author | Rob Crittenden <rcritten@redhat.com> | 2009-01-29 16:26:07 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2009-02-03 15:27:14 -0500 |
commit | e30cd6ba42c256d2016db45146d616f329455e86 (patch) | |
tree | d4c5291095c80c92bc4803fe7f20fc2838124ffa /ipaserver/install/httpinstance.py | |
parent | c4ed025001895bfc65c613cabbbfcb27c19cc29f (diff) | |
Mass tree reorganization for IPAv2. To view previous history of files use:
% git log --follow -- <file>
renamed: ipa-server/autogen.sh -> autogen.sh
renamed: ipa-server/ipa-kpasswd/Makefile.am -> daemons/ipa-kpasswd/Makefile.am
renamed: ipa-server/ipa-kpasswd/README -> daemons/ipa-kpasswd/README
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.c -> daemons/ipa-kpasswd/ipa_kpasswd.c
renamed: ipa-server/ipa-kpasswd/ipa_kpasswd.init -> daemons/ipa-kpasswd/ipa_kpasswd.init
renamed: ipa-server/ipa-slapi-plugins/Makefile.am -> daemons/ipa-slapi-plugins/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/README -> daemons/ipa-slapi-plugins/README
renamed: ipa-server/ipa-slapi-plugins/dna/Makefile.am -> daemons/ipa-slapi-plugins/dna/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/dna/dna-conf.ldif -> daemons/ipa-slapi-plugins/dna/dna-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/dna/dna.c -> daemons/ipa-slapi-plugins/dna/dna.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/Makefile.am -> daemons/ipa-slapi-plugins/ipa-memberof/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof.h
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c -> daemons/ipa-slapi-plugins/ipa-memberof/ipa-memberof_config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif -> daemons/ipa-slapi-plugins/ipa-memberof/memberof-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am -> daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/README -> daemons/ipa-slapi-plugins/ipa-pwd-extop/README
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
renamed: ipa-server/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif -> daemons/ipa-slapi-plugins/ipa-pwd-extop/pwd-extop-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/Makefile.am -> daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/README -> daemons/ipa-slapi-plugins/ipa-winsync/README
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
renamed: ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h -> daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
renamed: ipa-server/xmlrpc-server/ipa-rewrite.conf -> install/conf/ipa-rewrite.conf
renamed: ipa-server/xmlrpc-server/ipa.conf -> install/conf/ipa.conf
renamed: ipa-server/xmlrpc-server/ssbrowser.html -> install/html/ssbrowser.html
renamed: ipa-server/xmlrpc-server/unauthorized.html -> install/html/unauthorized.html
renamed: ipa-server/ipa-install/share/60ipaconfig.ldif -> install/share/60ipaconfig.ldif
renamed: ipa-server/ipa-install/share/60kerberos.ldif -> install/share/60kerberos.ldif
renamed: ipa-server/ipa-install/share/60radius.ldif -> install/share/60radius.ldif
renamed: ipa-server/ipa-install/share/60samba.ldif -> install/share/60samba.ldif
renamed: ipa-server/ipa-install/share/Makefile.am -> install/share/Makefile.am
renamed: ipa-server/ipa-install/share/bind.named.conf.template -> install/share/bind.named.conf.template
renamed: ipa-server/ipa-install/share/bind.zone.db.template -> install/share/bind.zone.db.template
renamed: ipa-server/ipa-install/share/bootstrap-template.ldif -> install/share/bootstrap-template.ldif
renamed: ipa-server/ipa-install/share/certmap.conf.template -> install/share/certmap.conf.template
renamed: ipa-server/ipa-install/share/default-aci.ldif -> install/share/default-aci.ldif
renamed: ipa-server/ipa-install/share/default-keytypes.ldif -> install/share/default-keytypes.ldif
renamed: ipa-server/ipa-install/share/dna-posix.ldif -> install/share/dna-posix.ldif
renamed: ipa-server/ipa-install/share/encrypted_attribute.ldif -> install/share/encrypted_attribute.ldif
renamed: ipa-server/ipa-install/share/fedora-ds.init.patch -> install/share/fedora-ds.init.patch
renamed: ipa-server/ipa-install/share/indices.ldif -> install/share/indices.ldif
renamed: ipa-server/ipa-install/share/kdc.conf.template -> install/share/kdc.conf.template
renamed: ipa-server/ipa-install/share/kerberos.ldif -> install/share/kerberos.ldif
renamed: ipa-server/ipa-install/share/krb.con.template -> install/share/krb.con.template
renamed: ipa-server/ipa-install/share/krb5.conf.template -> install/share/krb5.conf.template
renamed: ipa-server/ipa-install/share/krb5.ini.template -> install/share/krb5.ini.template
renamed: ipa-server/ipa-install/share/krbrealm.con.template -> install/share/krbrealm.con.template
renamed: ipa-server/ipa-install/share/master-entry.ldif -> install/share/master-entry.ldif
renamed: ipa-server/ipa-install/share/memberof-task.ldif -> install/share/memberof-task.ldif
renamed: ipa-server/ipa-install/share/ntp.conf.server.template -> install/share/ntp.conf.server.template
renamed: ipa-server/ipa-install/share/ntpd.sysconfig.template -> install/share/ntpd.sysconfig.template
renamed: ipa-server/ipa-install/share/preferences.html.template -> install/share/preferences.html.template
renamed: ipa-server/ipa-install/share/referint-conf.ldif -> install/share/referint-conf.ldif
renamed: ipa-server/ipa-install/share/schema_compat.uldif -> install/share/schema_compat.uldif
renamed: ipa-server/ipa-install/share/unique-attributes.ldif -> install/share/unique-attributes.ldif
renamed: ipa-server/ipa-install/Makefile.am -> install/tools/Makefile.am
renamed: ipa-server/ipa-install/README -> install/tools/README
renamed: ipa-server/ipa-compat-manage -> install/tools/ipa-compat-manage
renamed: ipa-server/ipa-fix-CVE-2008-3274 -> install/tools/ipa-fix-CVE-2008-3274
renamed: ipa-server/ipa-ldap-updater -> install/tools/ipa-ldap-updater
renamed: ipa-server/ipa-install/ipa-replica-install -> install/tools/ipa-replica-install
renamed: ipa-server/ipa-install/ipa-replica-manage -> install/tools/ipa-replica-manage
renamed: ipa-server/ipa-install/ipa-replica-prepare -> install/tools/ipa-replica-prepare
renamed: ipa-server/ipa-install/ipa-server-certinstall -> install/tools/ipa-server-certinstall
renamed: ipa-server/ipa-install/ipa-server-install -> install/tools/ipa-server-install
renamed: ipa-server/ipa-upgradeconfig -> install/tools/ipa-upgradeconfig
renamed: ipa-server/ipa-install/ipactl -> install/tools/ipactl
renamed: ipa-server/man/Makefile.am -> install/tools/man/Makefile.am
renamed: ipa-server/man/ipa-compat-manage.1 -> install/tools/man/ipa-compat-manage.1
renamed: ipa-server/man/ipa-ldap-updater.1 -> install/tools/man/ipa-ldap-updater.1
renamed: ipa-server/man/ipa-replica-install.1 -> install/tools/man/ipa-replica-install.1
renamed: ipa-server/man/ipa-replica-manage.1 -> install/tools/man/ipa-replica-manage.1
renamed: ipa-server/man/ipa-replica-prepare.1 -> install/tools/man/ipa-replica-prepare.1
renamed: ipa-server/man/ipa-server-certinstall.1 -> install/tools/man/ipa-server-certinstall.1
renamed: ipa-server/man/ipa-server-install.1 -> install/tools/man/ipa-server-install.1
renamed: ipa-server/man/ipa_kpasswd.8 -> install/tools/man/ipa_kpasswd.8
renamed: ipa-server/man/ipa_webgui.8 -> install/tools/man/ipa_webgui.8
renamed: ipa-server/man/ipactl.8 -> install/tools/man/ipactl.8
renamed: ipa-server/ipa-install/updates/Makefile.am -> install/updates/Makefile.am
renamed: ipa-server/ipa-install/updates/RFC2307bis.update -> install/updates/RFC2307bis.update
renamed: ipa-server/ipa-install/updates/RFC4876.update -> install/updates/RFC4876.update
renamed: ipa-server/ipa-install/updates/indices.update -> install/updates/indices.update
renamed: ipa-server/ipa-install/updates/nss_ldap.update -> install/updates/nss_ldap.update
renamed: ipa-server/ipa-install/updates/replication.update -> install/updates/replication.update
renamed: ipa-server/ipa-install/updates/winsync_index.update -> install/updates/winsync_index.update
renamed: ipa-server/ipaserver/Makefile.am -> ipaserver/install/Makefile.am
renamed: ipa-server/ipaserver/__init__.py -> ipaserver/install/__init__.py
renamed: ipa-server/ipaserver/bindinstance.py -> ipaserver/install/bindinstance.py
renamed: ipa-server/ipaserver/certs.py -> ipaserver/install/certs.py
renamed: ipa-server/ipaserver/dsinstance.py -> ipaserver/install/dsinstance.py
renamed: ipa-server/ipaserver/httpinstance.py -> ipaserver/install/httpinstance.py
renamed: ipa-server/ipaserver/installutils.py -> ipaserver/install/installutils.py
renamed: ipa-server/ipaserver/ipaldap.py -> ipaserver/install/ipaldap.py
renamed: ipa-server/ipaserver/krbinstance.py -> ipaserver/install/krbinstance.py
renamed: ipa-server/ipaserver/ldapupdate.py -> ipaserver/install/ldapupdate.py
renamed: ipa-server/ipaserver/ntpinstance.py -> ipaserver/install/ntpinstance.py
renamed: ipa-server/ipaserver/replication.py -> ipaserver/install/replication.py
renamed: ipa-server/ipaserver/service.py -> ipaserver/install/service.py
renamed: ipa-server/selinux/Makefile -> selinux/Makefile
renamed: ipa-server/selinux/ipa-server-selinux.spec.in -> selinux/ipa-server-selinux.spec.in
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc -> selinux/ipa_kpasswd/ipa_kpasswd.fc
renamed: ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te -> selinux/ipa_kpasswd/ipa_kpasswd.te
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.fc -> selinux/ipa_webgui/ipa_webgui.fc
renamed: ipa-server/selinux/ipa_webgui/ipa_webgui.te -> selinux/ipa_webgui/ipa_webgui.te
renamed: ipa-server/version.m4.in -> version.m4.in
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 231 |
1 files changed, 231 insertions, 0 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
new file mode 100644
index 000000000..f5a903b30
--- /dev/null
+++ b/ipaserver/install/httpinstance.py
@@ -0,0 +1,231 @@
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import os
+import os.path
+import subprocess
+import string
+import tempfile
+import logging
+import pwd
+import fileinput
+import sys
+import shutil
+
+import service
+import certs
+import dsinstance
+import installutils
+from ipa import sysrestore
+from ipa import ipautil
+
+HTTPD_DIR = "/etc/httpd"
+SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
+NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
+NSS_DIR = HTTPD_DIR + "/alias"
+
+selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
+The web interface may not function correctly until this boolean is
+successfully change with the command:
+ /usr/sbin/setsebool -P httpd_can_network_connect true
+Try updating the policycoreutils and selinux-policy packages.
+"""
+
+class WebGuiInstance(service.SimpleServiceInstance):
+ def __init__(self):
+ service.SimpleServiceInstance.__init__(self, "ipa_webgui")
+
+class HTTPInstance(service.Service):
+ def __init__(self, fstore = None):
+ service.Service.__init__(self, "httpd")
+ if fstore:
+ self.fstore = fstore
+ else:
+ self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+
+ def create_instance(self, realm, fqdn, domain_name, autoconfig=True, pkcs12_info=None):
+ self.fqdn = fqdn
+ self.realm = realm
+ self.domain = domain_name
+ self.pkcs12_info = pkcs12_info
+ self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
+
+ self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
+ self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
+ self.step("Adding URL rewriting rules", self.__add_include)
+ self.step("configuring httpd", self.__configure_http)
+ self.step("creating a keytab for httpd", self.__create_http_keytab)
+ self.step("Setting up ssl", self.__setup_ssl)
+ if autoconfig:
+ self.step("Setting up browser autoconfig", self.__setup_autoconfig)
+ self.step("configuring SELinux for httpd", self.__selinux_config)
+ self.step("restarting httpd", self.__start)
+ self.step("configuring httpd to start on boot", self.__enable)
+
+ self.start_creation("Configuring the web interface")
+
+ def __start(self):
+ self.backup_state("running", self.is_running())
+ self.restart()
+
+ def __enable(self):
+ self.backup_state("enabled", self.is_running())
+ self.chkconfig_on()
+
+ def __selinux_config(self):
+ selinux=0
+ try:
+ if (os.path.exists('/usr/sbin/selinuxenabled')):
+ ipautil.run(["/usr/sbin/selinuxenabled"])
+ selinux=1
+ except ipautil.CalledProcessError:
+ # selinuxenabled returns 1 if not enabled
+ pass
+
+ if selinux:
+ try:
+ # returns e.g. "httpd_can_network_connect --> off"
+ (stdout, stderr) = ipautils.run(["/usr/sbin/getsebool",
+ "httpd_can_network_connect"])
+ self.backup_state("httpd_can_network_connect", stdout.split()[2])
+ except:
+ pass
+
+ # Allow apache to connect to the turbogears web gui
+ # This can still fail even if selinux is enabled
+ try:
+ ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+ except:
+ self.print_msg(selinux_warning)
+
+ def __create_http_keytab(self):
+ http_principal = "HTTP/" + self.fqdn + "@" + self.realm
+ installutils.kadmin_addprinc(http_principal)
+ installutils.create_keytab("/etc/httpd/conf/ipa.keytab", http_principal)
+
+ pent = pwd.getpwnam("apache")
+ os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
+
+ def __configure_http(self):
+ http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
+ self.fstore.backup_file("/etc/httpd/conf.d/ipa.conf")
+ http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
+ http_fd.write(http_txt)
+ http_fd.close()
+
+ http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
+ self.fstore.backup_file("/etc/httpd/conf.d/ipa-rewrite.conf")
+ http_fd = open("/etc/httpd/conf.d/ipa-rewrite.conf", "w")
+ http_fd.write(http_txt)
+ http_fd.close()
+
+ def __disable_mod_ssl(self):
+ if os.path.exists(SSL_CONF):
+ self.fstore.backup_file(SSL_CONF)
+ os.unlink(SSL_CONF)
+
+ def __set_mod_nss_port(self):
+ self.fstore.backup_file(NSS_CONF)
+ if installutils.update_file(NSS_CONF, '8443', '443') != 0:
+ print "Updating port in %s failed." % NSS_CONF
+
+ def __set_mod_nss_nickname(self, nickname):
+ installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+
+ def __add_include(self):
+ """This should run after __set_mod_nss_port so is already backed up"""
+ if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
+ print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF
+
+ def __setup_ssl(self):
+ ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm)))
+ ca = certs.CertDB(NSS_DIR)
+ if self.pkcs12_info:
+ ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
+ server_certs = ca.find_server_certs()
+ if len(server_certs) == 0:
+ raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_info[0])
+
+ # We only handle one server cert
+ nickname = server_certs[0][0]
+
+ self.__set_mod_nss_nickname(nickname)
+ else:
+ ca.create_from_cacert(ds_ca.cacert_fname)
+ ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
+ ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
+
+ # Fix the database permissions
+ os.chmod(NSS_DIR + "/cert8.db", 0640)
+ os.chmod(NSS_DIR + "/key3.db", 0640)
+ os.chmod(NSS_DIR + "/secmod.db", 0640)
+
+ pent = pwd.getpwnam("apache")
+ os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+ os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
+ os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+
+ def __setup_autoconfig(self):
+ prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
+ prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+ prefs_fd.write(prefs_txt)
+ prefs_fd.close()
+
+ # The signing cert is generated in __setup_ssl
+ ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm)))
+ ca = certs.CertDB(NSS_DIR)
+
+ # Publish the CA certificate
+ shutil.copy(ds_ca.cacert_fname, "/usr/share/ipa/html/ca.crt")
+ os.chmod("/usr/share/ipa/html/ca.crt", 0444)
+
+ tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
+ ca.run_signtool(["-k", "Signing-Cert",
+ "-Z", "/usr/share/ipa/html/configure.jar",
+ "-e", ".html",
+ tmpdir])
+ shutil.rmtree(tmpdir)
+
+ def uninstall(self):
+ running = self.restore_state("running")
+ enabled = self.restore_state("enabled")
+
+ if not running is None:
+ self.stop()
+
+ if not enabled is None and not enabled:
+ self.chkconfig_off()
+
+ for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]:
+ try:
+ self.fstore.restore_file(f)
+ except ValueError, error:
+ logging.debug(error)
+ pass
+
+ sebool_state = self.restore_state("httpd_can_network_connect")
+ if not sebool_state is None:
+ try:
+ ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state])
+ except:
+ self.print_msg(selinux_warning)
+
+ if not running is None and running:
+ self.start()
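Review bot: `__selinux_config` calls `ipautils.run` while the module is imported as `ipautil`, so the getsebool read raises NameError, the bare `except: pass` around it swallows that, and the previous `httpd_can_network_connect` value is never saved with `backup_state`; `uninstall` therefore finds no stored state and the boolean set persistently with `setsebool -P` outlives the IPA installation. Change the line to `(stdout, stderr) = ipautil.run(["/usr/sbin/getsebool",` and narrow that handler to `except ipautil.CalledProcessError:` so only a failed command is tolerated rather than every error. In `__setup_ssl` the `raise RuntimeError("..." % pkcs12_info[0])` references an undefined name and should read `self.pkcs12_info[0]`, otherwise the intended message is replaced by a NameError. `uninstall` restores `/etc/httpd/conf.d/ipa.conf`, `SSL_CONF` and `NSS_CONF` but not `/etc/httpd/conf.d/ipa-rewrite.conf`, which `__configure_http` backs up with `backup_file`, so that file is left behind after removal.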