diff options
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r-- | ipaserver/install/plugins/Makefile.am | 16 | ||||
-rw-r--r-- | ipaserver/install/plugins/__init__.py | 28 | ||||
-rw-r--r-- | ipaserver/install/plugins/baseupdate.py | 68 | ||||
-rw-r--r-- | ipaserver/install/plugins/rename_managed.py | 132 | ||||
-rw-r--r-- | ipaserver/install/plugins/updateclient.py | 182 |
5 files changed, 426 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am new file mode 100644 index 000000000..a96d0be5c --- /dev/null +++ b/ipaserver/install/plugins/Makefile.am @@ -0,0 +1,16 @@ +NULL = + +appdir = $(pythondir)/ipaserver/install +app_PYTHON = \ + __init__.py \ + baseupdate.py \ + rename_managed.py \ + updateclient.py \ + $(NULL) + +EXTRA_DIST = \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/ipaserver/install/plugins/__init__.py b/ipaserver/install/plugins/__init__.py new file mode 100644 index 000000000..49bef4df8 --- /dev/null +++ b/ipaserver/install/plugins/__init__.py @@ -0,0 +1,28 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +""" +Provide a separate api for updates. +""" +PRE_UPDATE = 1 +POST_UPDATE = 2 + +FIRST = 1 +MIDDLE = 2 +LAST = 4 diff --git a/ipaserver/install/plugins/baseupdate.py b/ipaserver/install/plugins/baseupdate.py new file mode 100644 index 000000000..227dc917a --- /dev/null +++ b/ipaserver/install/plugins/baseupdate.py @@ -0,0 +1,68 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipalib import api +from ipalib import errors +from ipalib import Updater, Object +from ipaserver.install import service +from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, MIDDLE + +class DSRestart(service.Service): + """ + Restart the 389-ds service. + """ + def __init__(self): + """ + This class is present to provide ldapupdate the means to + restart 389-ds. + """ + service.Service.__init__(self, "dirsrv") + + def create_instance(self): + self.step("stopping directory server", self.stop) + self.step("starting directory server", self.start) + self.start_creation("Restarting Directory server to apply updates") + +class update(Object): + """ + Generic object used to register all updates into a single namespace. + """ + backend_name = 'ldap2' + +api.register(update) + +class PreUpdate(Updater): + """ + Base class for updates that run prior to file processing. + """ + updatetype = PRE_UPDATE + order = MIDDLE + + def __init__(self): + super(PreUpdate, self).__init__() + +class PostUpdate(Updater): + """ + Base class for updates that run after file processing. + """ + updatetype = POST_UPDATE + order = MIDDLE + + def __init__(self): + super(PostUpdate, self).__init__() diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py new file mode 100644 index 000000000..a9eed0be3 --- /dev/null +++ b/ipaserver/install/plugins/rename_managed.py @@ -0,0 +1,132 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST +from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST +from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate +from ipalib.frontend import Updater +from ipaserver.install.plugins import baseupdate +from ipalib import api, errors +from ipapython import ipautil +import ldap as _ldap + +def entry_to_update(entry): + """ + Convert an entry into a name/value pair list that looks like an update. + + An entry is a dict. + + An update is a list of name/value pairs. + """ + update = [] + for attr in entry.keys(): + if isinstance(entry[attr], list): + for i in xrange(len(entry[attr])): + update.append('%s:%s' % (str(attr), str(entry[attr][i]))) + else: + update.append('%s:%s' % (str(attr), str(entry[attr]))) + + return update + +def generate_update(ldap, deletes=False): + """ + We need to separate the deletes that need to happen from the + new entries that need to be added. + """ + suffix = ipautil.realm_to_suffix(api.env.realm) + searchfilter = '(objectclass=*)' + definitions_managed_entries = [] + old_template_container = 'cn=etc,%s' % suffix + old_definition_container = 'cn=managed entries,cn=plugins,cn=config' + new = 'cn=Managed Entries,cn=etc,%s' % suffix + sub = ['cn=Definitions,', 'cn=Templates,'] + new_managed_entries = [] + old_templates = [] + template = None + restart = False + + # If the old entries don't exist the server has already been updated. + try: + (definitions_managed_entries, truncated) = ldap.find_entries( + searchfilter, ['*'], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False + ) + except errors.NotFound, e: + return (False, new_managed_entries) + + for entry in definitions_managed_entries: + new_definition = {} + definition_managed_entry_updates = {} + if deletes: + old_definition = {'dn': str(entry[0]), 'deleteentry': ['dn: %s' % str(entry[0])]} + old_template = str(entry[1]['managedtemplate'][0]) + definition_managed_entry_updates[old_definition['dn']] = old_definition + old_templates.append(old_template) + else: + entry[1]['managedtemplate'] = str(entry[1]['managedtemplate'][0].replace(old_template_container, sub[1] + new)) + new_definition['dn'] = str(entry[0].replace(old_definition_container, sub[0] + new)) + new_definition['default'] = entry_to_update(entry[1]) + definition_managed_entry_updates[new_definition['dn']] = new_definition + new_managed_entries.append(definition_managed_entry_updates) + for old_template in old_templates: # Only happens when deletes is True + try: + (dn, template) = ldap.get_entry(old_template, ['*'], normalize=False) + dn = str(dn) + new_template = {} + template_managed_entry_updates = {} + old_template = {'dn': dn, 'deleteentry': ['dn: %s' % dn]} + new_template['dn'] = str(dn.replace(old_template_container, sub[1] + new)) + new_template['default'] = entry_to_update(template) + template_managed_entry_updates[new_template['dn']] = new_template + template_managed_entry_updates[old_template['dn']] = old_template + new_managed_entries.append(template_managed_entry_updates) + except errors.NotFound, e: + pass + + if len(new_managed_entries) > 0: + restart = True + new_managed_entries.sort(reverse=True) + + return (restart, new_managed_entries) + +class update_managed_post_first(PreUpdate): + """ + Update managed entries + """ + order=FIRST + + def execute(self, **options): + # Never need to restart with the pre-update changes + (ignore, new_managed_entries) = generate_update(self.obj.backend, False) + + return (False, True, new_managed_entries) + +api.register(update_managed_post_first) + +class update_managed_post(PostUpdate): + """ + Update managed entries + """ + order=LAST + + def execute(self, **options): + (restart, new_managed_entries) = generate_update(self.obj.backend, True) + + return (restart, True, new_managed_entries) + +api.register(update_managed_post) diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py new file mode 100644 index 000000000..8f463fa69 --- /dev/null +++ b/ipaserver/install/plugins/updateclient.py @@ -0,0 +1,182 @@ +# Authors: Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +from ipaserver.install import installutils +from ipaserver.install.plugins import FIRST, MIDDLE, LAST +from ipaserver.install.plugins import POST_UPDATE +from ipaserver.install.plugins.baseupdate import DSRestart +from ipaserver.install.ldapupdate import LDAPUpdate +from ipalib import api +from ipalib import backend +import ldap as _ldap + +class updateclient(backend.Executioner): + """ + Backend used for applying LDAP updates via plugins + + An update plugin can be executed before the file-based plugins or + afterward. Each plugin returns three values: + + 1. restart: dirsrv needs to be restarted BEFORE this update is + applied. + 2. apply_now: when True the update is applied when the plugin + returns. Otherwise the update is cached until all + plugins of that update type are complete, then they + are applied together. + 3. updates: A dictionary of updates to be applied. + + updates is a dictionary keyed on dn. The value of an update is a + dictionary with the following possible values: + - dn: str, duplicate of the key + - updates: list of updates against the dn + - default: list of the default entry to be added if it doesn't + exist + - deleteentry: list of dn's to be deleted (typically single dn) + + For example, this update file: + + dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX + replace:krbPwdLockoutDuration:10::600 + replace: krbPwdMaxFailure:3::6 + + Generates this update dictionary: + + dict('cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com': + dict( + 'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', + 'updates': ['replace:krbPwdLockoutDuration:10::600', + 'replace:krbPwdMaxFailure:3::6'] + ) + ) + + Here is another example showing how a default entry is configured: + + dn: cn=Managed Entries,cn=etc,$SUFFIX + default: objectClass: nsContainer + default: objectClass: top + default: cn: Managed Entries + + This generates: + + dict('cn=Managed Entries,cn=etc,dc=example,dc=com', + dict( + 'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com', + 'default': ['objectClass:nsContainer', + 'objectClass:top', + 'cn:Managed Entries' + ] + ) + ) + + Note that the variable substitution in both examples has been completed. + + A PRE_UPDATE plugin is executed before file-based updates. + + A POST_UPDATE plugin is executed after file-based updates. + + Plugins are executed automatically when ipa-ldap-updater is run + in upgrade mode (--upgrade). They are not executed normally otherwise. + To execute plugins as well use the --plugins flag. + + Either may make changes directly in LDAP or can return updates in + update format. + """ + def create_context(self, dm_password): + if dm_password: + autobind = False + else: + autobind = True + self.Backend.ldap2.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password, autobind=autobind) + + def order(self, updatetype): + """ + Calculate rough order of plugins. + """ + order = [] + for plugin in api.Updater(): #pylint: disable=E1101 + if plugin.updatetype != updatetype: + continue + if plugin.order == FIRST: + order.insert(0, plugin) + elif plugin.order == MIDDLE: + order.insert(len(order)/2, plugin) + else: + order.append(plugin) + + for o in order: + yield o + + def update(self, updatetype, dm_password, ldapi, live_run): + """ + Execute all update plugins of type updatetype. + """ + self.create_context(dm_password) + kw = dict(live_run=live_run) + result = [] + ld = LDAPUpdate(dm_password=dm_password, sub_dict={}, live_run=live_run, ldapi=ldapi) + for update in self.order(updatetype): + (restart, apply_now, res) = self.run(update.name, **kw) + if restart: + self.restart(dm_password, live_run) + dn_list = {} + for upd in res: + for dn in upd: + dn_explode = _ldap.explode_dn(dn.lower()) + l = len(dn_explode) + if dn_list.get(l): + if dn not in dn_list[l]: + dn_list[l].append(dn) + else: + dn_list[l] = [dn] + updates = {} + for entry in res: + updates.update(entry) + + if apply_now: + ld.update_from_dict(dn_list, updates) + elif res: + result.extend(res) + + self.destroy_context() + + return result + + def run(self, method, **kw): + """ + Execute the update plugin. + """ + return self.Updater[method](**kw) #pylint: disable=E1101 + + def restart(self, dm_password, live_run): + if os.getegid() != 0: + self.log.warn("Not root, skipping restart") + return + dsrestart = DSRestart() + socket_name = '/var/run/slapd-%s.socket' % \ + api.env.realm.replace('.','-') + if live_run: + self.destroy_context() + dsrestart.create_instance() + installutils.wait_for_open_socket(socket_name) + self.create_context(dm_password) + else: + self.log.warn("Test mode, skipping restart") + +api.register(updateclient) |