diff options
Diffstat (limited to 'ipa-install/src')
| -rw-r--r-- | ipa-install/src/Makefile | 14 | ||||
| -rw-r--r-- | ipa-install/src/ipa-server-install | 60 | ||||
| -rw-r--r-- | ipa-install/src/ipa-server-setupssl | 228 | ||||
| -rw-r--r-- | ipa-install/src/ipa/dsinstance.py | 155 |
4 files changed, 457 insertions, 0 deletions
diff --git a/ipa-install/src/Makefile b/ipa-install/src/Makefile new file mode 100644 index 00000000..f5a0f780 --- /dev/null +++ b/ipa-install/src/Makefile @@ -0,0 +1,14 @@ +PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib(1)") +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa +SBINDIR = $(DESTDIR)/usr/sbin + +all: ; + +install: + -mkdir -p $(PACKAGEDIR) + install -m 644 ipa/*.py $(PACKAGEDIR) + install -m 755 ipa-server-install $(SBINDIR) + install -m 755 ipa-server-setupssl $(SBINDIR) + +clean: + rm -f *~ *.pyc
\ No newline at end of file diff --git a/ipa-install/src/ipa-server-install b/ipa-install/src/ipa-server-install new file mode 100644 index 00000000..e19d0afd --- /dev/null +++ b/ipa-install/src/ipa-server-install @@ -0,0 +1,60 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +# requires the following packages: +# fedora-ds-base +# openldap-clients +# nss-tools + +VERSION = "%prog .1" + +import logging +from optparse import OptionParser +import ipa.dsinstance + +def parse_options(): + parser = OptionParser(version=VERSION) + parser.add_option("-r", "--realm", dest="realm_name", + help="realm name") + parser.add_option("-a", "--host-address", dest="host_name", + help="host address (name or IP address)") + parser.add_option("-p", "--password", dest="password", + help="admin password") + + options, args = parser.parse_args() + + if not options.realm_name or not options.host_name or not options.password: + parser.error("error: password, realm, and host name required") + + return options + +def main(): + logging.basicConfig(level=logging.DEBUG, + format='%(asctime)s %(levelname)s %(message)s', + filename='ipa-install.log', + filemode='w') + options = parse_options() + ds = ipa.dsinstance.DsInstance() + ds.create_instance(options.realm_name, options.host_name, options.password) + + return 0 + +main() diff --git a/ipa-install/src/ipa-server-setupssl b/ipa-install/src/ipa-server-setupssl new file mode 100644 index 00000000..f7532790 --- /dev/null +++ b/ipa-install/src/ipa-server-setupssl @@ -0,0 +1,228 @@ +#!/bin/sh + +if [ "$1" ] ; then + password=$1 +else + echo "password required" + exit 1 +fi + +if [ "$2" -a -d "$2" ] ; then + secdir="$2" +else + secdir=/etc/fedora-ds/slapd-localhost +fi + +if [ "$3" ] ; then + myhost=$3 +else + myhost=`hostname --fqdn` +fi + + +if [ "$4" ] ; then + ldapport=$4 +else + ldapport=389 +fi + +me=`whoami` +if [ "$me" = "root" ] ; then + isroot=1 +fi + +# see if there are already certs and keys +if [ -f $secdir/cert8.db ] ; then + # look for CA cert + if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then + echo "Using existing CA certificate" + else + echo "No CA certificate found - will create new one" + needCA=1 + fi + + # look for server cert + if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then + echo "Using existing directory Server-Cert" + else + echo "No Server Cert found - will create new one" + needServerCert=1 + fi + + # look for admin server cert + if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then + echo "Using existing admin server-cert" + else + echo "No Admin Server Cert found - will create new one" + needASCert=1 + fi + prefix="new-" + prefixarg="-P $prefix" +else + needCA=1 + needServerCert=1 + needASCert=1 +fi + +if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then + echo "No certs needed - exiting" + exit 0 +fi + +# get our user and group +if test -n "$isroot" ; then + uid=`/bin/ls -ald $secdir | awk '{print $3}'` + gid=`/bin/ls -ald $secdir | awk '{print $4}'` +fi + +# 2. Create a password file for your security token password: +if [ -f $secdir/pwdfile.txt ] ; then + echo "Using existing $secdir/pwdfile.txt" +else + (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/pwdfile.txt + fi + chmod 400 $secdir/pwdfile.txt +fi + +# 3. Create a "noise" file for your encryption mechanism: +if [ -f $secdir/noise.txt ] ; then + echo "Using existing $secdir/noise.txt file" +else + (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/noise.txt + fi + chmod 400 $secdir/noise.txt +fi + +# 4. Create the key3.db and cert8.db databases: +certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt +if test -n "$isroot" ; then + chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db +fi +chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db + + +if test -n "$needCA" ; then +# 5. Generate the encryption key: + certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +# 6. Generate the self-signed certificate: + certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +# export the CA cert for use with other apps + certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc + pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt +fi + +if test -n "$needServerCert" ; then +# 7. Generate the server certificate: + certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +fi + +if test -n "$needASCert" ; then +# Generate the admin server certificate + certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt + +# export the admin server certificate/private key for import into its key/cert db + pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/adminserver.p12 + fi + chmod 400 $secdir/adminserver.p12 +fi + +# create the pin file +if [ ! -f $secdir/pin.txt ] ; then + pinfile=$secdir/pin.txt + echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile + if test -n "$isroot" ; then + chown $uid:$gid $pinfile + fi + chmod 400 $pinfile +else + echo Using existing $secdir/pin.txt +fi + +if [ -n "$prefix" ] ; then + # move the old files out of the way + mv $secdir/cert8.db $secdir/orig-cert8.db + mv $secdir/key3.db $secdir/orig-key3.db + # move in the new files - will be used after server restart + mv $secdir/${prefix}cert8.db $secdir/cert8.db + mv $secdir/${prefix}key3.db $secdir/key3.db +fi + +# create the admin server key/cert db +asprefix=admin-serv- +if [ ! -f ${asprefix}cert8.db ] ; then + certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/admin-serv-*.db + fi + chmod 600 $secdir/admin-serv-*.db +fi + +if test -n "$needASCert" ; then +# import the admin server key/cert + pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt + +# import the CA cert to the admin server cert db + certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc +fi + +if [ ! -f $secdir/password.conf ] ; then +# create the admin server password file + echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf + if test -n "$isroot" ; then + chown $uid:$gid $secdir/password.conf + fi + chmod 400 $secdir/password.conf +fi + +# tell admin server to use the password file +if [ -f ../admin-serv/config/nss.conf ] ; then + sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf + if test -n "$isroot" ; then + chown $uid:$gid ../admin-serv/config/nss.conf + fi + chmod 400 ../admin-serv/config/nss.conf +fi + +# enable SSL in the directory server + +ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF +dn: cn=encryption,cn=config +changetype: modify +replace: nsSSL3 +nsSSL3: on +- +replace: nsSSLClientAuth +nsSSLClientAuth: allowed +- +add: nsSSL3Ciphers +nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, + +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza, + +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha, + +tls_rsa_export1024_with_des_cbc_sha + +dn: cn=config +changetype: modify +add: nsslapd-security +nsslapd-security: on +- +replace: nsslapd-ssl-check-hostname +nsslapd-ssl-check-hostname: off + +dn: cn=RSA,cn=encryption,cn=config +changetype: add +objectclass: top +objectclass: nsEncryptionModule +cn: RSA +nsSSLPersonalitySSL: Server-Cert +nsSSLToken: internal (software) +nsSSLActivation: on + +EOF + + diff --git a/ipa-install/src/ipa/dsinstance.py b/ipa-install/src/ipa/dsinstance.py new file mode 100644 index 00000000..43f112e5 --- /dev/null +++ b/ipa-install/src/ipa/dsinstance.py @@ -0,0 +1,155 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging + +SHARE_DIR = "/usr/share/ipa/" + +def generate_serverid(): + """Generate a UUID (universally unique identifier) suitable + for use as a unique identifier for a DS instance. + """ + try: + import uuid + id = str(uuid.uuid1()) + except ImportError: + import commands + id = commands.getoutput("/usr/bin/uuidgen") + return id + +def realm_to_suffix(realm_name): + s = realm_name.split(".") + terms = ["dc=" + x for x in s] + return ",".join(terms) + +def template_str(txt, vars): + return string.Template(txt).substitute(vars) + +def template_file(infilename, vars): + txt = open(infilename).read() + return template_str(txt, vars) + +def write_tmp_file(txt): + fd = tempfile.NamedTemporaryFile() + fd.write(txt) + fd.flush() + + return fd + +def run(args, stdin=None): + p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + if stdin: + stdout,stderr = p.communicate(stdin) + else: + stdout,stderr = p.communicate() + logging.info(stdout) + logging.info(stderr) + + if p.returncode != 0: + raise subprocess.CalledProcessError(p.returncode, args[0]) + + +INF_TEMPLATE = """ +[General] +FullMachineName= $FQHN +SuiteSpotUserID= nobody +ServerRoot= /usr/lib/fedora-ds-base +[slapd] +ServerPort= 389 +ServerIdentifier= $SERVERID +Suffix= $SUFFIX +RootDN= cn=Directory Manager +RootDNPwd= $PASSWORD +""" + +class DsInstance: + def __init__(self): + self.serverid = None + self.realm_name = None + self.host_name = None + self.admin_password = None + self.sub_dict = None + + def create_instance(self, realm_name, host_name, admin_password): + self.serverid = generate_serverid() + self.realm_name = realm_name + self.host_name = host_name + self.admin_password = admin_password + self.__setup_sub_dict() + + self.__create_instance() + self.__add_default_schemas() + self.__enable_ssl() + self.restart() + self.__add_default_layout() + + def config_dirname(self): + if not self.serverid: + raise RuntimeError("serverid not set") + return "/etc/fedora-ds/slapd-" + self.serverid + "/" + + def schema_dirname(self): + return self.config_dirname() + "/schema/" + + def stop(self): + run(["/sbin/service", "fedora-ds", "stop"]) + + def start(self): + run(["/sbin/service", "fedora-ds", "start"]) + + def restart(self): + run(["/sbin/service", "fedora-ds", "restart"]) + + def __setup_sub_dict(self): + suffix = realm_to_suffix(self.realm_name) + self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, + PASSWORD=self.admin_password, SUFFIX=suffix, + REALM=self.realm_name) + + def __create_instance(self): + inf_txt = template_str(INF_TEMPLATE, self.sub_dict) + inf_fd = write_tmp_file(inf_txt) + args = ["/usr/bin/ds_newinst.pl", inf_fd.name] + run(args) + + def __add_default_schemas(self): + shutil.copyfile(SHARE_DIR + "60kerberos.ldif", + self.schema_dirname() + "60kerberos.ldif") + + def __enable_ssl(self): + dirname = self.config_dirname() + args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + dirname, self.host_name] + run(args) + + def __add_default_layout(self): + txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) + inf_fd = write_tmp_file(txt) + args = ["/usr/bin/ldapadd", "-xv", "-D", "cn=Directory Manager", + "-w", self.admin_password, "-f", inf_fd.name] + run(args) + + + + |