diff options
Diffstat (limited to 'ipa-server/ipa-install/src')
| -rw-r--r-- | ipa-server/ipa-install/src/Makefile | 14 | ||||
| -rw-r--r-- | ipa-server/ipa-install/src/ipa-server-install | 117 | ||||
| -rw-r--r-- | ipa-server/ipa-install/src/ipa-server-setupssl | 228 | ||||
| -rw-r--r-- | ipa-server/ipa-install/src/ipa/__init__.py | 1 | ||||
| -rw-r--r-- | ipa-server/ipa-install/src/ipa/dsinstance.py | 169 | ||||
| -rw-r--r-- | ipa-server/ipa-install/src/ipa/krbinstance.py | 177 |
6 files changed, 706 insertions, 0 deletions
diff --git a/ipa-server/ipa-install/src/Makefile b/ipa-server/ipa-install/src/Makefile new file mode 100644 index 00000000..f5a0f780 --- /dev/null +++ b/ipa-server/ipa-install/src/Makefile @@ -0,0 +1,14 @@ +PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib(1)") +PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa +SBINDIR = $(DESTDIR)/usr/sbin + +all: ; + +install: + -mkdir -p $(PACKAGEDIR) + install -m 644 ipa/*.py $(PACKAGEDIR) + install -m 755 ipa-server-install $(SBINDIR) + install -m 755 ipa-server-setupssl $(SBINDIR) + +clean: + rm -f *~ *.pyc
\ No newline at end of file diff --git a/ipa-server/ipa-install/src/ipa-server-install b/ipa-server/ipa-install/src/ipa-server-install new file mode 100644 index 00000000..52143eda --- /dev/null +++ b/ipa-server/ipa-install/src/ipa-server-install @@ -0,0 +1,117 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +# requires the following packages: +# fedora-ds-base +# openldap-clients +# nss-tools + +VERSION = "%prog .1" + +import socket +import logging +from optparse import OptionParser +import ipa.dsinstance +import ipa.krbinstance + +def parse_options(): + parser = OptionParser(version=VERSION) + parser.add_option("-u", "--user", dest="ds_user", + help="ds user") + parser.add_option("-r", "--realm", dest="realm_name", + help="realm name") + parser.add_option("-p", "--password", dest="password", + help="admin password") + parser.add_option("-m", "--master-password", dest="master_password", + help="kerberos master password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + dest="debug", default=False, help="print debugging information") + parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") + + options, args = parser.parse_args() + + if not options.ds_user or not options.realm_name or not options.password or not options.master_password: + parser.error("error: all options are required") + + return options + +def logging_setup(options): + # Always log everything (i.e., DEBUG) to the log + # file. + logging.basicConfig(level=logging.DEBUG, + format='%(asctime)s %(levelname)s %(message)s', + filename='ipa-install.log', + filemode='w') + + console = logging.StreamHandler() + # If the debug option is set, also log debug messages to the console + if options.debug: + console.setLevel(logging.DEBUG) + else: + # Otherwise, log critical and error messages + console.setLevel(logging.ERROR) + formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s') + console.setFormatter(formatter) + logging.getLogger('').addHandler(console) + +def main(): + options = parse_options() + logging_setup(options) + + # check the hostname is correctly configured, it must be as the kldap + # utilities just use the hostname as returned by gethostbyname to set + # up some of the standard entries + + if options.host_name: + host_name = options.host_name + else: + host_name = socket.gethostname() + if len(host_name.split(".")) < 2: + print "Invalid hostname <"+host_name+">" + print "Check the /etc/hosts file and make sure to have a valid FQDN" + return "-Fatal Error-" + + if socket.gethostbyname(host_name) == "127.0.0.1": + print "The hostname resolves to the localhost address (127.0.0.1)" + print "Please change your /etc/hosts file or your DNS so that the" + print "hostname resolves to the ip address of your network interface." + print "The KDC service does not listen on 127.0.0.1" + return "-Fatal Error-" + + print "The Final KDC Host Name will be: " + host_name + + + # Create a directory server instance + ds = ipa.dsinstance.DsInstance() + ds.create_instance(options.ds_user, options.realm_name, host_name, + options.password) + + # Create a kerberos instance + krb = ipa.krbinstance.KrbInstance() + krb.create_instance(options.ds_user, options.realm_name, host_name, + options.password, options.master_password) + + #restart ds after the krb instance have add the sasl map + ds.restart() + + return 0 + +main() diff --git a/ipa-server/ipa-install/src/ipa-server-setupssl b/ipa-server/ipa-install/src/ipa-server-setupssl new file mode 100644 index 00000000..f7532790 --- /dev/null +++ b/ipa-server/ipa-install/src/ipa-server-setupssl @@ -0,0 +1,228 @@ +#!/bin/sh + +if [ "$1" ] ; then + password=$1 +else + echo "password required" + exit 1 +fi + +if [ "$2" -a -d "$2" ] ; then + secdir="$2" +else + secdir=/etc/fedora-ds/slapd-localhost +fi + +if [ "$3" ] ; then + myhost=$3 +else + myhost=`hostname --fqdn` +fi + + +if [ "$4" ] ; then + ldapport=$4 +else + ldapport=389 +fi + +me=`whoami` +if [ "$me" = "root" ] ; then + isroot=1 +fi + +# see if there are already certs and keys +if [ -f $secdir/cert8.db ] ; then + # look for CA cert + if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then + echo "Using existing CA certificate" + else + echo "No CA certificate found - will create new one" + needCA=1 + fi + + # look for server cert + if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then + echo "Using existing directory Server-Cert" + else + echo "No Server Cert found - will create new one" + needServerCert=1 + fi + + # look for admin server cert + if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then + echo "Using existing admin server-cert" + else + echo "No Admin Server Cert found - will create new one" + needASCert=1 + fi + prefix="new-" + prefixarg="-P $prefix" +else + needCA=1 + needServerCert=1 + needASCert=1 +fi + +if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then + echo "No certs needed - exiting" + exit 0 +fi + +# get our user and group +if test -n "$isroot" ; then + uid=`/bin/ls -ald $secdir | awk '{print $3}'` + gid=`/bin/ls -ald $secdir | awk '{print $4}'` +fi + +# 2. Create a password file for your security token password: +if [ -f $secdir/pwdfile.txt ] ; then + echo "Using existing $secdir/pwdfile.txt" +else + (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/pwdfile.txt + fi + chmod 400 $secdir/pwdfile.txt +fi + +# 3. Create a "noise" file for your encryption mechanism: +if [ -f $secdir/noise.txt ] ; then + echo "Using existing $secdir/noise.txt file" +else + (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/noise.txt + fi + chmod 400 $secdir/noise.txt +fi + +# 4. Create the key3.db and cert8.db databases: +certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt +if test -n "$isroot" ; then + chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db +fi +chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db + + +if test -n "$needCA" ; then +# 5. Generate the encryption key: + certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +# 6. Generate the self-signed certificate: + certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +# export the CA cert for use with other apps + certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc + pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt +fi + +if test -n "$needServerCert" ; then +# 7. Generate the server certificate: + certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt +fi + +if test -n "$needASCert" ; then +# Generate the admin server certificate + certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt + +# export the admin server certificate/private key for import into its key/cert db + pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/adminserver.p12 + fi + chmod 400 $secdir/adminserver.p12 +fi + +# create the pin file +if [ ! -f $secdir/pin.txt ] ; then + pinfile=$secdir/pin.txt + echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile + if test -n "$isroot" ; then + chown $uid:$gid $pinfile + fi + chmod 400 $pinfile +else + echo Using existing $secdir/pin.txt +fi + +if [ -n "$prefix" ] ; then + # move the old files out of the way + mv $secdir/cert8.db $secdir/orig-cert8.db + mv $secdir/key3.db $secdir/orig-key3.db + # move in the new files - will be used after server restart + mv $secdir/${prefix}cert8.db $secdir/cert8.db + mv $secdir/${prefix}key3.db $secdir/key3.db +fi + +# create the admin server key/cert db +asprefix=admin-serv- +if [ ! -f ${asprefix}cert8.db ] ; then + certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt + if test -n "$isroot" ; then + chown $uid:$gid $secdir/admin-serv-*.db + fi + chmod 600 $secdir/admin-serv-*.db +fi + +if test -n "$needASCert" ; then +# import the admin server key/cert + pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt + +# import the CA cert to the admin server cert db + certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc +fi + +if [ ! -f $secdir/password.conf ] ; then +# create the admin server password file + echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf + if test -n "$isroot" ; then + chown $uid:$gid $secdir/password.conf + fi + chmod 400 $secdir/password.conf +fi + +# tell admin server to use the password file +if [ -f ../admin-serv/config/nss.conf ] ; then + sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf + if test -n "$isroot" ; then + chown $uid:$gid ../admin-serv/config/nss.conf + fi + chmod 400 ../admin-serv/config/nss.conf +fi + +# enable SSL in the directory server + +ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF +dn: cn=encryption,cn=config +changetype: modify +replace: nsSSL3 +nsSSL3: on +- +replace: nsSSLClientAuth +nsSSLClientAuth: allowed +- +add: nsSSL3Ciphers +nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, + +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza, + +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha, + +tls_rsa_export1024_with_des_cbc_sha + +dn: cn=config +changetype: modify +add: nsslapd-security +nsslapd-security: on +- +replace: nsslapd-ssl-check-hostname +nsslapd-ssl-check-hostname: off + +dn: cn=RSA,cn=encryption,cn=config +changetype: add +objectclass: top +objectclass: nsEncryptionModule +cn: RSA +nsSSLPersonalitySSL: Server-Cert +nsSSLToken: internal (software) +nsSSLActivation: on + +EOF + + diff --git a/ipa-server/ipa-install/src/ipa/__init__.py b/ipa-server/ipa-install/src/ipa/__init__.py new file mode 100644 index 00000000..8e20eb1b --- /dev/null +++ b/ipa-server/ipa-install/src/ipa/__init__.py @@ -0,0 +1 @@ +__all__ = ["dsinstance", "krbinstance"] diff --git a/ipa-server/ipa-install/src/ipa/dsinstance.py b/ipa-server/ipa-install/src/ipa/dsinstance.py new file mode 100644 index 00000000..b16aa7c5 --- /dev/null +++ b/ipa-server/ipa-install/src/ipa/dsinstance.py @@ -0,0 +1,169 @@ +#! /usr/bin/python -E +# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging +import pwd +import os +import stat +from util import * + + +SHARE_DIR = "/usr/share/ipa/" +SERVER_ROOT_64 = "/usr/lib64/fedora-ds-base" +SERVER_ROOT_32 = "/usr/lib/fedora-ds-base" + + +def generate_serverid(): + """Generate a UUID (universally unique identifier) suitable + for use as a unique identifier for a DS instance. + """ + try: + import uuid + id = str(uuid.uuid1()) + except ImportError: + import commands + id = commands.getoutput("/usr/bin/uuidgen") + return id + +def realm_to_suffix(realm_name): + s = realm_name.split(".") + terms = ["dc=" + x.lower() for x in s] + return ",".join(terms) + +def find_server_root(): + try: + mode = os.stat(SERVER_ROOT_64)[ST_MODE] + if stat.IS_DIR(mode): + return SERVER_ROOT_64 + except: + return SERVER_ROOT_32 + + +INF_TEMPLATE = """ +[General] +FullMachineName= $FQHN +SuiteSpotUserID= $USER +ServerRoot= $SERVER_ROOT +[slapd] +ServerPort= 389 +ServerIdentifier= $SERVERID +Suffix= $SUFFIX +RootDN= cn=Directory Manager +RootDNPwd= $PASSWORD +""" + +class DsInstance: + def __init__(self): + self.serverid = None + self.realm_name = None + self.host_name = None + self.admin_password = None + self.sub_dict = None + + def create_instance(self, ds_user, realm_name, host_name, admin_password): + self.ds_user = ds_user + self.serverid = generate_serverid() + self.realm_name = realm_name.upper() + self.host_name = host_name + self.admin_password = admin_password + self.__setup_sub_dict() + + self.__create_ds_user() + self.__create_instance() + self.__add_default_schemas() + self.__enable_ssl() + self.restart() + self.__add_default_layout() + + def config_dirname(self): + if not self.serverid: + raise RuntimeError("serverid not set") + return "/etc/fedora-ds/slapd-" + self.serverid + "/" + + def schema_dirname(self): + return self.config_dirname() + "/schema/" + + def stop(self): + run(["/sbin/service", "fedora-ds", "stop"]) + + def start(self): + run(["/sbin/service", "fedora-ds", "start"]) + + def restart(self): + run(["/sbin/service", "fedora-ds", "restart"]) + + def __setup_sub_dict(self): + suffix = realm_to_suffix(self.realm_name) + server_root = find_server_root() + self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, + PASSWORD=self.admin_password, SUFFIX=suffix, + REALM=self.realm_name, USER=self.ds_user, + SERVER_ROOT=server_root) + + def __create_ds_user(self): + try: + pwd.getpwnam(self.ds_user) + logging.debug("ds user %s exists" % self.ds_user) + except KeyError: + logging.debug("adding ds user %s" % self.ds_user) + args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/fedora-ds", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] + run(args) + logging.debug("done adding user") + + def __create_instance(self): + logging.debug("creating ds instance . . . ") + inf_txt = template_str(INF_TEMPLATE, self.sub_dict) + logging.debug(inf_txt) + inf_fd = write_tmp_file(inf_txt) + logging.debug("writing inf template") + args = ["/usr/bin/ds_newinst.pl", inf_fd.name] + logging.debug("calling ds_newinst.pl") + run(args) + logging.debug("completed creating ds instance") + logging.debug("restarting ds instance") + self.restart() + logging.debug("done restarting ds instance") + + def __add_default_schemas(self): + shutil.copyfile(SHARE_DIR + "60kerberos.ldif", + self.schema_dirname() + "60kerberos.ldif") + shutil.copyfile(SHARE_DIR + "60samba.ldif", + self.schema_dirname() + "60samba.ldif") + + def __enable_ssl(self): + logging.debug("configuring ssl for ds instance") + dirname = self.config_dirname() + args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, + dirname, self.host_name] + run(args) + logging.debug("done configuring ssl for ds instance") + + def __add_default_layout(self): + txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) + inf_fd = write_tmp_file(txt) + logging.debug("adding default ds layout") + args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", + "-w", self.admin_password, "-f", inf_fd.name] + run(args) + logging.debug("done adding default ds layout") diff --git a/ipa-server/ipa-install/src/ipa/krbinstance.py b/ipa-server/ipa-install/src/ipa/krbinstance.py new file mode 100644 index 00000000..253c506f --- /dev/null +++ b/ipa-server/ipa-install/src/ipa/krbinstance.py @@ -0,0 +1,177 @@ +#! /usr/bin/python -E +# Authors: Simo Sorce <ssorce@redhat.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging +from random import Random +from time import gmtime +import os +import pwd +import socket +from util import * + +def host_to_domain(fqdn): + s = fqdn.split(".") + return ".".join(s[1:]) + +def generate_kdc_password(): + rndpwd = '' + r = Random() + r.seed(gmtime()) + for x in range(12): +# rndpwd += chr(r.randint(32,126)) + rndpwd += chr(r.randint(65,90)) #stricter set for testing + return rndpwd + +def ldap_mod(fd, dn, pwd): + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] + run(args) + +class KrbInstance: + def __init__(self): + self.ds_user = None + self.fqdn = None + self.realm = None + self.domain = None + self.host = None + self.admin_password = None + self.master_password = None + self.suffix = None + self.kdc_password = None + self.sub_dict = None + + def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): + self.ds_user = ds_user + self.fqdn = host_name + self.ip = socket.gethostbyname(host_name) + self.realm = realm_name.upper() + self.host = host_name.split(".")[0] + self.domain = host_to_domain(host_name) + self.admin_password = admin_password + self.master_password = master_password + + self.suffix = realm_to_suffix(self.realm) + self.kdc_password = generate_kdc_password() + self.__configure_kdc_account_password() + + self.__setup_sub_dict() + + self.__configure_ldap() + + self.__create_instance() + + self.__create_ds_keytab() + + self.__create_sample_bind_zone() + + self.start() + + def stop(self): + run(["/sbin/service", "krb5kdc", "stop"]) + + def start(self): + run(["/sbin/service", "krb5kdc", "start"]) + + def restart(self): + run(["/sbin/service", "krb5kdc", "restart"]) + + def __configure_kdc_account_password(self): + hexpwd = '' + for x in self.kdc_password: + hexpwd += (hex(ord(x))[2:]) + pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") + pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.close() + + def __setup_sub_dict(self): + self.sub_dict = dict(FQDN=self.fqdn, + IP=self.ip, + PASSWORD=self.kdc_password, + SUFFIX=self.suffix, + DOMAIN=self.domain, + HOST=self.host, + REALM=self.realm) + + def __configure_ldap(self): + + #TODO: test that the ldif is ok with any random charcter we may use in the password + kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) + kerberos_fd = write_tmp_file(kerberos_txt) + ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) + kerberos_fd.close() + + #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes + aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict) + aci_fd = write_tmp_file(aci_txt) + ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) + aci_fd.close() + + def __create_instance(self): + kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict) + kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") + kdc_fd.write(kdc_conf) + kdc_fd.close() + + krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict) + krb5_fd = open("/etc/krb5.conf", "w+") + krb5_fd.write(krb5_conf) + krb5_fd.close() + + #populate the directory with the realm structure + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] + run(args) + + # TODO: NOT called yet, need to find out how to make sure the plugin is available first + def __add_pwd_extop_module(self): + #add the password extop module + extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict) + extop_fd = write_tmp_file(extop_txt) + ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) + extop_fd.close() + + #add an ACL to let the DS user read the master key + args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] + run(args) + + def __create_sample_bind_zone(self): + bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) + [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") + os.write(bind_fd, bind_txt) + os.close(bind_fd) + print "Sample zone file for bind has been created in "+bind_name + + def __create_ds_keytab(self): + (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") + kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") + kwrite.flush() + kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n") + kwrite.flush() + kwrite.close() + kread.close() + kerr.close() + + cfg_fd = open("/etc/sysconfig/fedora-ds", "a") + cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n") + cfg_fd.close() + pent = pwd.getpwnam(self.ds_user) + os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid) |