diff options
| -rw-r--r-- | ipa-admintools/Makefile | 1 | ||||
| -rw-r--r-- | ipa-admintools/ipa-addradiusclient | 248 | ||||
| -rw-r--r-- | ipa-python/ipavalidate.py | 1 | ||||
| -rw-r--r-- | ipa-python/radius_client.py | 7 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/60radius.ldif | 46 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 30 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 3 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/encrypted_attribute.ldif | 6 | ||||
| -rw-r--r-- | ipa-server/ipa-install/share/radius.radiusd.conf.template | 23 | ||||
| -rw-r--r-- | ipa-server/ipaserver/radiusinstance.py | 22 | ||||
| -rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 25 |
11 files changed, 400 insertions, 12 deletions
diff --git a/ipa-admintools/Makefile b/ipa-admintools/Makefile index 9d63db082..4c8d3f1f4 100644 --- a/ipa-admintools/Makefile +++ b/ipa-admintools/Makefile @@ -21,6 +21,7 @@ install: install -m 755 ipa-deldelegation $(SBINDIR) install -m 755 ipa-listdelegation $(SBINDIR) install -m 755 ipa-moddelegation $(SBINDIR) + install -m 755 ipa-addradiusclient $(SBINDIR) @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ diff --git a/ipa-admintools/ipa-addradiusclient b/ipa-admintools/ipa-addradiusclient new file mode 100644 index 000000000..5772b4d8e --- /dev/null +++ b/ipa-admintools/ipa-addradiusclient @@ -0,0 +1,248 @@ +#! /usr/bin/python -E +# Authors: John Dennis <jdennis@redhat.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +from optparse import OptionParser +import ipa +import ipa.radius_client +import ipa.ipaclient as ipaclient +import ipa.ipavalidate as ipavalidate +import ipa.config +import ipa.ipaerror + +import xmlrpclib +import kerberos +import ldap +import getpass +import re + +#------------------------------------------------------------------------------ + +dotted_octet_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(/(\d+))?$") +dns_RE = re.compile(r"^[a-zA-Z.-]+$") +# secret, name, nastype all have 31 char max in freeRADIUS, max ip address len is 255 +valid_secret_len = (1,31) +valid_name_len = (1,31) +valid_nastype_len = (1,31) +valid_ip_addr_len = (1,255) + +valid_ip_addr_msg = "IP address is required and must be dotted octet with optional mask or a DNS name" +valid_desc_msg = "Description must text string" + +#------------------------------------------------------------------------------ + +def usage(): + print "ipa-addradiusclient" + sys.exit(1) + +def parse_options(): + parser = OptionParser() + parser.add_option("--usage", action="store_true", + help="Program usage") + parser.add_option("-a", "--address", dest="ip_addr", + help="RADIUS client IP address") + parser.add_option("-s", "--secret", dest="secret", + help="RADIUS client secret") + parser.add_option("-n", "--name", dest="name", + help="RADIUS client name") + parser.add_option("-t", "--type", dest="nastype", + help="RADIUS client name") + parser.add_option("-d", "--description", dest="desc", + help="description of the RADIUS client") + + args = ipa.config.init_config(sys.argv) + options, args = parser.parse_args(args) + + return options, args + +#------------------------------------------------------------------------------ + +def get_secret(): + valid = False + while (not valid): + secret = getpass.getpass("Enter Secret: ") + confirm = getpass.getpass("Confirm Secret: ") + if (secret != confirm): + print "Secrets do not match" + continue + valid = True + return secret + +#------------------------------------------------------------------------------ + +def valid_ip_addr(text): + + # is it a dotted octet? If so there should be 4 integers seperated + # by a dot and each integer should be between 0 and 255 + # there may be an optional mask preceded by a slash (e.g. 1.2.3.4/24) + match = dotted_octet_RE.search(text) + if match: + # dotted octet notation + i = 1 + while i <= 4: + octet = int(match.group(i)) + if octet > 255: return False + i += 1 + if match.group(5): + mask = int(match.group(6)) + if mask <= 32: + return True + else: + return False + return True + else: + # DNS name, can contain letters, dot and hypen + if dns_RE.search(text): return False + return True + +def validate_length(value, limits): + length = len(value) + if length < limits[0] or length > limits[1]: + return False + return True + +def valid_length_msg(name, limits): + return "%s length must be at least %d and not more than %d" % (name, limits[0], limits[1]) + +def validate_ip_addr(ip_addr): + if not validate_length(ip_addr, valid_ip_addr_len): + print valid_length_msg('ip address', valid_ip_addr_len) + return False + if not valid_ip_addr(ip_addr): + print valid_ip_addr_msg + return False + return True + +def validate_secret(secret): + if not validate_length(secret, valid_secret_len): + print valid_length_msg('secret', valid_secret_len) + return False + return True + +def validate_name(name): + if not validate_length(name, valid_name_len): + print valid_length_msg('name', valid_name_len) + return False + return True + +def validate_nastype(nastype): + if not validate_length(nastype, valid_nastype_len): + print valid_length_msg('NAS Type', valid_nastype_len) + return False + return True + +def validate_desc(desc): + if ipavalidate.plain(desc, notEmpty=True) != 0: + print valid_desc_msg + return False + return True + +#------------------------------------------------------------------------------ + +def main(): + ip_addr = None + secret = None + name = None + nastype = None + desc = None + + client=ipa.radius_client.RadiusClient() + options, args = parse_options() + + # client address is required + if options.ip_addr: + ip_addr = options.ip_addr + if not validate_ip_addr(ip_addr): return 1 + else: + valid = False + while not valid: + ip_addr = raw_input("Client IP: ") + if validate_ip_addr(ip_addr): valid = True + + # client secret is required + if options.secret: + secret = options.secret + if not validate_secret(secret): return 1 + else: + valid = False + while not valid: + secret = get_secret() + if validate_secret(secret): valid = True + + # client name is optional + if options.name: + name = options.name + if not validate_name(name): return 1 + + # client NAS Type is optional + if options.nastype: + nastype = options.nastype + if not validate_nastype(nastype): return 1 + + # client description is optional + if options.desc: + desc = options.desc + if not validate_desc(desc): return 1 + + + #print "ip_addr=%s secret=%s name=%s nastype=%s desc=%s" % (ip_addr, secret, name, nastype, desc) + + if ip_addr is not None: + client.setValue('radiusClientNASIpAddress', ip_addr) + else: + print "client IP Address is required" + return 1 + + if secret is not None: + client.setValue('radiusClientSecret', secret) + else: + print "client secret is required" + return 1 + + if name is not None: + client.setValue('radiusClientShortName', name) + + if nastype is not None: + client.setValue('radiusClientNASType', nastype) + + if desc is not None: + client.setValue('description', desc) + + try: + client = ipaclient.IPAClient() + client.add_radius_client(client) + print "successfully added" + except xmlrpclib.Fault, f: + print f.faultString + return 1 + except kerberos.GSSError, e: + print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0]) + return 1 + except xmlrpclib.ProtocolError, e: + print "Unable to connect to IPA server: %s" % (e.errmsg) + return 1 + except ipa.ipaerror.IPAError, e: + print "%s" % (e.message) + return 1 + + return 0 + +if __name__ == "__main__": + sys.exit(main()) diff --git a/ipa-python/ipavalidate.py b/ipa-python/ipavalidate.py index 918c34a62..3a6699e16 100644 --- a/ipa-python/ipavalidate.py +++ b/ipa-python/ipavalidate.py @@ -96,3 +96,4 @@ def path(text, notEmpty=False): return 1 return 0 + diff --git a/ipa-python/radius_client.py b/ipa-python/radius_client.py new file mode 100644 index 000000000..44deb7464 --- /dev/null +++ b/ipa-python/radius_client.py @@ -0,0 +1,7 @@ +from ipa.entity import Entity + +class RadiusClient(Entity): + + def __init2__(self): + pass + diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif index 1802029ea..ac9e3befb 100644 --- a/ipa-server/ipa-install/share/60radius.ldif +++ b/ipa-server/ipa-install/share/60radius.ldif @@ -4,6 +4,11 @@ # LDAP v3 version by Jochen Friedrich <jochen@scram.de> # Updates by Adrian Pavlykevych <pam@polynet.lviv.ua> # Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA +# +# Note: These OID's do not seem to be registered, the closest I could find +# was 1.3.6.1.4.1.3317 +# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)} +# ############## dn: cn=schema attributeTypes: @@ -521,3 +526,44 @@ objectClasses: MUST cn MAY ( uid $ userPassword $ description ) ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.63 + NAME 'radiusClientNASIpAddress' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.64 + NAME 'radiusClientSecret' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.65 + NAME 'radiusClientNASType' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.66 + NAME 'radiusClientShortName' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +# c->ipaddr = radiusNASIpAddress +# c->secret = radiusSecret +objectClasses: + ( 1.3.6.1.4.1.3317.4.3.2.3 + NAME 'radiusClientProfile' + SUP top STRUCTURAL + DESC 'A Container Objectclass to be used for describing radius clients' + MUST (radiusClientNASIpAddress $ radiusClientSecret) + MAY ( radiusClientNASType $ radiusClientShortName $ nsEncryptionAlgorithm $ description ) + ) diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index ca8bdcb6b..df59bc0ec 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -68,6 +68,36 @@ homeDirectory: /home/admin loginShell: /bin/bash gecos: Administrator +dn: cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: services + +dn: cn=radius,cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: radius + +dn: cn=clients,cn=radius,cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: clients + +dn: cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: profiles + +dn: uid=ipa_default, cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: top +objectClass: radiusprofile +uid: ipa_default + dn: cn=admins,cn=groups,cn=accounts,$SUFFIX changetype: add objectClass: top diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 3eee2ae3e..5d19329e8 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -7,5 +7,6 @@ aci: (targetattr=*)(version 3.0; acl "Admin can manage any entry"; allow (all) u aci: (targetattr="krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) -aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci: (targetfilter="(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfUniqueNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr="*")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add,delete,read,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version 3.0;acl "Self service";allow (write) userdn="ldap:///self";) +aci: (target="ldap:///cn=radius,cn=services,cn=etc,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) diff --git a/ipa-server/ipa-install/share/encrypted_attribute.ldif b/ipa-server/ipa-install/share/encrypted_attribute.ldif new file mode 100644 index 000000000..3f5e1b43d --- /dev/null +++ b/ipa-server/ipa-install/share/encrypted_attribute.ldif @@ -0,0 +1,6 @@ +dn: cn=$ENCRYPTED_ATTRIBUTE, cn=encrypted attributes, cn=userRoot, cn=ldbm database, cn=plugins, cn=config +changetype: add +objectClass: top +objectClass: nsAttributeEncryption +cn: $ENCRYPTED_ATTRIBUTE +nsEncryptionAlgorithm: AES diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template index d03105485..3bc4927dd 100644 --- a/ipa-server/ipa-install/share/radius.radiusd.conf.template +++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template @@ -57,9 +57,6 @@ thread pool { max_requests_per_server = 0 } modules { - pap { - auto_header = yes - } chap { authtype = CHAP } @@ -85,13 +82,19 @@ $$INCLUDE $${confdir}/eap.conf filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no - access_attr = "$ACCESS_ATTRIBUTE" + profile_attribute = "radiusProfileDn" + default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX + # FIXME: we'll want to toggle the access_attr feature on/off, + # but it needs a control, so disable it for now. + #access_attr = "$ACCESS_ATTRIBUTE" + #access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT" dictionary_mapping = $${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 + clients_basedn = "$CLIENTS_BASEDN" } realm IPASS { format = prefix @@ -229,6 +232,10 @@ $$INCLUDE $${confdir}/eap.conf override = no maximum-timeout = 0 } + krb5 { + keytab = "$RADIUS_KEYTAB" + service_principal = "$RADIUS_PRINCIPAL" + } } instantiate { exec @@ -242,20 +249,18 @@ authorize { eap #files ldap - pap } authenticate { - Auth-Type PAP { - pap - } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } - unix eap + Auth-Type Kerberos { + krb5 + } } preacct { preprocess diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 2aee09b33..38091d696 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -51,6 +51,10 @@ from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer #------------------------------------------------------------------------------- +def ldap_mod(fd, dn, pwd): + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] + run(args) + def get_radius_version(): version = None try: @@ -79,10 +83,11 @@ class RadiusInstance(service.Service): def create_instance(self, realm_name, host_name, ldap_server): self.realm = realm_name.upper() + self.suffix = realm_to_suffix(self.realm) self.fqdn = host_name self.ldap_server = ldap_server self.principal = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm) - self.basedn = realm_to_suffix(self.realm) + self.basedn = self.suffix self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this self.radius_version = get_radius_version() self.start_creation(4, "Configuring radiusd") @@ -115,7 +120,9 @@ class RadiusInstance(service.Service): 'RADIUS_KEYTAB' : IPA_KEYTAB_FILEPATH, 'RADIUS_PRINCIPAL' : self.principal, 'RADIUS_USER_BASE_DN' : self.user_basedn, - 'ACCESS_ATTRIBUTE' : 'dialupAccess' + 'ACCESS_ATTRIBUTE' : '', + 'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE', + 'CLIENTS_BASEDN' : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix } try: radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict) @@ -157,6 +164,17 @@ class RadiusInstance(service.Service): except Exception, e: logging.error("could not chown on %s to %s: %s", IPA_KEYTAB_FILEPATH, RADIUS_USER, e) + def __set_ldap_encrypted_attributes(self): + ldif_file = 'encrypted_attribute.ldif' + self.step("setting ldap encrypted attributes") + ldif_txt = template_file(SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret') + ldif_fd = write_tmp_file(ldif_txt) + try: + ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password) + except subprocess.CalledProcessError, e: + logging.critical("Failed to load %s: %s" % (ldif_file, str(e))) + ldif_fd.close() + #------------------------------------------------------------------------------- # FIXME: this should be in a common area so it can be shared diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 6fdaaca51..8169b4463 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -456,6 +456,31 @@ class IPAServer: self.releaseConnection(conn) return res + def add_radius_client (self, client, opts=None): + client_container = 'cn=clients,cn=radius,cn=services,cn=etc' # FIXME, should not be hardcoded + if self.__is_client_unique(client['radiusClientNASIpAddress'], opts) == 0: + raise ipaerror.gen_exception(ipaerror.LDAP_DUPLICATE) + + dn="radiusClientNASIpAddress=%s,%s,%s" % (ldap.dn.escape_dn_chars(client['radiusClientNASIpAddress']), + client_container,self.basedn) + entry = ipaserver.ipaldap.Entry(dn) + + # FIXME: This should be dynamic and can include just about anything + + # some required objectclasses + entry.setValues('objectClass', 'top', 'radiusClientProfile') + + # fill in our new entry with everything sent by the client + for u in client: + entry.setValues(u, client[u]) + + conn = self.getConnection(opts) + try: + res = conn.addEntry(entry) + finally: + self.releaseConnection(conn) + return res + def get_add_schema (self): """Get the list of fields to be used when adding users in the GUI.""" |