-rw-r--r-- | Makefile | 35 | ||||
-rwxr-xr-x | ipa-server/freeipa-server.spec | 4 | ||||
-rw-r--r-- | ipa-server/freeipa-server.spec.in | 4 | ||||
-rw-r--r-- | ipa-server/ipa-install/ipa-server-install | 8 | ||||
-rw-r--r-- | ipa-server/ipa-kpasswd/Makefile | 5 | ||||
-rw-r--r-- | ipa-server/ipa-kpasswd/ipa_kpasswd.c | 13 | ||||
-rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-pwd-extop/plugin-conf.ldif | 4 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 15 |
8 files changed, 61 insertions, 27 deletions
@@ -2,6 +2,8 @@ SUBDIRS=ipa-server ipa-admintools ipa-python PRJ_PREFIX=freeipa +RPMBUILD ?= $(PWD)/rpmbuild + # set to 1 to produce a debug build of all subprojects #DEBUG=1 
@@ -94,25 +96,32 @@ tarballs: cd dist; tar cfz $(PYTHON_TARBALL) $(PYTHON_TARBALL_PREFIX) rm -fr dist/$(PYTHON_TARBALL_PREFIX) +rpmroot: + mkdir -p $(RPMBUILD)/BUILD + mkdir -p $(RPMBUILD)/RPMS + mkdir -p $(RPMBUILD)/SOURCES + mkdir -p $(RPMBUILD)/SPECS + mkdir -p $(RPMBUILD)/SRPMS + rpm-ipa-server: - cp dist/$(SERV_TARBALL) ~/rpmbuild/SOURCES/. - rpmbuild -ba ipa-server/freeipa-server.spec - cp ~/rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.rpm dist/. - cp ~/rpmbuild/SRPMS/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.src.rpm dist/. + cp dist/$(SERV_TARBALL) $(RPMBUILD)/SOURCES/. + rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-server/freeipa-server.spec + cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.rpm dist/. + cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.src.rpm dist/. rpm-ipa-admin: - cp dist/$(ADMIN_TARBALL) ~/rpmbuild/SOURCES/. - rpmbuild -ba ipa-admintools/freeipa-admintools.spec - cp ~/rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.rpm dist/. - cp ~/rpmbuild/SRPMS/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.src.rpm dist/. + cp dist/$(ADMIN_TARBALL) $(RPMBUILD)/SOURCES/. + rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-admintools/freeipa-admintools.spec + cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.rpm dist/. + cp rpmbuild/SRPMS/$(PRJ_PREFIX)-admintools-$(ADMIN_VERSION)-*.src.rpm dist/. rpm-ipa-python: - cp dist/$(PYTHON_TARBALL) ~/rpmbuild/SOURCES/. - rpmbuild -ba ipa-python/freeipa-python.spec - cp ~/rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.rpm dist/. - cp ~/rpmbuild/SRPMS/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.src.rpm dist/. + cp dist/$(PYTHON_TARBALL) $(RPMBUILD)/SOURCES/. + rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-python/freeipa-python.spec + cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.rpm dist/. + cp rpmbuild/SRPMS/$(PRJ_PREFIX)-python-$(PYTHON_VERSION)-*.src.rpm dist/. 
-rpms: rpm-ipa-server rpm-ipa-admin rpm-ipa-python +rpms: rpmroot rpm-ipa-server rpm-ipa-admin rpm-ipa-python dist: version-update archive tarballs archive-cleanup rpms diff --git a/ipa-server/freeipa-server.spec b/ipa-server/freeipa-server.spec index c292177b..05e915da 100755 --- a/ipa-server/freeipa-server.spec +++ b/ipa-server/freeipa-server.spec @@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel mhash-devel -Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntpd cyrus-sasl-gssapi nss TurboGears +Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears %define httpd_conf /etc/httpd/conf.d %define plugin_dir /usr/lib/fedora-ds/plugins @@ -43,7 +43,7 @@ rm -rf %{buildroot} %{_sbindir}/ipa-server-install %{_sbindir}/ipa-server-setupssl %{_sbindir}/ipa_kpasswd - +%attr(755,root,root) %{_initrddir}/ipa-kpasswd %dir %{_usr}/share/ipa %{_usr}/share/ipa/* diff --git a/ipa-server/freeipa-server.spec.in b/ipa-server/freeipa-server.spec.in index 7685a78e..5fc83311 100644 --- a/ipa-server/freeipa-server.spec.in +++ b/ipa-server/freeipa-server.spec.in 
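Review bot: The `cp` lines that collect the built packages in the three `rpm-ipa-*` targets read from a relative `rpmbuild/RPMS` and `rpmbuild/SRPMS`, while the tarball copy and `--define "_topdir $(RPMBUILD)"` use the overridable `$(RPMBUILD)`. With `RPMBUILD` set to anything other than the default, those copies either fail or pick up packages left in `./rpmbuild` by an earlier run, and these stale packages then land in `dist/`. Read from the same root, e.g. `cp $(RPMBUILD)/RPMS/*/$(PRJ_PREFIX)-server-$(SERV_VERSION)-*.rpm dist/.`, and likewise for the SRPMS lines. `rpmroot` is a prerequisite of `rpms` only, so invoking `rpm-ipa-server` on its own in a fresh tree would find no `SOURCES` directory; listing `rpmroot` as a prerequisite of each `rpm-ipa-*` target closes that gap.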
@@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel mhash-devel -Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntpd cyrus-sasl-gssapi nss TurboGears +Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears %define httpd_conf /etc/httpd/conf.d %define plugin_dir /usr/lib/fedora-ds/plugins @@ -43,7 +43,7 @@ rm -rf %{buildroot} %{_sbindir}/ipa-server-install %{_sbindir}/ipa-server-setupssl %{_sbindir}/ipa_kpasswd - +%attr(755,root,root) %{_initrddir}/ipa-kpasswd %dir %{_usr}/share/ipa %{_usr}/share/ipa/* diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index 8ba8425d..316fe254 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -113,7 +113,7 @@ def main(): krb.create_instance(options.ds_user, options.realm_name, host_name, options.password, options.master_password) - # Restart ds after the krb instance have add the sasl map + # Restart ds after the krb instance has changed ds configurations ds.restart() # Restart apache @@ -128,6 +128,12 @@ def main(): # Set the KDC to start on boot run(["/sbin/chkconfig", "krb5kdc", "on"]) + # Set the Kpasswd to start on boot + run(["/sbin/chkconfig", "ipa-kpasswd", "on"]) + + # Start Kpasswd + run(["/sbin/service", "ipa-kpasswd", "start"]) + # Create the config file fd = open("/etc/ipa/ipa.conf", "w") fd.write("[defaults]\n") diff --git a/ipa-server/ipa-kpasswd/Makefile b/ipa-server/ipa-kpasswd/Makefile index 11755a9a..7384ed88 100644 --- a/ipa-server/ipa-kpasswd/Makefile +++ b/ipa-server/ipa-kpasswd/Makefile 
@@ -1,5 +1,6 @@ PREFIX ?= $(DESTDIR)/usr SBIN = $(PREFIX)/sbin +INITDIR = $(DESTDIR)/etc/rc.d/init.d LDFLAGS +=-lkrb5 -llber -lldap CFLAGS ?= -Wall -Wshadow -O2 @@ -15,8 +16,10 @@ all: $(OBJS) install: -mkdir -p $(SBIN) install -m 755 ipa_kpasswd $(SBIN) + -mkdir -p $(INITDIR) + install -m 755 ipa-kpasswd.init $(INITDIR)/ipa-kpasswd clean: rm -f *.o rm -f ipa_kpasswd - rm -f *~
\ No newline at end of file + rm -f *~ diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c index 811ae34d..bc89a1b8 100644 --- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c +++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c @@ -21,6 +21,7 @@ #include <ldap.h> #include <sasl/sasl.h> +#define DEFAULT_KEYTAB "FILE:/var/kerberos/krb5kdc/kpasswd.keytab" #define TMP_TEMPLATE "/tmp/kpasswd.XXXXXX" #define KPASSWD_PORT 464 #define KPASSWD_TCP 1 @@ -108,7 +109,7 @@ int remove_blacklist(pid_t pid) int debug = 1; char *srv_pri_name = "kadmin/changepw"; -char *keytab_name = "FILE:/var/kerberos/krb5kdc/kpasswd.keytab"; +char *keytab_name = NULL; static int get_krb5_ticket(char *tmp_file) { @@ -864,6 +865,16 @@ int main(int argc, char *argv[]) int tcp_s, udp_s; int tru = 1; int ret; + char *key; + + key = getenv("KRB5_KTNAME"); + if (!key) { + key = DEFAULT_KEYTAB; + } + keytab_name = strdup(key); + if (!keytab_name) { + fprintf(stderr, "Out of memory!\n"); + } tcp_s = socket(AF_INET, SOCK_STREAM, 0); if (tcp_s == -1) { diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/plugin-conf.ldif b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/plugin-conf.ldif index 738ef7ab..6240c10f 100644 --- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/plugin-conf.ldif +++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/plugin-conf.ldif 
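Review bot: In `main`, the `strdup` failure branch prints "Out of memory!" and then falls through to `socket()`, so the daemon keeps starting with `keytab_name` still NULL; add `return 1;` after the `fprintf`. The value of `KRB5_KTNAME` is copied without any check, so whoever controls the service's environment chooses the keytab that is presumably used for `kadmin/changepw`. A comment at the `getenv` call, such as `/* KRB5_KTNAME is trusted: it must only be set by the root-owned service configuration */`, would make that assumption explicit. The rest of `main` lies outside the hunk.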
@@ -3,12 +3,12 @@ objectclass: top objectclass: nsSlapdPlugin objectclass: extensibleObject cn: ipa_pwd_extop -nsslapd-pluginpath: /usr/lib/fedora-ds/plugins/libipa_pwd_extop.so +nsslapd-pluginpath: libipa_pwd_extop.so nsslapd-plugininitfunc: ipapwd_init nsslapd-plugintype: extendedop nsslapd-pluginenabled: on nsslapd-pluginid: Multi-hash Change Password Extended Operation nsslapd-pluginversion: 1.0 nsslapd-pluginvendor: RedHat -nsslapd-plugindescription: Support saving passwords in multiple fornmats for different consumers like krb5, samba, freeradius, etc. +nsslapd-plugindescription: Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.) nsslapd-pluginarg0: /var/kerberos/krb5kdc/.k5.$REALM diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index e31312a7..99687370 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -87,12 +87,12 @@ class KrbInstance: self.__create_http_keytab() - self.__set_kadmin_changepw_preauth() - - self.__export_kadmin_changepw_keytab() + self.__export_kadmin_changepw_keytab() self.__create_sample_bind_zone() + self.__add_pwd_extop_module() + self.start() def stop(self): @@ -185,7 +185,7 @@ class KrbInstance: pent = pwd.getpwnam(self.ds_user) os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid) - def __set_kadmin_changepw_preauth(self): + def __export_kadmin_changepw_keytab(self): (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("modprinc +requires_preauth kadmin/changepw\n") kwrite.flush() @@ -193,7 +193,6 @@ class KrbInstance: kread.close() kerr.close() - def __export_kadmin_changepw_keytab(self): (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("ktadd -k /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw\n") kwrite.flush() 
@@ -201,6 +200,12 @@ class KrbInstance: kread.close() kerr.close() + cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "a") + cfg_fd.write("export KRB5_KTNAME=/var/kerberos/krb5kdc/kpasswd.keytab\n") + cfg_fd.close() + pent = pwd.getpwnam(self.ds_user) + os.chown("/etc/sysconfig/ipa-kpasswd", pent.pw_uid, pent.pw_gid) + def __create_http_keytab(self): (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n") |
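Review bot: The added lines in `__export_kadmin_changepw_keytab` hand `/etc/sysconfig/ipa-kpasswd` to the directory server account with `os.chown`, although the file sets the environment of the kpasswd service. The init script is not part of this diff. If it sources this file as root, which the `export KRB5_KTNAME=...` shell syntax suggests, then the `ds_user` account can change what a root-started service runs with. Leave the file owned by root and drop the `chown` unless the daemon itself needs to write it. The file is also opened with `"a"`, so every re-run of the installer appends another `export` line and keeps whatever an earlier run or another writer left there; `cfg_fd = open("/etc/sysconfig/ipa-kpasswd", "w")` makes the content deterministic.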