From 51119d1acc532cfad68b9fe4a1daa945fe7cd3f0 Mon Sep 17 00:00:00 2001 From: Michael DeHaan Date: Mon, 14 Apr 2008 16:31:08 -0400 Subject: Better kerberos support. See the Wiki. --- cobbler/cobblerd.py | 35 +++++++++++++---- cobbler/modules/authn_kerberos.py | 81 --------------------------------------- cobbler/modules/authn_ldap.py | 7 +++- cobbler/modules/authn_passthru.py | 49 +++++++++++++++++++++++ cobbler/utils.py | 2 +- 5 files changed, 84 insertions(+), 90 deletions(-) delete mode 100644 cobbler/modules/authn_kerberos.py create mode 100644 cobbler/modules/authn_passthru.py (limited to 'cobbler') diff --git a/cobbler/cobblerd.py b/cobbler/cobblerd.py index 8859e03..065e99e 100644 --- a/cobbler/cobblerd.py +++ b/cobbler/cobblerd.py @@ -18,6 +18,7 @@ import SimpleXMLRPCServer import glob from utils import _ import xmlrpclib +import binascii from server import xmlrpclib2 import api as cobbler_api @@ -40,6 +41,8 @@ def core(logger=None): pid = os.fork() + regen_ss_file() + if pid == 0: # part one: XMLRPC -- which may be just read-only or both read-only and read-write do_xmlrpc_tasks(bootapi, settings, xmlrpc_port, xmlrpc_port2, logger) @@ -47,6 +50,21 @@ def core(logger=None): # part two: syslog, or syslog+avahi if avahi is installed do_other_tasks(bootapi, settings, syslog_port, logger) +def regen_ss_file(): + # this is only used for Kerberos auth at the moment. + # it identifies XMLRPC requests from Apache that have already + # been cleared by Kerberos. + + fd = open("/dev/urandom") + data = fd.read(512) + fd.close() + fd = open("/var/lib/cobbler/web.ss","w+") + fd.write(binascii.hexlify(data)) + fd.close() + os.system("chmod 700 /var/lib/cobbler/web.ss") + os.system("chown apache /var/lib/cobbler/web.ss") + return 1 + def do_xmlrpc_tasks(bootapi, settings, xmlrpc_port, xmlrpc_port2, logger): if str(settings.xmlrpc_rw_enabled) != "0": pid2 = os.fork() 
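Review bot: `regen_ss_file()` is placed after `pid = os.fork()`, so both the parent and the XMLRPC child run it and race to write /var/lib/cobbler/web.ss with two different random values; until the last writer wins, the two processes and whatever Apache reads can disagree on the secret. Generate it once, before the fork: `regen_ss_file()` then `pid = os.fork()`. The body of core() starts before this hunk and continues past it, so the earlier settings lookups are not visible here.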
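Review bot: `open("/var/lib/cobbler/web.ss","w+")` creates the secret file with the process umask's default mode and writes the secret before the `chmod` runs, so for that window (and permanently, if the chmod fails) other local users can read it; the two `os.system` exit statuses are also discarded, so a failed chmod/chown goes unnoticed, and 700 on a regular file should be 600. Creating the file owner-only via `os.open` with an explicit mode, re-applying the mode in case the file pre-existed, and raising when the chown fails closes the window; the /dev/urandom handle should likewise be closed if `read` raises. Rewritten body below; `os.chown` with a uid from `pwd.getpwnam` would avoid the shell entirely but needs an extra import.
```python
def regen_ss_file():
    # this is only used for Kerberos auth at the moment.
    # it identifies XMLRPC requests from Apache that have already
    # been cleared by Kerberos.
    ss_path = "/var/lib/cobbler/web.ss"

    fd = open("/dev/urandom")
    try:
        data = fd.read(512)
    finally:
        fd.close()

    # create (or truncate) the file owner-only from the first instant so the
    # secret is never readable by other local users; re-apply the mode in
    # case the file already existed with a wider one
    ss = os.open(ss_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
    try:
        os.chmod(ss_path, 0600)
        os.write(ss, binascii.hexlify(data))
    finally:
        os.close(ss)
    # os.system's exit status was discarded before; fail loudly instead
    if os.system("chown apache %s" % ss_path) != 0:
        raise OSError("could not chown %s to apache" % ss_path)
    return 1
```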
@@ -195,11 +213,14 @@ if __name__ == "__main__": #main() - bootapi = cobbler_api.BootAPI() - settings = bootapi.settings() - syslog_port = settings.syslog_port - xmlrpc_port = settings.xmlrpc_port - xmlrpc_port2 = settings.xmlrpc_rw_port - logger = bootapi.logger_remote - do_xmlrpc_unix(bootapi, settings, logger) + #bootapi = cobbler_api.BootAPI() + #settings = bootapi.settings() + #syslog_port = settings.syslog_port + #xmlrpc_port = settings.xmlrpc_port + #xmlrpc_port2 = settings.xmlrpc_rw_port + #logger = bootapi.logger_remote + #do_xmlrpc_unix(bootapi, settings, logger) + + regen_ss_file() + diff --git a/cobbler/modules/authn_kerberos.py b/cobbler/modules/authn_kerberos.py deleted file mode 100644 index 46c01ad..0000000 --- a/cobbler/modules/authn_kerberos.py +++ /dev/null 
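Review bot: the `__main__` block now keeps its old body as seven commented-out lines next to the already commented `#main()`; dead code should be deleted rather than commented, since nothing documents whether it is meant to return. The remaining `regen_ss_file()` call also depends silently on running as root: the `chown apache` goes through `os.system` with its status discarded, so a non-root run leaves a 700 file owned by the invoking user, which Apache presumably cannot read, with no error reported. Consider deleting the commented lines and exiting non-zero when `regen_ss_file()` cannot hand the file to apache.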
@@ -1,81 +0,0 @@ -""" -Authentication module that uses kerberos. - -Copyright 2007, Red Hat, Inc -Michael DeHaan - -This software may be freely redistributed under the terms of the GNU -general public license. - -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -""" - -# NOTE: this is not using 'straight up' kerberos in that we -# relay passwords through cobblerd for authentication, that may -# be done later. It does of course check against kerberos, -# however. - -# ALSO NOTE: we're calling out to a Perl program to make -# this work. You must install Authen::Simple::Kerberos -# from CPAN and the Kerberos libraries for this to work. -# See the Cobbler Wiki for more info. - -# ALSO ALSO NOTE: set kerberos_realm in /var/lib/cobbler/settings -# to something appropriate or this will never work. CASING -# MATTERS. example.com != EXAMPLE.COM. - -import distutils.sysconfig -import ConfigParser -import sys -import os -from utils import _ -import md5 -import traceback -# since sub_process isn't available on older OS's -try: - import sub_process as subprocess -except: - import subprocess - -plib = distutils.sysconfig.get_python_lib() -mod_path="%s/cobbler" % plib -sys.path.insert(0, mod_path) - -import cexceptions -import utils - -def register(): - """ - The mandatory cobbler module registration hook. 
- """ - return "authn" - -def authenticate(api_handle,username,password): - """ - Validate a username/password combo, returning True/False - Uses cobbler_auth_helper - """ - - realm = api_handle.settings().kerberos_realm - api_handle.logger.debug("authenticating %s against %s" % (username,realm)) - - rc = subprocess.call([ - "/usr/bin/cobbler_auth_help", - "--method=kerberos", - "--username=%s" % username, - "--password=%s" % password, - "--realm=%s" % realm - ]) - print rc - if rc == 42: - api_handle.logger.debug("authenticated ok") - # authentication ok (FIXME: log) - return True - else: - api_handle.logger.debug("authentication failed") - # authentication failed - return False - - diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py index eef4b2a..ff31750 100644 --- a/cobbler/modules/authn_ldap.py +++ b/cobbler/modules/authn_ldap.py @@ -17,7 +17,10 @@ import os from utils import _ import md5 import traceback -import ldap + +# we'll import this just a bit later +# to keep it from being a requirement +# import ldap plib = distutils.sysconfig.get_python_lib() mod_path="%s/cobbler" % plib @@ -38,6 +41,8 @@ def authenticate(api_handle,username,password): """ Validate an ldap bind, returning True/False """ + + import ldap server = api_handle.settings().ldap_server basedn = api_handle.settings().ldap_base_dn diff --git a/cobbler/modules/authn_passthru.py b/cobbler/modules/authn_passthru.py new file mode 100644 index 0000000..ebbe79a --- /dev/null +++ b/cobbler/modules/authn_passthru.py 
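Review bot: moving `import ldap` into `authenticate` turns a missing python-ldap into an ImportError raised on every login attempt instead of at module load, and that traceback reaches the XMLRPC caller with nothing saying the authn module is unconfigured. Wrap it so the cause is logged before it propagates: `except ImportError: api_handle.logger.debug("python-ldap is not installed; authn_ldap cannot authenticate")` followed by `raise`. The rest of `authenticate` (the bind itself) lies outside the hunk.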
@@ -0,0 +1,49 @@ +""" +Authentication module that defers to Apache and trusts +what Apache trusts. + +Copyright 2008, Red Hat, Inc +Michael DeHaan + +This software may be freely redistributed under the terms of the GNU +general public license. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +""" + +import distutils.sysconfig +import sys +import os +from utils import _ +import traceback + +plib = distutils.sysconfig.get_python_lib() +mod_path="%s/cobbler" % plib +sys.path.insert(0, mod_path) + +import cexceptions +import utils + +def register(): + """ + The mandatory cobbler module registration hook. + """ + return "authn" + +def authenticate(api_handle,username,password): + """ + Validate a username/password combo, returning True/False + Uses cobbler_auth_helper + """ + + fd = open("/var/lib/cobbler/web.ss") + data = fd.read() + if password == data: + rc = 1 + else: + rc = 0 + fd.close() + return data + diff --git a/cobbler/utils.py b/cobbler/utils.py index 8cc75bb..8a09025 100644 --- a/cobbler/utils.py +++ b/cobbler/utils.py @@ -564,7 +564,7 @@ def linkfile(src, dst): except (IOError, OSError): pass - return utils.copyfile(src, dst) + return copyfile(src, dst) def copyfile(src,dst): try: -- cgit
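Review bot: `authenticate` ends with `return data` — the contents of web.ss — rather than the comparison result, so every call returns a non-empty, truthy string and any password is accepted for any username, while `rc` is computed and then thrown away. The docstring promises True/False, so return the comparison and drop the unused branches: `data = fd.read()`, `fd.close()`, `return password == data` (with the close in a `try`/`finally` so a failed read does not leak the handle). Two documentation points: "Uses cobbler_auth_helper" is carried over from the deleted kerberos module and is no longer true, and the docstring should state that `username` is not checked at all — possession of the shared secret alone grants access, so any principal able to read /var/lib/cobbler/web.ss (the `apache` user it is chown'd to in cobblerd.py) can authenticate as anyone. If the interpreter in use provides `hmac.compare_digest`, comparing with it avoids leaking the secret's matching prefix through timing, though cobblerd regenerates the secret at each start. The module also imports `_`, `traceback`, `cexceptions` and `utils` without using them.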