summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2011-01-28 15:45:19 -0500
committerSimo Sorce <ssorce@redhat.com>2011-01-31 16:35:53 -0500
commitcc9abf5d38c0030bb4dad0e204c16c9c9bae27c0 (patch)
tree820bafdf43ca8f6de5066bae8090b8b64327455d /ipaserver
parenta629f3f4c7ea05973ae755e70d650f964131fae3 (diff)
downloadfreeipa-cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0.zip
freeipa-cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0.tar.gz
freeipa-cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0.tar.xz
Use a common group for all DS instances
Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py62
-rw-r--r--ipaserver/install/dsinstance.py43
-rw-r--r--ipaserver/install/krbinstance.py18
3 files changed, 58 insertions, 65 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dfe036d..8aa1d44 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -53,6 +53,9 @@ from ipalib import util
DEFAULT_DSPORT=7389
+PKI_USER = "pkiuser"
+PKI_DS_USER = "pkisrv"
+
# These values come from /usr/share/pki/ca/setup/postinstall
PKI_INSTANCE_NAME="pki-ca"
AGENT_SECURE_PORT=9443
@@ -219,7 +222,6 @@ class CADSInstance(service.Service):
self.serverid = None
self.host_name = None
self.pkcs12_info = None
- self.ds_user = None
self.ds_port = None
self.master_host = None
if realm_name:
@@ -228,8 +230,8 @@ class CADSInstance(service.Service):
else:
self.suffix = None
- def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT):
- self.ds_user = ds_user
+ def create_instance(self, realm_name, host_name, domain_name,
+ dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT):
self.ds_port = ds_port
self.realm_name = realm_name.upper()
self.serverid = "PKI-IPA"
@@ -250,26 +252,29 @@ class CADSInstance(service.Service):
server_root = dsinstance.find_server_root()
self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(),
- REALM=self.realm_name, USER=self.ds_user,
+ REALM=self.realm_name, USER=PKI_DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
TIME=int(time.time()), DSPORT=self.ds_port)
def __create_ds_user(self):
user_exists = True
try:
- pwd.getpwnam(self.ds_user)
- logging.debug("ds user %s exists" % self.ds_user)
+ pwd.getpwnam(PKI_DS_USER)
+ logging.debug("ds user %s exists" % PKI_DS_USER)
except KeyError:
user_exists = False
- logging.debug("adding ds user %s" % self.ds_user)
- args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
+ logging.debug("adding ds user %s" % PKI_DS_USER)
+ args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
+ "-c", "PKI DS System User",
+ "-d", "/var/lib/dirsrv",
+ "-s", "/sbin/nologin",
+ "-M", "-r", PKI_DS_USER]
try:
ipautil.run(args)
logging.debug("done adding user")
except ipautil.CalledProcessError, e:
logging.critical("failed to add user %s" % e)
- self.backup_state("user", self.ds_user)
self.backup_state("user_exists", user_exists)
def __create_instance(self):
@@ -328,17 +333,15 @@ class CADSInstance(service.Service):
dsinstance.erase_ds_instance_data(serverid)
self.service_name="pkids"
- ds_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
- if not ds_user is None and not user_exists is None and not user_exists:
+ if user_exists == False:
try:
- ipautil.run(["/usr/sbin/userdel", ds_user])
+ ipautil.run(["/usr/sbin/userdel", PKI_DS_USER])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete user %s" % e)
self.service_name = sav_name
-
class CAInstance(service.Service):
"""
In the self-signed case the CA exists in the NSS_DB database.
@@ -360,7 +363,6 @@ class CAInstance(service.Service):
def __init__(self, realm, ra_db):
service.Service.__init__(self, "pki-cad")
self.realm = realm
- self.pki_user = "pkiuser"
self.dm_password = None
self.admin_password = None
self.host_name = None
@@ -389,7 +391,7 @@ class CAInstance(service.Service):
def __del__(self):
shutil.rmtree(self.ca_agent_db, ignore_errors=True)
- def configure_instance(self, pki_user, host_name, dm_password,
+ def configure_instance(self, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
@@ -404,7 +406,6 @@ class CAInstance(service.Service):
chain and actually proceed to create the CA. For step 1 set
csr_file. For step 2 set cert_file and cert_chain_file.
"""
- self.pki_user = pki_user
self.host_name = host_name
self.dm_password = dm_password
self.admin_password = admin_password
@@ -484,19 +485,21 @@ class CAInstance(service.Service):
def __create_ca_user(self):
user_exists = True
try:
- pwd.getpwnam(self.pki_user)
- logging.debug("ca user %s exists" % self.pki_user)
+ pwd.getpwnam(PKI_USER)
+ logging.debug("ca user %s exists" % PKI_USER)
except KeyError:
user_exists = False
- logging.debug("adding ca user %s" % self.pki_user)
- args = ["/usr/sbin/useradd", "-c", "CA System User", "-d", "/var/lib", "-M", "-r", "-s", "/sbin/nologin", self.pki_user]
+ logging.debug("adding ca user %s" % PKI_USER)
+ args = ["/usr/sbin/useradd", "-c", "CA System User",
+ "-d", "/var/lib",
+ "-s", "/sbin/nologin",
+ "-M", "-r", PKI_USER]
try:
ipautil.run(args)
logging.debug("done adding user")
except ipautil.CalledProcessError, e:
logging.critical("failed to add user %s" % e)
- self.backup_state("user", self.pki_user)
self.backup_state("user_exists", user_exists)
def __configure_instance(self):
@@ -558,7 +561,7 @@ class CAInstance(service.Service):
# The install wizard expects the file to be here.
cafile = self.pkcs12_info[0]
shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12")
- pent = pwd.getpwnam(self.pki_user)
+ pent = pwd.getpwnam(PKI_USER)
os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid )
args.append("-clone")
args.append("true")
@@ -615,7 +618,7 @@ class CAInstance(service.Service):
# Turn off Nonces (again)
if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(self.pki_user)
+ pent = pwd.getpwnam(PKI_USER)
os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
@@ -934,8 +937,8 @@ class CAInstance(service.Service):
publishdir='/var/lib/pki-ca/publish'
os.mkdir(publishdir)
os.chmod(publishdir, 0755)
- pent = pwd.getpwnam(self.pki_user)
- os.chown(publishdir, pent.pw_uid, pent.pw_gid )
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown(publishdir, pent.pw_uid, pent.pw_gid)
# Enable file publishing, disable LDAP
installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
@@ -994,11 +997,10 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
logging.critical("failed to uninstall CA instance %s" % e)
- pki_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
- if not pki_user is None and not user_exists is None and not user_exists:
+ if user_exists == False:
try:
- ipautil.run(["/usr/sbin/userdel", pki_user])
+ ipautil.run(["/usr/sbin/userdel", PKI_USER])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete user %s" % e)
@@ -1013,6 +1015,6 @@ class CAInstance(service.Service):
if __name__ == "__main__":
installutils.standard_logging_setup("install.log", False)
cs = CADSInstance()
- cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
+ cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password")
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
- ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
+ ca.configure_instance("catest.example.com", "password", "password")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2995052..0a33697 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -21,7 +21,6 @@
import shutil
import logging
import pwd
-import grp
import glob
import sys
import os
@@ -48,6 +47,9 @@ SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
CACERT="/etc/ipa/ca.crt"
+DS_USER = 'dirsrv'
+DS_GROUP = 'dirsrv'
+
def find_server_root():
if ipautil.dir_exists(SERVER_ROOT_64):
return SERVER_ROOT_64
@@ -176,7 +178,6 @@ class DsInstance(service.Service):
self.serverid = None
self.fqdn = None
self.pkcs12_info = None
- self.ds_user = None
self.dercert = None
self.idstart = None
self.idmax = None
@@ -223,11 +224,10 @@ class DsInstance(service.Service):
self.step("configuring directory to start on boot", self.__enable)
- def create_instance(self, ds_user, realm_name, fqdn, domain_name,
+ def create_instance(self, realm_name, fqdn, domain_name,
dm_password, pkcs12_info=None, self_signed_ca=False,
idstart=1100, idmax=999999, subject_base=None,
hbac_allow=True):
- self.ds_user = ds_user
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = util.realm_to_suffix(self.realm_name)
@@ -256,9 +256,8 @@ class DsInstance(service.Service):
self.start_creation("Configuring directory server", 60)
- def create_replica(self, ds_user, realm_name, master_fqdn, fqdn,
+ def create_replica(self, realm_name, master_fqdn, fqdn,
domain_name, dm_password, pkcs12_info=None):
- self.ds_user = ds_user
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = util.realm_to_suffix(self.realm_name)
@@ -309,7 +308,7 @@ class DsInstance(service.Service):
self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
PASSWORD=self.dm_password,
SUFFIX=self.suffix.lower(),
- REALM=self.realm_name, USER=self.ds_user,
+ REALM=self.realm_name, USER=DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
TIME=int(time.time()), IDSTART=self.idstart,
IDMAX=self.idmax, HOST=self.fqdn,
@@ -319,27 +318,22 @@ class DsInstance(service.Service):
def __create_ds_user(self):
user_exists = True
try:
- pwd.getpwnam(self.ds_user)
- logging.debug("ds user %s exists" % self.ds_user)
+ pwd.getpwnam(DS_USER)
+ logging.debug("ds user %s exists" % DS_USER)
except KeyError:
user_exists = False
- logging.debug("adding ds user %s" % self.ds_user)
- args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
- try:
- # if the group already exists we need to request to add it,
- # otherwise useradd will create it for us
- grp.getgrnam(self.ds_user)
- args.append("-g")
- args.append(self.ds_user)
- except KeyError:
- pass
+ logging.debug("adding ds user %s" % DS_USER)
+ args = ["/usr/sbin/useradd", "-g", DS_GROUP,
+ "-c", "DS System User",
+ "-d", "/var/lib/dirsrv",
+ "-s", "/sbin/nologin",
+ "-M", "-r", DS_USER]
try:
ipautil.run(args)
logging.debug("done adding user")
except ipautil.CalledProcessError, e:
logging.critical("failed to add user %s" % e)
- self.backup_state("user", self.ds_user)
self.backup_state("user_exists", user_exists)
def __create_instance(self):
@@ -617,12 +611,11 @@ class DsInstance(service.Service):
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
- ds_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
- if not ds_user is None and not user_exists is None and not user_exists:
+ if user_exists == False:
try:
- ipautil.run(["/usr/sbin/userdel", ds_user])
+ ipautil.run(["/usr/sbin/userdel", DS_USER])
except ipautil.CalledProcessError, e:
logging.critical("failed to delete user %s" % e)
@@ -686,7 +679,7 @@ class DsInstance(service.Service):
fd.close()
for line in lines:
sline = line.strip()
- if not sline.startswith(self.ds_user):
+ if not sline.startswith(DS_USER):
continue
if sline.find('nofile') == -1:
continue
@@ -711,7 +704,7 @@ class DsInstance(service.Service):
if need_sysconf and need_limits:
self.fstore.backup_file("/etc/security/limits.conf")
fd = open("/etc/security/limits.conf", "a+")
- fd.write('%s\t\t-\tnofile\t\t%s\n' % (self.ds_user, str(num)))
+ fd.write('%s\t\t-\tnofile\t\t%s\n' % (DS_USER, str(num)))
fd.close()
fd = open("/etc/sysconfig/dirsrv", "a+")
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 9f70679..86804ce 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -35,7 +35,7 @@ from ipalib import errors
from ipaserver import ipaldap
from ipaserver.install import replication
-from ipaserver.install.dsinstance import realm_to_serverid
+from ipaserver.install import dsinstance
import ldap
from ldap import LDAPError
@@ -78,7 +78,6 @@ class KpasswdInstance(service.SimpleServiceInstance):
class KrbInstance(service.Service):
def __init__(self, fstore=None):
service.Service.__init__(self, "krb5kdc")
- self.ds_user = None
self.fqdn = None
self.realm = None
self.domain = None
@@ -124,8 +123,7 @@ class KrbInstance(service.Service):
host_entry.setValue('managedby', host_dn)
self.admin_conn.addEntry(host_entry)
- def __common_setup(self, ds_user, realm_name, host_name, domain_name, admin_password):
- self.ds_user = ds_user
+ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
self.fqdn = host_name
self.realm = realm_name.upper()
self.host = host_name.split(".")[0]
@@ -152,13 +150,13 @@ class KrbInstance(service.Service):
self.step("starting the KDC", self.__start_instance)
self.step("configuring KDC to start on boot", self.__enable)
- def create_instance(self, ds_user, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
+ def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
self.master_password = master_password
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.subject_base = subject_base
- self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
+ self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("setting KDC account password", self.__configure_kdc_account_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
@@ -183,7 +181,7 @@ class KrbInstance(service.Service):
self.kpasswd = KpasswdInstance()
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
- def create_replica(self, ds_user, realm_name,
+ def create_replica(self, realm_name,
master_fqdn, host_name,
domain_name, admin_password,
ldap_passwd_filename, kpasswd_filename,
@@ -196,7 +194,7 @@ class KrbInstance(service.Service):
self.__copy_kpasswd_keytab(kpasswd_filename)
self.master_fqdn = master_fqdn
- self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
+ self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("writing stash file from DS", self.__write_stash_from_ds)
@@ -256,7 +254,7 @@ class KrbInstance(service.Service):
SUFFIX=self.suffix,
DOMAIN=self.domain,
HOST=self.host,
- SERVER_ID=realm_to_serverid(self.realm),
+ SERVER_ID=dsinstance.realm_to_serverid(self.realm),
REALM=self.realm)
def __configure_sasl_mappings(self):
@@ -492,7 +490,7 @@ class KrbInstance(service.Service):
installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
- pent = pwd.getpwnam(self.ds_user)
+ pent = pwd.getpwnam(dsinstance.DS_USER)
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
def __create_host_keytab(self):