authorChristian Heimes <cheimes@redhat.com>2016-08-08 16:06:08 +0200
committerMartin Basti <mbasti@redhat.com>2016-08-24 14:26:57 +0200
commitc346a2d1d19dea645d5afbc9578e7d6049d36275 (patch)
treecddc8b1e533eb6d5d4dec3d483322497de260f50 /ipaserver/plugins/server.py
parent775c37bb812604496594524d8c6c7d936b4d3b15 (diff)
Remove Custodia server keys from LDAP
The server-del plugin now removes the Custodia keys for encryption and key signing from LDAP. https://fedorahosted.org/freeipa/ticket/6015 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/plugins/server.py')
-rw-r--r--ipaserver/plugins/server.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b245dcf72..d62c0232c 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -609,6 +609,32 @@ class server_del(LDAPDelete):
message=_("Failed to remove server %(master)s from server "
"list: %(err)s") % dict(master=master, err=e)))
+ def _remove_server_custodia_keys(self, ldap, master):
+ """
+ Delete all Custodia encryption and signing keys
+ """
+ conn = self.Backend.ldap2
+ env = self.api.env
+ # search for memberPrincipal=*/fqdn@realm
+ member_filter = ldap.make_filter_from_attr(
+ 'memberPrincipal', "/{}@{}".format(master, env.realm),
+ exact=False, leading_wildcard=True, trailing_wildcard=False)
+ custodia_subtree = DN(env.container_custodia, env.basedn)
+ try:
+ entries = conn.get_entries(custodia_subtree,
+ ldap.SCOPE_SUBTREE,
+ filter=member_filter)
+ for entry in entries:
+ conn.delete_entry(entry)
+ except errors.NotFound:
+ pass
+ except Exception as e:
+ self.add_message(
+ messages.ServerRemovalWarning(
+ message=_(
+ "Failed to clean up Custodia keys for "
+ "%(master)s: %(err)s") % dict(master=master, err=e)))
+
def _remove_server_host_services(self, ldap, master):
"""
delete server kerberos key and all its svc principals
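Review bot: `_remove_server_custodia_keys` takes an `ldap` argument but only uses it for `make_filter_from_attr` and `SCOPE_SUBTREE`, while the search and the deletes go through a second handle `conn = self.Backend.ldap2`; the sibling helpers in this class take the same `ldap` parameter for the connection, so the two handles should not be mixed. I would drop `conn` and use the parameter throughout: `entries = ldap.get_entries(custodia_subtree, ldap.SCOPE_SUBTREE, filter=member_filter)` and `ldap.delete_entry(entry)`. The docstring should also say what a caller gets on failure, since a delete error is downgraded to a `ServerRemovalWarning` rather than raised: `"""Delete all Custodia encryption and signing keys of *master*. Missing keys are ignored; any other LDAP error is reported as a ServerRemovalWarning and not raised."""`. The substring filter `*/<master>@<realm>` is built through `make_filter_from_attr`, so the hostname is escaped before it reaches the filter, which is the right way to build it. The enclosing class `server_del` starts and ends outside this hunk.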
@@ -682,6 +708,9 @@ class server_del(LDAPDelete):
# remove the references to master's ldap/http principals
self._remove_server_principal_references(pkey)
+ # remove Custodia encryption and signing keys
+ self._remove_server_custodia_keys(ldap, pkey)
+
# finally destroy all Kerberos principals
self._remove_server_host_services(ldap, pkey)