summaryrefslogtreecommitdiffstats
path: root/ipa-server
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2007-12-11 14:19:10 -0500
committerSimo Sorce <ssorce@redhat.com>2007-12-11 14:19:10 -0500
commit5215b21ea404f2370bfdd4a2e452577e065a718c (patch)
tree8893bdeebf94979c66febd0d1f84fde9d311ed4e /ipa-server
parent4f0b2154146cc3ed3b32b34713089323d96c1c74 (diff)
parent01131e2a37a9aec197b4e286e0559165d403fe73 (diff)
downloadfreeipa-5215b21ea404f2370bfdd4a2e452577e065a718c.tar.gz
freeipa-5215b21ea404f2370bfdd4a2e452577e065a718c.tar.xz
freeipa-5215b21ea404f2370bfdd4a2e452577e065a718c.zip
merge with upstream
Diffstat (limited to 'ipa-server')
-rw-r--r--ipa-server/ipa-gui/ipagui/forms/user.py4
-rw-r--r--ipa-server/ipa-gui/ipagui/templates/principallist.kid10
-rw-r--r--ipa-server/ipa-install/Makefile.am6
-rw-r--r--ipa-server/ipa-install/ipa-server-setupssl216
-rw-r--r--ipa-server/ipa-install/share/60radius.ldif38
-rw-r--r--ipa-server/ipa-install/share/bootstrap-template.ldif24
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif3
-rw-r--r--ipa-server/ipa-install/share/encrypted_attribute.ldif6
-rw-r--r--ipa-server/ipa-install/share/radius.radiusd.conf.template23
-rw-r--r--ipa-server/ipaserver/Makefile.am1
-rw-r--r--ipa-server/ipaserver/certs.py213
-rw-r--r--ipa-server/ipaserver/dsinstance.py39
-rw-r--r--ipa-server/ipaserver/httpinstance.py15
-rw-r--r--ipa-server/ipaserver/radiusinstance.py93
-rw-r--r--ipa-server/xmlrpc-server/funcs.py201
-rw-r--r--ipa-server/xmlrpc-server/ipaxmlrpc.py24
16 files changed, 608 insertions, 308 deletions
diff --git a/ipa-server/ipa-gui/ipagui/forms/user.py b/ipa-server/ipa-gui/ipagui/forms/user.py
index b0c4d0aa7..74369a6ae 100644
--- a/ipa-server/ipa-gui/ipagui/forms/user.py
+++ b/ipa-server/ipa-gui/ipagui/forms/user.py
@@ -3,8 +3,8 @@ from turbogears import validators, widgets
from tg_expanding_form_widget.tg_expanding_form_widget import ExpandingForm
class UserFields(object):
- givenname = widgets.TextField(name="givenname", label="Given Name")
- sn = widgets.TextField(name="sn", label="Family Name")
+ givenname = widgets.TextField(name="givenname", label="First Name")
+ sn = widgets.TextField(name="sn", label="Last Name")
cn = widgets.TextField(name="cn", label="Common Names")
cns = ExpandingForm(name="cns", label="Common Names", fields=[cn])
title = widgets.TextField(name="title", label="Title")
diff --git a/ipa-server/ipa-gui/ipagui/templates/principallist.kid b/ipa-server/ipa-gui/ipagui/templates/principallist.kid
index dcd9dd4b8..d4177d8d7 100644
--- a/ipa-server/ipa-gui/ipagui/templates/principallist.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/principallist.kid
@@ -16,6 +16,14 @@
<script type="text/javascript">
document.getElementById("hostname").focus();
</script>
+ <script type="text/javascript">
+ function confirmDownload() {
+ if (confirm("Are you sure you want to download this principal? It will reset the secret, invalidating any existing keytabs")) {
+ return true;
+ }
+ return false;
+ }
+ </script>
</div>
<div py:if='(principals != None) and (len(principals) > 0)'>
<h2>${len(principals)} results returned:</h2>
@@ -33,7 +41,7 @@
<tbody>
<tr py:for="principal in principals">
<td>
- <a href="${tg.url('/principal/show',principal=principal.krbprincipalname)}"
+ <a href="${tg.url('/principal/show',principal=principal.krbprincipalname)}" onclick="return confirmDownload();"
>${principal.hostname}</a>
</td>
<td>
diff --git a/ipa-server/ipa-install/Makefile.am b/ipa-server/ipa-install/Makefile.am
index 4765cfb54..1b46d354b 100644
--- a/ipa-server/ipa-install/Makefile.am
+++ b/ipa-server/ipa-install/Makefile.am
@@ -10,14 +10,8 @@ sbin_SCRIPTS = \
ipa-replica-prepare \
$(NULL)
-appdir = $(IPA_DATA_DIR)
-app_SCRIPTS = \
- ipa-server-setupssl \
- $(NULL)
-
EXTRA_DIST = \
README \
- $(app_SCRIPTS) \
$(sbin_SCRIPTS) \
$(NULL)
diff --git a/ipa-server/ipa-install/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl
deleted file mode 100644
index 1774f214d..000000000
--- a/ipa-server/ipa-install/ipa-server-setupssl
+++ /dev/null
@@ -1,216 +0,0 @@
-#!/bin/bash
-
-if [ "$1" ] ; then
- password=$1
-else
- echo "password required"
- exit 1
-fi
-
-if [ "$2" -a -d "$2" ] ; then
- secdir="$2"
-else
- secdir=/etc/dirsrv/slapd-localhost
-fi
-
-if [ "$3" ] ; then
- myhost=$3
-else
- myhost=`hostname --fqdn`
-fi
-
-
-if [ "$4" ] ; then
- ldapport=$4
-else
- ldapport=389
-fi
-
-me=`whoami`
-if [ "$me" = "root" ] ; then
- isroot=1
-fi
-
-# see if there are already certs and keys
-if [ -f $secdir/cert8.db ] ; then
- # look for CA cert
- if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then
- echo "Using existing CA certificate"
- else
- echo "No CA certificate found - will create new one"
- needCA=1
- fi
-
- # look for server cert
- if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then
- echo "Using existing directory Server-Cert"
- else
- echo "No Server Cert found - will create new one"
- needServerCert=1
- fi
-
- prefix="new-"
- prefixarg="-P $prefix"
-else
- needCA=1
- needServerCert=1
-fi
-
-if test -z "$needCA" -a -z "$needServerCert" ; then
- echo "No certs needed - exiting"
- exit 0
-fi
-
-# get our user and group
-if test -n "$isroot" ; then
- uid=`/bin/ls -ald $secdir | awk '{print $3}'`
- gid=`/bin/ls -ald $secdir | awk '{print $4}'`
-fi
-
-# 2. Create a password file for your security token password:
-if [ -f $secdir/pwdfile.txt ] ; then
- echo "Using existing $secdir/pwdfile.txt"
-else
- (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt
- if test -n "$isroot" ; then
- chown $uid:$gid $secdir/pwdfile.txt
- fi
- chmod 400 $secdir/pwdfile.txt
-fi
-
-# 3. Create a "noise" file for your encryption mechanism:
-if [ -f $secdir/noise.txt ] ; then
- echo "Using existing $secdir/noise.txt file"
-else
- (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt
- if test -n "$isroot" ; then
- chown $uid:$gid $secdir/noise.txt
- fi
- chmod 400 $secdir/noise.txt
-fi
-
-# 4. Create the key3.db and cert8.db databases:
-certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt
-if test -n "$isroot" ; then
- chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
-fi
-chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db
-
-
-if test -n "$needCA" ; then
-# 5. Generate the encryption key:
- certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
-# 6. Generate the self-signed certificate:
- certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
-# export the CA cert for use with other apps
- certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc
- pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
-fi
-
-if test -n "$needServerCert" ; then
-# 7. Generate the server certificate:
- certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt
-fi
-
-# create the pin file
-if [ ! -f $secdir/pin.txt ] ; then
- pinfile=$secdir/pin.txt
- echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile
- if test -n "$isroot" ; then
- chown $uid:$gid $pinfile
- fi
- chmod 400 $pinfile
-else
- echo Using existing $secdir/pin.txt
-fi
-
-if [ -n "$prefix" ] ; then
- # move the old files out of the way
- mv $secdir/cert8.db $secdir/orig-cert8.db
- mv $secdir/key3.db $secdir/orig-key3.db
- # move in the new files - will be used after server restart
- mv $secdir/${prefix}cert8.db $secdir/cert8.db
- mv $secdir/${prefix}key3.db $secdir/key3.db
-fi
-
-modnssdir=/etc/httpd/alias
-
-# Setup SSL in Apache
-if [ -e $modnssdir ]; then
- mkdir ${modnssdir}.ipa
- mv $modnssdir/cert8.db ${modnssdir}.ipa
- mv $modnssdir/key3.db ${modnssdir}.ipa
-fi
-
-# Create a new database for mod_nss
-echo -e "\n" > $modnssdir/pw.txt
-certutil -N -d $modnssdir -f $modnssdir/pw.txt
-
-# Add the CA we created
-certutil -A -d $modnssdir -n "CA certificate" -t "CT,CT," -a -i $secdir/cacert.asc
-
-# Request a new server cert
-certutil -R -d $modnssdir \
- -s "cn=$myhost,ou=Apache Web Server" \
- -o $modnssdir/tmpcertreq \
- -g 1024 \
- -z $secdir/noise.txt \
- -f $modnssdir/pw.txt
-
-# Have the FDS CA issue the cert
-echo -e "2\n9\nn\n1\n9\nn\n" | \
-certutil -C -d $secdir \
- -c "CA certificate" \
- -i $modnssdir/tmpcertreq \
- -o $modnssdir/tmpcert.der \
- -m 1002 \
- -v 120 \
- -f $secdir/pwdfile.txt \
- -1 \
- -5
-
-# Now add this cert to the Apache database
-certutil -A -d $modnssdir -n "Server-Cert"\
- -t u,u,u \
- -i $modnssdir/tmpcert.der \
- -f $modnsdir/tmpcert.der
-
-rm -f $modnssdir/pw.txt $modnssdir/tmpcertreq $modnssder/tmpcert.der
-
-# enable SSL in the directory server
-
-ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF
-dn: cn=encryption,cn=config
-changetype: modify
-replace: nsSSL3
-nsSSL3: on
--
-replace: nsSSLClientAuth
-nsSSLClientAuth: allowed
--
-add: nsSSL3Ciphers
-nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
- +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
- +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
- +tls_rsa_export1024_with_des_cbc_sha
-
-dn: cn=config
-changetype: modify
-add: nsslapd-security
-nsslapd-security: on
--
-replace: nsslapd-ssl-check-hostname
-nsslapd-ssl-check-hostname: off
-
-dn: cn=RSA,cn=encryption,cn=config
-changetype: add
-objectclass: top
-objectclass: nsEncryptionModule
-cn: RSA
-nsSSLPersonalitySSL: Server-Cert
-nsSSLToken: internal (software)
-nsSSLActivation: on
-
-EOF
-
-
diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif
index 1802029ea..93a5ba319 100644
--- a/ipa-server/ipa-install/share/60radius.ldif
+++ b/ipa-server/ipa-install/share/60radius.ldif
@@ -4,6 +4,11 @@
# LDAP v3 version by Jochen Friedrich <jochen@scram.de>
# Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
# Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA
+#
+# Note: These OID's do not seem to be registered, the closest I could find
+# was 1.3.6.1.4.1.3317
+# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)}
+#
##############
dn: cn=schema
attributeTypes:
@@ -487,7 +492,7 @@ objectClasses:
NAME 'radiusprofile'
SUP top AUXILIARY
DESC ''
- MUST cn
+ MUST uid
MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $
@@ -521,3 +526,34 @@ objectClasses:
MUST cn
MAY ( uid $ userPassword $ description )
)
+attributeTypes:
+ ( 1.3.6.1.4.1.3317.4.3.1.64
+ NAME 'radiusClientSecret'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE
+ )
+attributeTypes:
+ ( 1.3.6.1.4.1.3317.4.3.1.65
+ NAME 'radiusClientNASType'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE
+ )
+attributeTypes:
+ ( 1.3.6.1.4.1.3317.4.3.1.66
+ NAME 'radiusClientShortName'
+ DESC ''
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ )
+objectClasses:
+ ( 1.3.6.1.4.1.3317.4.3.2.3
+ NAME 'radiusClientProfile'
+ SUP top STRUCTURAL
+ DESC 'A Container Objectclass to be used for describing radius clients'
+ MUST (radiusClientIPAddress $ radiusClientSecret)
+ MAY ( radiusClientNASType $ radiusClientShortName $ description )
+ )
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 3f0558d11..9642070c7 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -81,6 +81,30 @@ homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
+dn: cn=radius,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: radius
+
+dn: cn=clients,cn=radius,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: clients
+
+dn: cn=profiles,cn=radius,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: profiles
+
+dn: uid=ipa_default, cn=profiles,cn=radius,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: radiusprofile
+uid: ipa_default
+
dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
changetype: add
objectClass: top
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 6b8afd28b..95743eebb 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -9,9 +9,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaN
aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn = "ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
+aci: (target="ldap:///cn=radius,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
dn: cn=ipaConfig,cn=etc,$SUFFIX
changetype: modify
diff --git a/ipa-server/ipa-install/share/encrypted_attribute.ldif b/ipa-server/ipa-install/share/encrypted_attribute.ldif
new file mode 100644
index 000000000..3f5e1b43d
--- /dev/null
+++ b/ipa-server/ipa-install/share/encrypted_attribute.ldif
@@ -0,0 +1,6 @@
+dn: cn=$ENCRYPTED_ATTRIBUTE, cn=encrypted attributes, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
+changetype: add
+objectClass: top
+objectClass: nsAttributeEncryption
+cn: $ENCRYPTED_ATTRIBUTE
+nsEncryptionAlgorithm: AES
diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template
index d03105485..3bc4927dd 100644
--- a/ipa-server/ipa-install/share/radius.radiusd.conf.template
+++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template
@@ -57,9 +57,6 @@ thread pool {
max_requests_per_server = 0
}
modules {
- pap {
- auto_header = yes
- }
chap {
authtype = CHAP
}
@@ -85,13 +82,19 @@ $$INCLUDE $${confdir}/eap.conf
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
- access_attr = "$ACCESS_ATTRIBUTE"
+ profile_attribute = "radiusProfileDn"
+ default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
+ # FIXME: we'll want to toggle the access_attr feature on/off,
+ # but it needs a control, so disable it for now.
+ #access_attr = "$ACCESS_ATTRIBUTE"
+ #access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
dictionary_mapping = $${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
+ clients_basedn = "$CLIENTS_BASEDN"
}
realm IPASS {
format = prefix
@@ -229,6 +232,10 @@ $$INCLUDE $${confdir}/eap.conf
override = no
maximum-timeout = 0
}
+ krb5 {
+ keytab = "$RADIUS_KEYTAB"
+ service_principal = "$RADIUS_PRINCIPAL"
+ }
}
instantiate {
exec
@@ -242,20 +249,18 @@ authorize {
eap
#files
ldap
- pap
}
authenticate {
- Auth-Type PAP {
- pap
- }
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
- unix
eap
+ Auth-Type Kerberos {
+ krb5
+ }
}
preacct {
preprocess
diff --git a/ipa-server/ipaserver/Makefile.am b/ipa-server/ipaserver/Makefile.am
index c2d164b96..f1c094b36 100644
--- a/ipa-server/ipaserver/Makefile.am
+++ b/ipa-server/ipaserver/Makefile.am
@@ -14,6 +14,7 @@ app_PYTHON = \
service.py \
installutils.py \
replication.py \
+ certs.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
new file mode 100644
index 000000000..fb6b01d0e
--- /dev/null
+++ b/ipa-server/ipaserver/certs.py
@@ -0,0 +1,213 @@
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import os, stat, subprocess
+import sha
+
+from ipa import ipautil
+
+class CertDB(object):
+ def __init__(self, dir):
+ self.secdir = dir
+
+ self.noise_fname = self.secdir + "/noise.txt"
+ self.passwd_fname = self.secdir + "/pwdfile.txt"
+ self.certdb_fname = self.secdir + "/cert8.db"
+ self.keydb_fname = self.secdir + "/key3.db"
+ self.secmod_fname = self.secdir + "/secmod.db"
+ self.cacert_fname = self.secdir + "/cacert.asc"
+ self.pk12_fname = self.secdir + "/cacert.p12"
+ self.pin_fname = self.secdir + "/pin.txt"
+ self.certreq_fname = self.secdir + "/tmpcertreq"
+ self.certder_fname = self.secdir + "/tmpcert.der"
+
+ # Making this a starting value that will generate
+ # unique values for the current DB is the
+ # responsibility of the caller for now. In the
+ # future we might automatically determine this
+ # for a given db.
+ self.cur_serial = 1000
+
+ self.cacert_name = "CA certificate"
+ self.valid_months = "120"
+ self.keysize = "1024"
+
+ # We are going to set the owner of all of the cert
+ # files to the owner of the containing directory
+ # instead of that of the process. This works when
+ # this is called by root for a daemon that runs as
+ # a normal user
+ mode = os.stat(self.secdir)
+ self.uid = mode[stat.ST_UID]
+ self.gid = mode[stat.ST_GID]
+
+ def next_serial(self):
+ r = self.cur_serial
+ self.cur_serial += 1
+ return str(r)
+
+ def set_perms(self, fname, write=False):
+ os.chown(fname, self.uid, self.gid)
+ perms = stat.S_IRUSR
+ if write:
+ perms |= stat.S_IWUSR
+ os.chmod(fname, perms)
+
+ def gen_password(self):
+ return sha.sha(ipautil.ipa_generate_password()).hexdigest()
+
+ def run_certutil(self, args, stdin=None):
+ new_args = ["/usr/bin/certutil", "-d", self.secdir]
+ new_args = new_args + args
+ ipautil.run(new_args, stdin)
+
+ def create_noise_file(self):
+ ipautil.backup_file(self.noise_fname)
+ f = open(self.noise_fname, "w")
+ f.write(self.gen_password())
+ self.set_perms(self.noise_fname)
+
+ def create_passwd_file(self, passwd=True):
+ ipautil.backup_file(self.passwd_fname)
+ f = open(self.passwd_fname, "w")
+ if passwd:
+ f.write(self.gen_password())
+ else:
+ f.write("\n")
+ f.close()
+ self.set_perms(self.passwd_fname)
+
+ def create_certdbs(self):
+ ipautil.backup_file(self.certdb_fname)
+ ipautil.backup_file(self.keydb_fname)
+ ipautil.backup_file(self.secmod_fname)
+ self.run_certutil(["-N",
+ "-f", self.passwd_fname])
+ self.set_perms(self.passwd_fname, write=True)
+
+ def create_ca_cert(self):
+ # Generate the encryption key
+ self.run_certutil(["-G", "-z", self.noise_fname, "-f", self.passwd_fname])
+ # Generate the self-signed cert
+ self.run_certutil(["-S", "-n", self.cacert_name,
+ "-s", "cn=CAcert",
+ "-x",
+ "-t", "CT,,",
+ "-m", self.next_serial(),
+ "-v", self.valid_months,
+ "-z", self.noise_fname,
+ "-f", self.passwd_fname])
+
+ # export the CA cert for use with other apps
+ ipautil.backup_file(self.cacert_fname)
+ self.run_certutil(["-L", "-n", "CA certificate",
+ "-a",
+ "-o", self.cacert_fname])
+ self.set_perms(self.cacert_fname)
+ ipautil.backup_file(self.pk12_fname)
+ ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
+ "-o", self.pk12_fname,
+ "-n", "CA certificate",
+ "-w", self.passwd_fname,
+ "-k", self.passwd_fname])
+ self.set_perms(self.pk12_fname)
+
+ def load_cacert(self, cacert_fname):
+ self.run_certutil(["-A", "-n", self.cacert_name,
+ "-t", "CT,CT,",
+ "-a",
+ "-i", cacert_fname])
+
+ def create_server_cert(self, nickname, name, other_certdb=None):
+ cdb = other_certdb
+ if not cdb:
+ cdb = self
+ self.request_cert(name)
+ cdb.issue_cert(self.certreq_fname, self.certder_fname)
+ self.add_cert(self.certder_fname, nickname)
+ os.unlink(self.certreq_fname)
+ os.unlink(self.certder_fname)
+
+ def request_cert(self, name):
+ self.run_certutil(["-R", "-s", name,
+ "-o", self.certreq_fname,
+ "-g", self.keysize,
+ "-z", self.noise_fname,
+ "-f", self.passwd_fname])
+
+ def issue_cert(self, certreq_fname, cert_fname):
+ p = subprocess.Popen(["/usr/bin/certutil",
+ "-d", self.secdir,
+ "-C", "-c", self.cacert_name,
+ "-i", certreq_fname,
+ "-o", cert_fname,
+ "-m", self.next_serial(),
+ "-v", self.valid_months,
+ "-f", self.passwd_fname,
+ "-1", "-5"],
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE)
+
+ # Bah - this sucks, but I guess it isn't possible to fully
+ # control this with command line arguments.
+ #
+ # What this is requesting is:
+ # -1 (Create key usage extension)
+ # 2 - Key encipherment
+ # 9 - done
+ # n - not critical
+ #
+ # -5 (Create netscape cert type extension)
+ # 1 - SSL Server
+ # 9 - done
+ # n - not critical
+ p.stdin.write("2\n9\nn\n1\n9\nn\n")
+ p.wait()
+
+
+ def add_cert(self, cert_fname, nickname):
+ self.run_certutil(["-A", "-n", nickname,
+ "-t", "u,u,u",
+ "-i", cert_fname,
+ "-f", cert_fname])
+
+ def create_pin_file(self):
+ ipautil.backup_file(self.pin_fname)
+ f = open(self.pin_fname, "w")
+ f.write("Internal (Software) Token:")
+ pwd = open(self.passwd_fname)
+ f.write(pwd.read())
+ f.close()
+ self.set_perms(self.pin_fname)
+
+ def create_self_signed(self, passwd=True):
+ self.create_noise_file()
+ self.create_passwd_file(passwd)
+ self.create_certdbs()
+ self.create_ca_cert()
+ self.create_pin_file()
+
+ def create_from_cacert(self, cacert_fname, passwd=False):
+ self.create_noise_file()
+ self.create_passwd_file(passwd)
+ self.create_certdbs()
+ self.load_cacert(cacert_fname)
+
+
+
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 6ba721c3b..5edc3879e 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -29,6 +29,8 @@ from ipa import ipautil
import service
import installutils
+import certs
+import ipaldap, ldap
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -290,13 +292,36 @@ class DsInstance(service.Service):
def __enable_ssl(self):
self.step("configuring ssl for ds instance")
dirname = config_dirname(self.realm_name)
- args = ["/usr/share/ipa/ipa-server-setupssl", self.dm_password,
- dirname, self.host_name]
- try:
- ipautil.run(args)
- logging.debug("done configuring ssl for ds instance")
- except ipautil.CalledProcessError, e:
- logging.critical("Failed to configure ssl in ds instance %s" % e)
+ ca = certs.CertDB(dirname)
+ ca.create_self_signed()
+ ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name)
+
+ conn = ipaldap.IPAdmin("127.0.0.1")
+ conn.simple_bind_s("cn=directory manager", self.dm_password)
+
+ mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
+ (ldap.MOD_REPLACE, "nsSSL3Ciphers",
+ "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
++rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
++fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
++tls_rsa_export1024_with_des_cbc_sha")]
+ conn.modify_s("cn=encryption,cn=config", mod)
+
+ mod = [(ldap.MOD_ADD, "nsslapd-security", "on"),
+ (ldap.MOD_REPLACE, "nsslapd-ssl-check-hostname", "off")]
+ conn.modify_s("cn=config", mod)
+
+ entry = ipaldap.Entry("cn=RSA,cn=encryption,cn=config")
+
+ entry.setValues("objectclass", "top", "nsEncryptionModule")
+ entry.setValues("cn", "RSA")
+ entry.setValues("nsSSLPersonalitySSL", "Server-Cert")
+ entry.setValues("nsSSLToken", "internal (software)")
+ entry.setValues("nsSSLActivation", "on")
+
+ conn.addEntry(entry)
+
+ conn.unbind()
def __add_default_layout(self):
self.step("adding default layout")
diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index 301035130..1799cca07 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -27,11 +27,14 @@ import sys
import time
import service
+import certs
+import dsinstance
from ipa.ipautil import *
HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
+NSS_DIR = HTTPD_DIR + "/alias"
selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
The web interface may not function correctly until this boolean is
@@ -64,12 +67,13 @@ class HTTPInstance(service.Service):
self.fqdn = fqdn
self.realm = realm
- self.start_creation(6, "Configuring the web interface")
+ self.start_creation(7, "Configuring the web interface")
self.__disable_mod_ssl()
self.__set_mod_nss_port()
self.__configure_http()
self.__create_http_keytab()
+ self.__setup_ssl()
self.step("restarting httpd")
self.restart()
@@ -143,3 +147,12 @@ class HTTPInstance(service.Service):
self.step("Setting mod_nss port to 443")
if update_file(NSS_CONF, '8443', '443') != 0:
print "Updating %s failed." % NSS_CONF
+
+ def __setup_ssl(self):
+ self.step("Setting up ssl")
+ ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm))
+ ca = certs.CertDB(NSS_DIR)
+ ds_ca.cur_serial = 2000
+ ca.create_from_cacert(ds_ca.cacert_fname)
+ ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
+
diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py
index 72cfe6cb6..3b89018f0 100644
--- a/ipa-server/ipaserver/radiusinstance.py
+++ b/ipa-server/ipaserver/radiusinstance.py
@@ -18,6 +18,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
+import sys
import subprocess
import string
import tempfile
@@ -27,6 +28,7 @@ import pwd
import time
import sys
from ipa.ipautil import *
+from ipa import radius_util
import service
@@ -34,28 +36,20 @@ import os
import re
IPA_RADIUS_VERSION = '0.0.0'
-PKG_NAME = 'freeradius'
-PKG_CONFIG_DIR = '/etc/raddb'
-
-RADIUS_SERVICE_NAME = 'radius'
-RADIUS_USER = 'radiusd'
-
-IPA_KEYTAB_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'ipa.keytab')
-LDAP_ATTR_MAP_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'ldap.attrmap')
-RADIUSD_CONF_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'radiusd.conf')
-RADIUSD_CONF_TEMPLATE_FILEPATH = os.path.join(SHARE_DIR, 'radius.radiusd.conf.template')
-
-RADIUSD = '/usr/sbin/radiusd'
# FIXME there should a utility to get the user base dn
from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer
#-------------------------------------------------------------------------------
+def ldap_mod(fd, dn, pwd):
+ args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
+ run(args)
+
def get_radius_version():
version = None
try:
- p = subprocess.Popen([RADIUSD, '-v'], stdout=subprocess.PIPE,
+ p = subprocess.Popen([radius_util.RADIUSD, '-v'], stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdout, stderr = p.communicate()
status = p.returncode
@@ -80,10 +74,11 @@ class RadiusInstance(service.Service):
def create_instance(self, realm_name, host_name, ldap_server):
self.realm = realm_name.upper()
+ self.suffix = realm_to_suffix(self.realm)
self.fqdn = host_name
self.ldap_server = ldap_server
- self.principal = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm)
- self.basedn = realm_to_suffix(self.realm)
+ self.principal = "%s/%s@%s" % (radius_util.RADIUS_SERVICE_NAME, self.fqdn, self.realm)
+ self.basedn = self.suffix
self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this
self.radius_version = get_radius_version()
self.start_creation(4, "Configuring radiusd")
@@ -113,31 +108,34 @@ class RadiusInstance(service.Service):
version = 'IPA_RADIUS_VERSION=%s FREE_RADIUS_VERSION=%s' % (IPA_RADIUS_VERSION, self.radius_version)
sub_dict = {'CONFIG_FILE_VERSION_INFO' : version,
'LDAP_SERVER' : self.ldap_server,
- 'RADIUS_KEYTAB' : IPA_KEYTAB_FILEPATH,
+ 'RADIUS_KEYTAB' : radius_util.RADIUS_IPA_KEYTAB_FILEPATH,
'RADIUS_PRINCIPAL' : self.principal,
'RADIUS_USER_BASE_DN' : self.user_basedn,
- 'ACCESS_ATTRIBUTE' : 'dialupAccess'
+ 'ACCESS_ATTRIBUTE' : '',
+ 'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE',
+ 'CLIENTS_BASEDN' : radius_util.radius_clients_basedn(None, self.suffix),
+ 'SUFFIX' : self.suffix,
}
try:
- radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)
- radiusd_fd = open(RADIUSD_CONF_FILEPATH, 'w+')
+ radiusd_conf = template_file(radius_util.RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)
+ radiusd_fd = open(radius_util.RADIUSD_CONF_FILEPATH, 'w+')
radiusd_fd.write(radiusd_conf)
radiusd_fd.close()
except Exception, e:
- logging.error("could not create %s: %s", RADIUSD_CONF_FILEPATH, e)
+ logging.error("could not create %s: %s", radius_util.RADIUSD_CONF_FILEPATH, e)
def __create_radius_keytab(self):
- self.step("create radiusd keytab")
+ self.step("creating a keytab for httpd")
try:
- if file_exists(IPA_KEYTAB_FILEPATH):
- os.remove(IPA_KEYTAB_FILEPATH)
+ if file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
+ os.remove(radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
except os.error:
- logging.error("Failed to remove %s", IPA_KEYTAB_FILEPATH)
+ logging.error("Failed to remove %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH)
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
kwrite.write("addprinc -randkey %s\n" % (self.principal))
kwrite.flush()
- kwrite.write("ktadd -k %s %s\n" % (IPA_KEYTAB_FILEPATH, self.principal))
+ kwrite.write("ktadd -k %s %s\n" % (radius_util.RADIUS_IPA_KEYTAB_FILEPATH, self.principal))
kwrite.flush()
kwrite.close()
kread.close()
@@ -145,42 +143,29 @@ class RadiusInstance(service.Service):
# give kadmin time to actually write the file before we go on
retry = 0
- while not file_exists(IPA_KEYTAB_FILEPATH):
+ while not file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH):
time.sleep(1)
retry += 1
if retry > 15:
print "Error timed out waiting for kadmin to finish operations\n"
sys.exit(1)
-
try:
- pent = pwd.getpwnam(RADIUS_USER)
- os.chown(IPA_KEYTAB_FILEPATH, pent.pw_uid, pent.pw_gid)
+ pent = pwd.getpwnam(radius_util.RADIUS_USER)
+ os.chown(radius_util.RADIUS_IPA_KEYTAB_FILEPATH, pent.pw_uid, pent.pw_gid)
except Exception, e:
- logging.error("could not chown on %s to %s: %s", IPA_KEYTAB_FILEPATH, RADIUS_USER, e)
+ logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e)
+
+ #FIXME, should use IPAdmin method
+ def __set_ldap_encrypted_attributes(self):
+ ldif_file = 'encrypted_attribute.ldif'
+ self.step("setting ldap encrypted attributes")
+ ldif_txt = template_file(SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'})
+ ldif_fd = write_tmp_file(ldif_txt)
+ try:
+ ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password)
+ except subprocess.CalledProcessError, e:
+ logging.critical("Failed to load %s: %s" % (ldif_file, str(e)))
+ ldif_fd.close()
#-------------------------------------------------------------------------------
-# FIXME: this should be in a common area so it can be shared
-def get_ldap_attr_translations():
- comment_re = re.compile('#.*$')
- radius_attr_to_ldap_attr = {}
- ldap_attr_to_radius_attr = {}
- try:
- f = open(LDAP_ATTR_MAP_FILEPATH)
- for line in f.readlines():
- line = comment_re.sub('', line).strip()
- if not line: continue
- attr_type, radius_attr, ldap_attr = line.split()
- print 'type="%s" radius="%s" ldap="%s"' % (attr_type, radius_attr, ldap_attr)
- radius_attr_to_ldap_attr[radius_attr] = {'ldap_attr':ldap_attr, 'attr_type':attr_type}
- ldap_attr_to_radius_attr[ldap_attr] = {'radius_attr':radius_attr, 'attr_type':attr_type}
- f.close()
- except Exception, e:
- logging.error('cold not read radius ldap attribute map file (%s): %s', LDAP_ATTR_MAP_FILEPATH, e)
- pass # FIXME
-
- #for k,v in radius_attr_to_ldap_attr.items():
- # print '%s --> %s' % (k,v)
- #for k,v in ldap_attr_to_radius_attr.items():
- # print '%s --> %s' % (k,v)
-
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 8a49488b8..4943da24d 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -31,6 +31,7 @@ import copy
import attrs
from ipa import ipaerror
from urllib import quote,unquote
+from ipa import radius_util
import string
from types import *
@@ -52,11 +53,6 @@ DefaultUserContainer = "cn=users,cn=accounts"
DefaultGroupContainer = "cn=groups,cn=accounts"
DefaultServiceContainer = "cn=services,cn=accounts"
-# FIXME: need to check the ipadebug option in ipa.conf
-#logging.basicConfig(level=logging.DEBUG,
-# format='%(asctime)s %(levelname)s %(message)s',
-# stream=sys.stderr)
-
#
# Apache runs in multi-process mode so each process will have its own
# connection. This could theoretically drive the total number of connections
@@ -557,7 +553,201 @@ class IPAServer:
schema.append(d)
return schema
+# radius support
+
+ # clients
+ def get_radius_client_by_ip_addr(self, ip_addr, container=None, sattrs=None, opts=None):
+ filter = radius_util.radius_client_filter(ip_addr)
+ basedn = radius_util.radius_clients_basedn(container, self.basedn)
+ return self.__get_sub_entry(basedn, filter, sattrs, opts)
+
+ def __radius_client_exists(self, ip_addr, container, opts):
+ filter = radius_util.radius_client_filter(ip_addr)
+ basedn = radius_util.radius_clients_basedn(container, self.basedn)
+
+ try:
+ entry = self.__get_sub_entry(basedn, filter, ['dn','uid'], opts)
+ return True
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ return False
+
+ def add_radius_client (self, client, container=None, opts=None):
+ if container is None:
+ container = radius_util.clients_container
+
+ ip_addr = client['radiusClientIPAddress']
+
+ if self.__radius_client_exists(ip_addr, container, opts):
+ raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
+
+ dn = radius_util.radius_client_dn(ip_addr, container, self.basedn)
+ entry = ipaserver.ipaldap.Entry(dn)
+
+ # some required objectclasses
+ entry.setValues('objectClass', 'top', 'radiusClientProfile')
+
+ # fill in our new entry with everything sent by the client
+ for attr in client:
+ entry.setValues(attr, client[attr])
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.addEntry(entry)
+ finally:
+ self.releaseConnection(conn)
+ return res
+
+ def update_radius_client(self, oldentry, newentry, opts=None):
+ return self.update_entry(oldentry, newentry, opts)
+
+ def delete_radius_client(self, ip_addr, container=None, opts=None):
+ client = self.get_radius_client_by_ip_addr(ip_addr, container, ['dn', 'cn'], opts)
+ if client is None:
+ raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.deleteEntry(client['dn'])
+ finally:
+ self.releaseConnection(conn)
+ return res
+
+ def find_radius_clients(self, ip_attrs, container=None, sattrs=None, searchlimit=0, timelimit=-1, opts=None):
+ def gen_filter(objectclass, attr, values):
+ '''Given ('myclass', 'myattr', [v1, v2]) returns
+ (&(objectclass=myclass)(|(myattr=v1)(myattr=v2)))
+ '''
+ # Don't use __safe_filter, prevents wildcarding
+ #attrs = ''.join(['(%s=%s)' % (attr, self.__safe_filter(val)) for val in values])
+ attrs = ''.join(['(%s=%s)' % (attr, val) for val in values])
+ filter = "(&(objectclass=%s)(|%s))" % (objectclass, attrs)
+ return filter
+
+ basedn = radius_util.radius_clients_basedn(container, self.basedn)
+ filter = gen_filter('radiusClientProfile', 'radiusClientIPAddress', ip_attrs)
+ conn = self.getConnection(opts)
+ try:
+ try:
+ results = conn.getListAsync(basedn, self.scope, filter, sattrs, 0, None, None, timelimit, searchlimit)
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ results = [0]
+ finally:
+ self.releaseConnection(conn)
+
+ counter = results[0]
+ results = results[1:]
+ radius_clients = [counter]
+ for radius_client in results:
+ radius_clients.append(self.convert_entry(radius_client))
+
+ return radius_clients
+
+ # profiles
+ def get_radius_profile_by_uid(self, uid, user_profile=True, sattrs=None, opts=None):
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ uid = self.__safe_filter(uid)
+ filter = radius_util.radius_profile_filter(uid)
+ basedn = radius_util.radius_profiles_basedn(container, self.basedn)
+ return self.__get_sub_entry(basedn, filter, sattrs, opts)
+
+ def __radius_profile_exists(self, uid, user_profile, opts):
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ uid = self.__safe_filter(uid)
+ filter = radius_util.radius_profile_filter(uid)
+ basedn = radius_util.radius_profiles_basedn(container, self.basedn)
+
+ try:
+ entry = self.__get_sub_entry(basedn, filter, ['dn','uid'], opts)
+ return True
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ return False
+
+ def add_radius_profile (self, profile, user_profile=True, opts=None):
+ uid = profile['uid']
+
+ if self.__radius_profile_exists(uid, user_profile, opts):
+ raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE)
+
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ dn = radius_util.radius_profile_dn(uid, container, self.basedn)
+ entry = ipaserver.ipaldap.Entry(dn)
+
+ # some required objectclasses
+ entry.setValues('objectClass', 'top', 'radiusprofile')
+
+ # fill in our new entry with everything sent by the profile
+ for attr in profile:
+ entry.setValues(attr, profile[attr])
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.addEntry(entry)
+ finally:
+ self.releaseConnection(conn)
+ return res
+ def update_radius_profile(self, oldentry, newentry, opts=None):
+ return self.update_entry(oldentry, newentry, opts)
+
+ def delete_radius_profile(self, uid, user_profile, opts=None):
+ profile = self.get_radius_profile_by_uid(uid, user_profile, ['dn', 'cn'], opts)
+ if profile is None:
+ raise ipaerror.gen_exception(ipaerror.LDAP_NOT_FOUND)
+
+ conn = self.getConnection(opts)
+ try:
+ res = conn.deleteEntry(profile['dn'])
+ finally:
+ self.releaseConnection(conn)
+ return res
+
+ def find_radius_profiles(self, uids, user_profile=True, sattrs=None, searchlimit=0, timelimit=-1, opts=None):
+ def gen_filter(objectclass, attr, values):
+ '''Given ('myclass', 'myattr', [v1, v2]) returns
+ (&(objectclass=myclass)(|(myattr=v1)(myattr=v2)))
+ '''
+ # Don't use __safe_filter, prevents wildcarding
+ #attrs = ''.join(['(%s=%s)' % (attr, self.__safe_filter(val)) for val in values])
+ attrs = ''.join(['(%s=%s)' % (attr, val) for val in values])
+ filter = "(&(objectclass=%s)(|%s))" % (objectclass, attrs)
+ return filter
+
+ if user_profile:
+ container = DefaultUserContainer
+ else:
+ container = radius_util.profiles_container
+
+ filter = gen_filter('radiusprofile', 'uid', uids)
+ basedn="%s,%s" % (container, self.basedn)
+ conn = self.getConnection(opts)
+ try:
+ try:
+ results = conn.getListAsync(basedn, self.scope, filter, sattrs, 0, None, None, timelimit, searchlimit)
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ results = [0]
+ finally:
+ self.releaseConnection(conn)
+
+ counter = results[0]
+ results = results[1:]
+ radius_profiles = [counter]
+ for radius_profile in results:
+ radius_profiles.append(self.convert_entry(radius_profile))
+
+ return radius_profiles
+
def set_custom_fields (self, schema, opts=None):
"""Set the list of custom user fields.
@@ -612,6 +802,7 @@ class IPAServer:
"""Returns a list: counter followed by the results.
If the results are truncated, counter will be set to -1."""
+ logging.debug("IPA: find users %s" % criteria)
config = self.get_ipa_config(opts)
if timelimit < 0:
timelimit = float(config.get('ipasearchtimelimit'))
diff --git a/ipa-server/xmlrpc-server/ipaxmlrpc.py b/ipa-server/xmlrpc-server/ipaxmlrpc.py
index 31cfbae69..7752b2586 100644
--- a/ipa-server/xmlrpc-server/ipaxmlrpc.py
+++ b/ipa-server/xmlrpc-server/ipaxmlrpc.py
@@ -32,6 +32,7 @@ import traceback
import pprint
from xmlrpclib import Marshaller,loads,dumps,Fault
from mod_python import apache
+import logging
import ipaserver
import funcs
@@ -148,12 +149,15 @@ class ModXMLRPCRequestHandler(object):
opts['ipadebug'] = pythonopts.get("IPADebug")
if opts['ipadebug'].lower() == "on":
+ logging.basicConfig(level=logging.DEBUG,
+ format='[%(asctime)s] [%(levelname)s] %(message)s',
+ datefmt='%a %b %d %H:%M:%S %Y',
+ stream=sys.stderr)
+
for o in opts:
- sys.stderr.write("IPA: setting option %s: %s\n" % (o, opts[o]))
- sys.stderr.flush()
- for e in req.subprocess_env:
- sys.stderr.write("IPA: environment %s: %s\n" % (e, req.subprocess_env[e]))
- sys.stderr.flush()
+ logging.debug("IPA: setting option %s: %s" % (o, opts[o]))
+# for e in req.subprocess_env:
+# logging.debug("IPA: environment %s: %s" % (e, req.subprocess_env[e]))
# Tack onto the end of the passed-in arguments any options we also
# need
@@ -362,6 +366,16 @@ def handler(req, profiling=False):
h.register_function(f.add_service_principal)
h.register_function(f.find_service_principal)
h.register_function(f.get_keytab)
+ h.register_function(f.get_radius_client_by_ip_addr)
+ h.register_function(f.add_radius_client)
+ h.register_function(f.update_radius_client)
+ h.register_function(f.delete_radius_client)
+ h.register_function(f.find_radius_clients)
+ h.register_function(f.get_radius_profile_by_uid)
+ h.register_function(f.add_radius_profile)
+ h.register_function(f.update_radius_profile)
+ h.register_function(f.delete_radius_profile)
+ h.register_function(f.find_radius_profiles)
h.handle_request(req)
finally:
pass