diff options
author | Rob Crittenden <rcritten@redhat.com> | 2009-12-07 23:17:00 -0500 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-12-11 23:06:08 -0700 |
commit | 766b534da0c3a1ed09fe187323eaae0440eb7784 (patch) | |
tree | 8eebfdf577f4d64da9fbaa2fea3d5c955514bca7 /ipaserver/install/service.py | |
parent | 7105a0c0d62583384c6a2d20bc508e35bd227347 (diff) | |
download | freeipa-766b534da0c3a1ed09fe187323eaae0440eb7784.tar.gz freeipa-766b534da0c3a1ed09fe187323eaae0440eb7784.tar.xz freeipa-766b534da0c3a1ed09fe187323eaae0440eb7784.zip |
Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
Diffstat (limited to 'ipaserver/install/service.py')
-rw-r--r-- | ipaserver/install/service.py | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 758688982..5e2eb63dc 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -22,6 +22,10 @@ import os import tempfile from ipapython import sysrestore from ipapython import ipautil +from ipalib import uuid, errors +import ldap +from ipaserver import ipaldap +import base64 def stop(service_name, instance_name=""): @@ -98,6 +102,7 @@ class Service: path = ipautil.SHARE_DIR + ldif if sub_dict is not None: + sub_dict['UUID'] = str(uuid.uuid1()) txt = ipautil.template_file(path, sub_dict) fd = ipautil.write_tmp_file(txt) path = fd.name @@ -120,6 +125,61 @@ class Service: if fd is not None: fd.close() + def move_service(self, principal): + """ + Used to move a principal entry created by kadmin.local from + cn=kerberos to cn=services + """ + dn = "krbprincipalname=%s,cn=%s,cn=kerberos,%s" % (principal, self.realm, self.suffix) + try: + conn = ipaldap.IPAdmin("127.0.0.1") + conn.simple_bind_s("cn=directory manager", self.dm_password) + except Exception, e: + logging.critical("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e))) + raise e + try: + entry = conn.getEntry(dn, ldap.SCOPE_BASE) + except errors.NotFound: + # There is no service in the wrong location, nothing to do. + # This can happen when installing a replica + conn.unbind() + return + newdn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix) + conn.deleteEntry(dn) + entry.dn = newdn + classes = entry.getValues("objectclass") + classes = classes + ["ipaobject", "ipaservice", "pkiuser"] + entry.setValues("objectclass", list(set(classes))) + entry.setValue("ipauniqueid", str(uuid.uuid1())) + conn.addEntry(entry) + conn.unbind() + return newdn + + def add_cert_to_service(self): + """ + Add a certificate to a service + + This should be passed in DER format but we'll be nice and convert + a base64-encoded cert if needed. + """ + try: + self.dercert = base64.b64decode(self.dercert) + except Exception: + pass + dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix) + try: + conn = ipaldap.IPAdmin("127.0.0.1") + conn.simple_bind_s("cn=directory manager", self.dm_password) + except Exception, e: + logging.critical("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e))) + raise e + mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)] + try: + conn.modify_s(dn, mod) + except Exception, e: + logging.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e))) + conn.unbind() + def set_output(self, fd): self.output_fd = fd |