-rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 61 | ||||
-rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 2 | ||||
-rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 27 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 29 |
4 files changed, 93 insertions, 26 deletions
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index 91138c014..90296e5d4 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa")
 
 import socket
 import logging
+import pwd
 from optparse import OptionParser
 import ipaserver.dsinstance
 import ipaserver.krbinstance
@@ -42,10 +43,12 @@ def parse_options():
 help="ds user")
 parser.add_option("-r", "--realm", dest="realm_name",
 help="realm name")
- parser.add_option("-p", "--ds-password", dest="ds_password",
+ parser.add_option("-p", "--ds-password", dest="dm_password",
 help="admin password")
 parser.add_option("-P", "--master-password", dest="master_password",
 help="kerberos master password")
+ parser.add_option("-a", "--admin-password", dest="admin_password",
+ help="admin user kerberos password")
 parser.add_option("-d", "--debug", dest="debug", action="store_true",
 dest="debug", default=False, help="print debugging information")
 parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
@@ -56,7 +59,8 @@ def parse_options():
 if options.unattended and (not options.ds_user or
 not options.realm_name or
- not options.ds_password or
+ not options.dm_password or
+ not options.admin_password or
 not options.master_password):
 parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options")
@@ -95,7 +99,8 @@ def main():
 realm_name = ""
 host_name = ""
 master_password = ""
- ds_password = ""
+ dm_password = ""
+ admin_password = ""
 
 # check the hostname is correctly configured, it must be as the kldap
 # utilities just use the hostname as returned by gethostbyname to set
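Review bot: The new `-a/--admin-password` option, like the renamed `-p/--ds-password`, takes a secret as a command-line argument, which any local user can read from the process list while the installer runs and which lands in the invoking shell's history. The help string should at least say so, e.g. `help="admin user kerberos password (visible in the process list; prefer the interactive prompt)"`, and a follow-up could accept a file path for unattended runs instead. parse_options continues outside the hunk.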
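Review bot: The `parser.error` message right after the new `not options.admin_password or` check still lists only `-u, -r, -p and -P`, so an unattended run that omits `-a` is told the wrong set of required options. Update it to `parser.error("error: In unattended mode you need to provide -u, -r, -p, -P and -a options")`. The enclosing parse_options continues outside the hunk.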
@@ -137,13 +142,25 @@ def main():
 print ""
 if not options.ds_user:
- print "To securely run Directory Server we need a user account to be set up."
- print "This will allow DS to run as a user and not as root."
- print "The user account will have access to some security material so it should not be shared with any other application."
- print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure."
- print ""
- ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
- print ""
+
+ try:
+ pwd.getpwnam('dirsrv')
+
+ print "To securely run Directory Server we need a user account to be set up."
+ print "This will allow DS to run as a user and not as root."
+ print "The user account will have access to some security material so it should not be shared with any other application."
+ print "A user account named 'dirsrv' already exist. You should not share the account with any other service."
+ print ""
+ yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)")
+ print ""
+ if yesno.lower() == "y":
+ ds_user = "dirsrv"
+ else:
+ ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
+ print ""
+ except KeyError:
+ ds_user = "dirsrv"
+
 if ds_user == "":
 return "-Aborted-"
 else:
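Review bot: The `try:` added in the `if not options.ds_user:` branch wraps the whole interactive dialogue rather than just `pwd.getpwnam('dirsrv')`, so a KeyError raised anywhere inside the prompt code would be misread as "account does not exist" and silently select `dirsrv`. Keep the try body to the lookup and branch on a flag: `try: pwd.getpwnam('dirsrv'); have_dirsrv = True` / `except KeyError: have_dirsrv = False`, then `if have_dirsrv:` around the prompt. When the account is missing the new code also picks `dirsrv` without saying so, whereas the old code always asked; a one-line `print` stating that the `dirsrv` account will be created keeps the installer transparent about what it does. The user-facing string `already exist` should read `already exists`. main() continues outside the hunk.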
@@ -177,14 +194,15 @@ def main():
 else:
 realm_name = options.realm_name
 
- if not options.ds_password:
+ if not options.dm_password:
 print "The Directory Manager user is the equivalent of 'root' for Diretcory Server."
+ print "This account has full access to the Directory and is used for system management tasks."
 print ""
 #TODO: provide the option of generating a random password
- ds_password = raw_input("Please provide a password for the Directory Manager: ")
+ dm_password = raw_input("Please provide a password for the Directory Manager: ")
 print ""
 else:
- ds_password = options.ds_password
+ dm_password = options.dm_password
 
 if not options.master_password:
 print "The Kerberos database is usually encrypted using a master password."
@@ -199,13 +217,23 @@ def main():
 else:
 master_password = options.master_password
 
+ if not options.admin_password:
+ print "The 'admin' user is the administrative user used to administare an IPA server."
+ print "This account is the one that will be used for normal administration and is also a regular unix user"
+ print ""
+ #TODO: provide the option of generating a random password
+ admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ")
+ print ""
+ else:
+ admin_password = options.admin_password
+
 # Create a directory server instance
 ds = ipaserver.dsinstance.DsInstance()
- ds.create_instance(ds_user, realm_name, host_name, ds_password)
+ ds.create_instance(ds_user, realm_name, host_name, dm_password)
 
 # Create a kerberos instance
 krb = ipaserver.krbinstance.KrbInstance()
- krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password)
+ krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)
 
 # Restart ds after the krb instance has changed ds configurations
 ds.restart()
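Review bot: The new prompt `admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ")`, like the renamed `dm_password = raw_input(...)` in the hunk above, echoes the secret to the terminal and leaves it in scrollback; `getpass.getpass(...)` reads it without echo (needs `import getpass` in the import block, which is not in this hunk). Neither prompt rejects an empty answer or asks for the value twice, so a single typo silently becomes the admin's Kerberos password; a confirmation prompt is cheap here and the installer cannot recover the value afterwards. The typo `administare` in the new print should be `administer`. main() starts and ends outside the hunk.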
@@ -228,6 +256,9 @@ def main():
 # Start Kpasswd
 run(["/sbin/service", "ipa-kpasswd", "start"])
 
+ # Set the admin user kerberos password
+ ds.change_admin_password(admin_password)
+
 # Create the config file
 fd = open("/etc/ipa/ipa.conf", "w")
 fd.write("[defaults]\n")
diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f3771204a..e920cec7b 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -926,7 +926,7 @@ ipapwd_extop( Slapi_PBlock *pb )
 goto free_and_return;
 }
 
- if ( (is_ssl <=1) && (sasl_ssf <= 1) ) {
+ if ( (is_ssl == 0) && (sasl_ssf <= 1) ) {
 errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_CONFIDENTIALITY_REQUIRED;
 goto free_and_return;
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 2c7e0c7db..841bc31f2 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -72,16 +72,18 @@ class DsInstance:
 def __init__(self):
 self.serverid = None
 self.realm_name = None
+ self.suffix = None
 self.host_name = None
- self.admin_password = None
+ self.dm_password = None
 self.sub_dict = None
 
- def create_instance(self, ds_user, realm_name, host_name, admin_password):
+ def create_instance(self, ds_user, realm_name, host_name, dm_password):
 self.ds_user = ds_user
 self.serverid = generate_serverid()
 self.realm_name = realm_name.upper()
+ self.suffix = realm_to_suffix(self.realm_name)
 self.host_name = host_name
- self.admin_password = admin_password
+ self.dm_password = dm_password
 
 self.__setup_sub_dict()
 self.__create_ds_user()
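Review bot: The corrected condition `(is_ssl == 0) && (sasl_ssf <= 1)` encodes the plugin's policy that a password operation is accepted only over an SSL/TLS session or a SASL layer with ssf above 1, but nothing in the hunk states it; the old `is_ssl <= 1` was true for both 0 and 1, so presumably SSL sessions without a SASL layer were being rejected too. A comment above the `if`, `/* require SSL/TLS, or a SASL security layer with confidentiality (ssf > 1) */`, would record the intent and stop the test from being "fixed" back. Whether is_ssl is strictly 0/1 is not visible here; `== 0` is the right test either way. ipapwd_extop continues outside the hunk.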
@@ -111,10 +113,9 @@ class DsInstance:
 run(["/sbin/service", "dirsrv", "restart"])
 
 def __setup_sub_dict(self):
- suffix = realm_to_suffix(self.realm_name)
 server_root = find_server_root()
 self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
- PASSWORD=self.admin_password, SUFFIX=suffix,
+ PASSWORD=self.dm_password, SUFFIX=self.suffix,
 REALM=self.realm_name, USER=self.ds_user,
 SERVER_ROOT=server_root)
@@ -155,7 +156,7 @@ class DsInstance:
 def __enable_ssl(self):
 logging.debug("configuring ssl for ds instance")
 dirname = self.config_dirname()
- args = ["/usr/sbin/ipa-server-setupssl", self.admin_password,
+ args = ["/usr/sbin/ipa-server-setupssl", self.dm_password,
 dirname, self.host_name]
 run(args)
 logging.debug("done configuring ssl for ds instance")
@@ -165,7 +166,7 @@ class DsInstance:
 inf_fd = write_tmp_file(txt)
 logging.debug("adding default ds layout")
 args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
- "-w", self.admin_password, "-f", inf_fd.name]
+ "-w", self.dm_password, "-f", inf_fd.name]
 run(args)
 logging.debug("done adding default ds layout")
@@ -184,5 +185,15 @@ class DsInstance:
 certmap_fd = open(dirname+"certmap.conf", "w+")
 certmap_fd.write(certmap_conf)
 certmap_fd.close()
- logging.debug("done configuring certmap.conf for ds instance")
+
+ def change_admin_password(self, password):
+ logging.debug("Changing admin password")
+ dirname = self.config_dirname()
+ args = ["/usr/lib/mozldap/ldappasswd",
+ "-D", "cn=Directory Manager", "-w", self.dm_password,
+ "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
+ "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
+ run(args)
+ logging.debug("ldappasswd done")
+
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 1c77b086f..e17ab525b 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
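Review bot: The new `change_admin_password` passes both the Directory Manager password (`"-w", self.dm_password`) and the new admin password (`"-s", password`) on the argv of the `ldappasswd` child, where any local user can read them from the process list for the duration of the call; the `"-w", self.dm_password` ldapmodify line in the hunk above has the same exposure. Handing the secrets over through a restricted-permission temporary file (the class already uses `write_tmp_file` for ldapmodify input) and the tool's file-based password options would keep them out of argv. Two smaller points: `dirname+"/cert8.db"` differs from `dirname+"certmap.conf"` three lines earlier, so one of the two is wrong about whether config_dirname() ends with a slash, and the removed `logging.debug("done configuring certmap.conf for ds instance")` looks dropped by accident rather than moved. A docstring such as `"""Set the password of the uid=admin system account via ldappasswd, binding as Directory Manager."""` would document the new public method.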
@@ -109,7 +109,7 @@ class KrbInstance:
 for x in self.kdc_password:
 hexpwd += (hex(ord(x))[2:])
 pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
- pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+ pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
 pwd_fd.close()
 
 def __setup_sub_dict(self):
@@ -147,7 +147,7 @@ class KrbInstance:
 krb5_fd.close()
 
 #populate the directory with the realm structure
- args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
 run(args)
 
 #add the password extop module
@@ -178,6 +178,15 @@ class KrbInstance:
 kread.close()
 kerr.close()
 
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not file_exists("/etc/dirsrv/ds.keytab"):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
 cfg_fd = open("/etc/sysconfig/dirsrv", "a")
 cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n")
 cfg_fd.close()
@@ -199,6 +208,15 @@ class KrbInstance:
 kread.close()
 kerr.close()
 
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
 cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a")
 cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n")
 cfg_fd.close()
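Review bot: The rebuilt `kdb5_ldap_util` command line still carries `self.kdc_password` (`-w`) and `self.master_password` (`-P`) as plain arguments, so both secrets are readable in the process list by any local user while the realm is created; the DN change to `uid=kdc,cn=sysaccounts,cn=etc,` is itself fine. If the tool offers a file or stdin path for these values, using it here would match what the hunk above already does by stashing the KDC bind password in the `ldappwd` file instead of passing it around. The enclosing method starts and ends outside the hunk.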
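Review bot: `os.exit()` on the new timeout path does not exist in the `os` module (the process-exit calls are `sys.exit` and `os._exit`), so hitting the 15-second limit raises AttributeError with a traceback instead of aborting cleanly; the same block is repeated in the kpasswd.keytab hunk below and in the ipa.keytab hunk on the next line. The three copies differ only in the path, so a private helper that polls for the file and aborts with `sys.exit(1)` (the hunk does not show whether `sys` is imported in this file; add it if not) fixes all three at once, and the trailing `\n` in the print, which produces an extra blank line, can go. `file_exists` and `time` are used as already in scope. The enclosing methods start and end outside the hunks.
```python
    def __wait_for_file(self, path, timeout=15):
        # kadmin may return before the keytab is fully written; poll for it,
        # aborting the install rather than continuing with a missing file
        retry = 0
        while not file_exists(path):
            time.sleep(1)
            retry += 1
            if retry > timeout:
                print "Error timed out waiting for kadmin to finish operations"
                sys.exit(1)  # os.exit() does not exist; needs `import sys`

    # … unchanged: kadmin invocation writing ds.keytab …
        self.__wait_for_file("/etc/dirsrv/ds.keytab")
```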
@@ -215,8 +233,15 @@ class KrbInstance:
 kread.close()
 kerr.close()
 
+ # give kadmin time to actually write the file before we go on
+ retry = 0
 while not file_exists("/etc/httpd/conf/ipa.keytab"):
 time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
 
 pent = pwd.getpwnam("apache")
 os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
|