Diffstat (limited to 'install/tools')
-rw-r--r-- | install/tools/Makefile.am | 1 | ||||
-rw-r--r-- | install/tools/ipa-compliance | 201 | ||||
-rw-r--r-- | install/tools/man/Makefile.am | 1 | ||||
-rw-r--r-- | install/tools/man/ipa-compliance.1 | 45 |
4 files changed, 0 insertions, 248 deletions
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 7c553116c..659ce0a87 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -21,7 +21,6 @@ sbin_SCRIPTS = \
 	ipa-managed-entries \
 	ipa-ldap-updater \
 	ipa-upgradeconfig \
-	ipa-compliance \
 	ipa-backup \
 	ipa-restore \
 	$(NULL)
diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance
deleted file mode 100644
index 9b34350b4..000000000
--- a/install/tools/ipa-compliance
+++ /dev/null
@@ -1,201 +0,0 @@
-#!/usr/bin/env python
-#
-# Authors:
-# Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2010 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# An LDAP client to count entitlements and log to syslog if the number is
-# exceeded.
-
-try:
-    import sys
-    import os
-    import syslog
-    import tempfile
-    import krbV
-    import base64
-    import shutil
-
-    from rhsm.certificate import EntitlementCertificate
-
-    from ipaserver.plugins.ldap2 import ldap2
-    from ipalib import api, errors, backend
-    from ipaserver.install import installutils
-    from ipapython.dn import DN
-except ImportError, e:
-    # If python-rhsm isn't installed exit gracefully and quietly.
-    if e.args[0] == 'No module named rhsm.certificate':
-        sys.exit(0)
-    print >> sys.stderr, """\
-There was a problem importing one of the required Python modules. The
-error was:
-
- %s
-""" % sys.exc_value
-    sys.exit(1)
-
-# Each IPA server comes with this many entitlements
-DEFAULT_ENTITLEMENTS = 25
-
-class client(backend.Executioner):
-    """
-    A simple-minded IPA client that can execute remote commands.
-    """
-
-    def run(self, method, **kw):
-        self.create_context()
-        result = self.execute(method, **kw)
-        return result
-
-def parse_options():
-    from optparse import OptionParser
-
-    parser = OptionParser()
-    parser.add_option("--debug", dest="debug", action="store_true",
-        default=False, help="enable debugging")
-
-    options, args = parser.parse_args()
-    return options, args
-
-def check_compliance(tmpdir, debug=False):
-    cfg = dict(
-        context='cli',
-        in_server=False,
-        debug=debug,
-        verbose=0,
-    )
-
-    api.bootstrap(**cfg)
-    api.register(client)
-    api.finalize()
-    from ipalib.x509 import normalize_certificate, make_pem
-
-    try:
-        # Create a new credentials cache for this tool. This executes
-        # using the systems host principal.
-        ccache_file = 'FILE:%s/ccache' % tmpdir
-        krbcontext = krbV.default_context()
-        principal = str('host/%s@%s' % (api.env.host, api.env.realm))
-        keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
-        principal = krbV.Principal(name=principal, context=krbcontext)
-        os.environ['KRB5CCNAME'] = ccache_file
-        ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
-        ccache.init(principal)
-        ccache.init_creds_keytab(keytab=keytab, principal=principal)
-    except krbV.Krb5Error, e:
-        raise StandardError('Error initializing principal %s in %s: %s' % (principal.name, '/etc/krb5.keytab', str(e)))
-
-    # entitle-sync doesn't return any information we want to see, it just
-    # needs to be done so the LDAP data is correct.
-    try:
-        result = api.Backend.client.run('entitle_sync')
-    except errors.NotRegisteredError:
-        # Even if not registered they have some default entitlements
-        pass
-
-    conn = ldap2(shared_instance=False)
-
-    # Bind using GSSAPI
-    conn.connect(ccache=ccache_file)
-
-    hostcount = 0
-    # Get the hosts first
-    try:
-        (entries, truncated) = conn.find_entries('(krblastpwdchange=*)', [],
-            DN(api.env.container_host, api.env.basedn),
-            conn.SCOPE_ONELEVEL,
-            size_limit = -1)
-    except errors.NotFound:
-        # No hosts
-        pass
-
-    if not truncated:
-        hostcount = len(entries)
-    else:
-        # This will not happen unless we bump into a server-side limit.
-        msg = 'The host count result was truncated, they will be underreported'
-        syslog.syslog(syslog.LOG_ERR, msg)
-        if sys.stdin.isatty():
-            print msg
-
-    available = 0
-    try:
-        (entries, truncated) = conn.find_entries('(objectclass=ipaentitlement)',
-            ['userCertificate'],
-            DN(api.env.container_entitlements, api.env.basedn),
-            conn.SCOPE_ONELEVEL,
-            size_limit = -1)
-
-        for entry in entries:
-            (dn, attrs) = entry
-            if 'usercertificate' in attrs:
-                rawcert = attrs['usercertificate'][0]
-                rawcert = normalize_certificate(rawcert)
-                cert = make_pem(base64.b64encode(rawcert))
-                cert = EntitlementCertificate(cert)
-                order = cert.getOrder()
-                available += int(order.getQuantityUsed())
-    except errors.NotFound:
-        pass
-
-    conn.disconnect()
-
-    available += DEFAULT_ENTITLEMENTS
-
-    if hostcount > available:
-        syslog.syslog(syslog.LOG_ERR, 'IPA is out of compliance: %d of %d entitlements used.' % (hostcount, available))
-        if sys.stdin.isatty():
-            print 'IPA is out of compliance: %d of %d entitlements used.' % (hostcount, available)
-    else:
-        if sys.stdin.isatty():
-            # If run from the command-line display some info
-            print 'IPA is in compliance: %d of %d entitlements used.' % (hostcount, available)
-
-def main():
-    installutils.check_server_configuration()
-
-    if not os.path.exists('/etc/ipa/default.conf'):
-        return 0
-
-    options, args = parse_options()
-
-    try:
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
-        try:
-            check_compliance(tmpdir, options.debug)
-        finally:
-            shutil.rmtree(tmpdir)
-    except KeyboardInterrupt:
-        return 1
-    except (StandardError, errors.PublicError), e:
-        syslog.syslog(syslog.LOG_ERR, 'IPA compliance checking failed: %s' % str(e))
-        if sys.stdin.isatty():
-            print 'IPA compliance checking failed: %s' % str(e)
-        return 1
-
-    return 0
-
-try:
-    if not os.geteuid()==0:
-        sys.exit("\nMust be root to check compliance\n")
-
-    main()
-except SystemExit, e:
-    sys.exit(e)
-except RuntimeError, e:
-    sys.exit(e)
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index a1bf076bf..b16d2b5c7 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -19,7 +19,6 @@ man1_MANS = \
 	ipa-compat-manage.1 \
 	ipa-nis-manage.1 \
 	ipa-managed-entries.1 \
-	ipa-compliance.1 \
 	ipa-backup.1 \
 	ipa-restore.1 \
 	$(NULL)
diff --git a/install/tools/man/ipa-compliance.1 b/install/tools/man/ipa-compliance.1
deleted file mode 100644
index 4f8a6191d..000000000
--- a/install/tools/man/ipa-compliance.1
+++ /dev/null
@@ -1,45 +0,0 @@
-.\" A man page for ipa-compliance
-.\" Copyright (C) 2010 Red Hat, Inc.
-.\"
-.\" This is free software; you can redistribute it and/or modify it under
-.\" the terms of the GNU Library General Public License as published by
-.\" the Free Software Foundation; version 2 only
-.\"
-.\" This program is distributed in the hope that it will be useful, but
-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-.\" General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU Library General Public
-.\" License along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\" Author: Rob Crittenden <rcritten@redhat.com>
-.\"
-.TH "ipa-compliance" "1" "Dec 14 2010" "FreeIPA" "FreeIPA Manual Pages"
-.SH "NAME"
-ipa\-compliance \- Check entitlement compliance
-.SH "SYNOPSIS"
-ipa\-compliance [\fIOPTION\fR]
-.SH "DESCRIPTION"
-Verify that the IPA installation is in compliance with the number of client entitlements it has.
-
-Entitlements are managed using the ipa entitle command.
-
-An enrolled host is an machine that has a host keytab in the IPA system.
-
-The entitlements take the form of x509v3 certificates. The certificates are examined and the quantities summed. This is compared to the number of enrolled hosts to determine compliance.
-
-The command logs to syslog and if run from a tty will log to the terminal as well.
-
-The IPA server provides 25 entitlements of its own.
-.SH "OPTIONS"
-.TP
-\fB\-\-debug\fR
-Enable debugging output in the command
-.SH "EXIT STATUS"
-0 if the command was successful
-
-1 if an error occurred
-.SH "NOTES"
-Entitlements are not checked if the python\-rhsm package is not installed.