From 13139f2fd638d23739d294cb2f5b3b94569c2316 Mon Sep 17 00:00:00 2001
From: Jr Aquino
Date: Fri, 10 Dec 2010 15:21:39 -0800
Subject: managed entry hostgroup netgroup support
https://fedorahosted.org/freeipa/ticket/543
---
 install/po/Makefile.in | 1 +
 install/share/Makefile.am | 1 +
 install/share/host_nis_groups.ldif | 19 +++
 install/tools/Makefile.am | 1 +
 install/tools/ipa-host-net-manage | 219 ++++++++++++++++++++++++++++++++
 install/tools/man/Makefile.am | 3 +-
 install/tools/man/ipa-host-net-manage.1 | 47 +++++++
 ipa.1 | 3 +-
 ipa.spec.in | 9 +-
 ipaserver/install/dsinstance.py | 6 +
 10 files changed, 305 insertions(+), 4 deletions(-)
 create mode 100644 install/share/host_nis_groups.ldif
 create mode 100755 install/tools/ipa-host-net-manage
 create mode 100644 install/tools/man/ipa-host-net-manage.1
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index 11d84a73c..e2273537f 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -45,6 +45,7 @@ PY_EXPLICIT_FILES = \
 install/tools/ipa-upgradeconfig \
 install/tools/ipa-replica-prepare \
 install/tools/ipa-compat-manage \
+ install/tools/ipa-host-net-manage \
 install/tools/ipa-server-install \
 install/tools/ipa-ldap-updater \
 ipa-client/ipa-install/ipa-client-install
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index c7e1c5c5a..f9cc980d8 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -43,6 +43,7 @@ app_DATA = \
 ldapi.ldif \
 wsgi.py \
 user_private_groups.ldif \
+ host_nis_groups.ldif \
 uuid-ipauniqueid.ldif \
 modrdn-krbprinc.ldif \
 entryusn.ldif \
diff --git a/install/share/host_nis_groups.ldif b/install/share/host_nis_groups.ldif
new file mode 100644
index 000000000..cb2aca1a6
--- /dev/null
+++ b/install/share/host_nis_groups.ldif
@@ -0,0 +1,19 @@
+dn: cn=NGP HGP Template,$SUFFIX
+changetype: add
+objectclass: mepTemplateEntry
+cn: NGP HGP Template
+mepRDNAttr: cn
+mepStaticAttr: ipaUniqueId: autogenerate
+mepStaticAttr: objectclass: ipanisnetgroup
+mepMappedAttr: cn: $$cn
+mepMappedAttr: memberHost: $$dn
+mepMappedAttr: description: ipaNetgroup $$cn
+
+dn: cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config
+changetype: add
+objectclass: extensibleObject
+cn: HGP Definition
+originScope: cn=hostgroups,cn=accounts,$SUFFIX
+originFilter: objectclass=ipahostgroup
+managedBase: cn=ng,cn=alt,$SUFFIX
+managedTemplate: cn=NGP HGP Template,$SUFFIX
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 931989638..70e65ee73 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -14,6 +14,7 @@ sbin_SCRIPTS = \
 ipactl \
 ipa-compat-manage \
 ipa-nis-manage \
+ ipa-host-net-manage \
 ipa-ldap-updater \
 ipa-upgradeconfig \
 $(NULL)
diff --git a/install/tools/ipa-host-net-manage b/install/tools/ipa-host-net-manage
new file mode 100755
index 000000000..3cb142421
--- /dev/null
+++ b/install/tools/ipa-host-net-manage
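Review bot: The definition entry's `cn` value disagrees with its RDN: the `dn:` line names `cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config`, but the attribute line reads `cn: HGP Definition`, and the management script in this same patch looks the entry up under the `NGP Definition` name. Whether the server rejects the add as a naming violation or stores a cn that differs from the RDN, the result is an entry that does not match what the rest of the patch expects; change the line to `cn: NGP Definition`. A short header comment would also help the next maintainer, since the file mixes two substitution conventions: `# $SUFFIX is replaced at install/enable time; $$ is the escape for a literal $, so $$cn and $$dn reach the plugin as $cn and $dn` — the management script performs exactly that `$SUFFIX` then `$$` replacement, and the installer's `_ldap_mod` path presumably does the same.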
@@ -0,0 +1,219 @@ +#!/usr/bin/env python +# Authors: Jr Aquino +# Authors: Rob Crittenden +# Authors: Simo Sorce +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +try: + from optparse import OptionParser + from ipapython import ipautil, config + from ipaserver.install import installutils + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax + from ipaserver.plugins.ldap2 import ldap2 + from ipalib import api, errors + import logging + import StringIO + import ldif +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. 
The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +def parse_options(): + usage = "%prog [options] \n" + usage += "%prog [options]\n" + parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) + + parser.add_option("-d", "--debug", action="store_true", dest="debug", + help="Display debugging information about the update(s)") + parser.add_option("-y", dest="password", + help="File containing the Directory Manager password") + + config.add_standard_options(parser) + options, args = parser.parse_args() + + config.init_config(options) + + return options, args + +def get_dirman_password(): + """Prompt the user for the Directory Manager password and verify its + correctness. + """ + password = installutils.read_password("Directory Manager", confirm=False, + validate=False) + + return password + +def main(): + retval = 0 + loglevel = logging.ERROR + files = ['/usr/share/ipa/host_nis_groups.ldif'] + def_dn = 'cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config' + + options, args = parse_options() + if options.debug: + loglevel = logging.DEBUG + + if len(args) != 1: + sys.exit("You must specify one action, either enable or disable") + elif args[0] != "enable" and args[0] != "disable" and args[0] != "status": + sys.exit("Unrecognized action [" + args[0] + "]") + + logging.basicConfig(level=loglevel, + format='%(levelname)s %(message)s') + + dirman_password = "" + if options.password: + pw = ipautil.template_file(options.password, []) + dirman_password = pw.strip() + else: + dirman_password = get_dirman_password() + + api.bootstrap(context='cli', debug=options.debug) + api.finalize() + + conn = None + try: + ldapuri = 'ldap://%s' % installutils.get_fqdn() + try: + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') + conn.connect( + bind_dn='cn=directory manager', bind_pw=dirman_password + ) + except errors.LDAPError, lde: + sys.exit("An error occurred while connecting to the server.\n%s\n" % + str(lde)) + + if args[0] == "status": + 
try: + dn, current_attr = conn.get_entry(def_dn, ['originfilter'], + normalize=False) + if current_attr['originfilter'] == [u'objectclass=ipahostgroup']: + print "Plugin Enabled" + else: + print "Plugin Disabled" + except errors.NotFound: + print "Plugin Disabled" + except errors.LDAPError, lde: + print "An error occurred while talking to the server." + print lde + return 0 + + if args[0] == "enable": + try: + enable_attr = {'originfilter': 'objectclass=ipahostgroup'} + dn, current_attr = conn.get_entry(def_dn, ['originfilter'], + normalize=False) + if current_attr['originfilter'] == [u'objectclass=ipahostgroup']: + print "Plugin already Enabled" + else: + conn.update_entry(dn, enable_attr) + print "Enabling Plugin" + retval = 2 + except errors.NotFound: + print "Enabling Plugin" + except errors.LDAPError, lde: + print "An error occurred while talking to the server." + print lde + retval = 1 + + if retval == 0: + ldap_data = StringIO.StringIO() + ldapfile = open(files[0], 'r').readlines() + for line in ldapfile: + if line == 'changetype: add\n': + pass + else: + line = line.replace( + '$SUFFIX', api.env.basedn).replace('$$', '$') + ldap_data.write(line,) + parsing_data = ldif.LDIFRecordList(ldap_data) + print "Enabling Plugin" + print "This setting will not take effect until you restart \ + Directory Server." + for dn, entry_attr in parsing_data.all_records: + try: + conn.update_entry(dn, entry_attr) + retval = 1 + except errors.LDAPError, lde: + print "An error occurred while talking to the server." + print lde + retval = 1 + + elif args[0] == "disable": + # Make a quick hack for now, directly delete the entries by name, + # In future we should consider an alternative means for enabling/ + # disabling. 
+ try: + disable_attr = {'originfilter': 'objectclass=disabled'} + dn, current_attr = conn.get_entry(def_dn, ['originfilter'], + normalize=False) + if current_attr['originfilter'] == [u'objectclass=disabled']: + print "Plugin already disabled" + else: + conn.update_entry(dn, disable_attr) + print "Disabling Plugin" + except errors.NotFound: + print "Plugin is already disabled" + retval = 2 + except errors.DatabaseError, dbe: + print "An error occurred while talking to the server." + print dbe + retval = 1 + except errors.LDAPError, lde: + print "An error occurred while talking to the server." + print lde + retval = 1 + + else: + retval = 1 + + finally: + if conn: + conn.disconnect() + + return retval + +try: + if __name__ == "__main__": + sys.exit(main()) +except BadSyntax, e: + print "There is a syntax error in this update file:" + print " %s" % e + sys.exit(1) +except RuntimeError, e: + print "%s" % e + sys.exit(1) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt, e: + sys.exit(1) +except config.IPAConfigError, e: + print "An IPA server to update cannot be found. Has one been configured yet?" + print "The error was: %s" % e + sys.exit(1) +except errors.LDAPError, e: + print "An error occurred while performing operations: %s" % e + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index bcbea81ac..eae5c6067 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -12,7 +12,8 @@ man1_MANS = \ ipa-server-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ - ipa-nis-manage.1 + ipa-nis-manage.1 \ + ipa-host-net-manage.1 man8_MANS = \ ipactl.8 \ diff --git a/install/tools/man/ipa-host-net-manage.1 b/install/tools/man/ipa-host-net-manage.1 new file mode 100644 index 000000000..1b332e6f2 --- /dev/null +++ b/install/tools/man/ipa-host-net-manage.1 
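Review bot: A first-time `enable` that succeeds exits with status 1: in `main`'s enable branch, the loop that loads the records parsed from `host_nis_groups.ldif` sets `retval = 1` right after a successful `conn.update_entry(dn, entry_attr)`, while the man page in this patch documents 1 as "an error occurred"; drop that assignment so `retval` stays 0 on success. In the same branch `retval = 2` is set after the definition has actually been re-enabled through `conn.update_entry(dn, enable_attr)`, although 2 is documented as "already in the required status"; it belongs only under the `print "Plugin already Enabled"` path, mirroring how the disable branch sets it under `except errors.NotFound`. The LDIF records have their `changetype: add` line stripped and are then passed to `conn.update_entry`; if that method modifies an existing entry rather than adding one, as its name suggests, a fresh install reaches `errors.NotFound` here and `conn.add_entry(dn, entry_attr)` looks like the intended call — worth confirming against ldap2. Separately, the script binds as `cn=directory manager` to `'ldap://%s' % installutils.get_fqdn()`; unless ldap2 negotiates STARTTLS on that URI, the Directory Manager password leaves the process in clear over the host's network interface, and an `ldapi://` or `ldaps://` URI would keep it local or encrypted. The `-y` file is read through `ipautil.template_file(options.password, [])`, which by name performs `$`-substitution; if so, a password containing `$` is mangled or rejected, and a plain `open(options.password).read().strip()` is the safer read.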
@@ -0,0 +1,47 @@
+.\" A man page for ipa-host-net-manage
+.\" Copyright (C) 2010 Red Hat, Inc.
+.\"
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; version 2 only
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Author: Jr Aquino
+.\"
+.TH "ipa-host-net-manage" "1" "Dec 2 2010" "freeipa" ""
+.SH "NAME"
+ipa\-host\-net\-manage \- Enables or disables the schema Managed Entry Hostgroup -to- Netgroup plugin
+.SH "SYNOPSIS"
+ipa\-host\-net\-manage [options]
+.SH "DESCRIPTION"
+Run the command with the \fBenable\fR option to enable the Managed Entry Hostgroup -to- Netgroup plugin.
+
+Run the command with the \fBdisable\fR option to disable the Managed Entry Hostgroup -to- Netgroup plugin.
+
+Run the command with the \fBstatus\fR to determine the current status of the Managed Entry Hostgroup -to- Netgroup plugin.
+
+In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+
+Directory Server will need to be restarted after the schema compatibility plugin has been enabled.
+
+.SH "OPTIONS"
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
+.TP
+\fB\-y\fR \fIfile\fR
+File containing the Directory Manager password
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+2 if the plugin is already in the required status (enabled or disabled)
diff --git a/ipa.1 b/ipa.1 index 9994aee29..a1c9ba933 100644 --- a/ipa.1 +++ b/ipa.1 @@ -175,5 +175,6 @@ IPA default configuration file. ipa-client-install(1), ipa-compat-manage(1), ipactl(1), ipa-dns-install(1), ipa-getcert(1), ipa-getkeytab(1), ipa-join(1), ipa_kpasswd(1), ipa-ldap-updater(1), ipa-nis-manage(1), ipa-replica-install(1), ipa-replica-manage(1), ipa-replica-prepare(1), -ipa-rmkeytab(1), ipa-server-certinstall(1), ipa-server-install(1), ipa-upgradeconfig(1) +ipa-rmkeytab(1), ipa-server-certinstall(2), ipa-server-install(1), ipa-upgradeconfig(1), +ipa-host-net-manage(1) diff --git a/ipa.spec.in b/ipa.spec.in index f808e4158..95f6e109d 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -23,7 +23,7 @@ Source0: freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.2.7 +BuildRequires: 389-ds-base-devel >= 1.2.7.4 BuildRequires: mozldap-devel BuildRequires: svrcore-devel BuildRequires: nspr-devel @@ -64,7 +64,7 @@ Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires(post): %{name}-server-selinux = %{version}-%{release} -Requires: 389-ds-base >= 1.2.7 +Requires: 389-ds-base >= 1.2.7.4 Requires: openldap-clients Requires: nss Requires: nss-tools @@ -435,6 +435,7 @@ fi %{_mandir}/man8/ipactl.8.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz +%{_mandir}/man1/ipa-host-net-manage.1.gz %{_mandir}/man1/ipa-ldap-updater.1.gz %files server-selinux @@ -470,6 +471,7 @@ fi %{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-compat-manage %{_sbindir}/ipa-nis-manage +%{_sbindir}/ipa-host-net-manage %{_sysconfdir}/bash_completion.d %{_mandir}/man1/ipa.1.gz %endif @@ -508,6 +510,9 @@ fi %endif %changelog +* Fri Dec 10 2010 Jr Aquino - 1.99-34 +- Add ipa-host-net-manage script + * Tue Dec 7 2010 Simo Sorce - 1.99-33 - Add ipa init script 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 735c885aa..751be78f6 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -209,6 +209,7 @@ class DsInstance(service.Service): self.step("configuring certmap.conf", self.__certmap_conf) self.step("restarting directory server", self.__restart_instance) self.step("configuring user private groups", self.__user_private_groups) + self.step("configuring netgroups from hostgroups", self.__host_nis_groups) def __common_post_setup(self): self.step("initializing group membership", self.init_memberof) @@ -464,6 +465,11 @@ class DsInstance(service.Service): raise errors.NotFound(reason='Missing Managed Entries Plugin') self._ldap_mod("user_private_groups.ldif", self.sub_dict) + def __host_nis_groups(self): + if not has_managed_entries(self.fqdn, self.dm_password): + raise errors.NotFound(reason='Missing Managed Entries Plugin') + self._ldap_mod("host_nis_groups.ldif", self.sub_dict) + def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -- cgit
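Review bot: `__host_nis_groups` in the second hunk is a line-for-line copy of `__user_private_groups` with only the LDIF name changed, including the `has_managed_entries(self.fqdn, self.dm_password)` precheck that binds as Directory Manager once per step; a small private helper taking the LDIF name would make both steps one-liners and give the precheck a single place to document (`__user_private_groups`'s `def` line is outside the hunk, so the caller change below touches code not shown). The new method also lacks a docstring; at minimum `"""Add the hostgroup -> netgroup Managed Entries template and definition from host_nis_groups.ldif."""` would state what it loads. In the first hunk the new step is scheduled after `self.step("restarting directory server", self.__restart_instance)`, and the management script in this patch says the plugin definition only takes effect after a restart; whether a later step restarts the instance is outside this hunk, so it is worth confirming the install flow ends with one.
```python
    def __managed_entries_mod(self, ldif):
        """Apply *ldif* with sub_dict, or raise NotFound if the Managed Entries plugin is absent."""
        if not has_managed_entries(self.fqdn, self.dm_password):
            raise errors.NotFound(reason='Missing Managed Entries Plugin')
        self._ldap_mod(ldif, self.sub_dict)

    def __user_private_groups(self):
        self.__managed_entries_mod("user_private_groups.ldif")

    def __host_nis_groups(self):
        """Add the hostgroup -> netgroup Managed Entries template and definition."""
        self.__managed_entries_mod("host_nis_groups.ldif")
```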