summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ipa-server/ipa-install/ipa-server-install61
-rw-r--r--ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c2
-rw-r--r--ipa-server/ipaserver/dsinstance.py27
-rw-r--r--ipa-server/ipaserver/krbinstance.py29
4 files changed, 93 insertions, 26 deletions
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index 91138c014..90296e5d4 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa")
import socket
import logging
+import pwd
from optparse import OptionParser
import ipaserver.dsinstance
import ipaserver.krbinstance
@@ -42,10 +43,12 @@ def parse_options():
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
- parser.add_option("-p", "--ds-password", dest="ds_password",
+ parser.add_option("-p", "--ds-password", dest="dm_password",
help="admin password")
parser.add_option("-P", "--master-password", dest="master_password",
help="kerberos master password")
+ parser.add_option("-a", "--admin-password", dest="admin_password",
+ help="admin user kerberos password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
dest="debug", default=False, help="print debugging information")
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
@@ -56,7 +59,8 @@ def parse_options():
if options.unattended and (not options.ds_user or
not options.realm_name or
- not options.ds_password or
+ not options.dm_password or
+ not options.admin_password or
not options.master_password):
parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options")
@@ -95,7 +99,8 @@ def main():
realm_name = ""
host_name = ""
master_password = ""
- ds_password = ""
+ dm_password = ""
+ admin_password = ""
# check the hostname is correctly configured, it must be as the kldap
# utilities just use the hostname as returned by gethostbyname to set
@@ -137,13 +142,25 @@ def main():
print ""
if not options.ds_user:
- print "To securely run Directory Server we need a user account to be set up."
- print "This will allow DS to run as a user and not as root."
- print "The user account will have access to some security material so it should not be shared with any other application."
- print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure."
- print ""
- ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
- print ""
+
+ try:
+ pwd.getpwnam('dirsrv')
+
+ print "To securely run Directory Server we need a user account to be set up."
+ print "This will allow DS to run as a user and not as root."
+ print "The user account will have access to some security material so it should not be shared with any other application."
+ print "A user account named 'dirsrv' already exist. You should not share the account with any other service."
+ print ""
+ yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)")
+ print ""
+ if yesno.lower() == "y":
+ ds_user = "dirsrv"
+ else:
+ ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
+ print ""
+ except KeyError:
+ ds_user = "dirsrv"
+
if ds_user == "":
return "-Aborted-"
else:
@@ -177,14 +194,15 @@ def main():
else:
realm_name = options.realm_name
- if not options.ds_password:
+ if not options.dm_password:
print "The Directory Manager user is the equivalent of 'root' for Diretcory Server."
+ print "This account has full access to the Directory and is used for system management tasks."
print ""
#TODO: provide the option of generating a random password
- ds_password = raw_input("Please provide a password for the Directory Manager: ")
+ dm_password = raw_input("Please provide a password for the Directory Manager: ")
print ""
else:
- ds_password = options.ds_password
+ dm_password = options.dm_password
if not options.master_password:
print "The Kerberos database is usually encrypted using a master password."
@@ -199,13 +217,23 @@ def main():
else:
master_password = options.master_password
+ if not options.admin_password:
+ print "The 'admin' user is the administrative user used to administare an IPA server."
+ print "This account is the one that will be used for normal administration and is also a regular unix user"
+ print ""
+ #TODO: provide the option of generating a random password
+ admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ")
+ print ""
+ else:
+ admin_password = options.admin_password
+
# Create a directory server instance
ds = ipaserver.dsinstance.DsInstance()
- ds.create_instance(ds_user, realm_name, host_name, ds_password)
+ ds.create_instance(ds_user, realm_name, host_name, dm_password)
# Create a kerberos instance
krb = ipaserver.krbinstance.KrbInstance()
- krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password)
+ krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)
# Restart ds after the krb instance has changed ds configurations
ds.restart()
@@ -228,6 +256,9 @@ def main():
# Start Kpasswd
run(["/sbin/service", "ipa-kpasswd", "start"])
+ # Set the admin user kerberos password
+ ds.change_admin_password(admin_password)
+
# Create the config file
fd = open("/etc/ipa/ipa.conf", "w")
fd.write("[defaults]\n")
diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f3771204a..e920cec7b 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -926,7 +926,7 @@ ipapwd_extop( Slapi_PBlock *pb )
goto free_and_return;
}
- if ( (is_ssl <=1) && (sasl_ssf <= 1) ) {
+ if ( (is_ssl == 0) && (sasl_ssf <= 1) ) {
errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto free_and_return;
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 2c7e0c7db..841bc31f2 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -72,16 +72,18 @@ class DsInstance:
def __init__(self):
self.serverid = None
self.realm_name = None
+ self.suffix = None
self.host_name = None
- self.admin_password = None
+ self.dm_password = None
self.sub_dict = None
- def create_instance(self, ds_user, realm_name, host_name, admin_password):
+ def create_instance(self, ds_user, realm_name, host_name, dm_password):
self.ds_user = ds_user
self.serverid = generate_serverid()
self.realm_name = realm_name.upper()
+ self.suffix = realm_to_suffix(self.realm_name)
self.host_name = host_name
- self.admin_password = admin_password
+ self.dm_password = dm_password
self.__setup_sub_dict()
self.__create_ds_user()
@@ -111,10 +113,9 @@ class DsInstance:
run(["/sbin/service", "dirsrv", "restart"])
def __setup_sub_dict(self):
- suffix = realm_to_suffix(self.realm_name)
server_root = find_server_root()
self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid,
- PASSWORD=self.admin_password, SUFFIX=suffix,
+ PASSWORD=self.dm_password, SUFFIX=self.suffix,
REALM=self.realm_name, USER=self.ds_user,
SERVER_ROOT=server_root)
@@ -155,7 +156,7 @@ class DsInstance:
def __enable_ssl(self):
logging.debug("configuring ssl for ds instance")
dirname = self.config_dirname()
- args = ["/usr/sbin/ipa-server-setupssl", self.admin_password,
+ args = ["/usr/sbin/ipa-server-setupssl", self.dm_password,
dirname, self.host_name]
run(args)
logging.debug("done configuring ssl for ds instance")
@@ -165,7 +166,7 @@ class DsInstance:
inf_fd = write_tmp_file(txt)
logging.debug("adding default ds layout")
args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
- "-w", self.admin_password, "-f", inf_fd.name]
+ "-w", self.dm_password, "-f", inf_fd.name]
run(args)
logging.debug("done adding default ds layout")
@@ -184,5 +185,15 @@ class DsInstance:
certmap_fd = open(dirname+"certmap.conf", "w+")
certmap_fd.write(certmap_conf)
certmap_fd.close()
-
logging.debug("done configuring certmap.conf for ds instance")
+
+ def change_admin_password(self, password):
+ logging.debug("Changing admin password")
+ dirname = self.config_dirname()
+ args = ["/usr/lib/mozldap/ldappasswd",
+ "-D", "cn=Directory Manager", "-w", self.dm_password,
+ "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
+ "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix]
+ run(args)
+ logging.debug("ldappasswd done")
+
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 1c77b086f..e17ab525b 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -109,7 +109,7 @@ class KrbInstance:
for x in self.kdc_password:
hexpwd += (hex(ord(x))[2:])
pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
- pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+ pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n")
pwd_fd.close()
def __setup_sub_dict(self):
@@ -147,7 +147,7 @@ class KrbInstance:
krb5_fd.close()
#populate the directory with the realm structure
- args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
run(args)
#add the password extop module
@@ -178,6 +178,15 @@ class KrbInstance:
kread.close()
kerr.close()
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not file_exists("/etc/dirsrv/ds.keytab"):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
cfg_fd = open("/etc/sysconfig/dirsrv", "a")
cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n")
cfg_fd.close()
@@ -199,6 +208,15 @@ class KrbInstance:
kread.close()
kerr.close()
+ # give kadmin time to actually write the file before we go on
+ retry = 0
+ while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"):
+ time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a")
cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n")
cfg_fd.close()
@@ -215,8 +233,15 @@ class KrbInstance:
kread.close()
kerr.close()
+ # give kadmin time to actually write the file before we go on
+ retry = 0
while not file_exists("/etc/httpd/conf/ipa.keytab"):
time.sleep(1)
+ retry += 1
+ if retry > 15:
+ print "Error timed out waiting for kadmin to finish operations\n"
+ os.exit()
+
pent = pwd.getpwnam("apache")
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)