diff options
author | Christian Heimes <cheimes@redhat.com> | 2015-06-23 17:01:00 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-24 10:43:58 +0200 |
commit | 495da412f155603c02907187c21dd4511281df2c (patch) | |
tree | 8bc25d341bfdfb48673fbc24ba3f538ef87b6d41 /ipaserver/install/httpinstance.py | |
parent | 49d708f00fd13903dbd96193aac2c608e3512398 (diff) | |
download | freeipa-495da412f155603c02907187c21dd4511281df2c.tar.gz freeipa-495da412f155603c02907187c21dd4511281df2c.tar.xz freeipa-495da412f155603c02907187c21dd4511281df2c.zip |
Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 65 |
1 files changed, 64 insertions, 1 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 31eab022d..107c20d7f 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -33,15 +33,16 @@ import installutils from ipapython import sysrestore from ipapython import ipautil from ipapython import dogtag +from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api +from ipalib import errors from ipaplatform.tasks import tasks from ipaplatform.paths import paths from ipaplatform import services - SELINUX_BOOLEAN_SETTINGS = dict( httpd_can_network_connect='on', httpd_manage_ipa='on', @@ -136,6 +137,9 @@ class HTTPInstance(service.Service): self.step("creating a keytab for httpd", self.__create_http_keytab) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) + if not self.is_kdcproxy_configured(): + self.step("create KDC proxy config", self.create_kdcproxy_conf) + self.step("enable KDC proxy", self.enable_kdcproxy) self.step("restarting httpd", self.__start) self.step("configuring httpd to start on boot", self.__enable) @@ -381,6 +385,63 @@ class HTTPInstance(service.Service): ca_db = certs.CertDB(self.realm) ca_db.publish_ca_cert(paths.CA_CRT) + def is_kdcproxy_configured(self): + """Check if KDC proxy has already been configured in the past""" + return os.path.isfile(paths.HTTPD_IPA_KDCPROXY_CONF) + + def enable_kdcproxy(self): + """Add ipaConfigString=kdcProxyEnabled to cn=KDC""" + entry_name = DN(('cn', 'KDC'), ('cn', self.fqdn), ('cn', 'masters'), + ('cn', 'ipa'), ('cn', 'etc'), self.suffix) + attr_name = 'kdcProxyEnabled' + + try: + entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) + except errors.NotFound: + pass + else: + if any(attr_name.lower() == val.lower() + for val in entry.get('ipaConfigString', [])): + root_logger.debug("service KDCPROXY already enabled") + return + + entry.setdefault('ipaConfigString', []).append(attr_name) + try: + self.admin_conn.update_entry(entry) + except errors.EmptyModlist: + root_logger.debug("service KDCPROXY already enabled") + return + except: + root_logger.debug("failed to enable service KDCPROXY") + raise + + root_logger.debug("service KDCPROXY enabled") + return + + entry = self.admin_conn.make_entry( + entry_name, + objectclass=["nsContainer", "ipaConfigObject"], + cn=['KDC'], + ipaconfigstring=[attr_name] + ) + + try: + self.admin_conn.add_entry(entry) + except errors.DuplicateEntry: + root_logger.debug("failed to add service KDCPROXY entry") + raise + + def create_kdcproxy_conf(self): + """Create ipa-kdc-proxy.conf in /etc/ipa/kdcproxy""" + target_fname = paths.HTTPD_IPA_KDCPROXY_CONF + sub_dict = dict(KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG) + http_txt = ipautil.template_file( + ipautil.SHARE_DIR + "ipa-kdc-proxy.conf.template", sub_dict) + self.fstore.backup_file(target_fname) + with open(target_fname, 'w') as f: + f.write(http_txt) + os.chmod(target_fname, 0644) + def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") @@ -420,6 +481,8 @@ class HTTPInstance(service.Service): installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) + installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) + installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) |