diff options
| author | Simo Sorce <ssorce@redhat.com> | 2011-01-28 15:45:19 -0500 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2011-01-31 16:35:53 -0500 |
| commit | cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0 (patch) | |
| tree | 820bafdf43ca8f6de5066bae8090b8b64327455d /ipaserver | |
| parent | a629f3f4c7ea05973ae755e70d650f964131fae3 (diff) | |
| download | freeipa-cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0.tar.gz freeipa-cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0.tar.xz freeipa-cc9abf5d38c0030bb4dad0e204c16c9c9bae27c0.zip | |
Use a common group for all DS instances
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/install/cainstance.py | 62 | ||||
| -rw-r--r-- | ipaserver/install/dsinstance.py | 43 | ||||
| -rw-r--r-- | ipaserver/install/krbinstance.py | 18 |
3 files changed, 58 insertions, 65 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index dfe036dd7..8aa1d4477 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -53,6 +53,9 @@ from ipalib import util DEFAULT_DSPORT=7389 +PKI_USER = "pkiuser" +PKI_DS_USER = "pkisrv" + # These values come from /usr/share/pki/ca/setup/postinstall PKI_INSTANCE_NAME="pki-ca" AGENT_SECURE_PORT=9443 @@ -219,7 +222,6 @@ class CADSInstance(service.Service): self.serverid = None self.host_name = None self.pkcs12_info = None - self.ds_user = None self.ds_port = None self.master_host = None if realm_name: @@ -228,8 +230,8 @@ class CADSInstance(service.Service): else: self.suffix = None - def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT): - self.ds_user = ds_user + def create_instance(self, realm_name, host_name, domain_name, + dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT): self.ds_port = ds_port self.realm_name = realm_name.upper() self.serverid = "PKI-IPA" @@ -250,26 +252,29 @@ class CADSInstance(service.Service): server_root = dsinstance.find_server_root() self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(), - REALM=self.realm_name, USER=self.ds_user, + REALM=self.realm_name, USER=PKI_DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, TIME=int(time.time()), DSPORT=self.ds_port) def __create_ds_user(self): user_exists = True try: - pwd.getpwnam(self.ds_user) - logging.debug("ds user %s exists" % self.ds_user) + pwd.getpwnam(PKI_DS_USER) + logging.debug("ds user %s exists" % PKI_DS_USER) except KeyError: user_exists = False - logging.debug("adding ds user %s" % self.ds_user) - args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] + logging.debug("adding ds user %s" % PKI_DS_USER) + args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP, + "-c", "PKI DS System User", + "-d", "/var/lib/dirsrv", + "-s", "/sbin/nologin", + "-M", "-r", PKI_DS_USER] try: ipautil.run(args) logging.debug("done adding user") except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) - self.backup_state("user", self.ds_user) self.backup_state("user_exists", user_exists) def __create_instance(self): @@ -328,17 +333,15 @@ class CADSInstance(service.Service): dsinstance.erase_ds_instance_data(serverid) self.service_name="pkids" - ds_user = self.restore_state("user") user_exists = self.restore_state("user_exists") - if not ds_user is None and not user_exists is None and not user_exists: + if user_exists == False: try: - ipautil.run(["/usr/sbin/userdel", ds_user]) + ipautil.run(["/usr/sbin/userdel", PKI_DS_USER]) except ipautil.CalledProcessError, e: logging.critical("failed to delete user %s" % e) self.service_name = sav_name - class CAInstance(service.Service): """ In the self-signed case the CA exists in the NSS_DB database. @@ -360,7 +363,6 @@ class CAInstance(service.Service): def __init__(self, realm, ra_db): service.Service.__init__(self, "pki-cad") self.realm = realm - self.pki_user = "pkiuser" self.dm_password = None self.admin_password = None self.host_name = None @@ -389,7 +391,7 @@ class CAInstance(service.Service): def __del__(self): shutil.rmtree(self.ca_agent_db, ignore_errors=True) - def configure_instance(self, pki_user, host_name, dm_password, + def configure_instance(self, host_name, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, @@ -404,7 +406,6 @@ class CAInstance(service.Service): chain and actually proceed to create the CA. For step 1 set csr_file. For step 2 set cert_file and cert_chain_file. """ - self.pki_user = pki_user self.host_name = host_name self.dm_password = dm_password self.admin_password = admin_password @@ -484,19 +485,21 @@ class CAInstance(service.Service): def __create_ca_user(self): user_exists = True try: - pwd.getpwnam(self.pki_user) - logging.debug("ca user %s exists" % self.pki_user) + pwd.getpwnam(PKI_USER) + logging.debug("ca user %s exists" % PKI_USER) except KeyError: user_exists = False - logging.debug("adding ca user %s" % self.pki_user) - args = ["/usr/sbin/useradd", "-c", "CA System User", "-d", "/var/lib", "-M", "-r", "-s", "/sbin/nologin", self.pki_user] + logging.debug("adding ca user %s" % PKI_USER) + args = ["/usr/sbin/useradd", "-c", "CA System User", + "-d", "/var/lib", + "-s", "/sbin/nologin", + "-M", "-r", PKI_USER] try: ipautil.run(args) logging.debug("done adding user") except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) - self.backup_state("user", self.pki_user) self.backup_state("user_exists", user_exists) def __configure_instance(self): @@ -558,7 +561,7 @@ class CAInstance(service.Service): # The install wizard expects the file to be here. cafile = self.pkcs12_info[0] shutil.copy(cafile, "/var/lib/pki-ca/alias/ca.p12") - pent = pwd.getpwnam(self.pki_user) + pent = pwd.getpwnam(PKI_USER) os.chown("/var/lib/pki-ca/alias/ca.p12", pent.pw_uid, pent.pw_gid ) args.append("-clone") args.append("true") @@ -615,7 +618,7 @@ class CAInstance(service.Service): # Turn off Nonces (again) if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0: raise RuntimeError("Disabling nonces failed") - pent = pwd.getpwnam(self.pki_user) + pent = pwd.getpwnam(PKI_USER) os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid ) # pkisilent makes a copy of the CA PKCS#12 file for us but gives @@ -934,8 +937,8 @@ class CAInstance(service.Service): publishdir='/var/lib/pki-ca/publish' os.mkdir(publishdir) os.chmod(publishdir, 0755) - pent = pwd.getpwnam(self.pki_user) - os.chown(publishdir, pent.pw_uid, pent.pw_gid ) + pent = pwd.getpwnam(PKI_USER) + os.chown(publishdir, pent.pw_uid, pent.pw_gid) # Enable file publishing, disable LDAP installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=') @@ -994,11 +997,10 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: logging.critical("failed to uninstall CA instance %s" % e) - pki_user = self.restore_state("user") user_exists = self.restore_state("user_exists") - if not pki_user is None and not user_exists is None and not user_exists: + if user_exists == False: try: - ipautil.run(["/usr/sbin/userdel", pki_user]) + ipautil.run(["/usr/sbin/userdel", PKI_USER]) except ipautil.CalledProcessError, e: logging.critical("failed to delete user %s" % e) @@ -1013,6 +1015,6 @@ class CAInstance(service.Service): if __name__ == "__main__": installutils.standard_logging_setup("install.log", False) cs = CADSInstance() - cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password") + cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password") ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") - ca.configure_instance("pkiuser", "catest.example.com", "password", "password") + ca.configure_instance("catest.example.com", "password", "password") diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 299505201..0a33697d2 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -21,7 +21,6 @@ import shutil import logging import pwd -import grp import glob import sys import os @@ -48,6 +47,9 @@ SERVER_ROOT_64 = "/usr/lib64/dirsrv" SERVER_ROOT_32 = "/usr/lib/dirsrv" CACERT="/etc/ipa/ca.crt" +DS_USER = 'dirsrv' +DS_GROUP = 'dirsrv' + def find_server_root(): if ipautil.dir_exists(SERVER_ROOT_64): return SERVER_ROOT_64 @@ -176,7 +178,6 @@ class DsInstance(service.Service): self.serverid = None self.fqdn = None self.pkcs12_info = None - self.ds_user = None self.dercert = None self.idstart = None self.idmax = None @@ -223,11 +224,10 @@ class DsInstance(service.Service): self.step("configuring directory to start on boot", self.__enable) - def create_instance(self, ds_user, realm_name, fqdn, domain_name, + def create_instance(self, realm_name, fqdn, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, idstart=1100, idmax=999999, subject_base=None, hbac_allow=True): - self.ds_user = ds_user self.realm_name = realm_name.upper() self.serverid = realm_to_serverid(self.realm_name) self.suffix = util.realm_to_suffix(self.realm_name) @@ -256,9 +256,8 @@ class DsInstance(service.Service): self.start_creation("Configuring directory server", 60) - def create_replica(self, ds_user, realm_name, master_fqdn, fqdn, + def create_replica(self, realm_name, master_fqdn, fqdn, domain_name, dm_password, pkcs12_info=None): - self.ds_user = ds_user self.realm_name = realm_name.upper() self.serverid = realm_to_serverid(self.realm_name) self.suffix = util.realm_to_suffix(self.realm_name) @@ -309,7 +308,7 @@ class DsInstance(service.Service): self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, SUFFIX=self.suffix.lower(), - REALM=self.realm_name, USER=self.ds_user, + REALM=self.realm_name, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, TIME=int(time.time()), IDSTART=self.idstart, IDMAX=self.idmax, HOST=self.fqdn, @@ -319,27 +318,22 @@ class DsInstance(service.Service): def __create_ds_user(self): user_exists = True try: - pwd.getpwnam(self.ds_user) - logging.debug("ds user %s exists" % self.ds_user) + pwd.getpwnam(DS_USER) + logging.debug("ds user %s exists" % DS_USER) except KeyError: user_exists = False - logging.debug("adding ds user %s" % self.ds_user) - args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] - try: - # if the group already exists we need to request to add it, - # otherwise useradd will create it for us - grp.getgrnam(self.ds_user) - args.append("-g") - args.append(self.ds_user) - except KeyError: - pass + logging.debug("adding ds user %s" % DS_USER) + args = ["/usr/sbin/useradd", "-g", DS_GROUP, + "-c", "DS System User", + "-d", "/var/lib/dirsrv", + "-s", "/sbin/nologin", + "-M", "-r", DS_USER] try: ipautil.run(args) logging.debug("done adding user") except ipautil.CalledProcessError, e: logging.critical("failed to add user %s" % e) - self.backup_state("user", self.ds_user) self.backup_state("user_exists", user_exists) def __create_instance(self): @@ -617,12 +611,11 @@ class DsInstance(service.Service): dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) - ds_user = self.restore_state("user") user_exists = self.restore_state("user_exists") - if not ds_user is None and not user_exists is None and not user_exists: + if user_exists == False: try: - ipautil.run(["/usr/sbin/userdel", ds_user]) + ipautil.run(["/usr/sbin/userdel", DS_USER]) except ipautil.CalledProcessError, e: logging.critical("failed to delete user %s" % e) @@ -686,7 +679,7 @@ class DsInstance(service.Service): fd.close() for line in lines: sline = line.strip() - if not sline.startswith(self.ds_user): + if not sline.startswith(DS_USER): continue if sline.find('nofile') == -1: continue @@ -711,7 +704,7 @@ class DsInstance(service.Service): if need_sysconf and need_limits: self.fstore.backup_file("/etc/security/limits.conf") fd = open("/etc/security/limits.conf", "a+") - fd.write('%s\t\t-\tnofile\t\t%s\n' % (self.ds_user, str(num))) + fd.write('%s\t\t-\tnofile\t\t%s\n' % (DS_USER, str(num))) fd.close() fd = open("/etc/sysconfig/dirsrv", "a+") diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 9f706797f..86804ce08 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -35,7 +35,7 @@ from ipalib import errors from ipaserver import ipaldap from ipaserver.install import replication -from ipaserver.install.dsinstance import realm_to_serverid +from ipaserver.install import dsinstance import ldap from ldap import LDAPError @@ -78,7 +78,6 @@ class KpasswdInstance(service.SimpleServiceInstance): class KrbInstance(service.Service): def __init__(self, fstore=None): service.Service.__init__(self, "krb5kdc") - self.ds_user = None self.fqdn = None self.realm = None self.domain = None @@ -124,8 +123,7 @@ class KrbInstance(service.Service): host_entry.setValue('managedby', host_dn) self.admin_conn.addEntry(host_entry) - def __common_setup(self, ds_user, realm_name, host_name, domain_name, admin_password): - self.ds_user = ds_user + def __common_setup(self, realm_name, host_name, domain_name, admin_password): self.fqdn = host_name self.realm = realm_name.upper() self.host = host_name.split(".")[0] @@ -152,13 +150,13 @@ class KrbInstance(service.Service): self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) - def create_instance(self, ds_user, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None): + def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None): self.master_password = master_password self.pkcs12_info = pkcs12_info self.self_signed_ca = self_signed_ca self.subject_base = subject_base - self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password) + self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("setting KDC account password", self.__configure_kdc_account_password) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) @@ -183,7 +181,7 @@ class KrbInstance(service.Service): self.kpasswd = KpasswdInstance() self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix) - def create_replica(self, ds_user, realm_name, + def create_replica(self, realm_name, master_fqdn, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename, @@ -196,7 +194,7 @@ class KrbInstance(service.Service): self.__copy_kpasswd_keytab(kpasswd_filename) self.master_fqdn = master_fqdn - self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password) + self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) self.step("writing stash file from DS", self.__write_stash_from_ds) @@ -256,7 +254,7 @@ class KrbInstance(service.Service): SUFFIX=self.suffix, DOMAIN=self.domain, HOST=self.host, - SERVER_ID=realm_to_serverid(self.realm), + SERVER_ID=dsinstance.realm_to_serverid(self.realm), REALM=self.realm) def __configure_sasl_mappings(self): @@ -492,7 +490,7 @@ class KrbInstance(service.Service): installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal) update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") - pent = pwd.getpwnam(self.ds_user) + pent = pwd.getpwnam(dsinstance.DS_USER) os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid) def __create_host_keytab(self): |