authorSimo Sorce <ssorce@redhat.com>2007-08-31 18:40:01 -0400
committerSimo Sorce <ssorce@redhat.com>2007-08-31 18:40:01 -0400
commitabeda55e34ff19d34bf48f7e8c7f1df42b86136f (patch)
tree06973ab3214f7b2c715657d88a786dbef0609a16 /ipa-server/ipaserver
parent7a0629ea55940169007d6a1c5c9e6e66c406f724 (diff)
Add password request for admin user
Set the password for the admin user using the Directory Manager account and the mozldap ldappasswd binary to get an SSL connection. Fix some timeout problems with deploying keytabs. Fix ipa_pwd_extop to actually correctly detect an SSL connection. Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash; create it silently.
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r--ipa-server/ipaserver/dsinstance.py27
-rw-r--r--ipa-server/ipaserver/krbinstance.py29
2 files changed, 46 insertions, 10 deletions
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 2c7e0c7db..841bc31f2 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -72,16 +72,18 @@ class DsInstance:
def __init__(self):
self.serverid = None
self.realm_name = None
+ self.suffix = None
self.host_name = None
- self.admin_password = None
+ self.dm_password = None
self.sub_dict = None
- def create_instance(self, ds_user, realm_name, host_name, admin_password):
+ def create_instance(self, ds_user, realm_name, host_name, dm_password):
self.ds_user = ds_user
self.serverid = generate_serverid()
self.realm_name = realm_name.upper()
+ self.suffix = realm_to_suffix(self.realm_name)
self.host_name = host_name
- self.admin_password = admin_password
+ self.dm_password = dm_password
self.__setup_sub_dict()
self.__create_ds_user()
@@ -111,10 +113,9 @@ class DsInstance:
run(["/sbin/service", "dirsrv", "restart"])
def __setup_sub_dict(self):
- suffix = realm_to_suffix(self.realm_name)
server_root = find_server_root()
self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
- PASSWORD=self.admin_password, SUFFIX=suffix,
+ PASSWORD=self.dm_password, SUFFIX=self.suffix,
REALM=self.realm_name, USER=self.ds_user,
SERVER_ROOT=server_root)
@@ -155,7 +156,7 @@ class DsInstance:
def __enable_ssl(self):
logging.debug("configuring ssl for ds instance")
dirname = self.config_dirname()
- args = ["/usr/sbin/ipa-server-setupssl", self.admin_password,
+ args = ["/usr/sbin/ipa-server-setupssl", self.dm_password,
dirname, self.host_name]
run(args)
logging.debug("done configuring ssl for ds instance")
@@ -165,7 +166,7 @@ class DsInstance:
inf_fd = write_tmp_file(txt)
logging.debug("adding default ds layout")
args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
- "-w", self.admin_password, "-f", inf_fd.name]
+ "-w", self.dm_password, "-f", inf_fd.name]
run(args)
logging.debug("done adding default ds layout")
@@ -184,5 +185,15 @@ class DsInstance:
certmap_fd = open(dirname+"certmap.conf", "w+")
certmap_fd.write(certmap_conf)
certmap_fd.close()
-
logging.debug("done configuring certmap.conf for ds instance")
+
+ def change_admin_password(self, password):
+ logging.debug("Changing admin password")
+ dirname = self.config_dirname()
+ args = ["/usr/lib/mozldap/ldappasswd",
+ "-D", "cn=Directory Manager", "-w", self.dm_password,
+ "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
+ "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
+ run(args)
+ logging.debug("ldappasswd done")
+
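Review bot: `change_admin_password` places both the Directory Manager password (`-w`) and the new admin password (`-s`) on the ldappasswd command line at L83-L85, where they are readable from the process list by other local users for the duration of the call and would also be captured if `run` logs its arguments. Prefer the tool's password-file option or stdin, with the file created owner-readable only and removed afterwards; the pre-existing ldapmodify call at L68-L69 has the same exposure, so one shared helper would cover both. The `"-P", dirname+"/cert8.db"` argument joins with an explicit slash while the certmap path at L73 is `dirname+"certmap.conf"`, so the two lines appear to assume different trailing-slash conventions for `config_dirname()` — worth confirming which is right. The new method has no docstring; `"""Set the admin account password, binding as Directory Manager over an SSL connection."""` would do.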
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 1c77b086f..e17ab525b 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -109,7 +109,7 @@ class KrbInstance:
for x in self.kdc_password:
hexpwd += (hex(ord(x))[2:])
pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
- pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+ pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
pwd_fd.close()
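Review bot: The service-account DN prefix `"uid=kdc,cn=sysaccounts,cn=etc,"` now appears verbatim here at L98 and again in the kdb5_ldap_util arguments at L105; if one is edited again without the other, the KDC binds with a DN that does not match the entry whose password was written to ldappwd. Hoist it once, e.g. `KDC_DN_PREFIX = "uid=kdc,cn=sysaccounts,cn=etc,"`, and build both strings from it. Since the file opened at L96 stores the bind password in a reversible hex encoding, confirm its mode is restricted elsewhere — nothing in this hunk sets it. The enclosing method starts outside the hunk.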
def __setup_sub_dict(self):
@@ -147,7 +147,7 @@ class KrbInstance:
krb5_fd.close()
#populate the directory with the realm structure
- args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
run(args)
#add the password extop module
@@ -178,6 +178,15 @@ class KrbInstance:
kread.close()
kerr.close()
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not file_exists("/etc/dirsrv/ds.keytab"):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
cfg_fd = open("/etc/sysconfig/dirsrv", "a")
cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n")
cfg_fd.close()
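Review bot: `os.exit()` at L118 is not a function in the os module (the real ones are `os._exit(status)` and `sys.exit(status)`), so the timeout path prints its message and then dies with an AttributeError traceback instead of exiting cleanly; the same line is added at L133 and in the third hunk (@@ -215). Because this runs inside a method, raising an exception the installer can report is cleaner than terminating from library code, and the `print` string's trailing `\n` combined with the statement's own newline emits a blank line. The wait loop is pasted three times with only the path differing; a private helper would hold the logic once and give the timeout a name. The enclosing method starts outside the hunk.
```python
    def __wait_for_file(self, path, timeout=15):
        # kadmin writes the keytab asynchronously; poll until it exists
        retry = 0
        while not file_exists(path):
            time.sleep(1)
            retry += 1
            if retry > timeout:
                raise RuntimeError("timed out waiting for kadmin to write " + path)

    # … unchanged: kadmin invocation, kread.close(), kerr.close() …
        self.__wait_for_file("/etc/dirsrv/ds.keytab")
```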
@@ -199,6 +208,15 @@ class KrbInstance:
kread.close()
kerr.close()
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a")
cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n")
cfg_fd.close()
@@ -215,8 +233,15 @@ class KrbInstance:
kread.close()
kerr.close()
+ # give kadmin time to actually write the file before we go on
+ retry = 0
while not file_exists("/etc/httpd/conf/ipa.keytab"):
time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
pent = pwd.getpwnam("apache")
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)