diff options
author | Simo Sorce <ssorce@redhat.com> | 2007-08-31 18:40:01 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2007-08-31 18:40:01 -0400 |
commit | abeda55e34ff19d34bf48f7e8c7f1df42b86136f (patch) | |
tree | 06973ab3214f7b2c715657d88a786dbef0609a16 /ipa-server/ipaserver | |
parent | 7a0629ea55940169007d6a1c5c9e6e66c406f724 (diff) | |
download | freeipa-abeda55e34ff19d34bf48f7e8c7f1df42b86136f.tar.gz freeipa-abeda55e34ff19d34bf48f7e8c7f1df42b86136f.tar.xz freeipa-abeda55e34ff19d34bf48f7e8c7f1df42b86136f.zip |
Add password request for admin user
Set password for admin user using the Directory Mangaer account
and the mozldapldappaswd binary to get and SSL connection
Fix some timeout problems with deploying keytabs
Fix ipa_pwd_extop to actuallt correctly detect an SSL connection
Do not ask for the user to use for the directory unless 'dirsrv' is
an existing user which may clash, create it silently
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 27 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 29 |
2 files changed, 46 insertions, 10 deletions
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 2c7e0c7db..841bc31f2 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -72,16 +72,18 @@ class DsInstance: def __init__(self): self.serverid = None self.realm_name = None + self.suffix = None self.host_name = None - self.admin_password = None + self.dm_password = None self.sub_dict = None - def create_instance(self, ds_user, realm_name, host_name, admin_password): + def create_instance(self, ds_user, realm_name, host_name, dm_password): self.ds_user = ds_user self.serverid = generate_serverid() self.realm_name = realm_name.upper() + self.suffix = realm_to_suffix(self.realm_name) self.host_name = host_name - self.admin_password = admin_password + self.dm_password = dm_password self.__setup_sub_dict() self.__create_ds_user() @@ -111,10 +113,9 @@ class DsInstance: run(["/sbin/service", "dirsrv", "restart"]) def __setup_sub_dict(self): - suffix = realm_to_suffix(self.realm_name) server_root = find_server_root() self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.admin_password, SUFFIX=suffix, + PASSWORD=self.dm_password, SUFFIX=self.suffix, REALM=self.realm_name, USER=self.ds_user, SERVER_ROOT=server_root) @@ -155,7 +156,7 @@ class DsInstance: def __enable_ssl(self): logging.debug("configuring ssl for ds instance") dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + args = ["/usr/sbin/ipa-server-setupssl", self.dm_password, dirname, self.host_name] run(args) logging.debug("done configuring ssl for ds instance") @@ -165,7 +166,7 @@ class DsInstance: inf_fd = write_tmp_file(txt) logging.debug("adding default ds layout") args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.admin_password, "-f", inf_fd.name] + "-w", self.dm_password, "-f", inf_fd.name] run(args) logging.debug("done adding default ds layout") @@ -184,5 +185,15 @@ class DsInstance: certmap_fd = open(dirname+"certmap.conf", "w+") certmap_fd.write(certmap_conf) certmap_fd.close() - logging.debug("done configuring certmap.conf for ds instance") + + def change_admin_password(self, password): + logging.debug("Changing admin password") + dirname = self.config_dirname() + args = ["/usr/lib/mozldap/ldappasswd", + "-D", "cn=Directory Manager", "-w", self.dm_password, + "-P", dirname+"/cert8.db", "-ZZZ", "-s", password, + "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix] + run(args) + logging.debug("ldappasswd done") + diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 1c77b086f..e17ab525b 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -109,7 +109,7 @@ class KrbInstance: for x in self.kdc_password: hexpwd += (hex(ord(x))[2:]) pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") - pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n") pwd_fd.close() def __setup_sub_dict(self): @@ -147,7 +147,7 @@ class KrbInstance: krb5_fd.close() #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] run(args) #add the password extop module @@ -178,6 +178,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/etc/dirsrv/ds.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/dirsrv", "a") cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n") cfg_fd.close() @@ -199,6 +208,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") cfg_fd.close() @@ -215,8 +233,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 while not file_exists("/etc/httpd/conf/ipa.keytab"): time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + pent = pwd.getpwnam("apache") os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) |