From d0587cbdd5bc5e07a6e8519deb07adaace643740 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 14 Sep 2009 17:04:08 -0400
Subject: Enrollment for a host in an IPA domain

This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab If no kerberos credentails are available then enrollment over LDAPS is used if a password is provided. This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...
---
 ipa-client/ipa-getkeytab.c | 56 +++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 10 deletions(-)
(limited to 'ipa-client/ipa-getkeytab.c')

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index fbeb547a8..1bbb7759e 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -479,6 +479,8 @@ static int ldap_set_keytab(krb5_context krbctx,
                            const char *servername,
                            const char *principal_name,
                            krb5_principal princ,
+                           const char *binddn,
+                           const char *bindpw,
                            struct keys_container *keys)
 {
     int version;
@@ -513,7 +515,20 @@ static int ldap_set_keytab(krb5_context krbctx,
     }
 
     /* TODO: support referrals ? */
-    ld = ldap_init(servername, 389);
+    if (binddn) {
+        int ssl = LDAP_OPT_X_TLS_HARD;;
+        if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ipa/ca.crt") != LDAP_OPT_SUCCESS) {
+            goto error_out;
+        }
+
+        ld = ldap_init(servername, 636);
+        if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
+            goto error_out;
+        }
+    } else {
+        ld = ldap_init(servername, 389);
+    }
+
     if(ld == NULL) {
         fprintf(stderr, "Unable to initialize ldap library!\n");
         goto error_out;
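Review bot: The LDAPS branch sets `LDAP_OPT_X_TLS_CACERTFILE` but never sets `LDAP_OPT_X_TLS_REQUIRE_CERT`, so whether the server certificate is actually validated against /etc/ipa/ca.crt before the bind password is sent depends on whatever TLS_REQCERT the system ldap.conf happens to carry; pin it in the same place with `int reqcert = LDAP_OPT_X_TLS_DEMAND;` and `ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert)`, checked like the CA-file call. The two new `ldap_set_option` failures jump to error_out silently, unlike the `ld == NULL` path right below them, so a TLS setup problem is indistinguishable from any other failure; a `fprintf(stderr, ...)` naming the option that failed would help. `ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl)` is called before `ld` is checked for NULL; moving the check ahead of it, or using `ldap_initialize` with an `ldaps://` URI in place of the deprecated `ldap_init`, avoids handing a NULL handle to the option call. Minor: `int ssl = LDAP_OPT_X_TLS_HARD;;` carries a doubled semicolon. The rest of ldap_set_keytab lies outside the hunk.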
@@ -526,14 +541,22 @@ static int ldap_set_keytab(krb5_context krbctx,
         goto error_out;
     }
 
-    ret = ldap_sasl_interactive_bind_s(ld,
-                                       NULL, "GSSAPI",
-                                       NULL, NULL,
-                                       LDAP_SASL_QUIET,
-                                       ldap_sasl_interact, princ);
-    if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, "SASL Bind failed!\n");
-        goto error_out;
+    if (binddn) {
+        ret = ldap_bind_s(ld, binddn, bindpw, LDAP_AUTH_SIMPLE);
+        if (ret != LDAP_SUCCESS) {
+            fprintf(stderr, "Simple bind failed\n");
+            goto error_out;
+        }
+    } else {
+        ret = ldap_sasl_interactive_bind_s(ld,
+                                           NULL, "GSSAPI",
+                                           NULL, NULL,
+                                           LDAP_SASL_QUIET,
+                                           ldap_sasl_interact, princ);
+        if (ret != LDAP_SUCCESS) {
+            fprintf(stderr, "SASL Bind failed!\n");
+            goto error_out;
+        }
     }
 
     /* find base dn */
@@ -686,6 +709,8 @@ int main(int argc, char *argv[])
     static const char *principal = NULL;
     static const char *keytab = NULL;
     static const char *enctypes_string = NULL;
+    static const char *binddn = NULL;
+    static const char *bindpw = NULL;
     int quiet = 0;
     int askpass = 0;
     int permitted_enctypes = 0;
@@ -697,6 +722,8 @@ int main(int argc, char *argv[])
         { "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0, "Encryption types to request", "Comma separated encryption types list" },
         { "permitted-enctypes", 0, POPT_ARG_NONE, &permitted_enctypes, 0, "Show the list of permitted encryption types and exit", "Permitted Encryption Types"},
         { "password", 'P', POPT_ARG_NONE, &askpass, 0, "Asks for a non-random password to use for the principal" },
+        { "binddn", 'D', POPT_ARG_STRING, &binddn, 0, "LDAP DN", "DN to bind as if not using kerberos" },
+        { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, "LDAP password", "password to use if not using kerberos" },
         { NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL }
     };
     poptContext pc;
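Review bot: The new simple-bind error path prints only `"Simple bind failed\n"` and discards `ret`, so a wrong password, a rejected server certificate and a refused connection all produce the same message; `fprintf(stderr, "Simple bind failed: %s\n", ldap_err2string(ret));` would separate them, and the SASL branch deserves the same. `ldap_bind_s` is deprecated in OpenLDAP and only declared when LDAP_DEPRECATED is defined; since the commit makes openldap a requirement, `ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)` with a `struct berval cred` pointing at bindpw is the supported equivalent. The function continues past the hunk on both sides.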
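Review bot: The `bindpw` option takes the LDAP password on the command line, where it is visible to other local users in the process listing and ends up in shell history and wrapper scripts; the tool already prompts interactively through `ask_password` for the `-P` case, so prompting for the bind password when `--binddn` is given without `--bindpw` (or reading it from a file) would keep it off the command line. If `-w` is kept, its help text should say so, e.g. `"password to use if not using kerberos (visible in the process list; prefer a prompt)"`. The options table continues beyond the hunk.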
@@ -751,6 +778,13 @@ int main(int argc, char *argv[])
         exit(2);
     }
 
+    if (NULL!=binddn && NULL==bindpw) {
+        fprintf(stderr, "Bind password required when using a bind DN.\n");
+        if (!quiet)
+            poptPrintUsage(pc, stderr, 0);
+        exit(10);
+    }
+
     if (askpass) {
         password = ask_password(krbctx);
         if (!password) {
@@ -773,6 +807,7 @@ int main(int argc, char *argv[])
         exit(4);
     }
 
+    if (NULL == bindpw) {
     krberr = krb5_cc_default(krbctx, &ccache);
     if (krberr) {
         fprintf(stderr, "Kerberos Credential Cache not found\n"
@@ -786,6 +821,7 @@ int main(int argc, char *argv[])
                         "Do you have a valid Credential Cache?\n");
         exit(6);
     }
+    }
 
     krberr = krb5_kt_resolve(krbctx, ktname, &kt);
     if (krberr) {
@@ -800,7 +836,7 @@ int main(int argc, char *argv[])
         exit(8);
     }
 
-    kvno = ldap_set_keytab(krbctx, server, principal, uprinc, &keys);
+    kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys);
     if (!kvno) {
         exit(9);
     }
-- cgit
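Review bot: The check `if (NULL!=binddn && NULL==bindpw)` rejects a DN without a password but not the reverse, and because the `if (NULL == bindpw)` guard two hunks down keys on bindpw while `ldap_set_keytab` selects the simple bind on binddn, a run given only `--bindpw` skips the credential-cache check and then attempts the GSSAPI bind with no cache, failing with a misleading error. Reject both mismatches here with `if ((binddn == NULL) != (bindpw == NULL)) {` and a message such as `"--binddn and --bindpw must be given together.\n"`, or key the later guard on binddn as well. The wrapped `krb5_cc_default` block keeps its old indentation and its closing `}` lands in the following hunk, so re-indenting the body would make the new scope readable. The remaining hunks only pass the new parameters through.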