author | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 18:29:16 -0400 |
---|---|---|
committer | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 18:29:16 -0400 |
commit | b8a051299839377958baacdc4ede6ced58fdd05a (patch) | |
tree | 3fd65bce5e7212bb1397abac534dc6366b38af87 /ipa-server/ipa-install | |
parent | 899daaf04828ddc6a2fc38b31484d648e218dabf (diff) | |
Update for new python library layout.
Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/src/Makefile | 6 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa-server-install | 3 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa-server-install~ | 117 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/#krbinstance.py# | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/dsinstance.py~ | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/krbinstance.py.orig | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116 | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175 | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/krbinstance.py~ | 177 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/util.py | 58 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/util.py~ | 0 |
11 files changed, 358 insertions, 3 deletions
diff --git a/ipa-server/ipa-install/src/Makefile b/ipa-server/ipa-install/src/Makefile
index f5a0f780..b54ceb17 100644
--- a/ipa-server/ipa-install/src/Makefile
+++ b/ipa-server/ipa-install/src/Makefile
@@ -1,12 +1,12 @@
-PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib(1)")
-PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
+PYTHONLIBDIR ?= /usr/share/ipa/python
+PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipainstall
 SBINDIR = $(DESTDIR)/usr/sbin
 
 all: ;
 
 install:
 	-mkdir -p $(PACKAGEDIR)
-	install -m 644 ipa/*.py $(PACKAGEDIR)
+	install -m 644 ipainstall/*.py $(PACKAGEDIR)
 	install -m 755 ipa-server-install $(SBINDIR)
 	install -m 755 ipa-server-setupssl $(SBINDIR)
 
diff --git a/ipa-server/ipa-install/src/ipa-server-install b/ipa-server/ipa-install/src/ipa-server-install
index 52143eda..74de5568 100644
--- a/ipa-server/ipa-install/src/ipa-server-install
+++ b/ipa-server/ipa-install/src/ipa-server-install
@@ -26,6 +26,9 @@
 
 VERSION = "%prog .1"
 
+import sys
+sys.path.append("/usr/share/ipa")
+
 import socket
 import logging
 from optparse import OptionParser
diff --git a/ipa-server/ipa-install/src/ipa-server-install~ b/ipa-server/ipa-install/src/ipa-server-install~
new file mode 100644
index 00000000..52143eda
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa-server-install~
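Review bot: `install -m 644 ipainstall/*.py $(PACKAGEDIR)` refers to a source directory `ipainstall/` that this commit does not create — the diffstat still lists every module under `src/ipa/` — so unless the directory is renamed in a separate commit, the glob expands to nothing and `make install` fails or ships no modules. The new `PYTHONLIBDIR ?= /usr/share/ipa/python` also puts the package at `/usr/share/ipa/python/ipainstall`, while the installer script changed in the same commit only adds `/usr/share/ipa` to `sys.path`; the two locations need to agree or the script will not find its own modules once installed. A one-line comment above PYTHONLIBDIR stating the intent, e.g. `# private module dir, deliberately off the default sys.path; ipa-server-install adds it explicitly`, would keep the next person from switching it back to site-packages.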
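Review bot: `sys.path.append("/usr/share/ipa")` does not match the Makefile in this commit, which installs the modules to `$(PYTHONLIBDIR)/ipainstall` with `PYTHONLIBDIR ?= /usr/share/ipa/python`; whatever name the package is now imported under (the import lines follow the hunk and are not visible here), it would only resolve from this entry if it lived directly under `/usr/share/ipa`. Appending rather than inserting at index 0 is the right choice for a root-run installer, since standard-library modules keep precedence over anything dropped in the private directory, but the entry itself should be the installed path, e.g. `sys.path.append("/usr/share/ipa/python")`. A comment such as `# installer modules live outside site-packages; see ipa-install/src/Makefile` would tie the two together.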
@@ -0,0 +1,117 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# requires the following packages:
+# fedora-ds-base
+# openldap-clients
+# nss-tools
+
+VERSION = "%prog .1"
+
+import socket
+import logging
+from optparse import OptionParser
+import ipa.dsinstance
+import ipa.krbinstance
+
+def parse_options():
+    parser = OptionParser(version=VERSION)
+    parser.add_option("-u", "--user", dest="ds_user",
+                      help="ds user")
+    parser.add_option("-r", "--realm", dest="realm_name",
+                      help="realm name")
+    parser.add_option("-p", "--password", dest="password",
+                      help="admin password")
+    parser.add_option("-m", "--master-password", dest="master_password",
+                      help="kerberos master password")
+    parser.add_option("-d", "--debug", dest="debug", action="store_true",
+                      dest="debug", default=False, help="print debugging information")
+    parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
+
+    options, args = parser.parse_args()
+
+    if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
+        parser.error("error: all options are required")
+
+    return options
+
+def logging_setup(options):
+    # Always log everything (i.e., DEBUG) to the log
+    # file.
+    logging.basicConfig(level=logging.DEBUG,
+                        format='%(asctime)s %(levelname)s %(message)s',
+                        filename='ipa-install.log',
+                        filemode='w')
+
+    console = logging.StreamHandler()
+    # If the debug option is set, also log debug messages to the console
+    if options.debug:
+        console.setLevel(logging.DEBUG)
+    else:
+        # Otherwise, log critical and error messages
+        console.setLevel(logging.ERROR)
+    formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
+    console.setFormatter(formatter)
+    logging.getLogger('').addHandler(console)
+
+def main():
+    options = parse_options()
+    logging_setup(options)
+
+    # check the hostname is correctly configured, it must be as the kldap
+    # utilities just use the hostname as returned by gethostbyname to set
+    # up some of the standard entries
+
+    if options.host_name:
+        host_name = options.host_name
+    else:
+        host_name = socket.gethostname()
+    if len(host_name.split(".")) < 2:
+        print "Invalid hostname <"+host_name+">"
+        print "Check the /etc/hosts file and make sure to have a valid FQDN"
+        return "-Fatal Error-"
+
+    if socket.gethostbyname(host_name) == "127.0.0.1":
+        print "The hostname resolves to the localhost address (127.0.0.1)"
+        print "Please change your /etc/hosts file or your DNS so that the"
+        print "hostname resolves to the ip address of your network interface."
+        print "The KDC service does not listen on 127.0.0.1"
+        return "-Fatal Error-"
+
+    print "The Final KDC Host Name will be: " + host_name
+
+
+    # Create a directory server instance
+    ds = ipa.dsinstance.DsInstance()
+    ds.create_instance(options.ds_user, options.realm_name, host_name,
+                       options.password)
+
+    # Create a kerberos instance
+    krb = ipa.krbinstance.KrbInstance()
+    krb.create_instance(options.ds_user, options.realm_name, host_name,
+                        options.password, options.master_password)
+
+    #restart ds after the krb instance have add the sasl map
+    ds.restart()
+
+    return 0
+
+main()
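Review bot: This file is an editor backup of ipa-server-install — its blob `52143eda` is the pre-change version of that script according to the `index` line — and should be dropped from the commit along with `#krbinstance.py#`, `dsinstance.py~`, `krbinstance.py.orig`, both `krbinstance.py.tmp.*` files, `krbinstance.py~` and `util.py~` from the diffstat; a `.gitignore` carrying `*~`, `\#*\#`, `*.orig` and `*.tmp.*` prevents a repeat. Because this is also the live script's content, note that `parser.add_option("-d", "--debug", dest="debug", action="store_true", dest="debug", ...)` repeats `dest="debug"`, which Python rejects at compile time (`SyntaxError: keyword argument repeated`), so the script cannot start until the second `dest` is removed. `-p`/`--password` and `-m`/`--master-password` put the Directory Manager password and the Kerberos master password on the command line, visible in `ps` and shell history for the whole install; prompting with `getpass.getpass()` when an option is absent, instead of `parser.error`, would remove that exposure. `main()` is called bare and its `"-Fatal Error-"` return values are discarded, so the two hostname failure paths exit with status 0 — wrap it as `sys.exit(main())` and return a nonzero int there. The DEBUG log is opened as `ipa-install.log` in the current directory with the process umask, and `run()` copies every helper's stdout/stderr into it, so it should at least be created `0600`.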
diff --git a/ipa-server/ipa-install/src/ipa/#krbinstance.py# b/ipa-server/ipa-install/src/ipa/#krbinstance.py#
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/#krbinstance.py#
diff --git a/ipa-server/ipa-install/src/ipa/dsinstance.py~ b/ipa-server/ipa-install/src/ipa/dsinstance.py~
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/dsinstance.py~
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py.orig b/ipa-server/ipa-install/src/ipa/krbinstance.py.orig
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py.orig
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116 b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175 b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py~ b/ipa-server/ipa-install/src/ipa/krbinstance.py~
new file mode 100644
index 00000000..253c506f
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py~
@@ -0,0 +1,177 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+from random import Random
+from time import gmtime
+import os
+import pwd
+import socket
+from util import *
+
+def host_to_domain(fqdn):
+    s = fqdn.split(".")
+    return ".".join(s[1:])
+
+def generate_kdc_password():
+    rndpwd = ''
+    r = Random()
+    r.seed(gmtime())
+    for x in range(12):
+#        rndpwd += chr(r.randint(32,126))
+        rndpwd += chr(r.randint(65,90)) #stricter set for testing
+    return rndpwd
+
+def ldap_mod(fd, dn, pwd):
+    args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
+    run(args)
+
+class KrbInstance:
+    def __init__(self):
+        self.ds_user = None
+        self.fqdn = None
+        self.realm = None
+        self.domain = None
+        self.host = None
+        self.admin_password = None
+        self.master_password = None
+        self.suffix = None
+        self.kdc_password = None
+        self.sub_dict = None
+
+    def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
+        self.ds_user = ds_user
+        self.fqdn = host_name
+        self.ip = socket.gethostbyname(host_name)
+        self.realm = realm_name.upper()
+        self.host = host_name.split(".")[0]
+        self.domain = host_to_domain(host_name)
+        self.admin_password = admin_password
+        self.master_password = master_password
+
+        self.suffix = realm_to_suffix(self.realm)
+        self.kdc_password = generate_kdc_password()
+        self.__configure_kdc_account_password()
+
+        self.__setup_sub_dict()
+
+        self.__configure_ldap()
+
+        self.__create_instance()
+
+        self.__create_ds_keytab()
+
+        self.__create_sample_bind_zone()
+
+        self.start()
+
+    def stop(self):
+        run(["/sbin/service", "krb5kdc", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "krb5kdc", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "krb5kdc", "restart"])
+
+    def __configure_kdc_account_password(self):
+        hexpwd = ''
+        for x in self.kdc_password:
+            hexpwd += (hex(ord(x))[2:])
+        pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
+        pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+        pwd_fd.close()
+
+    def __setup_sub_dict(self):
+        self.sub_dict = dict(FQDN=self.fqdn,
+                             IP=self.ip,
+                             PASSWORD=self.kdc_password,
+                             SUFFIX=self.suffix,
+                             DOMAIN=self.domain,
+                             HOST=self.host,
+                             REALM=self.realm)
+
+    def __configure_ldap(self):
+
+        #TODO: test that the ldif is ok with any random charcter we may use in the password
+        kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
+        kerberos_fd = write_tmp_file(kerberos_txt)
+        ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+        kerberos_fd.close()
+
+        #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
+        aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
+        aci_fd = write_tmp_file(aci_txt)
+        ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+        aci_fd.close()
+
+    def __create_instance(self):
+        kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
+        kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
+        kdc_fd.write(kdc_conf)
+        kdc_fd.close()
+
+        krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
+        krb5_fd = open("/etc/krb5.conf", "w+")
+        krb5_fd.write(krb5_conf)
+        krb5_fd.close()
+
+        #populate the directory with the realm structure
+        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+        run(args)
+
+    # TODO: NOT called yet, need to find out how to make sure the plugin is available first
+    def __add_pwd_extop_module(self):
+        #add the password extop module
+        extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
+        extop_fd = write_tmp_file(extop_txt)
+        ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+        extop_fd.close()
+
+        #add an ACL to let the DS user read the master key
+        args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+        run(args)
+
+    def __create_sample_bind_zone(self):
+        bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+        [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
+        os.write(bind_fd, bind_txt)
+        os.close(bind_fd)
+        print "Sample zone file for bind has been created in "+bind_name
+
+    def __create_ds_keytab(self):
+        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+        kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
+        kwrite.flush()
+        kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
+        kwrite.flush()
+        kwrite.close()
+        kread.close()
+        kerr.close()
+
+        cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
+        cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
+        cfg_fd.close()
+        pent = pwd.getpwnam(self.ds_user)
+        os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
diff --git a/ipa-server/ipa-install/src/ipa/util.py b/ipa-server/ipa-install/src/ipa/util.py
new file mode 100644
index 00000000..3dcfb760
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/util.py
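Review bot: generate_kdc_password produces a predictable secret: `Random()` seeded with `gmtime()` (one-second resolution) and a 26-letter alphabet means the `uid=kdc` bind password that lands in `/var/kerberos/krb5kdc/ldappwd` can be recomputed by anyone who can bound the install time to a few hours; use the OS entropy source instead, `r = SystemRandom()` with the `r.seed(gmtime())` line removed (`from random import SystemRandom`), and widen the alphabet once the LDIF-quoting TODO in __configure_ldap is settled. That password and the Kerberos master password are then handed to `ldapmodify` as `-w pwd` and to `kdb5_ldap_util` as `-w ... -P ...`, which exposes both in the process list to every local user while the tools run; both tools prompt when the flags are omitted, so the passwords could be fed through a pipe or, for ldapmodify, via `-y` with a `0600` file. `open("/var/kerberos/krb5kdc/ldappwd", "a+")` creates the stash file with whatever umask the installer inherited rather than owner-only, so it should be created with `os.open(path, os.O_WRONLY|os.O_CREAT|os.O_APPEND, 0600)` before writing. This file is itself an editor backup (`~`) and should not be in the commit; the points above apply to the real krbinstance.py if it carries the same code, which this diff does not show.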
@@ -0,0 +1,58 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+SHARE_DIR = "/usr/share/ipa/"
+
+import string
+import tempfile
+import logging
+import subprocess
+
+def realm_to_suffix(realm_name):
+    s = realm_name.split(".")
+    terms = ["dc=" + x.lower() for x in s]
+    return ",".join(terms)
+
+
+def template_str(txt, vars):
+    return string.Template(txt).substitute(vars)
+
+def template_file(infilename, vars):
+    txt = open(infilename).read()
+    return template_str(txt, vars)
+
+def write_tmp_file(txt):
+    fd = tempfile.NamedTemporaryFile()
+    fd.write(txt)
+    fd.flush()
+
+    return fd
+
+def run(args, stdin=None):
+    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if stdin:
+        stdout,stderr = p.communicate(stdin)
+    else:
+        stdout,stderr = p.communicate()
+    logging.info(stdout)
+    logging.info(stderr)
+
+    if p.returncode != 0:
+        raise subprocess.CalledProcessError(p.returncode, args[0])
diff --git a/ipa-server/ipa-install/src/ipa/util.py~ b/ipa-server/ipa-install/src/ipa/util.py~
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/util.py~
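Review bot: run's `stdin` argument is silently dropped: the `subprocess.Popen` call never sets `stdin=subprocess.PIPE`, so `p.communicate(stdin)` has no pipe to write into and the child inherits the installer's own stdin, which means any caller that tries to feed a password through this helper instead of argv will hang on or mis-read the terminal. Change the constructor to `p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)`; with no input, `communicate()` closes the pipe so a prompting child sees EOF rather than blocking. The `CalledProcessError` raised on failure carries only `args[0]`, and the child's stderr has already gone to the DEBUG log at INFO level, so a failed `ldapmodify` or `kdb5_ldap_util` surfaces to the user with no reason — log stderr with `logging.error` before raising. A docstring on `run` stating that stdout/stderr are captured and logged, and that the returned value is nothing (callers rely on the exception), would also help since `ldap_mod` and the KrbInstance methods in this commit call it blind.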