Diffstat (limited to 'install/tools/ipa-fix-CVE-2008-3274')
-rw-r--r--install/tools/ipa-fix-CVE-2008-327463
1 files changed, 36 insertions, 27 deletions
diff --git a/install/tools/ipa-fix-CVE-2008-3274 b/install/tools/ipa-fix-CVE-2008-3274
index 79ff904d..723d4121 100644
--- a/install/tools/ipa-fix-CVE-2008-3274
+++ b/install/tools/ipa-fix-CVE-2008-3274
@@ -25,13 +25,10 @@ try:
import ipapython.ipautil
import krbV
- import ldap
-
- from ldap import LDAPError
- from ldap import ldapobject
+ from ipalib import errors
from ipaclient import ipachangeconf
- from ipaserver import ipaldap
+ from ipaserver.plugins.ldap2 import ldap2
from pyasn1.type import univ, namedtype
import pyasn1.codec.ber.encoder
@@ -70,22 +67,24 @@ def parse_options():
def check_vuln(realm, suffix):
+ ldapuri = 'ldap://127.0.0.1'
try:
- conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
- conn.simple_bind()
- msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
- ldap.SCOPE_BASE,
- "(objectclass=krbRealmContainer)",
- ("krbmkey", "cn"))
- res = conn.result(msgid)
- conn.unbind()
-
- if len(res) != 2:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn.connect()
+ try:
+ (entries, truncated) = conn.find_entries(
+ filter='(objectclass=krbRealmContainer)',
+ attrs_list=('krbmkey', 'cn'), scope=ldap2.SCOPE_BASE,
+ base_dn='cn=%s,cn=kerberos' % realm
+ )
+ except errors.NotFound:
err = 'Realm Container not found, unable to proceed'
print err
raise Exception, err
+ finally:
+ conn.disconnect()
- if 'krbmkey' in res[1][0][1]:
+ if 'krbmkey' in entries[0][1]:
print 'System vulnerable'
return 1
else:
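Review bot: The `truncated` flag unpacked at `(entries, truncated) = conn.find_entries(` is never examined; with `scope=ldap2.SCOPE_BASE` a single entry is expected, so binding it as `_truncated` (or a one-line comment saying a base-scope search cannot be truncated) would record that this is intentional. The entry is then indexed positionally as `entries[0][1]`; unpacking it the way fix_main does in this same commit, `(_dn, attrs) = entries[0]` followed by `if 'krbmkey' in attrs:`, reads more clearly. Only `errors.NotFound` is handled in the inner block — any other failure from find_entries propagates to the outer `try:` at the top of the hunk, whose handler lies outside the hunk, while the `finally:` still closes the connection in that case. check_vuln's body continues past the hunk.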
@@ -185,9 +184,10 @@ def change_mkey(password = None, quiet = False):
password = getpass.getpass("Directory Manager password: ")
# get a connection to the DS
+ ldapuri = 'ldap://%s' % ipapython.config.config.default_server[0]
try:
- conn = ipaldap.IPAdmin(ipapython.config.config.default_server[0])
- conn.do_simple_bind(bindpw=password)
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=password)
except Exception, e:
print "ERROR: Could not connect to the Directory Server on "+ipapython.config.config.default_server[0]+" ("+str(e)+")"
return 1
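Review bot: The new `conn.connect(bind_dn='cn=directory manager', bind_pw=password)` performs a simple bind with the Directory Manager password over `'ldap://%s' % ipapython.config.config.default_server[0]`, which may name a remote host; unless ldap2.connect() negotiates TLS itself (not visible here), the password crosses the network in clear text. This is worth confirming and recording with a comment such as `# simple bind as Directory Manager; needs a TLS-protected connection when default_server is not local`. No `conn.disconnect()` appears in the change_mkey hunks of this commit; if the function has none further down, the connection should be closed in a `finally:` as check_vuln now does. change_mkey's body continues outside the hunk.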
@@ -298,8 +298,8 @@ def change_mkey(password = None, quiet = False):
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+realm+",cn=kerberos,"+suffix
- mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
- conn.modify_s(dn, mod)
+ mod = {'krbmkey': str(asn1key)}
+ conn.update_entry(dn, mod)
except Exception, e:
print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
return 1
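Review bot: `conn.update_entry(dn, mod)` receives the DN built on the unchanged line above, `dn = "cn="+realm+",cn=kerberos,"+suffix`, which already carries the suffix, whereas fix_main in this same commit switches to a suffix-relative DN (`'cn=%s,cn=kerberos' % realm`) because the ldap2 connection is created with `base_dn=suffix`. If ldap2 appends base_dn unconditionally this call would address a doubled suffix; if it recognises the suffix, the two call sites are still inconsistent. Aligning this site with fix_main, `dn = 'cn=%s,cn=kerberos' % realm`, removes the doubt. The enclosing `try:` and the function itself begin outside the hunk.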
@@ -459,16 +459,25 @@ def fix_main(password, realm, suffix):
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
- dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
+ dn = 'cn=%s,cn=kerberos' % realm
sub_dict = dict(REALM=realm, SUFFIX=suffix)
#protect the master key by adding an appropriate deny rule along with the key
- mod = [(ldap.MOD_ADD, 'aci', ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
- (ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
+ conn = ldap2(
+ shared_instance=False, ldap_uri='ldap://127.0.0.1',
+ base_dn=suffix
+ )
+ conn.connect(bind_dn='cn=directory manager', bind_pw=password)
+
+ (dn, entry_attrs) = conn.get_entry(dn, ['aci'])
+
+ entry_attrs['krbmkey'] = str(asn1key)
+ entry_attrs.setdefault('aci', []).append(
+ ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)
+ )
+
+ conn.update_entry(dn, entry_attrs)
- conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
- conn.simple_bind("cn=Directory Manager", password)
- conn.modify_s(dn, mod)
- conn.unbind()
+ conn.disconnect()
print "\n"
print "This server is now correctly configured and the master-key has been changed and secured."
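Review bot: The deny ACI is appended at `entry_attrs.setdefault('aci', []).append(` without checking whether an identical value is already present, so re-running the tool on an already fixed server would submit a duplicate `aci` value (the replaced `ldap.MOD_ADD` would have rejected an exact duplicate; how `update_entry` treats a repeated list value is not visible here). A guard keeps the fix idempotent: `new_aci = ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)` / `if new_aci not in entry_attrs.setdefault('aci', []): entry_attrs['aci'].append(new_aci)`. `conn.disconnect()` is also reached only on success; wrapping the lines from `conn.get_entry` through `conn.update_entry` in `try:` … `finally: conn.disconnect()` would close the Directory Manager-bound connection on failure as well. fix_main's body begins before the hunk.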