| author | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 13:42:02 -0400 |
|---|---|---|
| committer | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-27 13:42:02 -0400 |
| commit | 9d5b946fdafa77b7aca360d2d1e8ce48980c559f (patch) | |
| tree | 993e6ffc6ff823af3ffe91e1428a23bb992a2c0f /ipa-install/src | |
| parent | a471ebe7517a04d67b788b3cfd59cb9aa451da0a (diff) | |
| download | freeipa-9d5b946fdafa77b7aca360d2d1e8ce48980c559f.tar.gz freeipa-9d5b946fdafa77b7aca360d2d1e8ce48980c559f.tar.xz freeipa-9d5b946fdafa77b7aca360d2d1e8ce48980c559f.zip | |
Reorganized repo to reflect packaging.
Diffstat (limited to 'ipa-install/src')
| -rw-r--r-- | ipa-install/src/Makefile | 14 | ||||
| -rw-r--r-- | ipa-install/src/ipa-server-install | 117 | ||||
| -rw-r--r-- | ipa-install/src/ipa-server-setupssl | 228 | ||||
| -rw-r--r-- | ipa-install/src/ipa/__init__.py | 1 | ||||
| -rw-r--r-- | ipa-install/src/ipa/dsinstance.py | 169 | ||||
| -rw-r--r-- | ipa-install/src/ipa/krbinstance.py | 177 |
6 files changed, 0 insertions, 706 deletions
diff --git a/ipa-install/src/Makefile b/ipa-install/src/Makefile
deleted file mode 100644
index f5a0f780d..000000000
--- a/ipa-install/src/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-PYTHONLIBDIR ?= $(shell python -c "from distutils.sysconfig import *; print get_python_lib(1)")
-PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/ipa
-SBINDIR = $(DESTDIR)/usr/sbin
-
-all: ;
-
-install:
- -mkdir -p $(PACKAGEDIR)
- install -m 644 ipa/*.py $(PACKAGEDIR)
- install -m 755 ipa-server-install $(SBINDIR)
- install -m 755 ipa-server-setupssl $(SBINDIR)
-
-clean:
- rm -f *~ *.pyc
\ No newline at end of file
diff --git a/ipa-install/src/ipa-server-install b/ipa-install/src/ipa-server-install
deleted file mode 100644
index 52143eda5..000000000
--- a/ipa-install/src/ipa-server-install
+++ /dev/null
@@ -1,117 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -# requires the following packages: -# fedora-ds-base -# openldap-clients -# nss-tools - -VERSION = "%prog .1" - -import socket -import logging -from optparse import OptionParser -import ipa.dsinstance -import ipa.krbinstance - -def parse_options(): - parser = OptionParser(version=VERSION) - parser.add_option("-u", "--user", dest="ds_user", - help="ds user") - parser.add_option("-r", "--realm", dest="realm_name", - help="realm name") - parser.add_option("-p", "--password", dest="password", - help="admin password") - parser.add_option("-m", "--master-password", dest="master_password", - help="kerberos master password") - parser.add_option("-d", "--debug", dest="debug", action="store_true", - dest="debug", default=False, help="print debugging information") - parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") - - options, args = parser.parse_args() - - if not options.ds_user or not options.realm_name or not options.password or not options.master_password: - parser.error("error: all options are required") - - return options - -def logging_setup(options): - # Always log everything (i.e., DEBUG) to the 
log - # file. - logging.basicConfig(level=logging.DEBUG, - format='%(asctime)s %(levelname)s %(message)s', - filename='ipa-install.log', - filemode='w') - - console = logging.StreamHandler() - # If the debug option is set, also log debug messages to the console - if options.debug: - console.setLevel(logging.DEBUG) - else: - # Otherwise, log critical and error messages - console.setLevel(logging.ERROR) - formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s') - console.setFormatter(formatter) - logging.getLogger('').addHandler(console) - -def main(): - options = parse_options() - logging_setup(options) - - # check the hostname is correctly configured, it must be as the kldap - # utilities just use the hostname as returned by gethostbyname to set - # up some of the standard entries - - if options.host_name: - host_name = options.host_name - else: - host_name = socket.gethostname() - if len(host_name.split(".")) < 2: - print "Invalid hostname <"+host_name+">" - print "Check the /etc/hosts file and make sure to have a valid FQDN" - return "-Fatal Error-" - - if socket.gethostbyname(host_name) == "127.0.0.1": - print "The hostname resolves to the localhost address (127.0.0.1)" - print "Please change your /etc/hosts file or your DNS so that the" - print "hostname resolves to the ip address of your network interface." - print "The KDC service does not listen on 127.0.0.1" - return "-Fatal Error-" - - print "The Final KDC Host Name will be: " + host_name - - - # Create a directory server instance - ds = ipa.dsinstance.DsInstance() - ds.create_instance(options.ds_user, options.realm_name, host_name, - options.password) - - # Create a kerberos instance - krb = ipa.krbinstance.KrbInstance() - krb.create_instance(options.ds_user, options.realm_name, host_name, - options.password, options.master_password) - - #restart ds after the krb instance have add the sasl map - ds.restart() - - return 0 - -main() 
diff --git a/ipa-install/src/ipa-server-setupssl b/ipa-install/src/ipa-server-setupssl
deleted file mode 100644
index f75327907..000000000
--- a/ipa-install/src/ipa-server-setupssl
+++ /dev/null
@@ -1,228 +0,0 @@ -#!/bin/sh - -if [ "$1" ] ; then - password=$1 -else - echo "password required" - exit 1 -fi - -if [ "$2" -a -d "$2" ] ; then - secdir="$2" -else - secdir=/etc/fedora-ds/slapd-localhost -fi - -if [ "$3" ] ; then - myhost=$3 -else - myhost=`hostname --fqdn` -fi - - -if [ "$4" ] ; then - ldapport=$4 -else - ldapport=389 -fi - -me=`whoami` -if [ "$me" = "root" ] ; then - isroot=1 -fi - -# see if there are already certs and keys -if [ -f $secdir/cert8.db ] ; then - # look for CA cert - if certutil -L -d $secdir -n "CA certificate" 2> /dev/null ; then - echo "Using existing CA certificate" - else - echo "No CA certificate found - will create new one" - needCA=1 - fi - - # look for server cert - if certutil -L -d $secdir -n "Server-Cert" 2> /dev/null ; then - echo "Using existing directory Server-Cert" - else - echo "No Server Cert found - will create new one" - needServerCert=1 - fi - - # look for admin server cert - if certutil -L -d $secdir -n "server-cert" 2> /dev/null ; then - echo "Using existing admin server-cert" - else - echo "No Admin Server Cert found - will create new one" - needASCert=1 - fi - prefix="new-" - prefixarg="-P $prefix" -else - needCA=1 - needServerCert=1 - needASCert=1 -fi - -if test -z "$needCA" -a -z "$needServerCert" -a -z "$needASCert" ; then - echo "No certs needed - exiting" - exit 0 -fi - -# get our user and group -if test -n "$isroot" ; then - uid=`/bin/ls -ald $secdir | awk '{print $3}'` - gid=`/bin/ls -ald $secdir | awk '{print $4}'` -fi - -# 2. Create a password file for your security token password: -if [ -f $secdir/pwdfile.txt ] ; then - echo "Using existing $secdir/pwdfile.txt" -else - (ps -ef ; w ) | sha1sum | awk '{print $1}' > $secdir/pwdfile.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/pwdfile.txt - fi - chmod 400 $secdir/pwdfile.txt -fi - -# 3. 
Create a "noise" file for your encryption mechanism: -if [ -f $secdir/noise.txt ] ; then - echo "Using existing $secdir/noise.txt file" -else - (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > $secdir/noise.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/noise.txt - fi - chmod 400 $secdir/noise.txt -fi - -# 4. Create the key3.db and cert8.db databases: -certutil -N $prefixarg -d $secdir -f $secdir/pwdfile.txt -if test -n "$isroot" ; then - chown $uid:$gid $secdir/${prefix}key3.db $secdir/${prefix}cert8.db -fi -chmod 600 $secdir/${prefix}key3.db $secdir/${prefix}cert8.db - - -if test -n "$needCA" ; then -# 5. Generate the encryption key: - certutil -G $prefixarg -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -# 6. Generate the self-signed certificate: - certutil -S $prefixarg -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -# export the CA cert for use with other apps - certutil -L $prefixarg -d $secdir -n "CA certificate" -a > $secdir/cacert.asc - pk12util -d $secdir $prefixarg -o $secdir/cacert.p12 -n "CA certificate" -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt -fi - -if test -n "$needServerCert" ; then -# 7. 
Generate the server certificate: - certutil -S $prefixarg -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt -fi - -if test -n "$needASCert" ; then -# Generate the admin server certificate - certutil -S $prefixarg -n "server-cert" -s "cn=$myhost,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d $secdir -z $secdir/noise.txt -f $secdir/pwdfile.txt - -# export the admin server certificate/private key for import into its key/cert db - pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/adminserver.p12 - fi - chmod 400 $secdir/adminserver.p12 -fi - -# create the pin file -if [ ! -f $secdir/pin.txt ] ; then - pinfile=$secdir/pin.txt - echo 'Internal (Software) Token:'`cat $secdir/pwdfile.txt` > $pinfile - if test -n "$isroot" ; then - chown $uid:$gid $pinfile - fi - chmod 400 $pinfile -else - echo Using existing $secdir/pin.txt -fi - -if [ -n "$prefix" ] ; then - # move the old files out of the way - mv $secdir/cert8.db $secdir/orig-cert8.db - mv $secdir/key3.db $secdir/orig-key3.db - # move in the new files - will be used after server restart - mv $secdir/${prefix}cert8.db $secdir/cert8.db - mv $secdir/${prefix}key3.db $secdir/key3.db -fi - -# create the admin server key/cert db -asprefix=admin-serv- -if [ ! 
-f ${asprefix}cert8.db ] ; then - certutil -N -d $secdir -P $asprefix -f $secdir/pwdfile.txt - if test -n "$isroot" ; then - chown $uid:$gid $secdir/admin-serv-*.db - fi - chmod 600 $secdir/admin-serv-*.db -fi - -if test -n "$needASCert" ; then -# import the admin server key/cert - pk12util -d $secdir -P $asprefix -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt - -# import the CA cert to the admin server cert db - certutil -A -d $secdir -P $asprefix -n "CA certificate" -t "CT,," -a -i $secdir/cacert.asc -fi - -if [ ! -f $secdir/password.conf ] ; then -# create the admin server password file - echo 'internal:'`cat $secdir/pwdfile.txt` > $secdir/password.conf - if test -n "$isroot" ; then - chown $uid:$gid $secdir/password.conf - fi - chmod 400 $secdir/password.conf -fi - -# tell admin server to use the password file -if [ -f ../admin-serv/config/nss.conf ] ; then - sed -e "s@^NSSPassPhraseDialog .*@NSSPassPhraseDialog file:`pwd`/password.conf@" ../admin-serv/config/nss.conf > /tmp/nss.conf && mv /tmp/nss.conf ../admin-serv/config/nss.conf - if test -n "$isroot" ; then - chown $uid:$gid ../admin-serv/config/nss.conf - fi - chmod 400 ../admin-serv/config/nss.conf -fi - -# enable SSL in the directory server - -ldapmodify -x -h localhost -p $ldapport -D "cn=Directory Manager" -w $password <<EOF -dn: cn=encryption,cn=config -changetype: modify -replace: nsSSL3 -nsSSL3: on -- -replace: nsSSLClientAuth -nsSSLClientAuth: allowed -- -add: nsSSL3Ciphers -nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, - +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza, - +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha, - +tls_rsa_export1024_with_des_cbc_sha - -dn: cn=config -changetype: modify -add: nsslapd-security -nsslapd-security: on -- -replace: nsslapd-ssl-check-hostname -nsslapd-ssl-check-hostname: off - -dn: cn=RSA,cn=encryption,cn=config -changetype: add 
-objectclass: top
-objectclass: nsEncryptionModule
-cn: RSA
-nsSSLPersonalitySSL: Server-Cert
-nsSSLToken: internal (software)
-nsSSLActivation: on
-
-EOF
-
-
diff --git a/ipa-install/src/ipa/__init__.py b/ipa-install/src/ipa/__init__.py
deleted file mode 100644
index 8e20eb1b8..000000000
--- a/ipa-install/src/ipa/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-__all__ = ["dsinstance", "krbinstance"]
diff --git a/ipa-install/src/ipa/dsinstance.py b/ipa-install/src/ipa/dsinstance.py
deleted file mode 100644
index b16aa7c51..000000000
--- a/ipa-install/src/ipa/dsinstance.py
+++ /dev/null
@@ -1,169 +0,0 @@ -#! /usr/bin/python -E -# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 or later -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import subprocess -import string -import tempfile -import shutil -import logging -import pwd -import os -import stat -from util import * - - -SHARE_DIR = "/usr/share/ipa/" -SERVER_ROOT_64 = "/usr/lib64/fedora-ds-base" -SERVER_ROOT_32 = "/usr/lib/fedora-ds-base" - - -def generate_serverid(): - """Generate a UUID (universally unique identifier) suitable - for use as a unique identifier for a DS instance. 
- """ - try: - import uuid - id = str(uuid.uuid1()) - except ImportError: - import commands - id = commands.getoutput("/usr/bin/uuidgen") - return id - -def realm_to_suffix(realm_name): - s = realm_name.split(".") - terms = ["dc=" + x.lower() for x in s] - return ",".join(terms) - -def find_server_root(): - try: - mode = os.stat(SERVER_ROOT_64)[ST_MODE] - if stat.IS_DIR(mode): - return SERVER_ROOT_64 - except: - return SERVER_ROOT_32 - - -INF_TEMPLATE = """ -[General] -FullMachineName= $FQHN -SuiteSpotUserID= $USER -ServerRoot= $SERVER_ROOT -[slapd] -ServerPort= 389 -ServerIdentifier= $SERVERID -Suffix= $SUFFIX -RootDN= cn=Directory Manager -RootDNPwd= $PASSWORD -""" - -class DsInstance: - def __init__(self): - self.serverid = None - self.realm_name = None - self.host_name = None - self.admin_password = None - self.sub_dict = None - - def create_instance(self, ds_user, realm_name, host_name, admin_password): - self.ds_user = ds_user - self.serverid = generate_serverid() - self.realm_name = realm_name.upper() - self.host_name = host_name - self.admin_password = admin_password - self.__setup_sub_dict() - - self.__create_ds_user() - self.__create_instance() - self.__add_default_schemas() - self.__enable_ssl() - self.restart() - self.__add_default_layout() - - def config_dirname(self): - if not self.serverid: - raise RuntimeError("serverid not set") - return "/etc/fedora-ds/slapd-" + self.serverid + "/" - - def schema_dirname(self): - return self.config_dirname() + "/schema/" - - def stop(self): - run(["/sbin/service", "fedora-ds", "stop"]) - - def start(self): - run(["/sbin/service", "fedora-ds", "start"]) - - def restart(self): - run(["/sbin/service", "fedora-ds", "restart"]) - - def __setup_sub_dict(self): - suffix = realm_to_suffix(self.realm_name) - server_root = find_server_root() - self.sub_dict = dict(FQHN=self.host_name, SERVERID=self.serverid, - PASSWORD=self.admin_password, SUFFIX=suffix, - REALM=self.realm_name, USER=self.ds_user, - SERVER_ROOT=server_root) 
- - def __create_ds_user(self): - try: - pwd.getpwnam(self.ds_user) - logging.debug("ds user %s exists" % self.ds_user) - except KeyError: - logging.debug("adding ds user %s" % self.ds_user) - args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/fedora-ds", "-M", "-r", "-s", "/sbin/nologin", self.ds_user] - run(args) - logging.debug("done adding user") - - def __create_instance(self): - logging.debug("creating ds instance . . . ") - inf_txt = template_str(INF_TEMPLATE, self.sub_dict) - logging.debug(inf_txt) - inf_fd = write_tmp_file(inf_txt) - logging.debug("writing inf template") - args = ["/usr/bin/ds_newinst.pl", inf_fd.name] - logging.debug("calling ds_newinst.pl") - run(args) - logging.debug("completed creating ds instance") - logging.debug("restarting ds instance") - self.restart() - logging.debug("done restarting ds instance") - - def __add_default_schemas(self): - shutil.copyfile(SHARE_DIR + "60kerberos.ldif", - self.schema_dirname() + "60kerberos.ldif") - shutil.copyfile(SHARE_DIR + "60samba.ldif", - self.schema_dirname() + "60samba.ldif") - - def __enable_ssl(self): - logging.debug("configuring ssl for ds instance") - dirname = self.config_dirname() - args = ["/usr/sbin/ipa-server-setupssl", self.admin_password, - dirname, self.host_name] - run(args) - logging.debug("done configuring ssl for ds instance") - - def __add_default_layout(self): - txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict) - inf_fd = write_tmp_file(txt) - logging.debug("adding default ds layout") - args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager", - "-w", self.admin_password, "-f", inf_fd.name] - run(args) - logging.debug("done adding default ds layout") diff --git a/ipa-install/src/ipa/krbinstance.py b/ipa-install/src/ipa/krbinstance.py deleted file mode 100644 index 253c506f2..000000000 --- a/ipa-install/src/ipa/krbinstance.py +++ /dev/null 
@@ -1,177 +0,0 @@ -#! /usr/bin/python -E -# Authors: Simo Sorce <ssorce@redhat.com> -# -# Copyright (C) 2007 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 or later -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import subprocess -import string -import tempfile -import shutil -import logging -from random import Random -from time import gmtime -import os -import pwd -import socket -from util import * - -def host_to_domain(fqdn): - s = fqdn.split(".") - return ".".join(s[1:]) - -def generate_kdc_password(): - rndpwd = '' - r = Random() - r.seed(gmtime()) - for x in range(12): -# rndpwd += chr(r.randint(32,126)) - rndpwd += chr(r.randint(65,90)) #stricter set for testing - return rndpwd - -def ldap_mod(fd, dn, pwd): - args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name] - run(args) - -class KrbInstance: - def __init__(self): - self.ds_user = None - self.fqdn = None - self.realm = None - self.domain = None - self.host = None - self.admin_password = None - self.master_password = None - self.suffix = None - self.kdc_password = None - self.sub_dict = None - - def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): - self.ds_user = ds_user - self.fqdn = host_name - self.ip = socket.gethostbyname(host_name) - self.realm = realm_name.upper() - self.host = host_name.split(".")[0] - 
self.domain = host_to_domain(host_name) - self.admin_password = admin_password - self.master_password = master_password - - self.suffix = realm_to_suffix(self.realm) - self.kdc_password = generate_kdc_password() - self.__configure_kdc_account_password() - - self.__setup_sub_dict() - - self.__configure_ldap() - - self.__create_instance() - - self.__create_ds_keytab() - - self.__create_sample_bind_zone() - - self.start() - - def stop(self): - run(["/sbin/service", "krb5kdc", "stop"]) - - def start(self): - run(["/sbin/service", "krb5kdc", "start"]) - - def restart(self): - run(["/sbin/service", "krb5kdc", "restart"]) - - def __configure_kdc_account_password(self): - hexpwd = '' - for x in self.kdc_password: - hexpwd += (hex(ord(x))[2:]) - pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+") - pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n") - pwd_fd.close() - - def __setup_sub_dict(self): - self.sub_dict = dict(FQDN=self.fqdn, - IP=self.ip, - PASSWORD=self.kdc_password, - SUFFIX=self.suffix, - DOMAIN=self.domain, - HOST=self.host, - REALM=self.realm) - - def __configure_ldap(self): - - #TODO: test that the ldif is ok with any random charcter we may use in the password - kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict) - kerberos_fd = write_tmp_file(kerberos_txt) - ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password) - kerberos_fd.close() - - #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes - aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict) - aci_fd = write_tmp_file(aci_txt) - ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password) - aci_fd.close() - - def __create_instance(self): - kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict) - kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+") - kdc_fd.write(kdc_conf) - kdc_fd.close() - - krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict) - krb5_fd = 
open("/etc/krb5.conf", "w+") - krb5_fd.write(krb5_conf) - krb5_fd.close() - - #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] - run(args) - - # TODO: NOT called yet, need to find out how to make sure the plugin is available first - def __add_pwd_extop_module(self): - #add the password extop module - extop_txt = template_file(SHARE_DIR + "ipapwd_extop_plugin.ldif", self.sub_dict) - extop_fd = write_tmp_file(extop_txt) - ldap_mod(extop_fd, "cn=Directory Manager", self.admin_password) - extop_fd.close() - - #add an ACL to let the DS user read the master key - args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] - run(args) - - def __create_sample_bind_zone(self): - bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict) - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") - os.write(bind_fd, bind_txt) - os.close(bind_fd) - print "Sample zone file for bind has been created in "+bind_name - - def __create_ds_keytab(self): - (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local") - kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n") - kwrite.flush() - kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n") - kwrite.flush() - kwrite.close() - kread.close() - kerr.close() - - cfg_fd = open("/etc/sysconfig/fedora-ds", "a") - cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n") - cfg_fd.close() - pent = pwd.getpwnam(self.ds_user) - os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid) |
