Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 22 | ||||
-rw-r--r-- | ipa-server/ipaserver/ipaldap.py | 77 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 18 |
3 files changed, 97 insertions, 20 deletions
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 775a2f2b..face142a 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -88,8 +88,10 @@ class DsInstance:
self.__create_instance()
self.__add_default_schemas()
self.__enable_ssl()
+ self.__certmap_conf()
self.restart()
self.__add_default_layout()
+ self.__create_test_users()
def config_dirname(self):
if not self.serverid:
@@ -136,7 +138,7 @@ class DsInstance:
args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name]
logging.debug("calling setup-ds.pl")
else:
- args = ["/usr/sbin/ds_newinst.pl", inf_fd.name]
+ args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
logging.debug("calling ds_newinst.pl")
run(args)
logging.debug("completed creating ds instance")
@@ -166,3 +168,21 @@ class DsInstance:
"-w", self.admin_password, "-f", inf_fd.name]
run(args)
logging.debug("done adding default ds layout")
+
+ def __create_test_users(self):
+ logging.debug("create test users ldif")
+ txt = template_file(SHARE_DIR + "test-users-template.ldif", self.sub_dict)
+ user_fd = open(SHARE_DIR+"test-users.ldif", "w")
+ user_fd.write(txt)
+ user_fd.close()
+ logging.debug("done creating test users ldif")
+
+ def __certmap_conf(self):
+ logging.debug("configuring certmap.conf for ds instance")
+ dirname = self.config_dirname()
+ certmap_conf = template_file(SHARE_DIR+"certmap.conf.template", self.sub_dict)
+ certmap_fd = open(dirname+"certmap.conf", "w+")
+ certmap_fd.write(certmap_conf)
+ certmap_fd.close()
+
+ logging.debug("done configuring certmap.conf for ds instance")
diff --git a/ipa-server/ipaserver/ipaldap.py b/ipa-server/ipaserver/ipaldap.py
index f440ae4b..ee0388ca 100644
--- a/ipa-server/ipaserver/ipaldap.py
+++ b/ipa-server/ipaserver/ipaldap.py
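Review bot: `__create_test_users` writes a generated `test-users.ldif` on every install, and hunk 1 of this file wires it unconditionally into the setup sequence right after `__add_default_layout`, so a production directory is prepared with the same canned test accounts as a developer box; the template is not in this diff, so whether it carries known passwords cannot be checked here. Gate it behind an explicit install option that defaults to off, e.g. `if self.create_test_users: self.__create_test_users()`. `__certmap_conf` writes the file the directory server consults to map client certificates to entries, so its integrity matters, yet it is created with whatever mode and ownership the installer happens to run under; since this same commit chowns `/etc/sysconfig/fedora-ds` to the directory-server user in krbinstance, certmap.conf presumably needs the same, `os.chown(dirname+"certmap.conf", pent.pw_uid, pent.pw_gid)` after a `pwd.getpwnam` lookup (assuming DsInstance knows that user and `pwd` is imported). Both writers should also close their file in `try/finally` so a failed write does not leave a truncated file behind.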
@@ -1,6 +1,6 @@
#! /usr/bin/python -E
# Authors: Rich Megginson <richm@redhat.com>
-# Rob Crittenden <rcritten2redhat.com
+# Rob Crittenden <rcritten@redhat.com
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
@@ -33,6 +33,8 @@ import ldap
import cStringIO
import time
import operator
+import struct
+from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
from ldap.ldapobject import SimpleLDAPObject
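Review bot: the proxy-control code added later in this file calls `socket.htonl`, which this import block does not bring in; the imports above line 33 are outside the hunk, so please confirm `socket` is already imported there or add `import socket` beside `import struct`. `DecodeControlTuples` and `EncodeControlTuples` are not referenced anywhere in the diff, so `from ldap.controls import LDAPControl` is enough unless a hunk I cannot see uses them.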
@@ -197,31 +199,25 @@ class IPAdmin(SimpleLDAPObject):
raise
def __localinit__(self):
- SimpleLDAPObject.__init__(self,'ldap://%s:%d' % (self.host,self.port))
- # see if binddn is a dn or a uid that we need to lookup
- if self.binddn and not IPAdmin.is_a_dn(self.binddn):
- self.simple_bind("","") # anon
- ent = self.getEntry(IPAdmin.CFGSUFFIX, ldap.SCOPE_SUBTREE,
- "(uid=%s)" % self.binddn,
- ['uid'])
- if ent:
- self.binddn = ent.dn
- else:
- print "Error: could not find %s under %s" % (self.binddn, IPAdmin.CFGSUFFIX)
- self.simple_bind(self.binddn,self.bindpw)
-# self.__initPart2()
-
- def __init__(self,host,port,binddn,bindpw):
+ SimpleLDAPObject.__init__(self,'ldaps://%s:%d' % (self.host,self.port))
+
+ def __init__(self,host,port,cacert,bindcert,bindkey,proxydn=None):
"""We just set our instance variables and wrap the methods - the real work is done in __localinit__ and __initPart2 - these are separated out this way so that we can call them from places other than instance creation e.g. when using the start command, we just need to reconnect, not create a new instance"""
+# ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert)
+ ldap.set_option(ldap.OPT_X_TLS_CERTFILE,bindcert)
+ ldap.set_option(ldap.OPT_X_TLS_KEYFILE,bindkey)
+
self.__wrapmethods()
self.port = port or 389
self.sslport = 0
self.host = host
- self.binddn = binddn
- self.bindpw = bindpw
+ self.bindcert = bindcert
+ self.bindkey = bindkey
+ self.proxydn = proxydn
# see if is local or not
host1 = IPAdmin.getfqdn(host)
host2 = IPAdmin.getfqdn()
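Review bot: `__localinit__` now connects with `ldaps://`, but `__init__` still defaults `self.port = port or 389`, the cleartext port, so a caller that omits the port gets a TLS handshake against a plain-LDAP listener; the default should follow the scheme, `self.port = port or 636`. The three `ldap.set_option(ldap.OPT_X_TLS_*)` calls are process-global rather than per-connection, so the last IPAdmin constructed silently redefines the CA, certificate and key for every other connection in the process — at least document that, and guard each with `if cacert is not None:` (and likewise for the other two) so a caller passing `None` does not clear, or fail on, a previously configured path. The removed `simple_bind` is not replaced by any bind in this hunk; if client-certificate (SASL EXTERNAL) authentication is intended, that bind still has to happen somewhere, and the docstring still describes `__initPart2`, which no longer exists. `__init__` continues past the end of the hunk.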
@@ -237,7 +233,22 @@ class IPAdmin(SimpleLDAPObject):
def getEntry(self,*args):
"""This wraps the search function. It is common to just get one entry"""
- res = self.search(*args)
+ # 0x04 = Octet String
+ # 4|0x80 sets the length of the length at 4 bytes
+ # the struct() gets us the length in bytes of string s
+ # s is the proxy dn to send
+
+ if self.proxydn is not None:
+ proxydn = chr(0x04) + chr(4|0x80) + struct.pack('l', socket.htonl(len(self.proxydn))) + self.proxydn;
+
+ # Create the proxy control
+ sctrl=[]
+ sctrl.append(LDAPControl('2.16.840.1.113730.3.4.18',True,proxydn))
+ else:
+ sctrl=None
+
+ res = self.search_ext(args[0], args[1], filterstr=args[2], serverctrls=sctrl)
+ type, obj = self.result(res)
if not obj:
raise NoSuchEntryError("no such entry for " + str(args))
@@ -246,10 +257,38 @@ class IPAdmin(SimpleLDAPObject):
else: # assume list/tuple
return obj[0]
+ def getList(self,*args):
+ """This wraps the search function to find all users."""
+
+ res = self.search(*args)
+ type, obj = self.result(res)
+ if not obj:
+ raise NoSuchEntryError("no such entry for " + str(args))
+
+ all_users = []
+ for s in obj:
+ all_users.append(s)
+
+ return all_users
+
def addEntry(self,*args):
"""This wraps the add function. It assumes that the entry is already populated with all of the desired objectclasses and attributes"""
+ if self.proxydn is not None:
+ proxydn = chr(0x04) + chr(4|0x80) + struct.pack('l', socket.htonl(len(self.proxydn))) + self.proxydn;
+
+ # Create the proxy control
+ sctrl=[]
+ sctrl.append(LDAPControl('2.16.840.1.113730.3.4.18',True,proxydn))
+ else:
+ sctrl=None
+
+ # Create the proxy control
+ sctrl=[]
+ sctrl.append(LDAPControl('2.16.840.1.113730.3.4.18',True,proxydn))
+
try:
+ self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)
self.add_s(*args)
except ldap.ALREADY_EXISTS:
raise ldap.ALREADY_EXISTS
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 253c506f..f4fe6001 100644
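Review bot: the length field of the proxied-authorization control value is packed with `struct.pack('l', socket.htonl(...))`, which is the platform's native `long` in native byte order — 8 bytes on LP64 hosts — so it contradicts the `4|0x80` ("four length bytes") tag written just before it and yields a malformed BER length on 64-bit installs; `struct.pack('>I', len(self.proxydn))` is the 4-byte big-endian form the comment describes. `search_ext(args[0], args[1], filterstr=args[2], serverctrls=sctrl)` also drops everything after the filter, so callers that pass an attrlist (as the removed `__localinit__` did with `['uid']`) now get every attribute back. RFC 4370 defines the v2 control (2.16.840.1.113730.3.4.18) value as the raw authzId (`dn:` + DN) rather than a BER OCTET STRING, so it is worth confirming against the directory server's parser before hard-coding this encoding. Since addEntry duplicates the same construction, I would move it into one helper and forward the attrlist:
```python
    def __proxy_controls(self):
        """Return the serverctrls list carrying the proxied-authorization
        control for self.proxydn, or None when no proxy DN is configured."""
        if self.proxydn is None:
            return None
        # BER OCTET STRING: tag 0x04, long-form length with 4 length bytes
        # (0x84), then the length itself in network (big-endian) byte order.
        value = chr(0x04) + chr(4 | 0x80) + struct.pack('>I', len(self.proxydn)) + self.proxydn
        return [LDAPControl('2.16.840.1.113730.3.4.18', True, value)]

    def getEntry(self,*args):
        """This wraps the search function. It is common to just get one entry"""
        attrlist = None
        if len(args) > 3:
            attrlist = args[3]
        res = self.search_ext(args[0], args[1], filterstr=args[2], attrlist=attrlist, serverctrls=self.__proxy_controls())
        type, obj = self.result(res)
        # … unchanged: empty-result check and single-entry return …
```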
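Review bot: after the `if self.proxydn is not None: ... else: sctrl=None` branch, addEntry unconditionally runs a second `sctrl=[]` / `sctrl.append(LDAPControl(..., proxydn))`; when no proxy DN is configured the local `proxydn` was never assigned, so every non-proxied add dies with `UnboundLocalError`, and when one is configured the control is simply built twice. Delete the duplicated three lines. `self.set_option(ldap.OPT_SERVER_CONTROLS, sctrl)` also installs the control as a connection-wide default that persists for later operations on this IPAdmin instead of applying to this one add; passing it per operation, `self.add_ext_s(args[0], args[1], serverctrls=sctrl)`, is explicit and matches what getEntry does with `search_ext`.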
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -28,6 +28,7 @@ from time import gmtime
import os
import pwd
import socket
+import time
from util import *
def host_to_domain(fqdn):
@@ -82,6 +83,8 @@ class KrbInstance:
self.__create_ds_keytab()
+ self.__create_http_keytab()
+ self.__create_sample_bind_zone()
self.start()
@@ -175,3 +178,18 @@ class KrbInstance:
cfg_fd.close()
pent = pwd.getpwnam(self.ds_user)
os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
+
+ def __create_http_keytab(self):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.close()
+ kread.close()
+ kerr.close()
+
+ while not file_exists("/etc/httpd/conf/ipa.keytab"):
+ time.sleep(1)
+ pent = pwd.getpwnam("apache")
+ os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) |
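Review bot: `__create_http_keytab` never checks whether `kadmin.local` succeeded — `kerr` is closed unread and `os.popen3` gives no exit status — so if `addprinc` or `ktadd` fails (realm not initialised, wrong binary path, principal already present) the `while not file_exists(...)` loop at the end of the hunk spins forever. Reading the child's output before closing the pipes also makes the polling sleep unnecessary, since kadmin.local exits once its stdin is closed and the keytab is then either present or not. The HTTP service key is created with whatever mode kadmin.local uses and then handed to `apache`; an explicit `os.chmod(keytab, 0600)` before the chown records the intent and protects against a permissive default. `__create_sample_bind_zone`, called from the hunk above, is not defined anywhere in this diff — it may already exist, but I could not see it.
```python
    def __create_http_keytab(self):
        principal = "HTTP/" + self.fqdn + "@" + self.realm
        keytab = "/etc/httpd/conf/ipa.keytab"
        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
        kwrite.write("addprinc -randkey " + principal + "\n")
        kwrite.write("ktadd -k " + keytab + " " + principal + "\n")
        kwrite.close()
        # kadmin.local exits when its stdin closes; drain stderr so a failure
        # is reported instead of being lost in a closed pipe.
        kread.read()
        errors = kerr.read()
        kread.close()
        kerr.close()
        if not file_exists(keytab):
            raise RuntimeError("kadmin.local did not create " + keytab + ": " + errors)
        # the HTTP service key must be readable by the web server only
        os.chmod(keytab, 0600)
        pent = pwd.getpwnam("apache")
        os.chown(keytab, pent.pw_uid, pent.pw_gid)
```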