Beispiel #1
0
    def run(self, context):
        complete = super(postgresql_serverSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete

        postinst.shellCommand(['/usr/bin/postgresql-setup', 'initdb'])

        return complete
Beispiel #2
0
    def run(self, context):
        complete = super(openssh_serverSetup, self).run(context)
        ldapHost = context.value('ldapHost')
        domain_parts = tuple(context.value('companyDomain').split('.'))
        banner = os.path.join(context.value('etcDir'), 'issue.net')
        _, new_banner_path = stageFile(banner, context=context)
        with open(new_banner_path, 'w') as new_banner:
            new_banner.write(
                'This server is private property. Authorized use only.\n')
        settings = {'Banner': banner}
        for key, vals in six.iteritems(
                self.managed['openssh-server']['files']):
            if key == self.sshd_conf:
                settings.update(vals[0][0])
        modify_config(self.sshd_conf,
                      settings=settings,
                      sep=' ',
                      context=context)

        ldapCertPath = os.path.join(context.value('etcDir'), 'pki', 'tls',
                                    'certs', '%s.crt' % ldapHost)
        names = {
            'ldapHost': ldapHost,
            'domainNat': domain_parts[0],
            'domainTop': domain_parts[1],
            'ldapCertPath': ldapCertPath
        }
        modify_config(
            self.ldap_conf,
            settings={
                'URI': 'ldaps://%(ldapHost)s' % names,
                'BASE': 'ou=people,dc=%(domainNat)s,dc=%(domainTop)s' % names,
                'TLS_CACERT': ldapCertPath,
                'TLS_REQCERT': 'demand',
                'TIMELIMIT': '15',
                'TIMEOUT': '20'
            },
            sep=' ',
            context=context)

        config_path = os.path.join('/usr', 'libexec', 'openssh',
                                   'ssh-ldap-wrapper')
        _, new_config_path = stageFile(config_path, context)
        with open(new_config_path, 'w') as new_config:
            new_config.write("""#!/bin/sh
if [ "$1" == "fedora" ] ; then
    exit 1
fi
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
""")
        postinst.shellCommand(['chmod', '755', config_path])
        postinst.shellCommand(['chmod', '644', self.ldap_conf])
        return complete
Beispiel #3
0
    def run(self, context):
        complete = super(openssh_serverSetup, self).run(context)
        banner = os.path.join(context.SYSCONFDIR, 'issue.net')
        _, new_banner_path = stageFile(
            banner, context=context)
        with open(new_banner_path, 'w') as new_banner:
            new_banner.write(
                'This server is private property. Authorized use only.\n')
        settings = {'Banner': banner}
        for key, vals in self.files.iteritems():
            if key == self.sshd_conf:
                settings.update(vals[0][0])
        modify_config(self.sshd_conf,
            settings=settings, sep=' ', context=context)

        ldapDomain = 'dbs.internal'
        domain_parts = tuple(context.value('domainName').split('.'))
        ldapCertPath = os.path.join(context.SYSCONFDIR,
            'pki', 'tls', 'certs', '%s.crt' % ldapDomain)
        names = {
            'ldapDomain': ldapDomain,
            'domainNat': domain_parts[0],
            'domainTop': domain_parts[1],
            'ldapCertPath': ldapCertPath
        }
        modify_config(self.ldap_conf,
            settings={
                'URI': 'ldaps://%(ldapDomain)s' % names,
                'BASE': 'ou=people,dc=%(domainNat)s,dc=%(domainTop)s' % names,
                'TLS_CACERT': ldapCertPath,
                'TLS_REQCERT': 'demand',
                'TIMELIMIT': '15',
                'TIMEOUT': '20'
            }, sep=' ', context=context)

        config_path = os.path.join(
            '/usr', 'libexec', 'openssh', 'ssh-ldap-wrapper')
        _, new_config_path = stageFile(config_path, context)
        with open(new_config_path, 'w') as new_config:
            new_config.write(
"""#!/bin/sh
if [ "$1" == "fedora" ] ; then
    exit 1
fi
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
""")
        postinst.shellCommand(['chmod', '755', config_path])
        postinst.shellCommand(['chmod', '644', self.ldap_conf])
        return complete
Beispiel #4
0
    def run(self, context):
        complete = super(postgresql_serverSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete

        db_host = context.value('dbHost')
        vpc_cidr = context.value('vpc_cidr')
        pg_user = context.value('dbUser')
        postgresql_conf = os.path.join(self.pgdata, 'postgresql.conf')
        pg_ident_conf = os.path.join(self.pgdata, 'pg_ident.conf')
        pg_hba_conf = os.path.join(self.pgdata, 'pg_hba.conf')

        if not os.path.exists(postgresql_conf):
            # /var/lib/pgsql/data will be empty unless we run initdb once.
            shell_command([self.postgresql_setup, 'initdb'])

        listen_addresses = "'localhost'"
        for key, val in six.iteritems(
                self.managed['%s-server' %
                             self.daemons[0].replace('-', '')]['files']):
            if key == 'listen_addresses':
                listen_addresses = ', '.join(
                    ["'%s'" % address[0] for address in val])

        postgresql_conf_settings = {'listen_addresses': listen_addresses}
        if db_host:
            db_ssl_key_file = "/etc/pki/tls/private/%s.key" % db_host
            db_ssl_cert_file = "/etc/pki/tls/certs/%s.crt" % db_host
            dh_params = "/etc/ssl/certs/dhparam.pem"
            if (os.path.exists(db_ssl_key_file)
                    and os.path.exists(db_ssl_cert_file)):
                postgresql_conf_settings.update({
                    'ssl':
                    "on",
                    'ssl_cert_file':
                    "'%s'" % db_ssl_cert_file,
                    'ssl_key_file':
                    "'%s'" % db_ssl_key_file,
                    'ssl_prefer_server_ciphers':
                    "on",
                    #ssl_ca_file = ''
                    #ssl_crl_file = ''
                    #ssl_ecdh_curve = 'prime256v1'
                    #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
                })
                if os.path.exists(dh_params):
                    postgresql_conf_settings.update({
                        'ssl_dh_params_file':
                        "'%s'" % dh_params,
                    })
                postinst.shellCommand(
                    ['chown', 'root:postgres', db_ssl_key_file])
                postinst.shellCommand(['chmod', '640', db_ssl_key_file])
                postinst.shellCommand(
                    ['chmod', '755',
                     os.path.dirname(db_ssl_key_file)])
        modify_config(postgresql_conf,
                      settings=postgresql_conf_settings,
                      sep=' = ',
                      context=context)

        # pg_ident
        system_to_pg_mapping = {'postgres': 'postgres'}
        if pg_user:
            system_to_pg_mapping.update({'/^(.*)$': pg_user})
        else:
            logging.warning("dbUser is '%s'. No regular user will be created"\
                " to access the database remotely.")
        old_conf_path, new_conf_path = stageFile(pg_ident_conf, context)
        with open(new_conf_path, 'w') as new_conf:
            with open(old_conf_path) as old_conf:
                for line in old_conf.readlines():
                    look = re.match(r'^mymap\s+(\S+)\s+(\S+)', line.strip())
                    if look:
                        system_user = look.group(1)
                        if system_user in system_to_pg_mapping:
                            self.write_ident_line(
                                new_conf, system_user,
                                system_to_pg_mapping[system_user])
                            del system_to_pg_mapping[system_user]
                    else:
                        new_conf.write(line)
                for system_user, pgident_user in six.iteritems(
                        system_to_pg_mapping):
                    self.write_ident_line(new_conf, system_user, pgident_user)

        # pg_hba
        connections = [
            ['all', 'postgres', vpc_cidr],
            # 'all' because we need to add a constraint on auth_user
            ['all', pg_user, vpc_cidr]
        ]
        old_conf_path, new_conf_path = stageFile(pg_hba_conf, context)
        with open(new_conf_path, 'w') as new_conf:
            with open(old_conf_path) as old_conf:
                source_host = 'host'
                if (postgresql_conf_settings.get('ssl')
                        and postgresql_conf_settings.get('ssl') == "on"):
                    source_host = 'hostssl'
                for line in old_conf.readlines():
                    look = re.match(r'^local.*peer$', line.strip())
                    if look:
                        new_conf.write(line.strip() + ' map=mymap\n')
                    else:
                        look = re.match(r'^(host|hostssl|hostnossl)\s+'\
'(?P<db>\S+)\s+(?P<pg_user>\S+)\s+(?P<cidr>\S+)\s+(?P<method>\S+)',
                            line.strip())
                        if look:
                            found = None
                            remains = []
                            for conn in connections:
                                if (conn[0] == look.group('db')
                                        and conn[1] == look.group('pg_user')):
                                    found = conn
                                else:
                                    remains += [conn]
                            connections = remains
                            if found:
                                new_conf.write(
                                    '%(host)s    %(db)s%(pg_user)s%(cidr)smd5\n'
                                    % {
                                        'host': source_host.ljust(10),
                                        'db': found[0].ljust(16),
                                        'pg_user': found[1].ljust(16),
                                        'cidr': found[2].ljust(24)
                                    })
                            else:
                                new_conf.write(line)
                        else:
                            new_conf.write(line)
                if connections:
                    new_conf.write("# Remote connections\n")
                    for conn in connections:
                        new_conf.write(
                            '%(host)s    %(db)s%(pg_user)s%(cidr)smd5\n' % {
                                'host': source_host.ljust(10),
                                'db': conn[0].ljust(16),
                                'pg_user': conn[1].ljust(16),
                                'cidr': conn[2].ljust(24)
                            })

        self.create_cron_conf(context)
        #XXX optimizations?
        #https://people.planetpostgresql.org/devrim/index.php?/archives/83-Using-huge-pages-on-RHEL-7-and-PostgreSQL-9.4.html

        postinst.shellCommand([
            '[ -d %(pgdata)s/base ] ||' % {
                'pgdata': self.pgdata
            }, self.postgresql_setup, 'initdb'
        ])

        return complete
Beispiel #5
0
    def run(self, context):
        complete = super(openldap_serversSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete
        ldapHost = context.value('ldapHost')
        company_domain = context.value('companyDomain')
        password_hash = context.value('ldapPasswordHash')
        priv_key = os.path.join(context.value('etcDir'),
            'pki', 'tls', 'private', '%s.key' % ldapHost)
        config_path = os.path.join(context.value('etcDir'),
            'openldap', 'slapd.d', 'cn=config.ldif')
        _, new_config_path = stageFile(config_path, context)
        modify_config(config_path,
            sep=': ', context=context,
            settings={
                'olcTLSCACertificatePath': os.path.join(
                    context.value('etcDir'), 'pki', 'tls', 'certs'),
                'olcTLSCertificateFile': os.path.join(context.value('etcDir'),
                    'pki', 'tls', 'certs', '%s.crt' % ldapHost),
                'olcTLSCertificateKeyFile': priv_key
            })
        self._update_crc32(new_config_path)

        domain_parts = tuple(company_domain.split('.'))
        db_config_path = os.path.join(context.value('etcDir'),
            'openldap', 'slapd.d', 'cn=config', 'olcDatabase={0}config.ldif')
        _, new_config_path = stageFile(db_config_path, context)
        modify_config(db_config_path,
            sep=': ', enter_block_sep=None, exit_block_sep=None,
            one_per_line=True, context=context, settings={
               'olcRootPW': '%s' % password_hash
            })
        self._update_crc32(new_config_path)
        # XXX using hdb on Fedora27 with an encrypted EBS will lead
        #     to a `BDB0126 mmap: Invalid argument` error. just delete the file!
        for db_path in ['olcDatabase={2}hdb.ldif', 'olcDatabase={2}mdb.ldif']:
            db_path = os.path.join(context.value('etcDir'),
                'openldap', 'slapd.d', 'cn=config', db_path)
            _, new_config_path = stageFile(db_path, context)
            modify_config(db_path,
                sep=': ', enter_block_sep=None, exit_block_sep=None,
                one_per_line=True, context=context, settings={
                    'olcSuffix': 'dc=%s,dc=%s' % domain_parts,
                    'olcRootDN': 'cn=Manager,dc=%s,dc=%s' % domain_parts,
                    'olcRootPW': '%s' % password_hash,
                    'olcAccess': [
                        '{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
                        '{0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=%s,dc=%s" write by anonymous auth by * none' % domain_parts,
                        '{1}to * by dn.base="cn=Manager,dc=%s,dc=%s" write by self write by * read"' % domain_parts]
                })
            self._update_crc32(new_config_path)

        schema_path = os.path.join(context.value('etcDir'),
            'openldap', 'schema', 'openssh-ldap.ldif')
        _, new_schema_path = stageFile(schema_path, context)
        with open(new_schema_path, 'w') as schema_file:
            schema_file.write("""dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )
""")

        self.create_cron_conf(context)
        self.create_syslogng_conf(context)

        postinst.create_certificate(ldapHost)
        postinst.shellCommand(['chmod', '750', os.path.dirname(priv_key)])
        postinst.shellCommand(['chgrp', 'ldap', os.path.dirname(priv_key)])
        postinst.shellCommand(['chmod', '640', priv_key])
        postinst.shellCommand(['chgrp', 'ldap', priv_key])
        postinst.shellCommand(['chmod', '750', os.path.dirname(priv_key)])
        postinst.shellCommand(['chown', 'ldap:ldap',
            config_path, db_config_path, db_hdb_path])
        postinst.shellCommand(['chmod', '600',
            config_path, db_config_path, db_hdb_path])

        # We need to start the server before adding the schemas.
        postinst.shellCommand(['service', 'slapd', 'restart'])
        postinst.shellCommand(['systemctl', 'enable', 'slapd.service'])
        postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
            '-f', '/etc/openldap/schema/cosine.ldif', '-D', '"cn=config"'])
        postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
            '-f', '/etc/openldap/schema/nis.ldif', '-D', '"cn=config"'])
        postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
          '-f', '/etc/openldap/schema/inetorgperson.ldif', '-D', '"cn=config"'])
        postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
          '-f', '/etc/openldap/schema/openssh-ldap.ldif', '-D', '"cn=config"'])

        return complete
Beispiel #6
0
    def run(self, context):
        complete = super(postgresql_serverSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete

        pg_user = context.value('dbUser')
        vpc_cidr = context.value('vpc_cidr')
        postgresql_conf = '/var/lib/pgsql/data/postgresql.conf'
        pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
        pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
        pg_hba_conf = '/var/lib/pgsql/data/pg_hba.conf'

        listen_addresses = "'localhost'"
        for key, val in self.managed['postgresql-server']['files'].iteritems():
            if key == 'listen_addresses':
                listen_addresses = "'%s'" % val

        modify_config(postgresql_conf,
            settings={'listen_addresses': listen_addresses},
            sep=' = ', context=context)

        # pg_ident
        system_to_pg_mapping = {
            'postgres': 'postgres',
            '/^(.*)$': pg_user
        }
        old_conf_path, new_conf_path = stageFile(pg_ident_conf, context)
        with open(new_conf_path, 'w') as new_conf:
            with open(old_conf_path) as old_conf:
                for line in old_conf.readlines():
                    look = re.match(r'^mymap\s+(\S+)\s+(\S+)', line.strip())
                    if look:
                        system_user = look.group(1)
                        if system_user in system_to_pg_mapping:
                            new_conf.write(
                                '%(map)s%(system_user)s%(pg_user)s\n' % {
                                    'map': 'mymap'.ljust(16),
                                    'system_user': system_user.ljust(24),
                        'pg_user': system_to_pg_mapping[system_user].ljust(16)})
                    else:
                        new_conf.write(line)

        # pg_hba
        connections = [['postgres', 'postgres', vpc_cidr],
                       ['all', pg_user, vpc_cidr]]
        old_conf_path, new_conf_path = stageFile(pg_hba_conf, context)
        with open(new_conf_path, 'w') as new_conf:
            with open(old_conf_path) as old_conf:
                for line in old_conf.readlines():
                    look = re.match(r'^local.*peer$', line.strip())
                    if look:
                        new_conf.write(line.strip() + ' map=mymap\n')
                    else:
                        look = re.match(
r'^host\s+(?P<db>\S+)\s+(?P<pg_user>\S+)\s+(?P<cidr>\S+)\s+(?P<method>\S+)',
                            line.strip())
                        if look:
                            found = None
                            remains = []
                            for conn in connections:
                                if (conn[0] == look.group('db')
                                    and conn[1] == look.group('pg_user')):
                                    found = conn
                                else:
                                    remains += [conn]
                            connections = remains
                            if found:
                                new_conf.write(
                                'host    %(db)s%(pg_user)s%(cidr)smd5\n' % {
                                    'db': found[0].ljust(16),
                                    'pg_user': found[1].ljust(16),
                                    'cidr': found[2].ljust(16)})
                            else:
                                new_conf.write(line)
                        else:
                            new_conf.write(line)
                if len(connections) > 0:
                    new_conf.write("# Remote connections\n")
                    for conn in connections:
                        new_conf.write(
                        'host    %(db)s%(pg_user)s%(cidr)smd5\n' % {
                            'db': conn[0].ljust(16),
                            'pg_user': conn[1].ljust(16),
                            'cidr': conn[2].ljust(16)})

        self.create_cron_conf(context)
        postinst.shellCommand(['[ -d /var/lib/pgsql/data/base ] ||',
            '/usr/bin/postgresql-setup', 'initdb'])

        return complete
Beispiel #7
0
    def run(self, context):
        complete = super(openldap_serversSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete
        domain = 'dbs.internal'
        company_domain = context.value('domainName')
        password_hash = context.value('ldapPasswordHash')
        priv_key = os.path.join(context.SYSCONFDIR,
            'pki', 'tls', 'private', '%s.key' % domain)
        config_path = os.path.join(context.SYSCONFDIR,
            'openldap', 'slapd.d', 'cn=config.ldif')
        _, new_config_path = stageFile(config_path, context)
        modify_config(config_path,
            sep=': ', context=context,
            settings={
                'olcTLSCACertificatePath': os.path.join(
                    context.SYSCONFDIR, 'pki', 'tls', 'certs'),
                'olcTLSCertificateFile': os.path.join(context.SYSCONFDIR,
                    'pki', 'tls', 'certs', '%s.crt' % domain),
                'olcTLSCertificateKeyFile': priv_key
            })
        self._update_crc32(new_config_path)

        domain_parts = tuple(company_domain.split('.'))
        config_path = os.path.join(context.SYSCONFDIR,
            'openldap', 'slapd.d', 'cn=config', 'olcDatabase={0}config.ldif')
        _, new_config_path = stageFile(config_path, context)
        modify_config(config_path,
            sep=': ', enter_block_sep=None, exit_block_sep=None,
            one_per_line=True, context=context, settings={
               'olcRootPW': '{SSHA}%s' % password_hash
            })
        self._update_crc32(new_config_path)
        config_path = os.path.join(context.SYSCONFDIR,
            'openldap', 'slapd.d', 'cn=config', 'olcDatabase={2}mdb.ldif')
        _, new_config_path = stageFile(config_path, context)
        modify_config(config_path,
            sep=': ', enter_block_sep=None, exit_block_sep=None,
            one_per_line=True, context=context, settings={
               'olcSuffix': 'dc=%s,dc=%s' % domain_parts,
               'olcRootDN': 'cn=Manager,dc=%s,dc=%s' % domain_parts,
               'olcRootPW': '{SSHA}%s' % password_hash,
               'olcAccess': [
                   '{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
                   '{0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=%s,dc=%s" write by anonymous auth by * none' % domain_parts,
                   '{1}to * by dn.base="cn=Manager,dc=%s,dc=%s" write by self write by * read"' % domain_parts]
            })
        self._update_crc32(new_config_path)

        schema_path = os.path.join(context.SYSCONFDIR,
            'openldap', 'schema', 'openssh-ldap.ldif')
        _, new_schema_path = stageFile(schema_path, context)
        with open(new_schema_path, 'w') as schema_file:
            schema_file.write("""dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )
""")

        postinst.shellCommand(['chmod', '750', os.path.dirname(priv_key)])
        postinst.shellCommand(['chgrp', 'ldap', os.path.dirname(priv_key)])
        postinst.shellCommand(['chmod', '640', priv_key])
        postinst.shellCommand(['chgrp', 'ldap', priv_key])

        self.create_syslogng_conf(context)
        postinst.shellCommand([
            'systemctl', 'enable', 'slapd.service'])

        postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
            '/etc/openldap/schema/cosine.ldif', '-D', '"cn=config"'])
        postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
            '/etc/openldap/schema/nis.ldif', '-D', '"cn=config"'])
        postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
            '/etc/openldap/schema/inetorgperson.ldif', '-D', '"cn=config"'])
        postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
            '/etc/openldap/schema/openssh-ldap.ldif', '-D', '"cn=config"'])

        return complete
Beispiel #8
0
    def run(self, context):
        complete = super(sssdSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete

        ldapDomain = 'dbs.internal'
        ldapCertPath = os.path.join(context.SYSCONFDIR,
            'pki', 'tls', 'certs', '%s.crt' % ldapDomain)
        domain_parts = tuple(context.value('domainName').split('.'))
        names = {
            'ldapDomain': ldapDomain,
            'domainNat': domain_parts[0],
            'domainTop': domain_parts[1],
            'ldapCertPath': ldapCertPath
        }
        _, new_config_path = stageFile(self.sssd_conf, context)
        with open(new_config_path, 'w') as new_config:
            new_config.write("""[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sudo]

[domain/LDAP]
# Debugging:
debug_level = 9

ldap_tls_reqcert = demand
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
ldap_search_base = dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://%(ldapDomain)s/
ldap_chpass_uri = ldaps://%(ldapDomain)s/
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = True
ldap_tls_cacert = %(ldapCertPath)s
entry_cache_timeout = 600
ldap_network_timeout = 3
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=%(domainNat)s,dc=%(domainTop)s
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
# Enable group mapping otherwise only the user's primary group will map
# correctly. Without this defined group membership won't work
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=group,dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_name = cn
ldap_group_member = memberUid
""" % names)

        postinst.shellCommand(['chmod', '600', self.sssd_conf])
        postinst.shellCommand(['authconfig',
            '--update', '--enablesssd', '--enablesssdauth'])
        postinst.shellCommand(['setsebool',
            '-P', 'authlogin_nsswitch_use_ldap', '1'])
        postinst.shellCommand([
            'systemctl', 'enable', 'sssd.service'])

        return complete
Beispiel #9
0
    def run(self, context):
        complete = super(sssdSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete

        ldapHost = context.value('ldapHost')
        domain_parts = tuple(context.value('domainName').split('.'))
        ldapCertPath = os.path.join(context.value('etcDir'), 'pki', 'tls',
                                    'certs', '%s.crt' % ldapHost)
        names = {
            'ldapHost': ldapHost,
            'domainNat': domain_parts[0],
            'domainTop': domain_parts[1],
            'ldapCertPath': ldapCertPath
        }
        _, new_config_path = stageFile(self.sssd_conf, context)
        with open(new_config_path, 'w') as new_config:
            new_config.write("""[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sudo]

[domain/LDAP]
# Debugging:
debug_level = 9

ldap_tls_reqcert = demand
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
ldap_search_base = dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://%(ldapHost)s/
ldap_chpass_uri = ldaps://%(ldapHost)s/
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = True
ldap_tls_cacert = %(ldapCertPath)s
entry_cache_timeout = 600
ldap_network_timeout = 3
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=%(domainNat)s,dc=%(domainTop)s
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
# Enable group mapping otherwise only the user's primary group will map
# correctly. Without this defined group membership won't work
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=groups,dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_name = cn
ldap_group_member = memberUid
""" % names)

        postinst.shellCommand(['chmod', '600', self.sssd_conf])
        postinst.shellCommand(
            ['authconfig', '--update', '--enablesssd', '--enablesssdauth'])
        postinst.shellCommand(
            ['setsebool', '-P', 'authlogin_nsswitch_use_ldap', '1'])
        return complete
Beispiel #10
0
    def run(self, context):
        complete = super(postgresql_serverSetup, self).run(context)
        if not complete:
            # As long as the default setup cannot find all prerequisite
            # executable, libraries, etc. we cannot update configuration
            # files here.
            return complete

        pg_user = context.value('dbUser')
        vpc_cidr = context.value('vpc_cidr')
        postgresql_conf = '/var/lib/pgsql/data/postgresql.conf'
        pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
        pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
        pg_hba_conf = '/var/lib/pgsql/data/pg_hba.conf'

        if not os.path.exists(postgresql_conf):
            # /var/lib/pgsql/data will be empty unless we run initdb once.
            shell_command(['/usr/bin/postgresql-setup', 'initdb'])

        listen_addresses = "'localhost'"
        for key, val in six.iteritems(
                self.managed['postgresql-server']['files']):
            if key == 'listen_addresses':
                listen_addresses = ', '.join(
                    ["'%s'" % address for address in val])

        modify_config(postgresql_conf,
                      settings={'listen_addresses': listen_addresses},
                      sep=' = ',
                      context=context)

        # pg_ident
        system_to_pg_mapping = {'postgres': 'postgres', '/^(.*)$': pg_user}
        old_conf_path, new_conf_path = stageFile(pg_ident_conf, context)
        with open(new_conf_path, 'w') as new_conf:
            with open(old_conf_path) as old_conf:
                for line in old_conf.readlines():
                    look = re.match(r'^mymap\s+(\S+)\s+(\S+)', line.strip())
                    if look:
                        system_user = look.group(1)
                        if system_user in system_to_pg_mapping:
                            new_conf.write(
                                '%(map)s%(system_user)s%(pg_user)s\n' % {
                                    'map':
                                    'mymap'.ljust(16),
                                    'system_user':
                                    system_user.ljust(24),
                                    'pg_user':
                                    system_to_pg_mapping[system_user].ljust(16)
                                })
                    else:
                        new_conf.write(line)

        # pg_hba
        connections = [['postgres', 'postgres', vpc_cidr],
                       ['all', pg_user, vpc_cidr]]
        old_conf_path, new_conf_path = stageFile(pg_hba_conf, context)
        with open(new_conf_path, 'w') as new_conf:
            with open(old_conf_path) as old_conf:
                for line in old_conf.readlines():
                    look = re.match(r'^local.*peer$', line.strip())
                    if look:
                        new_conf.write(line.strip() + ' map=mymap\n')
                    else:
                        look = re.match(
                            r'^host\s+(?P<db>\S+)\s+(?P<pg_user>\S+)\s+(?P<cidr>\S+)\s+(?P<method>\S+)',
                            line.strip())
                        if look:
                            found = None
                            remains = []
                            for conn in connections:
                                if (conn[0] == look.group('db')
                                        and conn[1] == look.group('pg_user')):
                                    found = conn
                                else:
                                    remains += [conn]
                            connections = remains
                            if found:
                                new_conf.write(
                                    'host    %(db)s%(pg_user)s%(cidr)smd5\n' %
                                    {
                                        'db': found[0].ljust(16),
                                        'pg_user': found[1].ljust(16),
                                        'cidr': found[2].ljust(16)
                                    })
                            else:
                                new_conf.write(line)
                        else:
                            new_conf.write(line)
                if connections:
                    new_conf.write("# Remote connections\n")
                    for conn in connections:
                        new_conf.write(
                            'host    %(db)s%(pg_user)s%(cidr)smd5\n' % {
                                'db': conn[0].ljust(16),
                                'pg_user': conn[1].ljust(16),
                                'cidr': conn[2].ljust(16)
                            })

        self.create_cron_conf(context)
        postinst.shellCommand([
            '[ -d /var/lib/pgsql/data/base ] ||', '/usr/bin/postgresql-setup',
            'initdb'
        ])

        return complete