From 820479471ef75c3b5da59c2046f56022059b8b06 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 28 Jun 2007 19:09:54 -0400 Subject: Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested! --- ipa-install/src/ipa-server-install | 8 ++ ipa-install/src/ipa/__init__.py | 1 + ipa-install/src/ipa/dsinstance.py | 6 +- ipa-install/src/ipa/krbinstance.py | 153 +++++++++++++++++++++++++++++++++++++ 4 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 ipa-install/src/ipa/__init__.py create mode 100644 ipa-install/src/ipa/krbinstance.py (limited to 'ipa-install/src') diff --git a/ipa-install/src/ipa-server-install b/ipa-install/src/ipa-server-install index e19d0afd..ad49d44d 100644 --- a/ipa-install/src/ipa-server-install +++ b/ipa-install/src/ipa-server-install @@ -29,6 +29,7 @@ VERSION = "%prog .1" import logging from optparse import OptionParser import ipa.dsinstance +import ipa.krbinstance def parse_options(): parser = OptionParser(version=VERSION) @@ -38,6 +39,8 @@ def parse_options(): help="host address (name or IP address)") parser.add_option("-p", "--password", dest="password", help="admin password") + parser.add_option("-m", "--master-password", dest="master_password", + help="kerberos master password") options, args = parser.parse_args() @@ -55,6 +58,11 @@ def main(): ds = ipa.dsinstance.DsInstance() ds.create_instance(options.realm_name, options.host_name, options.password) + krb = ipa.krbinstance.KrbInstance() + krb.create_instance(options.realm_name, options.host_name, options.password, options.master_password) + #restart ds after the krb instance have add the sasl map + ds.restart() + return 0 main() diff --git a/ipa-install/src/ipa/__init__.py b/ipa-install/src/ipa/__init__.py new file mode 100644 index 00000000..8e20eb1b --- /dev/null +++ b/ipa-install/src/ipa/__init__.py @@ -0,0 +1 @@ +__all__ = ["dsinstance", "krbinstance"] diff --git a/ipa-install/src/ipa/dsinstance.py b/ipa-install/src/ipa/dsinstance.py index 43f112e5..1569ec33 100644 --- a/ipa-install/src/ipa/dsinstance.py +++ b/ipa-install/src/ipa/dsinstance.py @@ -6,7 +6,7 @@ # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only +# published by the Free Software Foundation; version 2 or later # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -136,6 +136,8 @@ class DsInstance: def __add_default_schemas(self): shutil.copyfile(SHARE_DIR + "60kerberos.ldif", self.schema_dirname() + "60kerberos.ldif") + shutil.copyfile(SHARE_DIR + "60samba.ldif", + self.schema_dirname() + "60samba.ldif") def __enable_ssl(self): dirname = self.config_dirname() @@ -146,7 +148,7 @@ class DsInstance: def __add_default_layout(self): txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) inf_fd = write_tmp_file(txt) - args = ["/usr/bin/ldapadd", "-xv", "-D", "cn=Directory Manager", + args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", "-w", self.admin_password, "-f", inf_fd.name] run(args) diff --git a/ipa-install/src/ipa/krbinstance.py b/ipa-install/src/ipa/krbinstance.py new file mode 100644 index 00000000..59eb2cef --- /dev/null +++ b/ipa-install/src/ipa/krbinstance.py @@ -0,0 +1,153 @@ +#! /usr/bin/python -E +# Authors: Simo Sorce +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 or later +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import subprocess +import string +import tempfile +import shutil +import logging +from random import Random +from time import gmtime + +SHARE_DIR = "/usr/share/ipa/" + +def realm_to_suffix(realm_name): + s = realm_name.split(".") + terms = ["dc=" + x for x in s] + return ",".join(terms) + +def generate_kdc_password(): + rndpwd = '' + r = Random() + r.seed(gmtime()) + for x in range(12): + rndpwd += chr(r.randint(32,126)) + return rndpwd + +def template_str(txt, vars): + return string.Template(txt).substitute(vars) + +def template_file(infilename, vars): + txt = open(infilename).read() + return template_str(txt, vars) + +def write_tmp_file(txt): + fd = tempfile.NamedTemporaryFile() + fd.write(txt) + fd.flush() + + return fd + +def ldap_mod(fd, dn, pwd): + args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] + run(args) + +def run(args, stdin=None): + p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + if stdin: + stdout,stderr = p.communicate(stdin) + else: + stdout,stderr = p.communicate() + logging.info(stdout) + logging.info(stderr) + + if p.returncode != 0: + raise subprocess.CalledProcessError(p.returncode, args[0]) + +class KrbInstance: + def __init__(self): + self.realm_name = None + self.host_name = None + self.admin_password = None + self.master_password = None + self.suffix = None + self.kdc_password = None + self.sub_dict = None + + def create_instance(self, realm_name, host_name, admin_password, master_password): + self.realm_name = realm_name + self.host_name = host_name + self.admin_password = admin_password + self.master_password = master_password + + self.suffix = realm_to_suffix(self.realm_name) + self.kdc_password = generate_kdc_password() + + self.__setup_sub_dict() + + self.__configure_ldap() + self.__create_instance() + self.start() + + def stop(self): + run(["/sbin/service", "krb5kdc", "stop"]) + + def start(self): + run(["/sbin/service", "krb5kdc", "start"]) + + def restart(self): + run(["/sbin/service", "krb5kdc", "restart"]) + + def __configure_kdc_account_password(self): + hexpwd = '' + for x in self.kdc_password: + hexpwd += (hex(ord(x))[2:]) + pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") + pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") + pwd_fd.close() + + def __setup_sub_dict(self): + self.sub_dict = dict(FQHN=self.host_name, + PASSWORD=self.kdc_password, + SUFFIX=self.suffix, + REALM=self.realm_name) + + def __configure_ldap(self): + + #TODO: test that the ldif is ok with any random charcter we may use in the password + kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) + kerberos_fd = write_tmp_file(kerberos_txt) + ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) + name = kerberos_fd.name + kerberos_fd.close() + os.unlink(name) + + #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes + aci_txt = template_file(SHARE_DIR + "default_aci.ldif", self.sub_dict) + aci_fd = write_tmp_file(aci_txt) + ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) + name = aci_fd.name + aci_fd.close() + os.unlink(name) + + def __create_instance(self): + kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict) + kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") + kdc_fd.write(kdc_conf) + kdc_fd.close() + + krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict) + krb5_fd = open("/etc/krb5.conf", "w+") + krb5_fd.write(krb5_conf) + krb5_fd.close() + + #populate the directory with the realm structure + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"] + run(args) -- cgit