    def __add_ipa_ca_record(self):
        """Add ipa-ca records for this host and, on the first instance, for
        every other master that has a CA configured.

        CA-enabled masters are found in the ``cn=masters,cn=ipa,cn=etc``
        subtree via their ``cn=CA`` config objects.  For each remote master
        the addresses are taken from its forward records when the zone is
        served by IPA DNS, otherwise from a resolver lookup.
        """
        self.__add_ipa_ca_records(self.fqdn, self.ip_addresses,
                                  self.ca_configured)

        if not self.first_instance:
            return

        ldap = self.api.Backend.ldap2
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        api.env.basedn)
        try:
            ca_entries = ldap.get_entries(
                masters_dn, ldap.SCOPE_SUBTREE,
                '(&(objectClass=ipaConfigObject)(cn=CA))', ['dn'])
        except errors.NotFound:
            root_logger.debug('No server with CA found')
            ca_entries = []

        for ca_entry in ca_entries:
            # The second RDN of the CA config entry is expected to be the
            # owning master's FQDN.
            master_fqdn = ca_entry.dn[1]['cn']
            if master_fqdn == self.fqdn:
                # Own records were added above.
                continue

            host, zone = master_fqdn.split('.', 1)
            if dns_zone_exists(zone, self.api):
                addrs = get_fwd_rr(zone, host, self.api)
            else:
                # NOTE(review): plain resolver lookup; the addresses are only
                # as trustworthy as the resolver path used by this host.
                addrs = installutils.resolve_host(master_fqdn)

            self.__add_ipa_ca_records(master_fqdn, addrs, True)
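def authorise_ldap(username, password, binddn, server, ent):
    """Authenticate *username*/*password* against an LDAP directory.

    The directory at *server* is searched below *binddn* for the single entry
    whose *ent* attribute equals *username* (e.g. ``ent="uid"``; the original
    wrote this as ``ent.u``), and the DN found is then bound with *password*.

    Defects fixed relative to the original:

    * ``simple_bind`` (asynchronous) returns a message id, which is always
      truthy, so the original reported success for any password; the bind is
      now synchronous and ``INVALID_CREDENTIALS`` yields False.
    * an empty password is rejected up front, because LDAP treats a bind with
      a DN and no password as an anonymous bind that succeeds.
    * ``putenv("TLS_REQCERT=never")`` disabled certificate verification for
      the whole process; it is gone, so the library default applies.
    * the login name is escaped before being placed in the search filter.
    * the *server* argument is no longer overwritten with the connection
      object, and the second, hard-coded host is not used.

    Args:
        username: value to look up in the *ent* attribute.
        password: password to bind with.
        binddn: search base for the user lookup.
        server: directory host, ``host:port`` or a full ``ldap(s)://`` URL.
            Use ``ldaps://`` so the password does not cross the wire in clear.
        ent: attribute name holding the login name.

    Returns:
        True only when the user's own DN binds with *password*.

    Raises:
        ldap.LDAPError: for connection or search failures other than a
            rejected password (fail closed in the caller).
    """
    from ldap.filter import escape_filter_chars

    if not username or not password:
        return False

    url = server if '://' in server else 'ldap://' + server
    conn = ldap.initialize(url)
    try:
        conn.protocol_version = ldap.VERSION3
        conn.set_option(ldap.OPT_REFERRALS, 0)

        # Anonymous bind for the lookup, as the original did via ldap.bind().
        conn.simple_bind_s()
        # RFC 4515 escaping keeps the value from altering the filter.
        user_filter = '(%s=%s)' % (ent, escape_filter_chars(username))
        found = conn.search_s(binddn, ldap.SCOPE_SUBTREE, user_filter, ['dn'])
        # Search references come back with a None dn; keep real entries only.
        dns = [dn for dn, _attrs in found if dn is not None]
        if len(dns) != 1:
            return False

        # Synchronous bind with the user's DN: this is the actual check.
        try:
            conn.simple_bind_s(dns[0], password)
        except ldap.INVALID_CREDENTIALS:
            return False
        return True
    finally:
        conn.unbind_s()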
    def _remove_server_host_services(self, ldap, master):
        """
        Delete the server's Kerberos host key and all of its service
        principals.

        Every ``*/<master>@<realm>`` principal below the base DN is deleted,
        longest DN first.  When ``master`` is this very host the ``ldap/``
        principal is kept: server-del is then running on the machine being
        removed and deleting it would break replication, so the topology
        plugin cleans it up later (tracked under
        https://pagure.io/freeipa/issue/7359).

        "Nothing found" is fine; any other failure is reported as a
        ServerRemovalWarning message instead of raised.  The filter is built
        by string formatting, so ``master`` is assumed to be an
        already-validated host name.
        """
        try:
            principal_filter = '(krbprincipalname=*/{}@{})'.format(
                master, self.api.env.realm)
            if master == self.api.env.host:
                # Exclude the ldap principal; see the docstring.
                principal_filter = '(&{}(!(krbprincipalname=ldap/*)))'.format(
                    principal_filter)

            entries = ldap.get_entries(self.api.env.basedn,
                                       ldap.SCOPE_SUBTREE,
                                       filter=principal_filter)

            if entries:
                # Longest DN first, presumably so children precede parents.
                ordered = sorted(entries, key=lambda x: len(x.dn),
                                 reverse=True)
                for entry in ordered:
                    ldap.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception as e:
            self.add_message(
                messages.ServerRemovalWarning(
                    message=_("Failed to cleanup server principals/keys: "
                              "%(err)s") % dict(err=e)))
    def __add_ipa_ca_record(self):
        """Add ipa-ca records for this host and, on the first instance, for
        every other master that has a CA configured.

        CA-enabled masters are found in the ``cn=masters,cn=ipa,cn=etc``
        subtree via their ``cn=CA`` config objects.  For each remote master
        the addresses are taken from its forward records when the zone is
        served by IPA DNS, otherwise from a resolver lookup.
        """
        self.__add_ipa_ca_records(self.fqdn, self.ip_addresses,
                                  self.ca_configured)

        if not self.first_instance:
            return

        ldap = self.api.Backend.ldap2
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        api.env.basedn)
        try:
            ca_entries = ldap.get_entries(
                masters_dn, ldap.SCOPE_SUBTREE,
                '(&(objectClass=ipaConfigObject)(cn=CA))', ['dn'])
        except errors.NotFound:
            root_logger.debug('No server with CA found')
            ca_entries = []

        for ca_entry in ca_entries:
            # The second RDN of the CA config entry is expected to be the
            # owning master's FQDN.
            master_fqdn = ca_entry.dn[1]['cn']
            if master_fqdn == self.fqdn:
                # Own records were added above.
                continue

            host, zone = master_fqdn.split('.', 1)
            if dns_zone_exists(zone, self.api):
                addrs = get_fwd_rr(zone, host, self.api)
            else:
                # NOTE(review): plain resolver lookup; the addresses are only
                # as trustworthy as the resolver path used by this host.
                addrs = installutils.resolve_host(master_fqdn)

            self.__add_ipa_ca_records(master_fqdn, addrs, True)
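def information_ldap(user, binddn, server, entry):
    """Look up *user*'s directory entry.

    Searches the directory at *server* below *binddn* for entries whose
    *entry* attribute equals *user* and returns the python-ldap result list
    ``[(dn, attrs)]`` when exactly one entry matches; otherwise returns ``''``
    (the original's "nothing found" value, kept for existing callers).

    Defects fixed relative to the original: the body referred to undefined
    names ``ent`` and ``u`` (the parameters are ``entry`` and ``user``);
    the entry count was compared with the connection object instead of 1;
    *server* was ignored in favour of a hard-coded host; the lookup value was
    concatenated into the filter unescaped; and ``putenv("TLS_REQCERT=never")``
    disabled certificate verification for the whole process.

    Args:
        user: login name to look up.
        binddn: search base.
        server: directory host, ``host:port`` or a full ``ldap(s)://`` URL.
        entry: name of the attribute holding the login name.

    Returns:
        The single matching ``(dn, attrs)`` result list, or ``''``.

    Raises:
        ldap.LDAPError: for connection or search failures.
    """
    from ldap.filter import escape_filter_chars

    info = ''
    if not user:
        return info

    url = server if '://' in server else 'ldap://' + server
    conn = ldap.initialize(url)
    try:
        conn.protocol_version = ldap.VERSION3
        conn.set_option(ldap.OPT_REFERRALS, 0)
        # Anonymous bind for the lookup; certificate verification stays at
        # the library default.
        conn.simple_bind_s()
        # RFC 4515 escaping keeps the value from altering the filter.
        user_filter = '(%s=%s)' % (entry, escape_filter_chars(user))
        results = conn.search_s(binddn, ldap.SCOPE_SUBTREE, user_filter)
        # Search references come back with a None dn; keep real entries only.
        found = [(dn, attrs) for dn, attrs in results if dn is not None]
        if len(found) == 1:
            info = found
    finally:
        conn.unbind_s()

    return info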
    def convert_ipa_ca_cnames(self, domain_name):
        """Replace ipa-ca CNAME records in ``domain_name`` with A/AAAA records.

        Each CNAME target is normalised to an FQDN (a trailing dot is
        stripped, a relative name gets the domain appended).  The conversion
        only proceeds when every target is an IPA master listed under
        ``cn=masters,cn=ipa,cn=etc``; otherwise a warning is logged and
        nothing is changed.  The CNAMEs are removed before the A/AAAA records
        are added, so a failure in between leaves the name without records.
        """
        cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME")
        if not cnames:
            return

        root_logger.info('Converting IPA CA CNAME records to A/AAAA records')

        def to_fqdn(name):
            # Absolute names carry a trailing dot; relative ones live in
            # domain_name.
            if name.endswith('.'):
                return name[:-1]
            return '%s.%s' % (name, domain_name)

        cname_fqdn = {cname: to_fqdn(cname) for cname in cnames}

        ldap = api.Backend.ldap2
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        api.env.basedn)
        try:
            master_entries = ldap.get_entries(
                masters_dn, ldap.SCOPE_ONELEVEL, None, ['cn'])
            masters = {e['cn'][0] for e in master_entries}
        except errors.NotFound:
            masters = set()

        # Refuse to touch records that point outside the IPA topology.
        unknown = [c for c in cnames if cname_fqdn[c] not in masters]
        if unknown:
            root_logger.warning(
                "Cannot convert IPA CA CNAME records to A/AAAA records, "
                "please convert them manually if necessary")
            return

        for cname in cnames:
            del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname)

        for cname in cnames:
            self.add_ipa_ca_dns_records(cname_fqdn[cname], domain_name, None)
    def convert_ipa_ca_cnames(self, domain_name):
        """Replace ipa-ca CNAME records in ``domain_name`` with A/AAAA records.

        Each CNAME target is normalised to an FQDN (a trailing dot is
        stripped, a relative name gets the domain appended).  The conversion
        only proceeds when every target is an IPA master listed under
        ``cn=masters,cn=ipa,cn=etc``; otherwise a warning is logged and
        nothing is changed.  The CNAMEs are removed before the A/AAAA records
        are added, so a failure in between leaves the name without records.
        """
        cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME")
        if not cnames:
            return

        root_logger.info('Converting IPA CA CNAME records to A/AAAA records')

        def to_fqdn(name):
            # Absolute names carry a trailing dot; relative ones live in
            # domain_name.
            if name.endswith('.'):
                return name[:-1]
            return '%s.%s' % (name, domain_name)

        cname_fqdn = {cname: to_fqdn(cname) for cname in cnames}

        ldap = api.Backend.ldap2
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        api.env.basedn)
        try:
            master_entries = ldap.get_entries(
                masters_dn, ldap.SCOPE_ONELEVEL, None, ['cn'])
            masters = {e['cn'][0] for e in master_entries}
        except errors.NotFound:
            masters = set()

        # Refuse to touch records that point outside the IPA topology.
        unknown = [c for c in cnames if cname_fqdn[c] not in masters]
        if unknown:
            root_logger.warning(
                "Cannot convert IPA CA CNAME records to A/AAAA records, "
                "please convert them manually if necessary")
            return

        for cname in cnames:
            del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname)

        for cname in cnames:
            self.add_ipa_ca_dns_records(cname_fqdn[cname], domain_name, None)
    def remove_ipa_ca_cnames(self, domain_name):
        """Remove ipa-ca CNAME records from ``domain_name``.

        Only acts when every CNAME target (normalised to an FQDN) is an IPA
        master listed under ``cn=masters,cn=ipa,cn=etc``; otherwise a warning
        is logged and the records are left for manual cleanup.  A missing
        zone (``errors.NotFound`` from get_rr) means there is nothing to do.
        """
        try:
            cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
        except errors.NotFound:
            # The zone itself does not exist.
            cnames = None
        if not cnames:
            return

        logger.info('Removing IPA CA CNAME records')

        def to_fqdn(name):
            # Absolute names carry a trailing dot; relative ones live in
            # domain_name.
            if name.endswith('.'):
                return name[:-1]
            return '%s.%s' % (name, domain_name)

        cname_fqdn = {cname: to_fqdn(cname) for cname in cnames}

        ldap = self.api.Backend.ldap2
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        self.api.env.basedn)
        try:
            master_entries = ldap.get_entries(
                masters_dn, ldap.SCOPE_ONELEVEL, None, ['cn'])
            masters = {e['cn'][0] for e in master_entries}
        except errors.NotFound:
            masters = set()

        # Refuse to touch records that point outside the IPA topology.
        unknown = [c for c in cnames if cname_fqdn[c] not in masters]
        if unknown:
            logger.warning(
                "Cannot remove IPA CA CNAME please remove them manually "
                "if necessary")
            return

        for cname in cnames:
            del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api)
    def remove_ipa_ca_cnames(self, domain_name):
        """Remove ipa-ca CNAME records from ``domain_name``.

        Only acts when every CNAME target (normalised to an FQDN) is an IPA
        master listed under ``cn=masters,cn=ipa,cn=etc``; otherwise a warning
        is logged and the records are left for manual cleanup.  A missing
        zone (``errors.NotFound`` from get_rr) means there is nothing to do.
        """
        try:
            cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
        except errors.NotFound:
            # The zone itself does not exist.
            cnames = None
        if not cnames:
            return

        logger.info('Removing IPA CA CNAME records')

        def to_fqdn(name):
            # Absolute names carry a trailing dot; relative ones live in
            # domain_name.
            if name.endswith('.'):
                return name[:-1]
            return '%s.%s' % (name, domain_name)

        cname_fqdn = {cname: to_fqdn(cname) for cname in cnames}

        ldap = self.api.Backend.ldap2
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        self.api.env.basedn)
        try:
            master_entries = ldap.get_entries(
                masters_dn, ldap.SCOPE_ONELEVEL, None, ['cn'])
            masters = {e['cn'][0] for e in master_entries}
        except errors.NotFound:
            masters = set()

        # Refuse to touch records that point outside the IPA topology.
        unknown = [c for c in cnames if cname_fqdn[c] not in masters]
        if unknown:
            logger.warning(
                "Cannot remove IPA CA CNAME please remove them manually "
                "if necessary")
            return

        for cname in cnames:
            del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api)
    def _remove_server_host_services(self, ldap, master):
        """
        Delete the server's Kerberos host key and all of its service
        principals.

        Every ``*/<master>@<realm>`` principal below the base DN is deleted,
        longest DN first.  "Nothing found" is fine; any other failure is
        reported as a ServerRemovalWarning message instead of raised.  The
        filter is built by string formatting, so ``master`` is assumed to be
        an already-validated host name.

        NOTE(review): this revision also deletes the ``ldap/<master>``
        principal; later revisions of the method keep it when ``master`` is
        the local host so replication keeps working while the server is
        being removed.
        """
        try:
            principal_filter = '(krbprincipalname=*/{}@{})'.format(
                master, self.api.env.realm)
            entries = ldap.get_entries(
                self.api.env.basedn, ldap.SCOPE_SUBTREE,
                filter=principal_filter)

            if entries:
                # Longest DN first, presumably so children precede parents.
                ordered = sorted(entries, key=lambda x: len(x.dn),
                                 reverse=True)
                for entry in ordered:
                    ldap.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception as e:
            self.add_message(
                messages.ServerRemovalWarning(
                    message=_("Failed to cleanup server principals/keys: "
                              "%(err)s") % dict(err=e)))
    def _remove_server_host_services(self, ldap, master):
        """
        Delete the server's Kerberos host key and all of its service
        principals.

        Every ``*/<master>@<realm>`` principal below the base DN is deleted,
        longest DN first.  "Nothing found" is fine; any other failure is
        reported as a ServerRemovalWarning message instead of raised.  The
        filter is built by string formatting, so ``master`` is assumed to be
        an already-validated host name.

        NOTE(review): this revision also deletes the ``ldap/<master>``
        principal; later revisions of the method keep it when ``master`` is
        the local host so replication keeps working while the server is
        being removed.
        """
        try:
            principal_filter = '(krbprincipalname=*/{}@{})'.format(
                master, self.api.env.realm)
            entries = ldap.get_entries(
                self.api.env.basedn, ldap.SCOPE_SUBTREE,
                filter=principal_filter)

            if entries:
                # Longest DN first, presumably so children precede parents.
                ordered = sorted(entries, key=lambda x: len(x.dn),
                                 reverse=True)
                for entry in ordered:
                    ldap.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception as e:
            self.add_message(
                messages.ServerRemovalWarning(
                    message=_("Failed to cleanup server principals/keys: "
                              "%(err)s") % dict(err=e)))
    def _remove_server_host_services(self, ldap, master):
        """
        Delete the server's Kerberos host key and all of its service
        principals.

        Every ``*/<master>@<realm>`` principal below the base DN is deleted,
        longest DN first.  When ``master`` is this very host the ``ldap/``
        principal is kept: server-del is then running on the machine being
        removed and deleting it would break replication, so the topology
        plugin cleans it up later (tracked under
        https://pagure.io/freeipa/issue/7359).

        "Nothing found" is fine; any other failure is reported as a
        ServerRemovalWarning message instead of raised.  The filter is built
        by string formatting, so ``master`` is assumed to be an
        already-validated host name.
        """
        try:
            realm = self.api.env.realm
            keep_ldap_principal = master == self.api.env.host
            if keep_ldap_principal:
                # Exclude the ldap principal; see the docstring.
                principal_filter = (
                    '(&(krbprincipalname=*/{}@{})'
                    '(!(krbprincipalname=ldap/*)))'.format(master, realm)
                )
            else:
                principal_filter = '(krbprincipalname=*/{}@{})'.format(
                    master, realm)

            entries = ldap.get_entries(
                self.api.env.basedn, ldap.SCOPE_SUBTREE,
                filter=principal_filter)

            if entries:
                # Longest DN first, presumably so children precede parents.
                entries.sort(key=lambda x: len(x.dn), reverse=True)
                for entry in entries:
                    ldap.delete_entry(entry)
        except errors.NotFound:
            pass
        except Exception as e:
            self.add_message(
                messages.ServerRemovalWarning(
                    message=_("Failed to cleanup server principals/keys: "
                              "%(err)s") % dict(err=e)))