From abeda55e34ff19d34bf48f7e8c7f1df42b86136f Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 31 Aug 2007 18:40:01 -0400 Subject: Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently --- ipa-server/ipa-install/ipa-server-install | 61 ++++++++++++++++------ .../ipa-pwd-extop/ipa_pwd_extop.c | 2 +- ipa-server/ipaserver/dsinstance.py | 27 +++++++--- ipa-server/ipaserver/krbinstance.py | 29 +++++++++- 4 files changed, 93 insertions(+), 26 deletions(-) diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 91138c01..90296e5d 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -31,6 +31,7 @@ sys.path.append("/usr/share/ipa") import socket import logging +import pwd from optparse import OptionParser import ipaserver.dsinstance import ipaserver.krbinstance @@ -42,10 +43,12 @@ def parse_options(): help="ds user") parser.add_option("-r", "--realm", dest="realm_name", help="realm name") - parser.add_option("-p", "--ds-password", dest="ds_password", + parser.add_option("-p", "--ds-password", dest="dm_password", help="admin password") parser.add_option("-P", "--master-password", dest="master_password", help="kerberos master password") + parser.add_option("-a", "--admin-password", dest="admin_password", + help="admin user kerberos password") parser.add_option("-d", "--debug", dest="debug", action="store_true", dest="debug", default=False, help="print debugging information") parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") @@ -56,7 +59,8 @@ def parse_options(): if options.unattended and (not options.ds_user or not options.realm_name or - not options.ds_password or + not options.dm_password or + not options.admin_password or not options.master_password): parser.error("error: In unattended mode you need to provide -u, -r, -p and -P options") @@ -95,7 +99,8 @@ def main(): realm_name = "" host_name = "" master_password = "" - ds_password = "" + dm_password = "" + admin_password = "" # check the hostname is correctly configured, it must be as the kldap # utilities just use the hostname as returned by gethostbyname to set @@ -137,13 +142,25 @@ def main(): print "" if not options.ds_user: - print "To securely run Directory Server we need a user account to be set up." - print "This will allow DS to run as a user and not as root." - print "The user account will have access to some security material so it should not be shared with any other application." - print "A good user account name could be 'ds' or 'dirsrv', if it does not exist it will be created as part of the installation procedure." - print "" - ds_user = raw_input("Which account name do you want to use for the DS instance ? ") - print "" + + try: + pwd.getpwnam('dirsrv') + + print "To securely run Directory Server we need a user account to be set up." + print "This will allow DS to run as a user and not as root." + print "The user account will have access to some security material so it should not be shared with any other application." + print "A user account named 'dirsrv' already exist. You should not share the account with any other service." + print "" + yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)") + print "" + if yesno.lower() == "y": + ds_user = "dirsrv" + else: + ds_user = raw_input("Which account name do you want to use for the DS instance ? ") + print "" + except KeyError: + ds_user = "dirsrv" + if ds_user == "": return "-Aborted-" else: @@ -177,14 +194,15 @@ def main(): else: realm_name = options.realm_name - if not options.ds_password: + if not options.dm_password: print "The Directory Manager user is the equivalent of 'root' for Diretcory Server." + print "This account has full access to the Directory and is used for system management tasks." print "" #TODO: provide the option of generating a random password - ds_password = raw_input("Please provide a password for the Directory Manager: ") + dm_password = raw_input("Please provide a password for the Directory Manager: ") print "" else: - ds_password = options.ds_password + dm_password = options.dm_password if not options.master_password: print "The Kerberos database is usually encrypted using a master password." @@ -199,13 +217,23 @@ def main(): else: master_password = options.master_password + if not options.admin_password: + print "The 'admin' user is the administrative user used to administare an IPA server." + print "This account is the one that will be used for normal administration and is also a regular unix user" + print "" + #TODO: provide the option of generating a random password + admin_password = raw_input("Please provide a kerberos password for the 'admin' user: ") + print "" + else: + admin_password = options.admin_password + # Create a directory server instance ds = ipaserver.dsinstance.DsInstance() - ds.create_instance(ds_user, realm_name, host_name, ds_password) + ds.create_instance(ds_user, realm_name, host_name, dm_password) # Create a kerberos instance krb = ipaserver.krbinstance.KrbInstance() - krb.create_instance(ds_user, realm_name, host_name, ds_password, master_password) + krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password) # Restart ds after the krb instance has changed ds configurations ds.restart() @@ -228,6 +256,9 @@ def main(): # Start Kpasswd run(["/sbin/service", "ipa-kpasswd", "start"]) + # Set the admin user kerberos password + ds.change_admin_password(admin_password) + # Create the config file fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index f3771204..e920cec7 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -926,7 +926,7 @@ ipapwd_extop( Slapi_PBlock *pb ) goto free_and_return; } - if ( (is_ssl <=1) && (sasl_ssf <= 1) ) { + if ( (is_ssl == 0) && (sasl_ssf <= 1) ) { errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto free_and_return; diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 2c7e0c7d..841bc31f 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -72,16 +72,18 @@ class DsInstance: def __init__(self): self.serverid = None self.realm_name = None + self.suffix = None self.host_name = None - self.admin_password = None + self.dm_password = None self.sub_dict = None - def create_instance(self, ds_user, realm_name, host_name, admin_password): + def create_instance(self, ds_user, realm_name, host_name, dm_password): self.ds_user = ds_user self.serverid = generate_serverid() self.realm_name = realm_name.upper() + self.suffix = realm_to_suffix(self.realm_name) self.host_name = host_name - self.admin_password = admin_password + self.dm_password = dm_password self.__setup_sub_dict() self.__create_ds_user() @@ -111,10 +113,9 @@ class DsInstance: run(["/sbin/service", "dirsrv", "restart"]) def __setup_sub_dict(self): - suffix = realm_to_suffix(self.realm_name) server_root = find_server_root() self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.admin_password, SUFFIX=suffix, + PASSWORD=self.dm_password, SUFFIX=self.suffix, REALM=self.realm_name, USER=self.ds_user, SERVER_ROOT=server_root) @@ -155,7 +156,7 @@ class DsInstance: def __enable_ssl(self): logging.debug("configuring ssl for ds instance") dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + args = ["/usr/sbin/ipa-server-setupssl", self.dm_password, dirname, self.host_name] run(args) logging.debug("done configuring ssl for ds instance") @@ -165,7 +166,7 @@ class DsInstance: inf_fd = write_tmp_file(txt) logging.debug("adding default ds layout") args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.admin_password, "-f", inf_fd.name] + "-w", self.dm_password, "-f", inf_fd.name] run(args) logging.debug("done adding default ds layout") @@ -184,5 +185,15 @@ class DsInstance: certmap_fd = open(dirname+"certmap.conf", "w+") certmap_fd.write(certmap_conf) certmap_fd.close() - logging.debug("done configuring certmap.conf for ds instance") + + def change_admin_password(self, password): + logging.debug("Changing admin password") + dirname = self.config_dirname() + args = ["/usr/lib/mozldap/ldappasswd", + "-D", "cn=Directory Manager", "-w", self.dm_password, + "-P", dirname+"/cert8.db", "-ZZZ", "-s", password, + "uid=admin,cn=sysaccounts,cn=etc,"+self.suffix] + run(args) + logging.debug("ldappasswd done") + diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 1c77b086..e17ab525 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -109,7 +109,7 @@ class KrbInstance: for x in self.kdc_password: hexpwd += (hex(ord(x))[2:]) pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") - pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.write("uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix+"#{HEX}"+hexpwd+"\n") pwd_fd.close() def __setup_sub_dict(self): @@ -147,7 +147,7 @@ class KrbInstance: krb5_fd.close() #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] run(args) #add the password extop module @@ -178,6 +178,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/etc/dirsrv/ds.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/dirsrv", "a") cfg_fd.write("export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n") cfg_fd.close() @@ -199,6 +208,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 + while not file_exists("/var/kerberos/krb5kdc/kpasswd.keytab"): + time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") cfg_fd.close() @@ -215,8 +233,15 @@ class KrbInstance: kread.close() kerr.close() + # give kadmin time to actually write the file before we go on + retry = 0 while not file_exists("/etc/httpd/conf/ipa.keytab"): time.sleep(1) + retry += 1 + if retry > 15: + print "Error timed out waiting for kadmin to finish operations\n" + os.exit() + pent = pwd.getpwnam("apache") os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) -- cgit