author | Rob Crittenden <rcritten@redhat.com> | 2009-05-07 10:51:44 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-05-13 14:09:56 -0400 |
commit | de88954b91f49387421f68a056a2e12cb6e94e7e (patch) | |
tree | b08ac11d60882a2dbe1e2dc6bbc0933ae2bff5b0 /install | |
parent | a2c99b0360b8cc327f1c11c6d3abadc415f80c43 (diff) | |
New tool to enable/disable DS plugin to act as NIS server
Diffstat (limited to 'install')
-rw-r--r-- | install/share/Makefile.am | 3 | ||||
-rw-r--r-- | install/share/nis.uldif | 74 | ||||
-rw-r--r-- | install/tools/Makefile.am | 1 | ||||
-rwxr-xr-x | install/tools/ipa-nis-manage | 186 | ||||
-rw-r--r-- | install/tools/man/Makefile.am | 5 | ||||
-rw-r--r-- | install/tools/man/ipa-nis-manage.1 | 45 |
6 files changed, 311 insertions, 3 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 3a2ef87d5..754da8ee2 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -30,8 +30,9 @@ app_DATA = \ dna-posix.ldif \ master-entry.ldif \ memberof-task.ldif \ + nis.uldif \ unique-attributes.ldif \ - schema_compat.uldif \ + schema_compat.uldif \ $(NULL) EXTRA_DIST = \ diff --git a/install/share/nis.uldif b/install/share/nis.uldif new file mode 100644 index 000000000..78c5fa1ab --- /dev/null +++ b/install/share/nis.uldif 
@@ -0,0 +1,74 @@
+dn: cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: nsSlapdPlugin
+default:objectclass: extensibleObject
+default:cn: NIS Server
+default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
+default:nsslapd-plugininitfunc: nis_plugin_init
+default:nsslapd-plugintype: object
+default:nsslapd-pluginenabled: on
+default:nsslapd-pluginid: nis-server
+default:nsslapd-pluginversion: 0.10
+default:nsslapd-pluginvendor: redhat.com
+default:nsslapd-plugindescription: NIS Server Plugin
+default:nis-tcp-wrappers-name: nis-server
+
+dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: passwd.byname
+default:nis-base: cn=users, cn=accounts, $SUFFIX
+default:nis-secure: no
+
+dn: nis-domain=$DOMAIN+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: passwd.byuid
+default:nis-base: cn=users, cn=accounts, $SUFFIX
+default:nis-secure: no
+
+dn: nis-domain=$DOMAIN+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: group.byname
+default:nis-base: cn=groups, cn=accounts, $SUFFIX
+default:nis-secure: no
+
+dn: nis-domain=$DOMAIN+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: group.bygid
+default:nis-base: cn=groups, cn=accounts, $SUFFIX
+default:nis-secure: no
+
+dn: nis-domain=$DOMAIN+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: group.upg
+default:nis-base: cn=users, cn=accounts, $SUFFIX
+default:nis-filter: (objectclass=posixAccount)
+default:nis-key-format: %{uid}
+default:nis-value-format: %{uid}:*:%{gidNumber}:%{uid}
+default:nis-secure: no
+default:nis-disallowed-chars: :,
+
+dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: netid.byname
+default:nis-base: cn=users, cn=accounts, $SUFFIX
+default:nis-secure: no
+
+dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
+default:objectclass: top
+default:objectclass: extensibleObject
+default:nis-domain: $DOMAIN
+default:nis-map: netgroup
+default:nis-base: cn=ng, cn=compat, cn=accounts, $SUFFIX
+default:nis-secure: no
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 750ab6417..3af13dc15 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -12,6 +12,7 @@ sbin_SCRIPTS = \
 ipa-server-certinstall \
 ipactl \
 ipa-compat-manage \
+ ipa-nis-manage \
 ipa-fix-CVE-2008-3274 \
 ipa-ldap-updater \
 ipa-upgradeconfig \
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
new file mode 100755
index 000000000..0325ca0ad
--- /dev/null
+++ b/install/tools/ipa-nis-manage
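Review bot: Every map in nis.uldif, including `passwd.byname` and `passwd.byuid`, is published with `nis-secure: no`, and the plugin entry ships with `nsslapd-pluginenabled: on`, so once this update is loaded the account maps are answered for any client that can reach the listener. NIS itself carries no authentication or transport protection, and the only restriction visible in the file is `nis-tcp-wrappers-name: nis-server`, which has no effect until an administrator writes matching tcp_wrappers rules for that service name. If `nis-secure` has its usual NIS meaning here (serve the map only to requests from privileged ports; worth confirming against the plugin's documentation), consider `default:nis-secure: yes` on the two passwd maps. Either way a header comment would help, for example `# Access is limited only by the tcp_wrappers service "nis-server"; restrict it before enabling`, assuming the update parser skips `#` lines.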
@@ -0,0 +1,186 @@ +#!/usr/bin/env python +# Authors: Rob Crittenden <rcritten@redhat.com> +# Authors: Simo Sorce <ssorce@redhat.com> +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +try: + from optparse import OptionParser + from ipaserver import ipaldap + from ipapython import entity, ipautil, config + from ipaserver.install import installutils + from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR + from ipalib import errors + import ldap + import logging +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. 
The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +nis_config_dn = "cn=NIS Server, cn=plugins, cn=config" + +def parse_options(): + usage = "%prog [options] <enable|disable>\n" + usage += "%prog [options]\n" + parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) + + parser.add_option("-d", "--debug", action="store_true", dest="debug", + help="Display debugging information about the update(s)") + parser.add_option("-y", dest="password", + help="File containing the Directory Manager password") + + config.add_standard_options(parser) + options, args = parser.parse_args() + + config.init_config(options) + + return options, args + +def get_dirman_password(): + """Prompt the user for the Directory Manager password and verify its + correctness. + """ + password = installutils.read_password("Directory Manager", confirm=False, validate=False) + + return password + +def get_nis_config(conn): + entry = None + try: + entry = conn.getEntry(nis_config_dn, ldap.SCOPE_BASE, "(objectclass=*)") + except errors.NotFound: + pass + except ldap.LDAPError, e: + raise e + + return entry + +def main(): + retval = 0 + loglevel = logging.NOTSET + files=['/usr/share/ipa/nis.uldif'] + + options, args = parse_options() + if options.debug: + loglevel = logging.DEBUG + + if len(args) != 1: + print "You must specify one action, either enable or disable" + sys.exit(1) + elif args[0] != "enable" and args[0] != "disable": + print "Unrecognized action [" + args[0] + "]" + sys.exit(1) + + logging.basicConfig(level=loglevel, + format='%(levelname)s %(message)s') + + dirman_password = "" + if options.password: + pw = ipautil.template_file(options.password, []) + dirman_password = pw.strip() + else: + dirman_password = get_dirman_password() + + try: + try: + conn = ipaldap.IPAdmin(installutils.get_fqdn()) + conn.do_simple_bind(bindpw=dirman_password) + except ldap.LDAPError, e: + print "An error occurred while connecting to the server." 
+ print "%s" % e[0]['desc'] + return 1 + + if args[0] == "enable": + entry = None + try: + entry = get_nis_config(conn) + except ldap.LDAPError, e: + print "An error occurred while talking to the server." + print "%s" % e[0]['desc'] + retval = 1 + + if entry is None: + print "Enabling plugin" + + if entry is None: + # Load the plugin configuration + ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) + retval = ld.update(files) + else: + if entry.getValue('nsslapd-pluginenabled').lower() == "off": + # Already configured, just enable the plugin + print "Enabling plugin" + mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "on")] + + conn.modify_s(nis_config_dn, mod) + else: + print "Plugin already Enabled" + retval = 2 + + elif args[0] == "disable": + try: + mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "off")] + + conn.modify_s(nis_config_dn, mod) + except errors.NotFound: + print "Plugin is already disabled" + retval = 2 + except ldap.LDAPError, e: + print "An error occurred while talking to the server." + print "%s" % e[0]['desc'] + retval = 1 + + else: + retval = 1 + + if retval == 0: + print "This setting will not take effect until you restart Directory Server." + + finally: + if conn: + conn.unbind() + + return retval + +try: + if __name__ == "__main__": + sys.exit(main()) +except BadSyntax, e: + print "There is a syntax error in this update file:" + print " %s" % e + sys.exit(1) +except RuntimeError, e: + print "%s" % e + sys.exit(1) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt, e: + sys.exit(1) +except config.IPAConfigError, e: + print "An IPA server to update cannot be found. Has one been configured yet?" + print "The error was: %s" % e + sys.exit(1) +except ldap.LDAPError, e: + print "An error occurred while performing operations: %s" % e + sys.exit(1) diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index b2c3fa360..bcbea81ac 100644 --- a/install/tools/man/Makefile.am 
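Review bot: The `finally:` block at the end of main() tests `if conn:`, but `conn` is first assigned inside the inner `try`, so when `ipaldap.IPAdmin(...)` itself raises, the `return 1` path reaches `finally` with the name unbound and the tool ends in an unhandled NameError instead of exiting 1; add `conn = None` before the outer `try:`. In the `enable` branch, an LDAPError from get_nis_config() only sets `retval = 1` and leaves `entry` as None, so the code still prints "Enabling plugin" and runs `ld.update(files)`, whose result overwrites the error code; `return 1` in that handler keeps a failed lookup from loading the plugin configuration. The Directory Manager password is sent with `conn.do_simple_bind(bindpw=dirman_password)` on a connection opened as `ipaldap.IPAdmin(installutils.get_fqdn())`; IPAdmin's defaults are not visible in this diff, so it is worth confirming that the bind goes over TLS or ldapi rather than plain LDAP. The docstring of get_dirman_password() also says the password is verified while the call passes `validate=False`, so it should read `"""Prompt the user for the Directory Manager password."""`.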
+++ b/install/tools/man/Makefile.am @@ -10,8 +10,9 @@ man1_MANS = \ ipa-replica-prepare.1 \ ipa-server-certinstall.1 \ ipa-server-install.1 \ - ipa-ldap-updater.1 \ - ipa-compat-manage.1 + ipa-ldap-updater.1 \ + ipa-compat-manage.1 \ + ipa-nis-manage.1 man8_MANS = \ ipactl.8 \ diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 new file mode 100644 index 000000000..ee8ed159e --- /dev/null +++ b/install/tools/man/ipa-nis-manage.1 
@@ -0,0 +1,45 @@
+.\" A man page for ipa-nis-manage
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\"
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; version 2 only
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-nis-manage" "1" "May 6 2009" "freeipa" ""
+.SH "NAME"
+ipa\-nis\-manage \- Enables or disables the NIS listener plugin
+.SH "SYNOPSIS"
+ipa\-nis\-manage [options] <enable|disable>
+.SH "DESCRIPTION"
+Run the command with the \fBenable\fR option to enable the NIS plugin.
+
+Run the command with the \fBdisable\fR option to disable the compat plugin.
+
+In both cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+
+Directory Server will need to be restarted after the NIS listener plugin has been enabled.
+
+.SH "OPTIONS"
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Enable debug logging when more verbose output is needed
+.TP
+\fB\-y\fR \fIfile\fR
+File containing the Directory Manager password
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+2 if the plugin is already in the required status (enabled or disabled) |