From 80c4ed7af26b5b6a581ccc8e0a9e65e53e43cc4c Mon Sep 17 00:00:00 2001 From: John Dennis Date: Tue, 6 Nov 2007 16:26:10 -0500 Subject: remove offensive use of rpm add the radiusprofile to the list of objectclasses used when creating a user --- ipa-server/ipaserver/radiusinstance.py | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) (limited to 'ipa-server/ipaserver/radiusinstance.py') diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 27e7527e..2aee09b3 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -44,9 +44,30 @@ LDAP_ATTR_MAP_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'ldap.attrmap') RADIUSD_CONF_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'radiusd.conf') RADIUSD_CONF_TEMPLATE_FILEPATH = os.path.join(SHARE_DIR, 'radius.radiusd.conf.template') +RADIUSD = '/usr/sbin/radiusd' + # FIXME there should a utility to get the user base dn from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer +#------------------------------------------------------------------------------- + +def get_radius_version(): + version = None + try: + p = subprocess.Popen([RADIUSD, '-v'], stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + stdout, stderr = p.communicate() + status = p.returncode + + if status == 0: + match = re.search("radiusd: FreeRADIUS Version (.+), for host", stdout) + if match: + version = match.group(1) + except Exception, e: + pass + return version + + #------------------------------------------------------------------------------- class RadiusInstance(service.Service): @@ -63,12 +84,7 @@ class RadiusInstance(service.Service): self.principal = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm) self.basedn = realm_to_suffix(self.realm) self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this - self.rpm_nvr = get_rpm_nvr_by_name(PKG_NAME) - if self.rpm_nvr is not None: - self.rpm_name, self.rpm_version, self.rpm_release = split_rpm_nvr(self.rpm_nvr) - else: - self.rpm_name = self.rpm_version = self.rpm_release = None - + self.radius_version = get_radius_version() self.start_creation(4, "Configuring radiusd") try: @@ -93,7 +109,7 @@ class RadiusInstance(service.Service): def __radiusd_conf(self): self.step('configuring radiusd.conf for radius instance') - version = 'IPA_RADIUS_VERSION=%s RADIUS_PACKAGE_VERSION=%s' % (IPA_RADIUS_VERSION, self.rpm_nvr) + version = 'IPA_RADIUS_VERSION=%s FREE_RADIUS_VERSION=%s' % (IPA_RADIUS_VERSION, self.radius_version) sub_dict = {'CONFIG_FILE_VERSION_INFO' : version, 'LDAP_SERVER' : self.ldap_server, 'RADIUS_KEYTAB' : IPA_KEYTAB_FILEPATH, -- cgit From 84275328a0f5ff1ac0ddad65da18b7636312c0c1 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Sat, 10 Nov 2007 00:09:07 -0500 Subject: radius now does kerberos auth, reads client entries from LDAP --- ipa-server/ipaserver/radiusinstance.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'ipa-server/ipaserver/radiusinstance.py') diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 2aee09b3..90727758 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -79,10 +79,11 @@ class RadiusInstance(service.Service): def create_instance(self, realm_name, host_name, ldap_server): self.realm = realm_name.upper() + self.suffix = realm_to_suffix(self.realm) self.fqdn = host_name self.ldap_server = ldap_server self.principal = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm) - self.basedn = realm_to_suffix(self.realm) + self.basedn = self.suffix self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this self.radius_version = get_radius_version() self.start_creation(4, "Configuring radiusd") @@ -115,7 +116,9 @@ class RadiusInstance(service.Service): 'RADIUS_KEYTAB' : IPA_KEYTAB_FILEPATH, 'RADIUS_PRINCIPAL' : self.principal, 'RADIUS_USER_BASE_DN' : self.user_basedn, - 'ACCESS_ATTRIBUTE' : 'dialupAccess' + 'ACCESS_ATTRIBUTE' : '', + 'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE', + 'CLIENTS_BASEDN' : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix } try: radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict) -- cgit From eab5a89d4a3e8159348b5a709cd4401c9784f058 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Tue, 13 Nov 2007 20:05:02 -0500 Subject: ipa-addradiusclient now working --- ipa-server/ipaserver/radiusinstance.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'ipa-server/ipaserver/radiusinstance.py') diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 38091d69..8317da03 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -122,7 +122,8 @@ class RadiusInstance(service.Service): 'RADIUS_USER_BASE_DN' : self.user_basedn, 'ACCESS_ATTRIBUTE' : '', 'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE', - 'CLIENTS_BASEDN' : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix + 'CLIENTS_BASEDN' : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix, + 'SUFFIX' : self.suffix, } try: radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict) @@ -164,10 +165,11 @@ class RadiusInstance(service.Service): except Exception, e: logging.error("could not chown on %s to %s: %s", IPA_KEYTAB_FILEPATH, RADIUS_USER, e) + #FIXME, should use IPAdmin method def __set_ldap_encrypted_attributes(self): ldif_file = 'encrypted_attribute.ldif' self.step("setting ldap encrypted attributes") - ldif_txt = template_file(SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret') + ldif_txt = template_file(SHARE_DIR + ldif_file, {'ENCRYPTED_ATTRIBUTE':'radiusClientSecret'}) ldif_fd = write_tmp_file(ldif_txt) try: ldap_mod(ldif_fd, "cn=Directory Manager", self.dm_password) -- cgit From d98686e96758870cb4a56d41fb0aaae54d4067c5 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Wed, 21 Nov 2007 13:11:10 -0500 Subject: Add radius profile implementations: get_radius_profile_by_uid add_radius_profile update_radius_profile delete_radius_profile find_radius_profiles Rewrite command line arg handling, now support pair entry, interactive mode with auto completion, reading pairs from a file, better handling of mandatory values, better help, long arg names now match attribute name in pairs Establish mappings for all attributes and names used in clients and profiles Add notion of containers to radius clients and profiles in LDAP Move common code, variables, constants, and strings into the files radius_client.py, radius_util.py, ipautil.py to eliminate redundant elements which could get out of sync if modified and to provide access to other code which might benefit from using these items in the future. Add utility functions: format_list() parse_key_value_pairs() Add utility class: AttributeValueCompleter Unify attribute usage in radius ldap schema --- ipa-server/ipaserver/radiusinstance.py | 67 ++++++++-------------------------- 1 file changed, 16 insertions(+), 51 deletions(-) (limited to 'ipa-server/ipaserver/radiusinstance.py') diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 8317da03..0c94c713 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -26,6 +26,7 @@ import logging import pwd import time from ipa.ipautil import * +from ipa import radius_util import service @@ -33,18 +34,6 @@ import os import re IPA_RADIUS_VERSION = '0.0.0' -PKG_NAME = 'freeradius' -PKG_CONFIG_DIR = '/etc/raddb' - -RADIUS_SERVICE_NAME = 'radius' -RADIUS_USER = 'radiusd' - -IPA_KEYTAB_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'ipa.keytab') -LDAP_ATTR_MAP_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'ldap.attrmap') -RADIUSD_CONF_FILEPATH = os.path.join(PKG_CONFIG_DIR, 'radiusd.conf') -RADIUSD_CONF_TEMPLATE_FILEPATH = os.path.join(SHARE_DIR, 'radius.radiusd.conf.template') - -RADIUSD = '/usr/sbin/radiusd' # FIXME there should a utility to get the user base dn from ipaserver.funcs import DefaultUserContainer, DefaultGroupContainer @@ -58,7 +47,7 @@ def ldap_mod(fd, dn, pwd): def get_radius_version(): version = None try: - p = subprocess.Popen([RADIUSD, '-v'], stdout=subprocess.PIPE, + p = subprocess.Popen([radius_util.RADIUSD, '-v'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = p.communicate() status = p.returncode @@ -86,7 +75,7 @@ class RadiusInstance(service.Service): self.suffix = realm_to_suffix(self.realm) self.fqdn = host_name self.ldap_server = ldap_server - self.principal = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm) + self.principal = "%s/%s@%s" % (radius_util.RADIUS_SERVICE_NAME, self.fqdn, self.realm) self.basedn = self.suffix self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this self.radius_version = get_radius_version() @@ -117,34 +106,34 @@ class RadiusInstance(service.Service): version = 'IPA_RADIUS_VERSION=%s FREE_RADIUS_VERSION=%s' % (IPA_RADIUS_VERSION, self.radius_version) sub_dict = {'CONFIG_FILE_VERSION_INFO' : version, 'LDAP_SERVER' : self.ldap_server, - 'RADIUS_KEYTAB' : IPA_KEYTAB_FILEPATH, + 'RADIUS_KEYTAB' : radius_util.RADIUS_IPA_KEYTAB_FILEPATH, 'RADIUS_PRINCIPAL' : self.principal, 'RADIUS_USER_BASE_DN' : self.user_basedn, 'ACCESS_ATTRIBUTE' : '', 'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE', - 'CLIENTS_BASEDN' : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix, + 'CLIENTS_BASEDN' : radius_util.radius_clients_basedn(None, self.suffix), 'SUFFIX' : self.suffix, } try: - radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict) - radiusd_fd = open(RADIUSD_CONF_FILEPATH, 'w+') + radiusd_conf = template_file(radius_util.RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict) + radiusd_fd = open(radius_util.RADIUSD_CONF_FILEPATH, 'w+') radiusd_fd.write(radiusd_conf) radiusd_fd.close() except Exception, e: - logging.error("could not create %s: %s", RADIUSD_CONF_FILEPATH, e) + logging.error("could not create %s: %s", radius_util.RADIUSD_CONF_FILEPATH, e) def __create_radius_keytab(self): self.step("create radiusd keytab") try: - if file_exists(IPA_KEYTAB_FILEPATH): - os.remove(IPA_KEYTAB_FILEPATH) + if file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH): + os.remove(radius_util.RADIUS_IPA_KEYTAB_FILEPATH) except os.error: - logging.error("Failed to remove %s", IPA_KEYTAB_FILEPATH) + logging.error("Failed to remove %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH) (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") kwrite.write("addprinc -randkey %s\n" % (self.principal)) kwrite.flush() - kwrite.write("ktadd -k %s %s\n" % (IPA_KEYTAB_FILEPATH, self.principal)) + kwrite.write("ktadd -k %s %s\n" % (radius_util.RADIUS_IPA_KEYTAB_FILEPATH, self.principal)) kwrite.flush() kwrite.close() kread.close() @@ -152,7 +141,7 @@ class RadiusInstance(service.Service): # give kadmin time to actually write the file before we go on retry = 0 - while not file_exists(IPA_KEYTAB_FILEPATH): + while not file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH): time.sleep(1) retry += 1 if retry > 15: @@ -160,10 +149,10 @@ class RadiusInstance(service.Service): os.exit() try: - pent = pwd.getpwnam(RADIUS_USER) - os.chown(IPA_KEYTAB_FILEPATH, pent.pw_uid, pent.pw_gid) + pent = pwd.getpwnam(radius_util.RADIUS_USER) + os.chown(radius_util.RADIUS_IPA_KEYTAB_FILEPATH, pent.pw_uid, pent.pw_gid) except Exception, e: - logging.error("could not chown on %s to %s: %s", IPA_KEYTAB_FILEPATH, RADIUS_USER, e) + logging.error("could not chown on %s to %s: %s", radius_util.RADIUS_IPA_KEYTAB_FILEPATH, radius_util.RADIUS_USER, e) #FIXME, should use IPAdmin method def __set_ldap_encrypted_attributes(self): @@ -179,27 +168,3 @@ class RadiusInstance(service.Service): #------------------------------------------------------------------------------- -# FIXME: this should be in a common area so it can be shared -def get_ldap_attr_translations(): - comment_re = re.compile('#.*$') - radius_attr_to_ldap_attr = {} - ldap_attr_to_radius_attr = {} - try: - f = open(LDAP_ATTR_MAP_FILEPATH) - for line in f.readlines(): - line = comment_re.sub('', line).strip() - if not line: continue - attr_type, radius_attr, ldap_attr = line.split() - print 'type="%s" radius="%s" ldap="%s"' % (attr_type, radius_attr, ldap_attr) - radius_attr_to_ldap_attr[radius_attr] = {'ldap_attr':ldap_attr, 'attr_type':attr_type} - ldap_attr_to_radius_attr[ldap_attr] = {'radius_attr':radius_attr, 'attr_type':attr_type} - f.close() - except Exception, e: - logging.error('cold not read radius ldap attribute map file (%s): %s', LDAP_ATTR_MAP_FILEPATH, e) - pass # FIXME - - #for k,v in radius_attr_to_ldap_attr.items(): - # print '%s --> %s' % (k,v) - #for k,v in ldap_attr_to_radius_attr.items(): - # print '%s --> %s' % (k,v) - -- cgit From 9a8326c5c1d281def17852e6de9708b827f5f959 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Fri, 23 Nov 2007 10:35:22 -0500 Subject: clean up radius client command line tools --- ipa-server/ipaserver/radiusinstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'ipa-server/ipaserver/radiusinstance.py') diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 0c94c713..dd14bf20 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -18,6 +18,7 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +import sys import subprocess import string import tempfile @@ -123,7 +124,7 @@ class RadiusInstance(service.Service): logging.error("could not create %s: %s", radius_util.RADIUSD_CONF_FILEPATH, e) def __create_radius_keytab(self): - self.step("create radiusd keytab") + self.step("creating a keytab for httpd") try: if file_exists(radius_util.RADIUS_IPA_KEYTAB_FILEPATH): os.remove(radius_util.RADIUS_IPA_KEYTAB_FILEPATH) @@ -146,7 +147,7 @@ class RadiusInstance(service.Service): retry += 1 if retry > 15: print "Error timed out waiting for kadmin to finish operations\n" - os.exit() + sys.exit() try: pent = pwd.getpwnam(radius_util.RADIUS_USER) -- cgit