diff options
author | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 18:33:31 -0400 |
---|---|---|
committer | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 18:33:31 -0400 |
commit | bac241ffc3e6835d691b357af5582a8b7a6aab06 (patch) | |
tree | 24a6efc26eeb6b4a2f10c3f4e67be72d57bed75e /ipa-server/ipa-install | |
parent | f7d005a854a0738b87be181007e3e53ee9985498 (diff) | |
download | freeipa-bac241ffc3e6835d691b357af5582a8b7a6aab06.tar.gz freeipa-bac241ffc3e6835d691b357af5582a8b7a6aab06.tar.xz freeipa-bac241ffc3e6835d691b357af5582a8b7a6aab06.zip |
More reorgnization.
Diffstat (limited to 'ipa-server/ipa-install')
-rw-r--r-- | ipa-server/ipa-install/ipa-server-install (renamed from ipa-server/ipa-install/src/ipa-server-install) | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-setupssl (renamed from ipa-server/ipa-install/src/ipa-server-setupssl) | 0 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/Makefile | 14 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa-server-install~ | 117 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/__init__.py | 1 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/dsinstance.py | 169 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/krbinstance.py | 177 | ||||
-rw-r--r-- | ipa-server/ipa-install/src/ipa/util.py | 58 |
8 files changed, 0 insertions, 536 deletions
diff --git a/ipa-server/ipa-install/src/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 74de5568..74de5568 100644 --- a/ipa-server/ipa-install/src/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install diff --git a/ipa-server/ipa-install/src/ipa-server-setupssl b/ipa-server/ipa-install/ipa-server-setupssl index f7532790..f7532790 100644 --- a/ipa-server/ipa-install/src/ipa-server-setupssl +++ b/ipa-server/ipa-install/ipa-server-setupssl diff --git a/ipa-server/ipa-install/src/Makefile b/ipa-server/ipa-install/src/Makefile deleted file mode 100644 index b54ceb17..00000000 --- a/ipa-server/ipa-install/src/Makefile +++ /dev/null @@ -1,14 +0,0 @@ -PYTHONLIBDIR ?= /usr/share/ipa/python -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipainstall -SBINDIR = $(DESTDIR)/usr/sbin - -all: ; - -install: - -mkdir -p $(PACKAGEDIR) - install -m 644 ipainstall/*.py $(PACKAGEDIR) - install -m 755 ipa-server-install $(SBINDIR) - install -m 755 ipa-server-setupssl $(SBINDIR) - -clean: - rm -f *~ *.pyc
\ No newline at end of file diff --git a/ipa-server/ipa-install/src/ipa-server-install~ b/ipa-server/ipa-install/src/ipa-server-install~ deleted file mode 100644 index 52143eda..00000000 --- a/ipa-server/ipa-install/src/ipa-server-install~ +++ /dev/null @@ -1,117 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -# requires the following packages: -# fedora-ds-base -# openldap-clients -# nss-tools - -VERSION = "%prog .1" - -import socket -import logging -from optparse import OptionParser -import ipa.dsinstance -import ipa.krbinstance - -def parse_options(): - parser = OptionParser(version=VERSION) - parser.add_option("-u", "--user", dest="ds_user", - help="ds user") - parser.add_option("-r", "--realm", dest="realm_name", - help="realm name") - parser.add_option("-p", "--password", dest="password", - help="admin password") - parser.add_option("-m", "--master-password", dest="master_password", - help="kerberos master password") - parser.add_option("-d", "--debug", dest="debug", action="store_true", - dest="debug", default=False, help="print debugging information") - parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") - - options, args = parser.parse_args() - - if not options.ds_user or not options.realm_name or not options.password or not options.master_password: - parser.error("error: all options are required") - - return options - -def logging_setup(options): - # Always log everything (i.e., DEBUG) to the log - # file. - logging.basicConfig(level=logging.DEBUG, - format='%(asctime)s %(levelname)s %(message)s', - filename='ipa-install.log', - filemode='w') - - console = logging.StreamHandler() - # If the debug option is set, also log debug messages to the console - if options.debug: - console.setLevel(logging.DEBUG) - else: - # Otherwise, log critical and error messages - console.setLevel(logging.ERROR) - formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s') - console.setFormatter(formatter) - logging.getLogger('').addHandler(console) - -def main(): - options = parse_options() - logging_setup(options) - - # check the hostname is correctly configured, it must be as the kldap - # utilities just use the hostname as returned by gethostbyname to set - # up some of the standard entries - - if options.host_name: - host_name = options.host_name - else: - host_name = socket.gethostname() - if len(host_name.split(".")) < 2: - print "Invalid hostname <"+host_name+">" - print "Check the /etc/hosts file and make sure to have a valid FQDN" - return "-Fatal Error-" - - if socket.gethostbyname(host_name) == "127.0.0.1": - print "The hostname resolves to the localhost address (127.0.0.1)" - print "Please change your /etc/hosts file or your DNS so that the" - print "hostname resolves to the ip address of your network interface." - print "The KDC service does not listen on 127.0.0.1" - return "-Fatal Error-" - - print "The Final KDC Host Name will be: " + host_name - - - # Create a directory server instance - ds = ipa.dsinstance.DsInstance() - ds.create_instance(options.ds_user, options.realm_name, host_name, - options.password) - - # Create a kerberos instance - krb = ipa.krbinstance.KrbInstance() - krb.create_instance(options.ds_user, options.realm_name, host_name, - options.password, options.master_password) - - #restart ds after the krb instance have add the sasl map - ds.restart() - - return 0 - -main() diff --git a/ipa-server/ipa-install/src/ipa/__init__.py b/ipa-server/ipa-install/src/ipa/__init__.py deleted file mode 100644 index 8e20eb1b..00000000 --- a/ipa-server/ipa-install/src/ipa/__init__.py +++ /dev/null @@ -1 +0,0 @@ -__all__ = ["dsinstance", "krbinstance"] diff --git a/ipa-server/ipa-install/src/ipa/dsinstance.py b/ipa-server/ipa-install/src/ipa/dsinstance.py deleted file mode 100644 index b16aa7c5..00000000 --- a/ipa-server/ipa-install/src/ipa/dsinstance.py +++ /dev/null @@ -1,169 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 or later -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import subprocess -import string -import tempfile -import shutil -import logging -import pwd -import os -import stat -from util import * - - -SHARE_DIR = "/usr/share/ipa/" -SERVER_ROOT_64 = "/usr/lib64/fedora-ds-base" -SERVER_ROOT_32 = "/usr/lib/fedora-ds-base" - - -def generate_serverid(): - """Generate a UUID (universally unique identifier) suitable - for use as a unique identifier for a DS instance. - """ - try: - import uuid - id = str(uuid.uuid1()) - except ImportError: - import commands - id = commands.getoutput("/usr/bin/uuidgen") - return id - -def realm_to_suffix(realm_name): - s = realm_name.split(".") - terms = ["dc=" + x.lower() for x in s] - return ",".join(terms) - -def find_server_root(): - try: - mode = os.stat(SERVER_ROOT_64)[ST_MODE] - if stat.IS_DIR(mode): - return SERVER_ROOT_64 - except: - return SERVER_ROOT_32 - - -INF_TEMPLATE = """ -[General] -FullMachineName= $FQHN -SuiteSpotUserID= $USER -ServerRoot= $SERVER_ROOT -[slapd] -ServerPort= 389 -ServerIdentifier= $SERVERID -Suffix= $SUFFIX -RootDN= cn=Directory Manager -RootDNPwd= $PASSWORD -""" - -class DsInstance: - def __init__(self): - self.serverid = None - self.realm_name = None - self.host_name = None - self.admin_password = None - self.sub_dict = None - - def create_instance(self, ds_user, realm_name, host_name, admin_password): - self.ds_user = ds_user - self.serverid = generate_serverid() - self.realm_name = realm_name.upper() - self.host_name = host_name - self.admin_password = admin_password - self.__setup_sub_dict() - - self.__create_ds_user() - self.__create_instance() - self.__add_default_schemas() - self.__enable_ssl() - self.restart() - self.__add_default_layout() - - def config_dirname(self): - if not self.serverid: - raise RuntimeError("serverid not set") - return "/etc/fedora-ds/slapd-" + self.serverid + "/" - - def schema_dirname(self): - return self.config_dirname() + "/schema/" - - def stop(self): - run(["/sbin/service", "fedora-ds", "stop"]) - - def start(self): - run(["/sbin/service", "fedora-ds", "start"]) - - def restart(self): - run(["/sbin/service", "fedora-ds", "restart"]) - - def __setup_sub_dict(self): - suffix = realm_to_suffix(self.realm_name) - server_root = find_server_root() - self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.admin_password, SUFFIX=suffix, - REALM=self.realm_name, USER=self.ds_user, - SERVER_ROOT=server_root) - - def __create_ds_user(self): - try: - pwd.getpwnam(self.ds_user) - logging.debug("ds user %s exists" % self.ds_user) - except KeyError: - logging.debug("adding ds user %s" % self.ds_user) - args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/fedora-ds", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] - run(args) - logging.debug("done adding user") - - def __create_instance(self): - logging.debug("creating ds instance . . . ") - inf_txt = template_str(INF_TEMPLATE, self.sub_dict) - logging.debug(inf_txt) - inf_fd = write_tmp_file(inf_txt) - logging.debug("writing inf template") - args = ["/usr/bin/ds_newinst.pl", inf_fd.name] - logging.debug("calling ds_newinst.pl") - run(args) - logging.debug("completed creating ds instance") - logging.debug("restarting ds instance") - self.restart() - logging.debug("done restarting ds instance") - - def __add_default_schemas(self): - shutil.copyfile(SHARE_DIR + "60kerberos.ldif", - self.schema_dirname() + "60kerberos.ldif") - shutil.copyfile(SHARE_DIR + "60samba.ldif", - self.schema_dirname() + "60samba.ldif") - - def __enable_ssl(self): - logging.debug("configuring ssl for ds instance") - dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, - dirname, self.host_name] - run(args) - logging.debug("done configuring ssl for ds instance") - - def __add_default_layout(self): - txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) - inf_fd = write_tmp_file(txt) - logging.debug("adding default ds layout") - args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.admin_password, "-f", inf_fd.name] - run(args) - logging.debug("done adding default ds layout") diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py b/ipa-server/ipa-install/src/ipa/krbinstance.py deleted file mode 100644 index 253c506f..00000000 --- a/ipa-server/ipa-install/src/ipa/krbinstance.py +++ /dev/null @@ -1,177 +0,0 @@ -#! /usr/bin/python -E -# Authors: Simo Sorce <ssorce@redhat.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 or later -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import subprocess -import string -import tempfile -import shutil -import logging -from random import Random -from time import gmtime -import os -import pwd -import socket -from util import * - -def host_to_domain(fqdn): - s = fqdn.split(".") - return ".".join(s[1:]) - -def generate_kdc_password(): - rndpwd = '' - r = Random() - r.seed(gmtime()) - for x in range(12): -# rndpwd += chr(r.randint(32,126)) - rndpwd += chr(r.randint(65,90)) #stricter set for testing - return rndpwd - -def ldap_mod(fd, dn, pwd): - args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] - run(args) - -class KrbInstance: - def __init__(self): - self.ds_user = None - self.fqdn = None - self.realm = None - self.domain = None - self.host = None - self.admin_password = None - self.master_password = None - self.suffix = None - self.kdc_password = None - self.sub_dict = None - - def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): - self.ds_user = ds_user - self.fqdn = host_name - self.ip = socket.gethostbyname(host_name) - self.realm = realm_name.upper() - self.host = host_name.split(".")[0] - self.domain = host_to_domain(host_name) - self.admin_password = admin_password - self.master_password = master_password - - self.suffix = realm_to_suffix(self.realm) - self.kdc_password = generate_kdc_password() - self.__configure_kdc_account_password() - - self.__setup_sub_dict() - - self.__configure_ldap() - - self.__create_instance() - - self.__create_ds_keytab() - - self.__create_sample_bind_zone() - - self.start() - - def stop(self): - run(["/sbin/service", "krb5kdc", "stop"]) - - def start(self): - run(["/sbin/service", "krb5kdc", "start"]) - - def restart(self): - run(["/sbin/service", "krb5kdc", "restart"]) - - def __configure_kdc_account_password(self): - hexpwd = '' - for x in self.kdc_password: - hexpwd += (hex(ord(x))[2:]) - pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") - pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") - pwd_fd.close() - - def __setup_sub_dict(self): - self.sub_dict = dict(FQDN=self.fqdn, - IP=self.ip, - PASSWORD=self.kdc_password, - SUFFIX=self.suffix, - DOMAIN=self.domain, - HOST=self.host, - REALM=self.realm) - - def __configure_ldap(self): - - #TODO: test that the ldif is ok with any random charcter we may use in the password - kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) - kerberos_fd = write_tmp_file(kerberos_txt) - ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) - kerberos_fd.close() - - #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes - aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict) - aci_fd = write_tmp_file(aci_txt) - ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) - aci_fd.close() - - def __create_instance(self): - kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict) - kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") - kdc_fd.write(kdc_conf) - kdc_fd.close() - - krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict) - krb5_fd = open("/etc/krb5.conf", "w+") - krb5_fd.write(krb5_conf) - krb5_fd.close() - - #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] - run(args) - - # TODO: NOT called yet, need to find out how to make sure the plugin is available first - def __add_pwd_extop_module(self): - #add the password extop module - extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict) - extop_fd = write_tmp_file(extop_txt) - ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) - extop_fd.close() - - #add an ACL to let the DS user read the master key - args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] - run(args) - - def __create_sample_bind_zone(self): - bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") - os.write(bind_fd, bind_txt) - os.close(bind_fd) - print "Sample zone file for bind has been created in "+bind_name - - def __create_ds_keytab(self): - (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") - kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") - kwrite.flush() - kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n") - kwrite.flush() - kwrite.close() - kread.close() - kerr.close() - - cfg_fd = open("/etc/sysconfig/fedora-ds", "a") - cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n") - cfg_fd.close() - pent = pwd.getpwnam(self.ds_user) - os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid) diff --git a/ipa-server/ipa-install/src/ipa/util.py b/ipa-server/ipa-install/src/ipa/util.py deleted file mode 100644 index 3dcfb760..00000000 --- a/ipa-server/ipa-install/src/ipa/util.py +++ /dev/null @@ -1,58 +0,0 @@ -#! /usr/bin/python -E -# Authors: Simo Sorce <ssorce@redhat.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 or later -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -SHARE_DIR = "/usr/share/ipa/" - -import string -import tempfile -import logging -import subprocess - -def realm_to_suffix(realm_name): - s = realm_name.split(".") - terms = ["dc=" + x.lower() for x in s] - return ",".join(terms) - - -def template_str(txt, vars): - return string.Template(txt).substitute(vars) - -def template_file(infilename, vars): - txt = open(infilename).read() - return template_str(txt, vars) - -def write_tmp_file(txt): - fd = tempfile.NamedTemporaryFile() - fd.write(txt) - fd.flush() - - return fd - -def run(args, stdin=None): - p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - if stdin: - stdout,stderr = p.communicate(stdin) - else: - stdout,stderr = p.communicate() - logging.info(stdout) - logging.info(stderr) - - if p.returncode != 0: - raise subprocess.CalledProcessError(p.returncode, args[0]) |