author | Pavel Zuna <pzuna@redhat.com> | 2010-03-24 15:51:31 +0100 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-04-19 11:27:10 -0400 |
commit | 3620135ec97c156b84a310cd423d5df52732b3f8 (patch) | |
tree | 665eb48ad333da90acf0313e0005877954e4b9f7 /install/tools | |
parent | cc336cf9c17283684df7b850e010d669122126a5 (diff) | |
download | freeipa-3620135ec97c156b84a310cd423d5df52732b3f8.tar.gz freeipa-3620135ec97c156b84a310cd423d5df52732b3f8.tar.xz freeipa-3620135ec97c156b84a310cd423d5df52732b3f8.zip |
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-compat-manage | 38 | ||||
-rwxr-xr-x | install/tools/ipa-dns-install | 18 | ||||
-rw-r--r-- | install/tools/ipa-fix-CVE-2008-3274 | 63 | ||||
-rwxr-xr-x | install/tools/ipa-ldap-updater | 2 | ||||
-rwxr-xr-x | install/tools/ipa-nis-manage | 44 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 22 | ||||
-rwxr-xr-x | install/tools/ipa-replica-manage | 8 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 33 | ||||
-rwxr-xr-x | install/tools/ipa-server-certinstall | 18 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 24 |
10 files changed, 135 insertions, 135 deletions
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 09a06caa..b22ce77f 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -22,12 +22,11 @@ import sys try: from optparse import OptionParser - from ipaserver import ipaldap from ipapython import entity, ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR + from ipaserver.plugins.ldap2 import ldap2 from ipalib import errors - import ldap import logging import re import krbV @@ -95,26 +94,29 @@ def main(): else: dirman_password = get_dirman_password() + conn = None try: + ldapuri = 'ldap://%s' % installutils.get_fqdn() try: - conn = ipaldap.IPAdmin(installutils.get_fqdn()) - conn.do_simple_bind(bindpw=dirman_password) - except ldap.LDAPError, e: + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') + conn.connect( + bind_dn='cn=directory manager', bind_pw=dirman_password + ) + except errors.LDAPError, e: print "An error occurred while connecting to the server." - print "%s" % e[0]['desc'] + print e return 1 if args[0] == "enable": try: - conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config", - ldap.SCOPE_BASE, "(objectclass=*)") + conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config') print "Plugin already Enabled" retval = 2 except errors.NotFound: print "Enabling plugin" - except ldap.LDAPError, e: + except errors.LDAPError, e: print "An error occurred while talking to the server." - print "%s" % e[0]['desc'] + print e retval = 1 if retval == 0: 
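Review bot: In main()'s connection block (the -95 hunk), `conn` is bound to the fresh ldap2 instance before `conn.connect(...)` runs, so when connect raises `errors.LDAPError` the `return 1` still reaches the outer `finally: if conn: conn.disconnect()` of the -145 hunk with an instance that never bound; that is only safe if ldap2.disconnect() tolerates an unconnected instance, which nothing here shows. Publishing the instance to `conn` only once connect has succeeded removes the question: `l = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')`, `l.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)`, `conn = l`. The main() of ipa-nis-manage has the same shape. main() continues past this hunk.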
@@ -127,17 +129,15 @@ def main(): # Make a quick hack foir now, directly delete the entries by name, # In future we should add delete capabilites to LDAPUpdate try: - conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config", - ldap.SCOPE_BASE, "(objectclass=*)") - conn.deleteEntry("cn=groups,cn=Schema Compatibility,cn=plugins,cn=config") - conn.deleteEntry("cn=users,cn=Schema Compatibility,cn=plugins,cn=config") - conn.deleteEntry("cn=Schema Compatibility,cn=plugins,cn=config") + conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config') + conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config') + conn.delete_entry('cn=Schema Compatibility,cn=plugins,cn=config') except errors.NotFound: print "Plugin is already disabled" retval = 2 - except ldap.LDAPError, e: + except errors.LDAPError, e: print "An error occurred while talking to the server." - print "%s" % e[0]['desc'] + print e retval = 1 else: @@ -145,7 +145,7 @@ def main(): finally: if conn: - conn.unbind() + conn.disconnect() return retval @@ -167,6 +167,6 @@ except config.IPAConfigError, e: print "An IPA server to update cannot be found. Has one been configured yet?" print "The error was: %s" % e sys.exit(1) -except ldap.LDAPError, e: +except errors.LDAPError, e: print "An error occurred while performing operations: %s" % e sys.exit(1) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 0656794c..3413312a 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -22,13 +22,12 @@ from optparse import OptionParser import traceback -from ipaserver import ipaldap +from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install import bindinstance, ntpinstance from ipaserver.install.installutils import * from ipapython import version from ipapython import ipautil, sysrestore -from ipalib import api, util -import ldap +from ipalib import api, errors, util def parse_options(): parser = OptionParser(version=version.VERSION) 
@@ -134,14 +133,15 @@ def main(): dm_password = options.dm_password # Try out the password + ldapuri = 'ldap://%s' % api.env.host try: - conn = ipaldap.IPAdmin(api.env.host) - conn.do_simple_bind(bindpw=dm_password) - conn.unbind() - except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e: - sys.exit("\nUnable to connect to LDAP server %s" % api.env.host) - except ldap.INVALID_CREDENTIALS, e : + conn = ldap2(shared_instance=False, ldap_uri=ldapuri) + conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) + conn.disconnect() + except errors.ACIError: sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host) + except errors.LDAPError: + sys.exit("\nUnable to connect to LDAP server %s" % api.env.host) conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled() diff --git a/install/tools/ipa-fix-CVE-2008-3274 b/install/tools/ipa-fix-CVE-2008-3274 index 79ff904d..723d4121 100644 --- a/install/tools/ipa-fix-CVE-2008-3274 +++ b/install/tools/ipa-fix-CVE-2008-3274 @@ -25,13 +25,10 @@ try: import ipapython.ipautil import krbV - import ldap - - from ldap import LDAPError - from ldap import ldapobject + from ipalib import errors from ipaclient import ipachangeconf - from ipaserver import ipaldap + from ipaserver.plugins.ldap2 import ldap2 from pyasn1.type import univ, namedtype import pyasn1.codec.ber.encoder 
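Review bot: The password probe builds `ldap2(shared_instance=False, ldap_uri=ldapuri)` without the `base_dn` argument that every other ldap2(...) construction in this commit passes (`base_dn=''` or the suffix), so unless the constructor has a usable default this call site behaves differently from the otherwise identical probes in ipa-replica-install and ipa-replica-prepare. The wrong-password branch now depends on ldap2.connect() translating an LDAP invalidCredentials result into `errors.ACIError`, which is not visible in this hunk and is worth confirming, and the two except clauses are only correctly ordered if ACIError is not a superclass of LDAPError. Since the same eight-line probe is now copied into three installer scripts, a helper in installutils taking the host and password would keep the exception mapping in one place. main() starts and ends outside this hunk.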
@@ -70,22 +67,24 @@ def parse_options(): def check_vuln(realm, suffix): + ldapuri = 'ldap://127.0.0.1' try: - conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/") - conn.simple_bind() - msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix, - ldap.SCOPE_BASE, - "(objectclass=krbRealmContainer)", - ("krbmkey", "cn")) - res = conn.result(msgid) - conn.unbind() - - if len(res) != 2: + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix) + conn.connect() + try: + (entries, truncated) = conn.find_entries( + filter='(objectclass=krbRealmContainer)', + attrs_list=('krbmkey', 'cn'), scope=ldap2.SCOPE_BASE, + base_dn='cn=%s,cn=kerberos' % realm + ) + except errors.NotFound: err = 'Realm Container not found, unable to proceed' print err raise Exception, err + finally: + conn.disconnect() - if 'krbmkey' in res[1][0][1]: + if 'krbmkey' in entries[0][1]: print 'System vulnerable' return 1 else: @@ -185,9 +184,10 @@ def change_mkey(password = None, quiet = False): password = getpass.getpass("Directory Manager password: ") # get a connection to the DS + ldapuri = 'ldap://%s' % ipapython.config.config.default_server[0] try: - conn = ipaldap.IPAdmin(ipapython.config.config.default_server[0]) - conn.do_simple_bind(bindpw=password) + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix) + conn.connect(bind_dn='cn=directory manager', bind_pw=password) except Exception, e: print "ERROR: Could not connect to the Directory Server on "+ipapython.config.config.default_server[0]+" ("+str(e)+")" return 1 @@ -298,8 +298,8 @@ def change_mkey(password = None, quiet = False): asn1key = pyasn1.codec.ber.encoder.encode(krbMKey) dn = "cn="+realm+",cn=kerberos,"+suffix - mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))] - conn.modify_s(dn, mod) + mod = {'krbmkey': str(asn1key)} + conn.update_entry(dn, mod) except Exception, e: print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")" return 1 
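Review bot: The DN conventions in this file now disagree: check_vuln passes `base_dn='cn=%s,cn=kerberos' % realm` to find_entries on a connection opened with `base_dn=suffix`, and fix_main's later hunk does the same with `dn = 'cn=%s,cn=kerberos' % realm`, while change_mkey's `conn.update_entry(dn, mod)` in the -298 hunk keeps the full `"cn="+realm+",cn=kerberos,"+suffix` on a connection that is also opened with `base_dn=suffix`. Whether ldap2 appends its base_dn only when the given DN is relative is not visible here; if it always appends, change_mkey targets a DN with the suffix twice, and if it never does, check_vuln and fix_main look under the wrong entry. Using the full DN at all three sites, as change_mkey does, makes the calls independent of that rule. The anonymous `conn.connect()` in check_vuln appears deliberate, since readability of `krbmkey` without credentials is the condition being tested, so it should stay as is. `truncated` from find_entries is never used.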
@@ -459,16 +459,25 @@ def fix_main(password, realm, suffix): krbMKey.setComponentByPosition(1, MasterKey) asn1key = pyasn1.codec.ber.encoder.encode(krbMKey) - dn = "cn=%s,cn=kerberos,%s" % (realm, suffix) + dn = 'cn=%s,cn=kerberos' % realm sub_dict = dict(REALM=realm, SUFFIX=suffix) #protect the master key by adding an appropriate deny rule along with the key - mod = [(ldap.MOD_ADD, 'aci', ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)), - (ldap.MOD_REPLACE, 'krbMKey', str(asn1key))] + conn = ldap2( + shared_instance=False, ldap_uri='ldap://127.0.0.1', + base_dn=suffix + ) + conn.connect(bind_dn='cn=directory manager', bind_pw=password) + + (dn, entry_attrs) = conn.get_entry(dn, ['aci']) + + entry_attrs['krbmkey'] = str(asn1key) + entry_attrs.setdefault('aci', []).append( + ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict) + ) + + conn.update_entry(dn, entry_attrs) - conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/") - conn.simple_bind("cn=Directory Manager", password) - conn.modify_s(dn, mod) - conn.unbind() + conn.disconnect() print "\n" print "This server is now correctly configured and the master-key has been changed and secured." diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater index 97d464cd..746cd421 100755 --- a/install/tools/ipa-ldap-updater +++ b/install/tools/ipa-ldap-updater @@ -26,11 +26,9 @@ import sys try: from optparse import OptionParser - from ipaserver import ipaldap from ipapython import entity, ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR - import ldap import logging import re import krbV diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 18a14639..22cfd432 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage 
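Review bot: fix_main opens the ldap2 connection and only reaches `conn.disconnect()` if `get_entry` and `update_entry` both succeed; an exception from either leaves the Directory Manager-bound connection open until the process exits (the old code had the same gap, but the rewrite is the moment to close it). Wrapping the read-modify-write in try/finally fixes that while keeping the single `update_entry` call, which matters because the hunk's own comment says the deny ACI is meant to land together with the key. set_ds_cert_name in ipa-server-certinstall, get_subject_base in ipa-replica-prepare and set_subject_in_config in ipa-server-install have the same open-use-close shape without a finally. fix_main starts before this hunk.
```python
    conn.connect(bind_dn='cn=directory manager', bind_pw=password)
    try:
        (dn, entry_attrs) = conn.get_entry(dn, ['aci'])
        entry_attrs['krbmkey'] = str(asn1key)
        entry_attrs.setdefault('aci', []).append(
            ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)
        )
        conn.update_entry(dn, entry_attrs)
    finally:
        conn.disconnect()
    # … unchanged: closing messages …
```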
@@ -22,12 +22,11 @@ import sys try: from optparse import OptionParser - from ipaserver import ipaldap from ipapython import entity, ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR + from ipaserver.plugins.ldap2 import ldap2 from ipalib import errors - import ldap import logging except ImportError: print >> sys.stderr, """\ @@ -68,12 +67,9 @@ def get_dirman_password(): def get_nis_config(conn): entry = None try: - entry = conn.getEntry(nis_config_dn, ldap.SCOPE_BASE, "(objectclass=*)") + (dn, entry) = conn.get_entry(nis_config_dn) except errors.NotFound: pass - except ldap.LDAPError, e: - raise e - return entry def main(): @@ -103,22 +99,26 @@ def main(): else: dirman_password = get_dirman_password() + conn = None try: + ldapuri = 'ldap://%s' % installutils.get_fqdn() try: - conn = ipaldap.IPAdmin(installutils.get_fqdn()) - conn.do_simple_bind(bindpw=dirman_password) - except ldap.LDAPError, e: + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') + conn.connect( + bind_dn='cn=directory manager', bind_pw=dirman_password + ) + except errors.LDAPError, e: print "An error occurred while connecting to the server." - print "%s" % e[0]['desc'] + print e return 1 if args[0] == "enable": entry = None try: entry = get_nis_config(conn) - except ldap.LDAPError, e: + except errors.LDAPError, e: print "An error occurred while talking to the server." - print "%s" % e[0]['desc'] + print e retval = 1 # Enable either the portmap or rpcbind service 
@@ -142,27 +142,25 @@ def main(): ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) retval = ld.update(files) else: - if entry.getValue('nsslapd-pluginenabled').lower() == "off": + if entry.get('nsslapd-pluginenabled', '').lower() == 'off': # Already configured, just enable the plugin print "Enabling plugin" - mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "on")] - - conn.modify_s(nis_config_dn, mod) + mod = {'nsslapd-pluginenabled': 'on'} + conn.update_entry(nis_config_dn, mod) else: print "Plugin already Enabled" retval = 2 elif args[0] == "disable": try: - mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "off")] - - conn.modify_s(nis_config_dn, mod) + mod = {'nsslapd-pluginenabled': 'off'} + conn.update_entry(nis_config_dn, mod) except errors.NotFound: print "Plugin is already disabled" retval = 2 - except ldap.LDAPError, e: + except errors.LDAPError, e: print "An error occurred while talking to the server." - print "%s" % e[0]['desc'] + print e retval = 1 else: @@ -176,7 +174,7 @@ def main(): finally: if conn: - conn.unbind() + conn.disconnect() return retval @@ -198,6 +196,6 @@ except config.IPAConfigError, e: print "An IPA server to update cannot be found. Has one been configured yet?" print "The error was: %s" % e sys.exit(1) -except ldap.LDAPError, e: +except errors.LDAPError, e: print "An error occurred while performing operations: %s" % e sys.exit(1) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 4b348f64..da03809d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
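Review bot: `entry.get('nsslapd-pluginenabled', '').lower() == 'off'` raises AttributeError if the attribute value is a list, which is how the rest of this commit treats ldap2 attribute values (`entry_attrs.get('ipacertificatesubjectbase', [None])[0]` in ipa-replica-prepare, `entry_attrs.setdefault('aci', []).append(...)` in ipa-fix-CVE-2008-3274). If that is the ldap2 contract, the check should read `if entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':`. `entry` here comes from get_nis_config, whose hunk now returns the attrs dict half of get_entry's result, so this is the one place the value shape is relied on. main() starts and ends outside this hunk.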
@@ -23,15 +23,14 @@ import socket import tempfile, os, pwd, traceback, logging, shutil from ConfigParser import SafeConfigParser -import ldap from ipapython import ipautil from ipaserver.install import dsinstance, replication, installutils, krbinstance, service from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs -from ipaserver import ipaldap +from ipaserver.plugins.ldap2 import ldap2 from ipapython import version -from ipalib import api, util +from ipalib import api, errors, util CACERT="/usr/share/ipa/html/ca.crt" @@ -300,16 +299,17 @@ def main(): config.dir = dir # Try out the password + ldapuri = 'ldap://%s' % config.master_host_name try: - conn = ipaldap.IPAdmin(config.master_host_name) - conn.do_simple_bind(bindpw=config.dirman_password) - conn.unbind() - except ldap.CONNECT_ERROR, e: - sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name) - except ldap.SERVER_DOWN, e: - sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name) - except ldap.INVALID_CREDENTIALS, e : + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') + conn.connect( + bind_dn='cn=directory manager', bind_pw=config.dirman_password + ) + conn.disconnect() + except errors.ACIError: sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name) + except errors.LDAPError: + sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name) # Create the management framework config file # Note: We must do this before bootstraping and finalizing ipalib.api diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index b85c491e..91550bef 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage 
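Review bot: The password probe performs a simple bind with the Directory Manager password against `'ldap://%s' % config.master_host_name`, a remote host; nothing in this hunk shows ldap2.connect() negotiating TLS (StartTLS, or an `ldaps://` URI) before the bind, so unless it does so internally the credential crosses the network in clear. Please confirm that, and otherwise change the URI scheme or have connect() start TLS before binding. get_subject_base in ipa-replica-prepare and set_subject_in_config in ipa-server-install bind the same way to a caller-supplied host_name, and ipa-dns-install does so to api.env.host. main() starts and ends outside this hunk.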
@@ -24,10 +24,9 @@ import traceback, logging from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils -from ipaserver import ipaldap +from ipaserver.plugins.ldap2 import ldap2 from ipapython import version -from ipalib import util -from ipalib import errors +from ipalib import errors, util def parse_options(): from optparse import OptionParser @@ -73,7 +72,8 @@ def get_realm_name(): return c.default_realm def get_suffix(): - suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name())) + l = ldap2(shared_instance=False, base_dn='') + suffix = l.normalize_dn(util.realm_to_suffix(get_realm_name())) return suffix def get_host_name(): diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 11649173..87a3ae4c 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -29,11 +29,9 @@ from optparse import OptionParser from ipapython import ipautil from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr -from ipaserver import ipaldap +from ipaserver.plugins.ldap2 import ldap2 from ipapython import version -from ipalib import api -from ipalib import util -import ldap +from ipalib import api, errors, util def parse_options(): usage = "%prog [options] FQDN (e.g. replica.example.com)" 
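Review bot: get_suffix instantiates an ldap2 object purely to call `normalize_dn`, and without `ldap_uri`, so whether the constructor needs an initialised api.env at that point in this script is worth checking; the replaced `ipaldap.IPAdmin.normalizeDN` was a class-level call that needed no instance. If normalize_dn does not depend on connection state, a static call or a small module-level helper would avoid building a connection object per call. `l` is also a poor local name, easily misread as `1`; `conn` reads better.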
@@ -75,14 +73,16 @@ def parse_options(): return options, args def get_subject_base(host_name, dm_password, suffix): + ldapuri = 'ldap://%s:389' % host_name try: - conn = ipaldap.IPAdmin(host_name) - conn.do_simple_bind(bindpw=dm_password) - except Exception, e: + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix) + conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) + except errors.ExecutionError, e: logging.critical("Could not connect to the Directory Server on %s" % host_name) raise e - entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE) - return entry.getValue('ipacertificatesubjectbase') + (dn, entry_attrs) = conn.get_ipa_config() + conn.disconnect() + return entry_attrs.get('ipacertificatesubjectbase', [None])[0] def check_ipa_configuration(realm_name): config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) @@ -236,16 +236,15 @@ def main(): sys.exit(0) # Try out the password + ldapuri = 'ldap://%s:389' % api.env.host try: - conn = ipaldap.IPAdmin(api.env.host) - conn.do_simple_bind(bindpw=dirman_password) - conn.unbind() - except ldap.CONNECT_ERROR, e: - sys.exit("\nUnable to connect to LDAP server %s" % api.env.host) - except ldap.SERVER_DOWN, e: - sys.exit("\nUnable to connect to LDAP server %s" % api.env.host) - except ldap.INVALID_CREDENTIALS, e : + conn = ldap2(shared_instance=False, ldap_uri=ldapuri) + conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password) + conn.disconnect() + except errors.ACIError: sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host) + except errors.LDAPError: + sys.exit("\nUnable to connect to LDAP server %s" % api.env.host) print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host) diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index d02dbbba..d853f718 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall 
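Review bot: get_subject_base narrows the connect handler from `except Exception` to `except errors.ExecutionError`, so any failure ldap2.connect() does not wrap into an ExecutionError now propagates without the `logging.critical` line; confirm that ldap2 wraps every connection failure, or keep a broad fallback. Inside the handler `raise e` re-raises from the handler's frame and drops the original traceback in Python 2, whereas a bare `raise` preserves it. After connect, `conn.get_ipa_config()` runs outside any try/finally, so a failure there leaves the bound connection open; `try: (dn, entry_attrs) = conn.get_ipa_config()` / `finally: conn.disconnect()` with the return after the block closes that. set_subject_in_config in ipa-server-install has the same three points.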
@@ -25,13 +25,13 @@ import tempfile import traceback -import krbV, ldap, getpass +import krbV, getpass from ipapython.ipautil import user_input -from ipaserver import ipaldap from ipaserver.install import certs, dsinstance, httpinstance, installutils from ipalib import api +from ipaserver.plugins.ldap2 import ldap2 def get_realm_name(): c = krbV.default_context() @@ -64,14 +64,12 @@ def parse_options(): return options, args[0] def set_ds_cert_name(cert_name, dm_password): - conn = ipaldap.IPAdmin("127.0.0.1") - conn.simple_bind_s("cn=directory manager", dm_password) - - mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)] - - conn.modify_s("cn=RSA,cn=encryption,cn=config", mod) - - conn.unbind() + ldapuri = 'ldap://127.0.0.1' + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') + conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) + mod = {'nssslpersonalityssl': cert_name} + conn.update_entry('cn=RSA,cn=encryption,cn=config', mod) + conn.disconnect() def choose_server_cert(server_certs): print "Please select the certificate to use:" diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 314adf16..f0c3add0 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -35,7 +35,6 @@ import signal import shutil import glob import traceback -import ldap from optparse import OptionParser from ConfigParser import RawConfigParser import random @@ -51,11 +50,11 @@ from ipaserver.install import cainstance from ipaserver.install import service from ipapython import version from ipaserver.install.installutils import * -from ipaserver import ipaldap +from ipaserver.plugins.ldap2 import ldap2 from ipapython import sysrestore from ipapython.ipautil import * -from ipalib import api, util +from ipalib import api, errors, util import ipawebui 
@@ -411,19 +410,18 @@ def render_assets(): ui.render_assets() def set_subject_in_config(host_name, dm_password, suffix, subject_base): + ldapuri = 'ldap://%s' % host_name try: - conn = ipaldap.IPAdmin(host_name) - conn.do_simple_bind(bindpw=dm_password) - except Exception, e: + conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix) + conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) + except errors.ExecutionError, e: logging.critical("Could not connect to the Directory Server on %s" % host_name) raise e - entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE) - if entry.getValue('ipaCertificateSubjectBase') is None: - newentry = entry.toDict() - newentry['ipaCertificateSubjectBase'] = subject_base - conn.updateEntry(entry.dn, entry.toDict(), newentry) - - conn.unbind() + (dn, entry_attrs) = conn.get_ipa_config() + if 'ipacertificatesubjectbase' not in entry_attrs: + mod = {'ipacertificatesubjectbase': subject_base} + conn.update_entry(dn, mod) + conn.disconnect() def main(): global ds |