author | Simo Sorce <simo@redhat.com> | 2015-05-08 13:39:29 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-10-01 16:20:48 -0400 |
commit | 4265c7e8759482b82ce60642e51a9d0c45867848 (patch) | |
tree | 1c44443b10b77857b99140c624071e957cad52bb /ipapython/secrets/common.py | |
parent | e3cb6305cc39caf8323ed0d1b729369910c97505 (diff) | |
Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipapython/secrets/common.py')
-rw-r--r-- | ipapython/secrets/common.py | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/ipapython/secrets/common.py b/ipapython/secrets/common.py
new file mode 100644
index 000000000..2b906b649
--- /dev/null
+++ b/ipapython/secrets/common.py
@@ -0,0 +1,45 @@
+# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
+from __future__ import print_function
+import ldap
+import ldap.sasl
+import ldap.filter
+
+
+class iSecLdap(object):
+
+ def __init__(self, uri, auth_type=None):
+ self.uri = uri
+ if auth_type is not None:
+ self.auth_type = auth_type
+ else:
+ if uri.startswith('ldapi'):
+ self.auth_type = 'EXTERNAL'
+ else:
+ self.auth_type = 'GSSAPI'
+ self._basedn = None
+
+ @property
+ def basedn(self):
+ if self._basedn is None:
+ conn = self.connect()
+ r = conn.search_s('', ldap.SCOPE_BASE)
+ self._basedn = r[0][1]['defaultnamingcontext'][0]
+ return self._basedn
+
+ def connect(self):
+ conn = ldap.initialize(self.uri)
+ if self.auth_type == 'EXTERNAL':
+ auth_tokens = ldap.sasl.external(None)
+ elif self.auth_type == 'GSSAPI':
+ auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+ else:
+ raise ValueError(
+ 'Invalid authentication type: %s' % self.auth_type)
+ conn.sasl_interactive_bind_s('', auth_tokens)
+ return conn
+
+ def build_filter(self, formatstr, args):
+ escaped_args = dict()
+ for key, value in args.iteritems():
+ escaped_args[key] = ldap.filter.escape_filter_chars(value)
+ return formatstr.format(**escaped_args) |
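Review bot: `build_filter` escapes only the values in `args`, so its protection against filter injection depends on `formatstr` being a constant supplied by the calling code, and nothing in the class states that; a docstring such as `"""Format a trusted filter template, escaping every value in args for use inside an LDAP filter (not a DN)."""` would make the contract explicit. The same method calls `args.iteritems()`, which exists only on Python 2 although the file imports `print_function`; `for key, value in args.items():` works on both. In `basedn`, the connection returned by `self.connect()` is never unbound, so the lookup leaves a SASL-bound connection open; wrapping the `search_s` call in `try`/`finally` with `conn.unbind_s()` would release it. The read `r[0][1]['defaultnamingcontext'][0]` also assumes the root DSE returns that attribute and surfaces a bare `KeyError` or `IndexError` if it does not.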