author | Simo Sorce <ssorce@redhat.com> | 2007-11-16 20:16:11 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2007-11-16 20:16:11 -0500 |
commit | ae97fcf94d37154046e9a8116c927dd5a5d518c6 (patch) | |
tree | f9dcf68e672a8ddc5fccfcd29a5cdf3b2f9208ae /ipa-server/ipaserver | |
parent | 816b3e2ea54392ae826429be955fdaedf53f11b2 (diff) | |
- Store Master Key in Ldap (Makes it easier to set up replicas)
- Does not require dirsrv access to stash file
- Finalize password history support
- Fix strict password length default in pwd_extop (fix install script too)
- fix plugin configuration
- Introduce 3 kind of password change: normal, admin, and ds manager
- normal require adherence to policies
- admin does not but password is immediately expired
- ds manager can just change the password any way he likes.
Initial code to read the Kerberos Master Key from the Directory
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index c4ebde50c..62c2cf10a 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -35,6 +35,10 @@ import time
 import service
 from ipa.ipautil import *
+from pyasn1.type import univ
+import pyasn1.codec.ber.encoder
+import struct
+import base64
 def host_to_domain(fqdn):
     s = fqdn.split(".")
@@ -215,12 +219,35 @@ class KrbInstance(service.Service):
             logging.critical("Failed to load pwd-extop-conf.ldif: %s" % str(e))
         extop_fd.close()
-        #add an ACL to let the DS user read the master key
-        args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+        #get the Master Key from the stash file
         try:
-            run(args)
+            stash = open("/var/kerberos/krb5kdc/.k5."+self.realm, "r")
+            keytype = struct.unpack('h', stash.read(2))[0]
+            keylen = struct.unpack('i', stash.read(4))[0]
+            keydata = stash.read(keylen)
+        except os.error:
+            logging.critical("Failed to retrieve Master Key from Stash file: %s")
+        #encode it in the asn.1 attribute
+        MasterKey = univ.Sequence()
+        MasterKey.setComponentByPosition(0, univ.Integer(keytype))
+        MasterKey.setComponentByPosition(1, univ.OctetString(keydata))
+        krbMKey = univ.Sequence()
+        krbMKey.setComponentByPosition(0, univ.Integer(0)) #we have no kvno
+        krbMKey.setComponentByPosition(1, MasterKey)
+        asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
+
+        #put the attribute in the Directory
+        mod_txt = "dn: cn="+self.realm+",cn=kerberos,"+self.suffix+"\n"
+        mod_txt += "changetype: modify\n"
+        mod_txt += "add: krbMKey\n"
+        mod_txt += "krbMKey:: "+base64.encodestring(asn1key)+"\n"
+        mod_txt += "\n"
+        mod_fd = write_tmp_file(mod_txt)
+        try:
+            ldap_mod(mod_fd, "cn=Directory Manager", self.admin_password)
         except subprocess.CalledProcessError, e:
-            logging.critical("Failed to set the ACL on the master key: %s" % str(e))
+            logging.critical("Failed to load Master Key: %s" % str(e))
+        mod_fd.close()
     def __create_ds_keytab(self):
         self.step("creating a keytab for the directory")
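Review bot: The `except os.error:` branch after the stash read falls through with `keytype` and `keydata` unbound, so a missing or unreadable stash file ends in a NameError at `univ.Integer(keytype)` rather than the logged message, and that message has a `%s` with no argument; on the Python of this era `open()` raises IOError, which `os.error` does not catch, and a truncated file raises struct.error, also uncaught. The handler should receive the exception, log it and leave the method, the stash handle should be closed, and a `len(keydata) != keylen` check would catch a short read. The temporary LDIF from `write_tmp_file` carries the base64-encoded master key, so its mode and removal matter — not visible here, but `mod_fd` is only closed on the normal and CalledProcessError paths, so a `finally` would be safer. The enclosing method starts outside the hunk.
```python
        #get the Master Key from the stash file
        try:
            stash = open("/var/kerberos/krb5kdc/.k5."+self.realm, "r")
            try:
                keytype = struct.unpack('h', stash.read(2))[0]
                keylen = struct.unpack('i', stash.read(4))[0]
                keydata = stash.read(keylen)
            finally:
                stash.close()
            if len(keydata) != keylen:
                raise IOError("short read from stash file")
        except (os.error, IOError, struct.error), e:
            logging.critical("Failed to retrieve Master Key from Stash file: %s" % str(e))
            return
        # … unchanged: ASN.1 encoding of the key and the ldap_mod call …
```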