More reorgnization.

4 files changed, 405 insertions, 0 deletions

diff --git a/ipa-server/ipaserver/__init__.py b/ipa-server/ipaserver/__init__.py
new file mode 100644
index 000000000..8e20eb1b8
--- /dev/null
+++ b/ipa-server/ipaserver/__init__.py
@@ -0,0 +1 @@
+__all__ = ["dsinstance", "krbinstance"]
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
new file mode 100644
index 000000000..b16aa7c51
--- /dev/null
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -0,0 +1,169 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+import pwd
+import os
+import stat
+from util import *
+
+
+SHARE_DIR = "/usr/share/ipa/"
+SERVER_ROOT_64 = "/usr/lib64/fedora-ds-base"
+SERVER_ROOT_32 = "/usr/lib/fedora-ds-base"
+
+
+def generate_serverid():
+    """Generate a UUID (universally unique identifier) suitable
+    for use as a unique identifier for a DS instance.
+    """
+    try:
+        import uuid
+        id = str(uuid.uuid1())
+    except ImportError:
+        import commands
+        id = commands.getoutput("/usr/bin/uuidgen")
+    return id
+
+def realm_to_suffix(realm_name):
+    s = realm_name.split(".")
+    terms = ["dc=" + x.lower() for x in s]
+    return ",".join(terms)
+
+def find_server_root():
+    try:
+        mode = os.stat(SERVER_ROOT_64)[ST_MODE]
+        if stat.IS_DIR(mode):
+            return SERVER_ROOT_64
+    except:
+        return SERVER_ROOT_32
+
+
+INF_TEMPLATE = """
+[General]
+FullMachineName=   $FQHN
+SuiteSpotUserID=   $USER
+ServerRoot=    $SERVER_ROOT
+[slapd]
+ServerPort=   389
+ServerIdentifier=   $SERVERID
+Suffix=   $SUFFIX
+RootDN=   cn=Directory Manager
+RootDNPwd= $PASSWORD
+"""
+
+class DsInstance:
+    def __init__(self):
+        self.serverid = None
+        self.realm_name = None
+        self.host_name = None
+        self.admin_password = None
+        self.sub_dict = None
+
+    def create_instance(self, ds_user, realm_name, host_name, admin_password):
+        self.ds_user = ds_user
+        self.serverid = generate_serverid()
+        self.realm_name = realm_name.upper()
+        self.host_name = host_name
+        self.admin_password = admin_password
+        self.__setup_sub_dict()
+
+        self.__create_ds_user()
+        self.__create_instance()
+        self.__add_default_schemas()
+        self.__enable_ssl()
+        self.restart()
+        self.__add_default_layout()
+
+    def config_dirname(self):
+        if not self.serverid:
+            raise RuntimeError("serverid not set")
+        return "/etc/fedora-ds/slapd-" + self.serverid + "/"
+
+    def schema_dirname(self):
+        return self.config_dirname() + "/schema/"
+
+    def stop(self):
+        run(["/sbin/service", "fedora-ds", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "fedora-ds", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "fedora-ds", "restart"])
+
+    def __setup_sub_dict(self):
+        suffix = realm_to_suffix(self.realm_name)
+        server_root = find_server_root()
+        self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
+                             PASSWORD=self.admin_password, SUFFIX=suffix,
+                             REALM=self.realm_name, USER=self.ds_user,
+                             SERVER_ROOT=server_root)
+
+    def __create_ds_user(self):
+	try:
+            pwd.getpwnam(self.ds_user)
+            logging.debug("ds user %s exists" % self.ds_user)
+	except KeyError:
+            logging.debug("adding ds user %s" % self.ds_user)
+            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/fedora-ds", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
+            run(args)
+            logging.debug("done adding user")
+
+    def __create_instance(self):
+        logging.debug("creating ds instance . . . ")
+        inf_txt = template_str(INF_TEMPLATE, self.sub_dict)
+        logging.debug(inf_txt)
+        inf_fd = write_tmp_file(inf_txt)
+        logging.debug("writing inf template")
+        args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
+        logging.debug("calling ds_newinst.pl")
+        run(args)
+        logging.debug("completed creating ds instance")
+        logging.debug("restarting ds instance")
+        self.restart()
+        logging.debug("done restarting ds instance")
+
+    def __add_default_schemas(self):
+        shutil.copyfile(SHARE_DIR + "60kerberos.ldif",
+                        self.schema_dirname() + "60kerberos.ldif")
+        shutil.copyfile(SHARE_DIR + "60samba.ldif",
+                        self.schema_dirname() + "60samba.ldif")
+
+    def __enable_ssl(self):
+        logging.debug("configuring ssl for ds instance")
+        dirname = self.config_dirname()
+        args = ["/usr/sbin/ipa-server-setupssl", self.admin_password,
+                dirname, self.host_name]
+        run(args)
+        logging.debug("done configuring ssl for ds instance")
+        
+    def __add_default_layout(self):
+        txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
+        inf_fd = write_tmp_file(txt)
+        logging.debug("adding default ds layout")
+        args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
+                "-w", self.admin_password, "-f", inf_fd.name]
+        run(args)
+        logging.debug("done adding default ds layout")
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
new file mode 100644
index 000000000..253c506f2
--- /dev/null
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -0,0 +1,177 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+from random import Random
+from time import gmtime
+import os
+import pwd
+import socket
+from util import *
+
+def host_to_domain(fqdn):
+    s = fqdn.split(".")
+    return ".".join(s[1:])
+
+def generate_kdc_password():
+    rndpwd = ''
+    r = Random()
+    r.seed(gmtime())
+    for x in range(12):
+#        rndpwd += chr(r.randint(32,126))
+        rndpwd += chr(r.randint(65,90)) #stricter set for testing
+    return rndpwd
+
+def ldap_mod(fd, dn, pwd):
+    args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
+    run(args)
+
+class KrbInstance:
+    def __init__(self):
+        self.ds_user = None
+        self.fqdn = None
+        self.realm = None
+	self.domain = None
+        self.host = None
+        self.admin_password = None
+        self.master_password = None
+        self.suffix = None
+        self.kdc_password = None
+        self.sub_dict = None
+
+    def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
+        self.ds_user = ds_user
+        self.fqdn = host_name
+        self.ip = socket.gethostbyname(host_name)
+        self.realm = realm_name.upper()
+        self.host = host_name.split(".")[0]
+        self.domain = host_to_domain(host_name)
+        self.admin_password = admin_password
+        self.master_password = master_password
+        
+	self.suffix = realm_to_suffix(self.realm)
+        self.kdc_password = generate_kdc_password()
+	self.__configure_kdc_account_password()
+
+        self.__setup_sub_dict()
+
+        self.__configure_ldap()
+
+        self.__create_instance()
+
+        self.__create_ds_keytab()
+
+        self.__create_sample_bind_zone()
+
+        self.start()
+
+    def stop(self):
+        run(["/sbin/service", "krb5kdc", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "krb5kdc", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "krb5kdc", "restart"])
+
+    def __configure_kdc_account_password(self):
+        hexpwd = ''
+	for x in self.kdc_password:
+            hexpwd += (hex(ord(x))[2:])
+        pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
+        pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+        pwd_fd.close()
+
+    def __setup_sub_dict(self):
+        self.sub_dict = dict(FQDN=self.fqdn,
+                             IP=self.ip,
+                             PASSWORD=self.kdc_password,
+                             SUFFIX=self.suffix,
+                             DOMAIN=self.domain,
+                             HOST=self.host,
+                             REALM=self.realm)
+
+    def __configure_ldap(self):
+
+	#TODO: test that the ldif is ok with any random charcter we may use in the password
+        kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
+        kerberos_fd = write_tmp_file(kerberos_txt)
+        ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+        kerberos_fd.close()
+
+	#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
+        aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
+        aci_fd = write_tmp_file(aci_txt) 
+        ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+        aci_fd.close()
+
+    def __create_instance(self):
+        kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
+        kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
+        kdc_fd.write(kdc_conf)
+        kdc_fd.close()
+
+        krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
+        krb5_fd = open("/etc/krb5.conf", "w+")
+        krb5_fd.write(krb5_conf)
+        krb5_fd.close()
+
+        #populate the directory with the realm structure
+        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+        run(args)
+
+    # TODO: NOT called yet, need to find out how to make sure the plugin is available first
+    def __add_pwd_extop_module(self):
+	#add the password extop module
+	extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
+	extop_fd = write_tmp_file(extop_txt)
+	ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+	extop_fd.close()
+
+	#add an ACL to let the DS user read the master key
+	args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+	run(args)
+
+    def __create_sample_bind_zone(self):
+        bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+        [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
+        os.write(bind_fd, bind_txt)
+        os.close(bind_fd)
+        print "Sample zone file for bind has been created in "+bind_name
+
+    def __create_ds_keytab(self):
+        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+        kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
+        kwrite.flush()
+        kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
+        kwrite.flush()
+        kwrite.close()
+        kread.close()
+        kerr.close()
+
+	cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
+        cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
+        cfg_fd.close()
+	pent = pwd.getpwnam(self.ds_user)
+        os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
diff --git a/ipa-server/ipaserver/util.py b/ipa-server/ipaserver/util.py
new file mode 100644
index 000000000..3dcfb760a
--- /dev/null
+++ b/ipa-server/ipaserver/util.py
@@ -0,0 +1,58 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+SHARE_DIR = "/usr/share/ipa/"
+
+import string
+import tempfile
+import logging
+import subprocess
+
+def realm_to_suffix(realm_name):
+    s = realm_name.split(".")
+    terms = ["dc=" + x.lower() for x in s]
+    return ",".join(terms)
+
+
+def template_str(txt, vars):
+    return string.Template(txt).substitute(vars)
+
+def template_file(infilename, vars):
+    txt = open(infilename).read()
+    return template_str(txt, vars)
+
+def write_tmp_file(txt):
+    fd = tempfile.NamedTemporaryFile()
+    fd.write(txt)
+    fd.flush()
+
+    return fd
+
+def run(args, stdin=None):
+    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if stdin:
+        stdout,stderr = p.communicate(stdin)
+    else:
+        stdout,stderr = p.communicate()
+    logging.info(stdout)
+    logging.info(stderr)
+
+    if p.returncode != 0:
+        raise subprocess.CalledProcessError(p.returncode, args[0])