author | Simo Sorce <ssorce@redhat.com> | 2010-10-13 12:21:48 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-10-14 14:10:32 -0400 |
commit | 7a14767f1a6f11001bc45a3bf1a80de33eac4cd2 (patch) | |
tree | a0ea1acab10eb7ad45b21543c4547119f122bef9 /ipaserver/install | |
parent | 2e17649aae1b5586c39853b8f745631124c85104 (diff) | |
dsinstance: avoid exposing passwords when invoking ldappaswd
Pass passwords to ldappasswd by using files.
Replace use of mozldap's ldappasswd with openldap's one.
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/dsinstance.py | 42 |
1 files changed, 29 insertions, 13 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c79032d5..49762ede3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -27,6 +27,7 @@ import sys
 import os
 import re
 import time
+import tempfile
 from ipapython import ipautil
@@ -43,6 +44,7 @@ from ipaserver.plugins.ldap2 import ldap2
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
+CACERT="/usr/share/ipa/html/ca.crt"
 def find_server_root():
 if ipautil.dir_exists(SERVER_ROOT_64):
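Review bot: The new `CACERT` constant is written without spaces around `=`, unlike the `SERVER_ROOT_64`/`SERVER_ROOT_32` constants directly above it; `CACERT = "/usr/share/ipa/html/ca.crt"`. Since its only use is in a different hunk, a one-line comment would help the reader: `# CA certificate passed to ldappasswd through LDAPTLS_CACERT so the directory server's TLS certificate can be verified`.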
@@ -465,20 +467,34 @@ class DsInstance(service.Service):
 def change_admin_password(self, password):
 logging.debug("Changing admin password")
 dirname = config_dirname(self.serverid)
- if ipautil.dir_exists("/usr/lib64/mozldap"):
- app = "/usr/lib64/mozldap/ldappasswd"
- else:
- app = "/usr/lib/mozldap/ldappasswd"
- args = [app,
- "-D", "cn=Directory Manager", "-w", self.dm_password,
- "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
- "uid=admin,cn=users,cn=accounts,"+self.suffix]
+ dmpwdfile = ""
+ admpwdfile = ""
+
 try:
- ipautil.run(args)
- logging.debug("ldappasswd done")
- except ipautil.CalledProcessError, e:
- print "Unable to set admin password", e
- logging.debug("Unable to set admin password %s" % e)
+ (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+ os.write(dmpwdfd, self.dm_password)
+ os.close(dmpwdfd)
+
+ (admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+ os.write(admpwdfd, password)
+ os.close(admpwdfd)
+
+ args = ["/usr/bin/ldappasswd",
+ "-ZZ", "-x", "-D", "cn=Directory Manager",
+ "-y", dmpwdfile, "-T", admpwdfile,
+ "uid=admin,cn=users,cn=accounts,"+self.suffix]
+ try:
+ ipautil.run(args, env = { 'LDAPTLS_CACERT':CACERT })
+ logging.debug("ldappasswd done")
+ except ipautil.CalledProcessError, e:
+ print "Unable to set admin password", e
+ logging.debug("Unable to set admin password %s" % e)
+
+ finally:
+ if os.path.isfile(dmpwdfile):
+ os.remove(dmpwdfile)
+ if os.path.isfile(admpwdfile):
+ os.remove(admpwdfile)
 def uninstall(self):
 if self.is_configured(): |
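Review bot: `dirname = config_dirname(self.serverid)` at the top of change_admin_password is now dead code, because its only consumer was the removed `-P dirname+"/cert8.db"` argument; the assignment should be dropped with it. The two `os.write` calls intentionally write no trailing newline and that deserves a comment, since `-y` and `-T` make ldappasswd use the complete file contents as the password: `# ldappasswd -y/-T use the whole file as the password, so write it without a trailing newline`. `mkstemp` creates both files with mode 0600, which is what keeps the Directory Manager and admin passwords from other local users while the files exist, and the `finally` block removes them on every path including a failure inside the inner try; the return value of `os.write` (a possibly short count) is not checked, though. If `ipautil.run`'s `env` argument replaces the whole environment instead of extending it, the absolute `/usr/bin/ldappasswd` path is what keeps the call working — worth confirming against ipautil. The `uninstall` method at the end of the hunk continues outside it.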