Update for new python library layout.

11 files changed, 358 insertions, 3 deletions

diff --git a/ipa-server/ipa-install/src/Makefile b/ipa-server/ipa-install/src/Makefile
index f5a0f780..b54ceb17 100644
--- a/ipa-server/ipa-install/src/Makefile
+++ b/ipa-server/ipa-install/src/Makefile
@@ -1,12 +1,12 @@
-PYTHONLIBDIR ?= $(shell  python -c "from distutils.sysconfig import *; print get_python_lib(1)")
-PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
+PYTHONLIBDIR ?= /usr/share/ipa/python
+PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipainstall
 SBINDIR = $(DESTDIR)/usr/sbin
 
 all: ;
 
 install:
 	-mkdir -p $(PACKAGEDIR)
-	install -m 644 ipa/*.py $(PACKAGEDIR)
+	install -m 644 ipainstall/*.py $(PACKAGEDIR)
 	install -m 755 ipa-server-install $(SBINDIR)
 	install -m 755 ipa-server-setupssl $(SBINDIR)
 
diff --git a/ipa-server/ipa-install/src/ipa-server-install b/ipa-server/ipa-install/src/ipa-server-install
index 52143eda..74de5568 100644
--- a/ipa-server/ipa-install/src/ipa-server-install
+++ b/ipa-server/ipa-install/src/ipa-server-install
@@ -26,6 +26,9 @@
 
 VERSION = "%prog .1"
 
+import sys
+sys.path.append("/usr/share/ipa")
+
 import socket
 import logging
 from optparse import OptionParser
diff --git a/ipa-server/ipa-install/src/ipa-server-install~ b/ipa-server/ipa-install/src/ipa-server-install~
new file mode 100644
index 00000000..52143eda
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa-server-install~
@@ -0,0 +1,117 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# requires the following packages:
+# fedora-ds-base
+# openldap-clients
+# nss-tools
+
+VERSION = "%prog .1"
+
+import socket
+import logging
+from optparse import OptionParser
+import ipa.dsinstance
+import ipa.krbinstance
+
+def parse_options():
+    parser = OptionParser(version=VERSION)
+    parser.add_option("-u", "--user", dest="ds_user",
+                      help="ds user")
+    parser.add_option("-r", "--realm", dest="realm_name",
+                      help="realm name")
+    parser.add_option("-p", "--password", dest="password",
+                      help="admin password")
+    parser.add_option("-m", "--master-password", dest="master_password",
+                      help="kerberos master password")
+    parser.add_option("-d", "--debug", dest="debug", action="store_true",
+                     dest="debug", default=False, help="print debugging information")
+    parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
+
+    options, args = parser.parse_args()
+
+    if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
+        parser.error("error: all options are required")
+
+    return options
+
+def logging_setup(options):
+    # Always log everything (i.e., DEBUG) to the log
+    # file.
+    logging.basicConfig(level=logging.DEBUG,
+                        format='%(asctime)s %(levelname)s %(message)s',
+                        filename='ipa-install.log',
+                        filemode='w')
+
+    console = logging.StreamHandler()
+    # If the debug option is set, also log debug messages to the console
+    if options.debug:
+        console.setLevel(logging.DEBUG)
+    else:
+        # Otherwise, log critical and error messages
+        console.setLevel(logging.ERROR)
+    formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
+    console.setFormatter(formatter)
+    logging.getLogger('').addHandler(console)
+        
+def main():
+    options = parse_options()
+    logging_setup(options)
+
+    # check the hostname is correctly configured, it must be as the kldap
+    # utilities just use the hostname as returned by gethostbyname to set
+    # up some of the standard entries
+
+    if options.host_name:
+        host_name = options.host_name
+    else:
+        host_name = socket.gethostname()
+    if len(host_name.split(".")) < 2:
+        print "Invalid hostname <"+host_name+">"
+        print "Check the /etc/hosts file and make sure to have a valid FQDN"
+        return "-Fatal Error-"
+
+    if socket.gethostbyname(host_name) == "127.0.0.1":
+        print "The hostname resolves to the localhost address (127.0.0.1)"
+        print "Please change your /etc/hosts file or your DNS so that the"
+        print "hostname resolves to the ip address of your network interface."
+        print "The KDC service does not listen on 127.0.0.1"
+        return "-Fatal Error-"
+
+    print "The Final KDC Host Name will be: " + host_name
+
+
+    # Create a directory server instance
+    ds = ipa.dsinstance.DsInstance()
+    ds.create_instance(options.ds_user, options.realm_name, host_name,
+                       options.password)
+
+    # Create a kerberos instance
+    krb = ipa.krbinstance.KrbInstance()
+    krb.create_instance(options.ds_user, options.realm_name, host_name,
+                        options.password, options.master_password)
+
+    #restart ds after the krb instance have add the sasl map
+    ds.restart()
+
+    return 0
+
+main()
diff --git a/ipa-server/ipa-install/src/ipa/#krbinstance.py# b/ipa-server/ipa-install/src/ipa/#krbinstance.py#
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/#krbinstance.py#
diff --git a/ipa-server/ipa-install/src/ipa/dsinstance.py~ b/ipa-server/ipa-install/src/ipa/dsinstance.py~
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/dsinstance.py~
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py.orig b/ipa-server/ipa-install/src/ipa/krbinstance.py.orig
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py.orig
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116 b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.117633116
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175 b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py.tmp.27810175
diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py~ b/ipa-server/ipa-install/src/ipa/krbinstance.py~
new file mode 100644
index 00000000..253c506f
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/krbinstance.py~
@@ -0,0 +1,177 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+from random import Random
+from time import gmtime
+import os
+import pwd
+import socket
+from util import *
+
+def host_to_domain(fqdn):
+    s = fqdn.split(".")
+    return ".".join(s[1:])
+
+def generate_kdc_password():
+    rndpwd = ''
+    r = Random()
+    r.seed(gmtime())
+    for x in range(12):
+#        rndpwd += chr(r.randint(32,126))
+        rndpwd += chr(r.randint(65,90)) #stricter set for testing
+    return rndpwd
+
+def ldap_mod(fd, dn, pwd):
+    args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
+    run(args)
+
+class KrbInstance:
+    def __init__(self):
+        self.ds_user = None
+        self.fqdn = None
+        self.realm = None
+	self.domain = None
+        self.host = None
+        self.admin_password = None
+        self.master_password = None
+        self.suffix = None
+        self.kdc_password = None
+        self.sub_dict = None
+
+    def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
+        self.ds_user = ds_user
+        self.fqdn = host_name
+        self.ip = socket.gethostbyname(host_name)
+        self.realm = realm_name.upper()
+        self.host = host_name.split(".")[0]
+        self.domain = host_to_domain(host_name)
+        self.admin_password = admin_password
+        self.master_password = master_password
+        
+	self.suffix = realm_to_suffix(self.realm)
+        self.kdc_password = generate_kdc_password()
+	self.__configure_kdc_account_password()
+
+        self.__setup_sub_dict()
+
+        self.__configure_ldap()
+
+        self.__create_instance()
+
+        self.__create_ds_keytab()
+
+        self.__create_sample_bind_zone()
+
+        self.start()
+
+    def stop(self):
+        run(["/sbin/service", "krb5kdc", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "krb5kdc", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "krb5kdc", "restart"])
+
+    def __configure_kdc_account_password(self):
+        hexpwd = ''
+	for x in self.kdc_password:
+            hexpwd += (hex(ord(x))[2:])
+        pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
+        pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+        pwd_fd.close()
+
+    def __setup_sub_dict(self):
+        self.sub_dict = dict(FQDN=self.fqdn,
+                             IP=self.ip,
+                             PASSWORD=self.kdc_password,
+                             SUFFIX=self.suffix,
+                             DOMAIN=self.domain,
+                             HOST=self.host,
+                             REALM=self.realm)
+
+    def __configure_ldap(self):
+
+	#TODO: test that the ldif is ok with any random charcter we may use in the password
+        kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
+        kerberos_fd = write_tmp_file(kerberos_txt)
+        ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+        kerberos_fd.close()
+
+	#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
+        aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
+        aci_fd = write_tmp_file(aci_txt) 
+        ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+        aci_fd.close()
+
+    def __create_instance(self):
+        kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
+        kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
+        kdc_fd.write(kdc_conf)
+        kdc_fd.close()
+
+        krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
+        krb5_fd = open("/etc/krb5.conf", "w+")
+        krb5_fd.write(krb5_conf)
+        krb5_fd.close()
+
+        #populate the directory with the realm structure
+        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
+        run(args)
+
+    # TODO: NOT called yet, need to find out how to make sure the plugin is available first
+    def __add_pwd_extop_module(self):
+	#add the password extop module
+	extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict)
+	extop_fd = write_tmp_file(extop_txt)
+	ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password)
+	extop_fd.close()
+
+	#add an ACL to let the DS user read the master key
+	args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
+	run(args)
+
+    def __create_sample_bind_zone(self):
+        bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+        [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
+        os.write(bind_fd, bind_txt)
+        os.close(bind_fd)
+        print "Sample zone file for bind has been created in "+bind_name
+
+    def __create_ds_keytab(self):
+        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+        kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
+        kwrite.flush()
+        kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
+        kwrite.flush()
+        kwrite.close()
+        kread.close()
+        kerr.close()
+
+	cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
+        cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
+        cfg_fd.close()
+	pent = pwd.getpwnam(self.ds_user)
+        os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
diff --git a/ipa-server/ipa-install/src/ipa/util.py b/ipa-server/ipa-install/src/ipa/util.py
new file mode 100644
index 00000000..3dcfb760
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/util.py
@@ -0,0 +1,58 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+SHARE_DIR = "/usr/share/ipa/"
+
+import string
+import tempfile
+import logging
+import subprocess
+
+def realm_to_suffix(realm_name):
+    s = realm_name.split(".")
+    terms = ["dc=" + x.lower() for x in s]
+    return ",".join(terms)
+
+
+def template_str(txt, vars):
+    return string.Template(txt).substitute(vars)
+
+def template_file(infilename, vars):
+    txt = open(infilename).read()
+    return template_str(txt, vars)
+
+def write_tmp_file(txt):
+    fd = tempfile.NamedTemporaryFile()
+    fd.write(txt)
+    fd.flush()
+
+    return fd
+
+def run(args, stdin=None):
+    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if stdin:
+        stdout,stderr = p.communicate(stdin)
+    else:
+        stdout,stderr = p.communicate()
+    logging.info(stdout)
+    logging.info(stderr)
+
+    if p.returncode != 0:
+        raise subprocess.CalledProcessError(p.returncode, args[0])
diff --git a/ipa-server/ipa-install/src/ipa/util.py~ b/ipa-server/ipa-install/src/ipa/util.py~
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/ipa-server/ipa-install/src/ipa/util.py~