daemons/dnssec/ipa-dnskeysyncd


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

#!/usr/bin/python2
#
# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
#

import sys
import ldap
import ldapurl
import logging
import os
import signal
import systemd.journal
import time

from ipalib import api
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython import ipaldap
from ipapython import ipautil
from ipaserver.plugins.ldap2 import ldap2
from ipaplatform.paths import paths

from ipapython.dnssec.keysyncer import KeySyncer

DAEMONNAME = 'ipa-dnskeysyncd'
PRINCIPAL = None  # not initialized yet
WORKDIR = '/tmp' # private temp
KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB

# Shutdown handler
def commenceShutdown(signum, stack):
    # Declare the needed global variables
    global watcher_running, ldap_connection, log
    log.info('Signal %s received: Shutting down!', signum)

    # We are no longer running
    watcher_running = False

    # Tear down the server connection
    if ldap_connection:
        ldap_connection.close_db()
        del ldap_connection

    # Shutdown
    sys.exit(0)


os.umask(007)

# Global state
watcher_running = True
ldap_connection = False

# Signal handlers
signal.signal(signal.SIGTERM, commenceShutdown)
signal.signal(signal.SIGINT, commenceShutdown)

# IPA framework initialization
api.bootstrap()
api.finalize()
standard_logging_setup(verbose=True, debug=api.env.debug)
log = root_logger
#log.addHandler(systemd.journal.JournalHandler())

# Kerberos initialization
PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
log.debug('Kerberos principal: %s', PRINCIPAL)
ipautil.kinit_hostprincipal(KEYTAB_FB, WORKDIR, PRINCIPAL)

# LDAP initialization
basedn = DN(api.env.container_dns, api.env.basedn)
ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri)
ldap_url.dn = str(basedn)
ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE
ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
log.debug('LDAP URL: %s', ldap_url.unparse())

# Real work
while watcher_running:
    # Prepare the LDAP server connection (triggers the connection as well)
    ldap_connection = KeySyncer(ldap_url.initializeUrl(), ipa_api=api)

    # Now we login to the LDAP server
    try:
        log.info('LDAP bind...')
        ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
    except ldap.INVALID_CREDENTIALS, e:
        log.exception('Login to LDAP server failed: %s', e)
        sys.exit(1)
    except ldap.SERVER_DOWN, e:
        log.exception('LDAP server is down, going to retry: %s', e)
        time.sleep(5)
        continue

    # Commence the syncing
    log.info('Commencing sync process')
    ldap_search = ldap_connection.syncrepl_search(
        ldap_url.dn,
        ldap_url.scope,
        mode='refreshAndPersist',
        attrlist=ldap_url.attrs,
        filterstr=ldap_url.filterstr
    )

    try:
        while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
            pass
    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
        log.exception('syncrepl_poll: LDAP error (%s)', e)
        sys.exit(1)