=self.ip, + PASSWORD=self.kdc_password, + SUFFIX=self.suffix, + DOMAIN=self.domain, + HOST=self.host, + REALM=self.realm) + + def __configure_ldap(self): + + #TODO: test that the ldif is ok with any random charcter we may use in the password + kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) + kerberos_fd = write_tmp_file(kerberos_txt) + ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) + kerberos_fd.close() + + #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes + aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict) + aci_fd = write_tmp_file(aci_txt) + ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) + aci_fd.close() + + def __create_instance(self): + kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict) + kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") + kdc_fd.write(kdc_conf) + kdc_fd.close() + + krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict) + krb5_fd = open("/etc/krb5.conf", "w+") + krb5_fd.write(krb5_conf) + krb5_fd.close() + + #populate the directory with the realm structure + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + run(args) + + # TODO: NOT called yet, need to find out how to make sure the plugin is available first + def __add_pwd_extop_module(self): + #add the password extop module + extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict) + extop_fd = write_tmp_file(extop_txt) + ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) + extop_fd.close() + + #add an ACL to let the DS user read the master key + args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] + run(args) + + def __create_sample_bind_zone(self): + bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) + [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") + os.write(bind_fd, bind_txt) + os.close(bind_fd) + print "Sample zone file for bind has been created in "+bind_name + + def __create_ds_keytab(self): + (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") + kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") + kwrite.flush() + kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n") + kwrite.flush() + kwrite.close() + kread.close() + kerr.close() + + cfg_fd = open("/etc/sysconfig/fedora-ds", "a") + cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n") + cfg_fd.close() + pent = pwd.getpwnam(self.ds_user) + os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid) diff --git a/ipa-server/ipaserver/util.py b/ipa-server/ipaserver/util.py new file mode 100644 index 000000000..3dcfb760a --- /dev/null +++ b/ipa-server/ipaserver/util.py @@ -0,0 +1,58 @@ +#! /usr/bin/python -E +# Authors: Simo Sorce <ssorce@redhat.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +SHARE_DIR = "/usr/share/ipa/" + +import string +import tempfile +import logging +import subprocess + +def realm_to_suffix(realm_name): + s = realm_name.split(".") + terms = ["dc=" + x.lower() for x in s] + return ",".join(terms) + + +def template_str(txt, vars): + return string.Template(txt).substitute(vars) + +def template_file(infilename, vars): + txt = open(infilename).read() + return template_str(txt, vars) + +def write_tmp_file(txt): + fd = tempfile.NamedTemporaryFile() + fd.write(txt) + fd.flush() + + return fd + +def run(args, stdin=None): + p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + if stdin: + stdout,stderr = p.communicate(stdin) + else: + stdout,stderr = p.communicate() + logging.info(stdout) + logging.info(stderr) + + if p.returncode != 0: + raise subprocess.CalledProcessError(p.returncode, args[0]) |