From 065827d6e135686c81194280cba442ca696cba9d Mon Sep 17 00:00:00 2001 From: Mark McLoughlin Date: Thu, 13 Dec 2007 09:31:28 +0000 Subject: Refactor dsinstance ldap modify code Just a patch to refactor lots of similar code in dsinstance and krbinstance using a simple helper method. Note, there are some differences: - Some code used to call ldapmodify without -h 127.0.0.1 - Some of the code used to just print an error rather than using logging.critical() - Some code used to log some extra debug Signed-off-by: Mark McLoughlin --- ipa-radius-server/plugins/radiusinstance.py | 31 +++++---- ipa-server/ipaserver/dsinstance.py | 97 +++++++---------------------- ipa-server/ipaserver/krbinstance.py | 50 ++++++--------- 3 files changed, 61 insertions(+), 117 deletions(-) diff --git a/ipa-radius-server/plugins/radiusinstance.py b/ipa-radius-server/plugins/radiusinstance.py index a330621d1..2d68adf7e 100644 --- a/ipa-radius-server/plugins/radiusinstance.py +++ b/ipa-radius-server/plugins/radiusinstance.py @@ -44,10 +44,6 @@ from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer #------------------------------------------------------------------------------- -def ldap_mod(fd, dn, pwd): - args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] - ipautil.run(args) - def get_radius_version(): version = None try: @@ -157,17 +153,26 @@ class RadiusInstance(service.Service): except Exception, e: logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e) - #FIXME, should use IPAdmin method - def __set_ldap_encrypted_attributes(self): - ldif_file = 'encrypted_attribute.ldif' - self.step("setting ldap encrypted attributes") - ldif_txt = ipautil.template_file(ipautil.SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'}) - ldif_fd = ipautil.write_tmp_file(ldif_txt) + def __ldap_mod(self, step, ldif): + self.step(step) + + txt = iputil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict) + fd = ipautil.write_tmp_file(txt) + + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", + "-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name] + try: - ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password) + ipautil.run(args) except ipautil.CalledProcessError, e: - logging.critical("Failed to load %s: %s" % (ldif_file, str(e))) - ldif_fd.close() + logging.critical("Failed to load %s: %s" % (ldif, str(e))) + + fd.close() + + #FIXME, should use IPAdmin method + def __set_ldap_encrypted_attributes(self): + self.__ldap_mod("setting ldap encrypted attributes", + "encrypted_attribute.ldif", {"ENCRYPTED_ATTRIBUTE" : "radiusClientSecret"}) #------------------------------------------------------------------------------- diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 818710fb6..8a4a00314 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -35,10 +35,6 @@ import ipaldap, ldap SERVER_ROOT_64 = "/usr/lib64/dirsrv" SERVER_ROOT_32 = "/usr/lib/dirsrv" -def ldap_mod(fd, dn, pwd): - args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] - ipautil.run(args) - def realm_to_suffix(realm_name): s = realm_name.split(".") terms = ["dc=" + x.lower() for x in s] @@ -229,65 +225,39 @@ class DsInstance(service.Service): shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif", schema_dirname(self.realm_name) + "60ipaconfig.ldif") - def __add_memberof_module(self): - self.step("enabling memboerof plugin") - memberof_txt = ipautil.template_file(ipautil.SHARE_DIR + "memberof-conf.ldif", self.sub_dict) - memberof_fd = ipautil.write_tmp_file(memberof_txt) + def __ldap_mod(self, step, ldif): + self.step(step) + + txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict) + fd = ipautil.write_tmp_file(txt) + + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", + "-D", "cn=Directory Manager", "-w", self.dm_password, "-f", fd.name] + try: - ldap_mod(memberof_fd, "cn=Directory Manager", self.dm_password) + ipautil.run(args) except ipautil.CalledProcessError, e: - logging.critical("Failed to load memberof-conf.ldif: %s" % str(e)) - memberof_fd.close() + logging.critical("Failed to load %s: %s" % (ldif, str(e))) + + fd.close() + + def __add_memberof_module(self): + self.__ldap_mod("enabling memberof plugin", "memberof-conf.ldif") def __init_memberof(self): - self.step("initializing group membership") - memberof_txt = ipautil.template_file(ipautil.SHARE_DIR + "memberof-task.ldif", self.sub_dict) - memberof_fd = ipautil.write_tmp_file(memberof_txt) - try: - ldap_mod(memberof_fd, "cn=Directory Manager", self.dm_password) - except ipautil.CalledProcessError, e: - logging.critical("Failed to load memberof-conf.ldif: %s" % str(e)) - memberof_fd.close() + self.__ldap_mod("initializing group membership", "memberof-task.ldif") def __add_referint_module(self): - self.step("enabling referential integrity plugin") - referint_txt = ipautil.template_file(ipautil.SHARE_DIR + "referint-conf.ldif", self.sub_dict) - referint_fd = ipautil.write_tmp_file(referint_txt) - try: - ldap_mod(referint_fd, "cn=Directory Manager", self.dm_password) - except ipautil.CalledProcessError, e: - print "Failed to load referint-conf.ldif", e - referint_fd.close() + self.__ldap_mod("enabling referential integrity plugin", "referint-conf.ldif") def __add_dna_module(self): - self.step("enabling distributed numeric assignment plugin") - dna_txt = ipautil.template_file(ipautil.SHARE_DIR + "dna-conf.ldif", self.sub_dict) - dna_fd = ipautil.write_tmp_file(dna_txt) - try: - ldap_mod(dna_fd, "cn=Directory Manager", self.dm_password) - except ipautil.CalledProcessError, e: - print "Failed to load dna-conf.ldif", e - dna_fd.close() + self.__ldap_mod("enabling distributed numeric assignment plugin", "dna-conf.ldif") def __config_uidgid_gen_first_master(self): - self.step("configuring Posix uid/gid generation as first master") - dna_txt = ipautil.template_file(ipautil.SHARE_DIR + "dna-posix.ldif", self.sub_dict) - dna_fd = ipautil.write_tmp_file(dna_txt) - try: - ldap_mod(dna_fd, "cn=Directory Manager", self.dm_password) - except ipautil.CalledProcessError, e: - print "Failed to configure Posix uid/gid generation with dna-posix.ldif", e - dna_fd.close() + self.__ldap_mod("configuring Posix uid/gid generation as first master", "dna-posix.ldif") def __add_master_entry_first_master(self): - self.step("adding master entry as first master") - master_txt = ipautil.template_file(ipautil.SHARE_DIR + "master-entry.ldif", self.sub_dict) - master_fd = ipautil.write_tmp_file(master_txt) - try: - ldap_mod(master_fd, "cn=Directory Manager", self.dm_password) - except ipautil.CalledProcessError, e: - print "Failed to add master-entry.ldif", e - master_fd.close() + self.__ldap_mod("adding master entry as first master", "master-entry.ldif") def __enable_ssl(self): self.step("configuring ssl for ds instance") @@ -324,31 +294,10 @@ class DsInstance(service.Service): conn.unbind() def __add_default_layout(self): - self.step("adding default layout") - txt = ipautil.template_file(ipautil.SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) - inf_fd = ipautil.write_tmp_file(txt) - logging.debug("adding default dfrom ipa.ipautil import *s layout") - args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.dm_password, "-f", inf_fd.name] - try: - ipautil.run(args) - logging.debug("done adding default ds layout") - except ipautil.CalledProcessError, e: - print "Failed to add default ds layout", e - logging.critical("Failed to add default ds layout %s" % e) + self.__ldap_mod("adding default layout", "bootstrap-template.ldif") def __create_indeces(self): - self.step("creating indeces") - txt = ipautil.template_file(ipautil.SHARE_DIR + "indeces.ldif", self.sub_dict) - inf_fd = ipautil.write_tmp_file(txt) - logging.debug("adding/updating indeces") - args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.dm_password, "-f", inf_fd.name] - try: - ipautil.run(args) - logging.debug("done adding/updating indeces") - except ipautil.CalledProcessError, e: - logging.critical("Failed to add/update indeces %s" % str(e)) + self.__ldap_mod("creating indeces", "indeces.ldif") def __certmap_conf(self): self.step("configuring certmap.conf") diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 5705a1ef3..67d3019e0 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -52,10 +52,6 @@ def host_to_domain(fqdn): s = fqdn.split(".") return ".".join(s[1:]) -def ldap_mod(fd, dn, pwd): - args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] - ipautil.run(args) - def update_key_val_in_file(filename, key, val): if os.path.exists(filename): pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val)) @@ -139,7 +135,7 @@ class KrbInstance(service.Service): self.__common_setup(ds_user, realm_name, host_name, admin_password) - self.start_creation(11, "Configuring Kerberos KDC") + self.start_creation(12, "Configuring Kerberos KDC") self.__configure_kdc_account_password() self.__configure_sasl_mappings() @@ -195,6 +191,22 @@ class KrbInstance(service.Service): HOST=self.host, REALM=self.realm) + def __ldap_mod(self, step, ldif): + self.step(step) + + txt = ipautil.template_file(ipautil.SHARE_DIR + ldif, self.sub_dict) + fd = ipautil.write_tmp_file(txt) + + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", + "-D", "cn=Directory Manager", "-w", self.admin_password, "-f", fd.name] + + try: + ipautil.run(args) + except ipautil.CalledProcessError, e: + logging.critical("Failed to load %s: %s" % (ldif, str(e))) + + fd.close() + def __configure_sasl_mappings(self): self.step("adding sasl mappings to the directory") # we need to remove any existing SASL mappings in the directory as otherwise they @@ -246,25 +258,10 @@ class KrbInstance(service.Service): raise e def __add_krb_entries(self): - self.step("adding kerberos entries to the DS") - - #TODO: test that the ldif is ok with any random charcter we may use in the password - kerberos_txt = ipautil.template_file(ipautil.SHARE_DIR + "kerberos.ldif", self.sub_dict) - kerberos_fd = ipautil.write_tmp_file(kerberos_txt) - try: - ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) - except ipautil.CalledProcessError, e: - logging.critical("Failed to load kerberos.ldif: %s" % str(e)) - kerberos_fd.close() + self.__ldap_mod("adding kerberos entries to the DS", "kerberos.ldif") #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes - aci_txt = ipautil.template_file(ipautil.SHARE_DIR + "default-aci.ldif", self.sub_dict) - aci_fd = ipautil.write_tmp_file(aci_txt) - try: - ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) - except ipautil.CalledProcessError, e: - logging.critical("Failed to load default-aci.ldif: %s" % str(e)) - aci_fd.close() + self.__ldap_mod("adding defalt ACIs", "default-aci.ldif") def __create_instance(self, replica=False): self.step("configuring KDC") @@ -325,14 +322,7 @@ class KrbInstance(service.Service): #add the password extop module def __add_pwd_extop_module(self): - self.step("adding the password extenstion to the directory") - extop_txt = ipautil.template_file(ipautil.SHARE_DIR + "pwd-extop-conf.ldif", self.sub_dict) - extop_fd = ipautil.write_tmp_file(extop_txt) - try: - ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) - except ipautil.CalledProcessError, e: - logging.critical("Failed to load pwd-extop-conf.ldif: %s" % str(e)) - extop_fd.close() + self.__ldap_mod("adding the password extenstion to the directory", "pwd-extop-conf.ldif") #get the Master Key from the stash file try: -- cgit