Make the IPA server host and its services "real" IPA entries

We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.

1 files changed, 60 insertions, 0 deletions

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 758688982..5e2eb63dc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -22,6 +22,10 @@ import os
 import tempfile
 from ipapython import sysrestore
 from ipapython import ipautil
+from ipalib import uuid, errors
+import ldap
+from ipaserver import ipaldap
+import base64
 
 
 def stop(service_name, instance_name=""):
@@ -98,6 +102,7 @@ class Service:
         path = ipautil.SHARE_DIR + ldif
 
         if sub_dict is not None:
+            sub_dict['UUID'] = str(uuid.uuid1())
             txt = ipautil.template_file(path, sub_dict)
             fd = ipautil.write_tmp_file(txt)
             path = fd.name
@@ -120,6 +125,61 @@ class Service:
         if fd is not None:
             fd.close()
 
+    def move_service(self, principal):
+        """
+        Used to move a principal entry created by kadmin.local from
+        cn=kerberos to cn=services
+        """
+        dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (principal, self.realm, self.suffix)
+        try:
+            conn = ipaldap.IPAdmin("127.0.0.1")
+            conn.simple_bind_s("cn=directory manager", self.dm_password)
+        except Exception, e:
+            logging.critical("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e)))
+            raise e
+        try:
+            entry = conn.getEntry(dn, ldap.SCOPE_BASE)
+        except errors.NotFound:
+            # There is no service in the wrong location, nothing to do.
+            # This can happen when installing a replica
+            conn.unbind()
+            return
+        newdn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix)
+        conn.deleteEntry(dn)
+        entry.dn = newdn
+        classes = entry.getValues("objectclass")
+        classes = classes + ["ipaobject", "ipaservice", "pkiuser"]
+        entry.setValues("objectclass", list(set(classes)))
+        entry.setValue("ipauniqueid", str(uuid.uuid1()))
+        conn.addEntry(entry)
+        conn.unbind()
+        return newdn
+
+    def add_cert_to_service(self):
+        """
+        Add a certificate to a service
+
+        This should be passed in DER format but we'll be nice and convert
+        a base64-encoded cert if needed.
+        """
+        try:
+            self.dercert = base64.b64decode(self.dercert)
+        except Exception:
+            pass
+        dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix)
+        try:
+            conn = ipaldap.IPAdmin("127.0.0.1")
+            conn.simple_bind_s("cn=directory manager", self.dm_password)
+        except Exception, e:
+            logging.critical("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e)))
+            raise e
+        mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)]
+        try:
+            conn.modify_s(dn, mod)
+        except Exception, e:
+            logging.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
+        conn.unbind()
+
     def set_output(self, fd):
         self.output_fd = fd