author | Rob Crittenden <rcritten@redhat.com> | 2009-09-14 17:04:08 -0400 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-09-24 17:45:49 -0600 |
commit | d0587cbdd5bc5e07a6e8519deb07adaace643740 (patch) | |
tree | aa6b96e33337a809687ab025ec4d2a392ca757f0 /ipaserver/plugins/join.py | |
parent | 4f4d57cd30ac7169e18a8e2e22e62d8bdda083c4 (diff) | |
download | freeipa-d0587cbdd5bc5e07a6e8519deb07adaace643740.tar.gz freeipa-d0587cbdd5bc5e07a6e8519deb07adaace643740.tar.xz freeipa-d0587cbdd5bc5e07a6e8519deb07adaace643740.zip |
Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no Kerberos credentials are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
Diffstat (limited to 'ipaserver/plugins/join.py')
-rw-r--r-- | ipaserver/plugins/join.py | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py
new file mode 100644
index 000000000..b63000d89
--- /dev/null
+++ b/ipaserver/plugins/join.py
@@ -0,0 +1,120 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+"""
+Joining an IPA domain
+"""
+
+from ipalib import api, util
+from ipalib import Command, Str, Int
+from ipalib import errors
+import krbV
+import os, subprocess
+from ipapython import ipautil
+import tempfile
+import sha
+import stat
+import shutil
+
+def get_realm():
+ krbctx = krbV.default_context()
+
+ return unicode(krbctx.default_realm)
+
+def validate_host(ugettext, cn):
+ """
+ Require at least one dot in the hostname (to support localhost.localdomain)
+ """
+ dots = len(cn.split('.'))
+ if dots < 2:
+ return 'Fully-qualified hostname required'
+ return None
+
+class join(Command):
+ """Join an IPA domain"""
+
+ requires_root = True
+
+ takes_args = (
+ Str('cn',
+ validate_host,
+ cli_name='hostname',
+ doc="The hostname to register as",
+ create_default=lambda **kw: unicode(util.get_fqdn()),
+ autofill=True,
+ #normalizer=lamda value: value.lower(),
+ ),
+ )
+ takes_options= (
+ Str('realm',
+ doc="The IPA realm",
+ create_default=lambda **kw: get_realm(),
+ autofill=True,
+ ),
+ Str('nshardwareplatform?',
+ cli_name='platform',
+ doc='Hardware platform of the host (e.g. Lenovo T61)',
+ ),
+ Str('nsosversion?',
+ cli_name='os',
+ doc='Operating System and version of the host (e.g. Fedora 9)',
+ ),
+ )
+
+ def execute(self, hostname, **kw):
+ """
+ Execute the machine join operation.
+
+ Returns the entry as it will be created in LDAP.
+
+ :param hostname: The name of the host joined
+ :param kw: Keyword arguments for the other attributes.
+ """
+ assert 'cn' not in kw
+ ldap = self.api.Backend.ldap2
+
+ host = None
+ try:
+ # First see if the host exists
+ kw = {'fqdn': hostname, 'all': True}
+ (dn, attrs_list) = api.Command['host_show'](**kw)
+
+ # If no principal name is set yet we need to try to add
+ # one.
+ if 'krbprincipalname' not in attrs_list:
+ service = "host/%s@%s" % (hostname, api.env.realm)
+ (d, a) = api.Command['host_mod'](hostname, krbprincipalname=service)
+
+ # It exists, can we write the password attributes?
+ allowed = ldap.can_write(dn, 'krblastpwdchange')
+ if not allowed:
+ raise errors.ACIError(info="Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry '%s'." % dn)
+
+ kw = {'fqdn': hostname, 'all': True}
+ (dn, attrs_list) = api.Command['host_show'](**kw)
+ except errors.NotFound:
+ (dn, attrs_list) = api.Command['host_add'](hostname)
+
+ return (dn, attrs_list)
+
+ def output_for_cli(self, textui, result, args, **options):
+ textui.print_plain("Welcome to the %s realm" % options['realm'])
+ textui.print_plain("Your keytab is in %s" % result.get('keytab'))
+
+api.register(join) |
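Review bot: The hostname is never case-normalized before it is embedded in the Kerberos principal at `service = "host/%s@%s" % (hostname, api.env.realm)` — the intended normalizer is commented out with a typo (`#normalizer=lamda value: value.lower(),`), so `HOST.example.com` and `host.example.com` would produce distinct, case-sensitive principals for what is presumably the same machine; enabling `normalizer=lambda value: value.lower(),` on the `cn` argument closes that gap. `validate_host` also only counts dot-separated parts, so names like `.example` or `host.` pass as fully qualified; a guard such as `if not cn or '' in cn.split('.'):` before the dot count would reject empty labels. Separately, `execute` rebinds `kw` to `{'fqdn': hostname, 'all': True}` before ever reading the caller's keywords, so the declared `nshardwareplatform`/`nsosversion` options are accepted but silently dropped and `host_add(hostname)` never receives them, and `output_for_cli` calls `result.get('keytab')` on the `(dn, attrs_list)` tuple that `execute` returns, which would raise AttributeError unless the Command base class reshapes the result. The `assert 'cn' not in kw` guard is stripped under `python -O` and should be a real check that raises, e.g. `if 'cn' in kw: raise errors.ValidationError(name='cn', error='unexpected keyword')`, if the framework's error types allow it.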