From 1ac613fc183f03420fa6321e39ad47d15a209e0a Mon Sep 17 00:00:00 2001
From: JR Aquino
Date: Tue, 20 Sep 2011 09:13:42 -0700
Subject: 25 Create Tool for Enabling/Disabling Managed Entry Plugins Remove legacy ipa-host-net-manage Add ipa-managed-entries tool Add man page for ipa-managed-entries tool https://fedorahosted.org/freeipa/ticket/1181
---
 install/tools/Makefile.am | 2 +-
 install/tools/ipa-host-net-manage | 220 ----------------------------
 install/tools/ipa-managed-entries | 252 ++++++++++++++++++++++++++++++++
 install/tools/man/Makefile.am | 2 +-
 install/tools/man/ipa-host-net-manage.1 | 47 ------
 install/tools/man/ipa-managed-entries.1 | 54 +++++++
 6 files changed, 308 insertions(+), 269 deletions(-)
 delete mode 100755 install/tools/ipa-host-net-manage
 create mode 100755 install/tools/ipa-managed-entries
 delete mode 100644 install/tools/man/ipa-host-net-manage.1
 create mode 100644 install/tools/man/ipa-managed-entries.1
(limited to 'install/tools')
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 96da7531..7f1504cd 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -18,7 +18,7 @@ sbin_SCRIPTS = \
 ipactl \
 ipa-compat-manage \
 ipa-nis-manage \
- ipa-host-net-manage \
+ ipa-managed-entries \
 ipa-ldap-updater \
 ipa-upgradeconfig \
 ipa-compliance \
diff --git a/install/tools/ipa-host-net-manage b/install/tools/ipa-host-net-manage
deleted file mode 100755
index 5da7b922..00000000
--- a/install/tools/ipa-host-net-manage
+++ /dev/null
@@ -1,220 +0,0 @@ -#!/usr/bin/python -# Authors: Jr Aquino -# Authors: Rob Crittenden -# Authors: Simo Sorce -# -# Copyright (C) 2010 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -import sys -try: - from optparse import OptionParser - from ipapython import ipautil, config - from ipaserver.install import installutils - from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax - from ipaserver.plugins.ldap2 import ldap2 - from ipalib import api, errors - import logging - import StringIO - import ldif -except ImportError: - print >> sys.stderr, """\ -There was a problem importing one of the required Python modules. The -error was: - - %s -""" % sys.exc_value - sys.exit(1) - -def parse_options(): - usage = "%prog [options] \n" - usage += "%prog [options]\n" - parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) - - parser.add_option("-d", "--debug", action="store_true", dest="debug", - help="Display debugging information about the update(s)") - parser.add_option("-y", dest="password", - help="File containing the Directory Manager password") - - config.add_standard_options(parser) - options, args = parser.parse_args() - - config.init_config(options) - - return options, args - -def get_dirman_password(): - """Prompt the user for the Directory Manager password and verify its - correctness. 
- """ - password = installutils.read_password("Directory Manager", confirm=False, - validate=False) - - return password - -def main(): - retval = 0 - loglevel = logging.ERROR - files = ['/usr/share/ipa/host_nis_groups.ldif'] - def_dn = 'cn=NGP Definition,cn=Managed Entries,cn=plugins,cn=config' - - options, args = parse_options() - if options.debug: - loglevel = logging.DEBUG - - if len(args) != 1: - sys.exit("You must specify one action, either enable or disable") - elif args[0] != "enable" and args[0] != "disable" and args[0] != "status": - sys.exit("Unrecognized action [" + args[0] + "]") - - logging.basicConfig(level=loglevel, - format='%(levelname)s %(message)s') - - dirman_password = "" - if options.password: - pw = ipautil.template_file(options.password, []) - dirman_password = pw.strip() - else: - dirman_password = get_dirman_password() - - api.bootstrap(context='cli', debug=options.debug) - api.finalize() - - conn = None - try: - try: - conn = ldap2(shared_instance=False, base_dn='') - conn.connect( - bind_dn='cn=directory manager', bind_pw=dirman_password - ) - except errors.ExecutionError, lde: - sys.exit("An error occurred while connecting to the server.\n%s\n" % - str(lde)) - except errors.ACIError, e: - sys.exit("Authentication failed: %s" % e.info) - - if args[0] == "status": - try: - dn, current_attr = conn.get_entry(def_dn, ['originfilter'], - normalize=False) - if current_attr['originfilter'] == [u'objectclass=ipahostgroup']: - print "Plugin Enabled" - else: - print "Plugin Disabled" - except errors.NotFound: - print "Plugin Disabled" - except errors.ExecutionError, lde: - print "An error occurred while talking to the server." 
- print lde - return 0 - - if args[0] == "enable": - try: - enable_attr = {'originfilter': 'objectclass=ipahostgroup'} - dn, current_attr = conn.get_entry(def_dn, ['originfilter'], - normalize=False) - if current_attr['originfilter'] == [u'objectclass=ipahostgroup']: - print "Plugin already Enabled" - else: - conn.update_entry(dn, enable_attr) - print "Enabling Plugin" - retval = 2 - except errors.NotFound: - print "Enabling Plugin" - except errors.ExecutionError, lde: - print "An error occurred while talking to the server." - print lde - retval = 1 - - if retval == 0: - ldap_data = StringIO.StringIO() - ldapfile = open(files[0], 'r').readlines() - for line in ldapfile: - if line == 'changetype: add\n': - pass - else: - line = line.replace( - '$SUFFIX', api.env.basedn).replace('$$', '$') - ldap_data.write(line,) - parsing_data = ldif.LDIFRecordList(ldap_data) - print "Enabling Plugin" - print "This setting will not take effect until you restart \ - Directory Server." - for dn, entry_attr in parsing_data.all_records: - try: - conn.update_entry(dn, entry_attr) - retval = 1 - except errors.LDAPError, lde: - print "An error occurred while talking to the server." - print lde - retval = 1 - - elif args[0] == "disable": - # Make a quick hack for now, directly delete the entries by name, - # In future we should consider an alternative means for enabling/ - # disabling. - try: - disable_attr = {'originfilter': 'objectclass=disabled'} - dn, current_attr = conn.get_entry(def_dn, ['originfilter'], - normalize=False) - if current_attr['originfilter'] == [u'objectclass=disabled']: - print "Plugin already disabled" - else: - conn.update_entry(dn, disable_attr) - print "Disabling Plugin" - except errors.NotFound: - print "Plugin is already disabled" - retval = 2 - except errors.DatabaseError, dbe: - print "An error occurred while talking to the server." - print dbe - retval = 1 - except errors.ExecutionError, lde: - print "An error occurred while talking to the server." 
- print lde - retval = 1 - - else: - retval = 1 - - finally: - if conn and conn.isconnected(): - conn.disconnect() - - return retval - -try: - if __name__ == "__main__": - sys.exit(main()) -except BadSyntax, e: - print "There is a syntax error in this update file:" - print " %s" % e - sys.exit(1) -except RuntimeError, e: - print "%s" % e - sys.exit(1) -except SystemExit, e: - sys.exit(e) -except KeyboardInterrupt, e: - sys.exit(1) -except config.IPAConfigError, e: - print "An IPA server to update cannot be found. Has one been configured yet?" - print "The error was: %s" % e - sys.exit(1) -except errors.LDAPError, e: - print "An error occurred while performing operations: %s" % e - sys.exit(1) diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries new file mode 100755 index 00000000..9b3f5471 --- /dev/null +++ b/install/tools/ipa-managed-entries 
@@ -0,0 +1,252 @@ +#!/usr/bin/python +# Authors: Jr Aquino +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import ldap +import re +import sys +try: + from optparse import OptionParser + from ipapython import ipautil, config + from ipaserver.install import installutils + from ipaserver import ipaldap + from ipaserver.plugins.ldap2 import ldap2 + from ipalib import api, errors + from ipalib.dn import * + import logging +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. 
The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +CACERT = "/etc/ipa/ca.crt" + +def parse_options(): + usage = "%prog [options] \n" + usage += "%prog [options]\n" + parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) + + parser.add_option("-d", "--debug", action="store_true", dest="debug", + help="Display debugging information about the update(s)") + parser.add_option("-e", "--entry", dest="managed_entry", + default=None, type="string", + help="DN for the Managed Entry Definition") + parser.add_option("-l", "--list", dest="list_managed_entries", + action="store_true", + help="DN for the Managed Entry Definition") + parser.add_option("-p", dest="dirman_password", + help="Directory Manager password") + + config.add_standard_options(parser) + options, args = parser.parse_args() + + config.init_config(options) + + return options, args + +def get_dirman_password(): + """Prompt the user for the Directory Manager password and verify its + correctness. + """ + password = installutils.read_password("Directory Manager", confirm=False, + validate=True) + + return password + +def main(): + retval = 0 + loglevel = logging.ERROR + def_dn = None + options, args = parse_options() + if options.debug: + loglevel = logging.DEBUG + + if options.list_managed_entries: + pass + elif len(args) != 1: + sys.exit("You must specify an action, either status, enable or disable") + elif args[0] != "enable" and args[0] != "disable" and args[0] != "status": + sys.exit("Unrecognized action [" + args[0] + "]") + logging.basicConfig(level=loglevel, + format='%(levelname)s %(message)s') + + host = installutils.get_fqdn() + api.bootstrap(context='cli', debug=options.debug) + api.finalize() + + managed_entry_definitions_dn = DN( + ('cn', 'Definitions'), + ('cn', 'Managed Entries'), + ('cn', 'etc'), + DN(api.env.basedn) + ) + managed_entry_definitions_dn = str(managed_entry_definitions_dn) + + conn = None + try: + filter = '(objectClass=extensibleObject)' + conn = 
ipaldap.IPAdmin(host, 636, cacert=CACERT) + conn.do_sasl_gssapi_bind() + except ldap.LOCAL_ERROR: + if options.dirman_password: + dirman_password = options.dirman_password + else: + dirman_password = get_dirman_password() + conn.do_simple_bind(bindpw=dirman_password) + except errors.ExecutionError, lde: + sys.exit("An error occurred while connecting to the server.\n%s\n" % + str(lde)) + except errors.ACIError, e: + sys.exit("Authentication failed: %s" % e.info) + + if options.list_managed_entries: + # List available Managed Entry Plugins + managed_entries = None + entries = conn.search_s( + managed_entry_definitions_dn, ldap.SCOPE_SUBTREE, filter + ) + managed_entries = [entry.dn for entry in entries] + if managed_entries: + print "Available Managed Entry Definitions:" + for managed_entry in managed_entries: + rdn = DN(managed_entry) + managed_entry = rdn[0].value + print managed_entry + retval = 0 + sys.exit() + + if not options.managed_entry: + sys.exit("\nYou must specify a managed entry definition") + else: + rdn = DN( + ('cn', options.managed_entry), + DN(managed_entry_definitions_dn) + ) + def_dn = str(rdn) + + disabled = True + try: + entries = conn.search_s(def_dn, + ldap.SCOPE_BASE, + filter, + ['originfilter'], + ) + disable_attr = '(objectclass=disable)' + try: + org_filter = entries[0].originfilter + disabled = re.search(r'%s' % disable_attr, org_filter) + except KeyError: + sys.exit("%s is not a valid Managed Entry" % def_dn) + except ldap.NO_SUCH_OBJECT: + sys.exit("%s is not a valid Managed Entry" % def_dn) + except errors.NotFound: + sys.exit("%s is not a valid Managed Entry" % def_dn) + except errors.ExecutionError, lde: + print "An error occurred while talking to the server." 
+ print lde + + if args[0] == "status": + if not disabled: + print "Plugin Enabled" + else: + print "Plugin Disabled" + return 0 + + if args[0] == "enable": + try: + if not disabled: + print "Plugin already Enabled" + retval = 2 + else: + # Remove disable_attr from filter + enable_attr = org_filter.replace(disable_attr, '') + #enable_attr = {'originfilter': enable_attr} + conn.modify_s( + def_dn, + [(ldap.MOD_REPLACE, + 'originfilter', + enable_attr)] + ) + print "Enabling Plugin" + retval = 0 + except errors.NotFound: + print "Enabling Plugin" + except errors.ExecutionError, lde: + print "An error occurred while talking to the server." + print lde + retval = 1 + + elif args[0] == "disable": + # Set originFilter to objectclass=disabled + # In future we should we should dedicate an attribute for enabling/ + # disabling. + try: + if disabled: + print "Plugin already disabled" + retval = 2 + else: + if org_filter[:2] == '(&' and org_filter[-1] == ')': + disable_attr = org_filter[:2] + disable_attr + org_filter[2:] + else: + disable_attr = '(&%s(%s))' % (disable_attr, org_filter) + conn.modify_s( + def_dn, + [(ldap.MOD_REPLACE, + 'originfilter', + disable_attr)] + ) + print "Disabling Plugin" + except errors.NotFound: + print "Plugin is already disabled" + retval = 2 + except errors.DatabaseError, dbe: + print "An error occurred while talking to the server." + print dbe + retval = 1 + except errors.ExecutionError, lde: + print "An error occurred while talking to the server." + print lde + retval = 1 + + else: + retval = 1 + + return retval + +try: + if __name__ == "__main__": + sys.exit(main()) +except RuntimeError, e: + print "%s" % e + sys.exit(1) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt, e: + sys.exit(1) +except config.IPAConfigError, e: + print "An IPA server to update cannot be found. Has one been configured yet?" 
+ print "The error was: %s" % e + sys.exit(1) +except errors.LDAPError, e: + print "An error occurred while performing operations: %s" % e + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index d5b5976b..91aa23ca 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -18,7 +18,7 @@ man1_MANS = \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ ipa-nis-manage.1 \ - ipa-host-net-manage.1 \ + ipa-managed-entries.1 \ ipa-compliance.1 man8_MANS = \ diff --git a/install/tools/man/ipa-host-net-manage.1 b/install/tools/man/ipa-host-net-manage.1 deleted file mode 100644 index 8b8f0237..00000000 --- a/install/tools/man/ipa-host-net-manage.1 +++ /dev/null 
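Review bot: `-p` in parse_options takes the Directory Manager password directly on the command line (`parser.add_option("-p", dest="dirman_password", help="Directory Manager password")`), which exposes it to every local user through the process list and leaves it in shell history; the removed ipa-host-net-manage read it from a file via `-y`, and the new man page in this commit still documents `-y`. A file-based option can be restored with `parser.add_option("-y", dest="password_file", help="File containing the Directory Manager password")` and, in main, `dirman_password = ipautil.template_file(options.password_file, []).strip()` in place of `options.dirman_password`. The `-l/--list` help string is a copy of the `-e` one (`help="DN for the Managed Entry Definition"`) and should read `help="List available Managed Entry Definitions"`. In main, an `errors.ExecutionError` from the definition search is printed but not fatal, after which `org_filter` is unbound and the enable/disable branches raise NameError; exiting there like the neighbouring except branches would be consistent. The disable branch also wraps a filter that does not start with `(&` as `'(&%s(%s))'`, which produces doubled parentheses if the stored originfilter is already parenthesized — worth confirming against the shipped definitions.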
@@ -1,47 +0,0 @@ -.\" A man page for ipa-host-net-manage -.\" Copyright (C) 2010 Red Hat, Inc. -.\" -.\" This program is free software; you can redistribute it and/or modify -.\" it under the terms of the GNU General Public License as published by -.\" the Free Software Foundation, either version 3 of the License, or -.\" (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, but -.\" WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -.\" General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program. If not, see . -.\" -.\" Author: Jr Aquino -.\" -.TH "ipa-host-net-manage" "1" "Dec 2 2010" "FreeIPA" "FreeIPA Manual Pages" -.SH "NAME" -ipa\-host\-net\-manage \- Enables or disables the schema Managed Entry Hostgroup -to- Netgroup plugin -.SH "SYNOPSIS" -ipa\-host\-net\-manage [options] -.SH "DESCRIPTION" -Run the command with the \fBenable\fR option to enable the Managed Entry Hostgroup -to- Netgroup plugin. - -Run the command with the \fBdisable\fR option to disable the Managed Entry Hostgroup -to- Netgroup plugin. - -Run the command with the \fBstatus\fR to determine the current status of the Managed Entry Hostgroup -to- Netgroup plugin. - -In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used. - -Directory Server will need to be restarted after the schema compatibility plugin has been enabled. - -.SH "OPTIONS" -.TP -\fB\-d\fR, \fB\-\-debug\fR -Enable debug logging when more verbose output is needed -.TP -\fB\-y\fR \fIfile\fR -File containing the Directory Manager password -.SH "EXIT STATUS" -0 if the command was successful - -1 if an error occurred - -2 if the plugin is already in the required status (enabled or disabled) 
diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1
new file mode 100644
index 00000000..24d8d56c
--- /dev/null
+++ b/install/tools/man/ipa-managed-entries.1
@@ -0,0 +1,54 @@
+.\" A man page for ipa-managed-entries
+.\" Copyright (C) 2011 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see .
+.\"
+.\" Author: Jr Aquino
+.\"
+.TH "ipa-managed-entries" "1" "Sept 15 2011" "FreeIPA" "FreeIPA Manual
+Pages"
+.SH "NAME"
+ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
+.SH "SYNOPSIS"
+ipa\-managed\-entries [options]
+.SH "DESCRIPTION"
+Run the command with the \fBenable\fR option to enable the Managed Entry plugin.
+
+Run the command with the \fBdisable\fR option to disable the Managed Entry plugin.
+
+Run the command with the \fBstatus\fR to determine the current status of the Managed Entry plugin.
+
+In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+
+Directory Server will need to be restarted after the Managed Entry plugin has been enabled.
+
+.SH "OPTIONS"
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
+.TP
+\fB\-e\fR, \fB\-\-entries\fR
+DN for the Managed Entry Definition
+.TP
+\fB\-l\fR, \fB-\-list\fR
+List available Managed Entries
+.TP
+\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
+The Directory Manager password to use for authentication
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+2 if the plugin is already in the required status (enabled or disabled)
-- cgit