def kadmin(self):
"""
Initiate the kadmin interface.
@return: self on success, False otherwise.
"""
try:
sub = subprocess.Popen([
self.config.kinitpath, '-c', self.krb5admincc, '-S',
'kadmin/admin',
'%s@%s' % (self.user, self.config.krb5realm)
],
stdin=subprocess.PIPE,
stderr=subprocess.PIPE,
stdout=subprocess.PIPE)
(sout, serr) = sub.communicate(self.pw + '\n')
sub = subprocess.Popen(
[self.config.klistpath, '-c', self.krb5admincc],
stdout=subprocess.PIPE)
sout, serr = sub.communicate()
logging.debug('krb5_keytab:krb5: %s', sout)
logging.debug('krb5_keytab:krb5: %s', serr)
(self.krb5admincc, user) = krb5.parse_name(sout)
if not (self.krb5cc and user):
raise (str(serr))
logging.debug('Successfully got kadmin ticket for %s\n', user)
self.kadm = [self.config.kadminpath, '-c', self.krb5admincc]
return self
except Exception, err:
logging.warning(
'Error while trying get admin credentials. Programm execution will continue, but we wont have any admin privileges in the authen backend\n'
+ str(err))
def authenticate(self, **args):
"""user authen is already done by third party.
This will extract the kerberos principal and data in the ticket file.
without arguments we get the ticket provided by the environment.
@param ccpath: path to the kerberos ticket cache. may be prefixed with 'FILE:' for compatibility reason. If not specified, we use KRB5CCNAME environment variable.
@type ccpath: string
@return: returns the I{Full qualified user name}. This includes the kerberos realm!
"""
try:
self.krb5cc = args.pop('ccpath')
if self.krb5cc.find(':') > 0:
self.krb5cc = self.krb5cc.split(':')[1]
sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc],
stdout=subprocess.PIPE)
except KeyError:
sub = subprocess.Popen([self.config.klistpath],
stdout=subprocess.PIPE)
sout, serr = sub.communicate()
logging.debug('krb5_apache:krb5: %s', sout)
logging.debug('krb5_apache:krb5: %s', serr)
(self.krb5cc, self.user) = krb5.parse_name(sout)
if not (self.krb5cc and self.user):
return False
self.user = self.user.split('@')[0]
logging.info('krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
logging.info('krb5_apache:Got principal from ticket: %s', self.user)
os.environ['KRB5CCNAME'] = self.krb5cc
self.is_authenticated = True
return self
def authenticate(self, **args):
"""user authen is already done by third party.
This will extract the kerberos principal and data in the ticket file.
without arguments we get the ticket provided by the environment.
@param ccpath: path to the kerberos ticket cache. may be prefixed with 'FILE:' for compatibility reason. If not specified, we use KRB5CCNAME environment variable.
@type ccpath: string
@return: returns the I{Full qualified user name}. This includes the kerberos realm!
"""
try:
self.krb5cc = args.pop('ccpath')
if self.krb5cc.find(':') > 0:
self.krb5cc = self.krb5cc.split(':')[1]
sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc], stdout = subprocess.PIPE)
except KeyError:
sub = subprocess.Popen([self.config.klistpath], stdout = subprocess.PIPE)
sout, serr = sub.communicate()
logging.debug('krb5_apache:krb5: %s', sout)
logging.debug('krb5_apache:krb5: %s', serr)
(self.krb5cc, self.user) = krb5.parse_name(sout)
if not (self.krb5cc and self.user):
return False
self.user = self.user.split('@')[0]
logging.info( 'krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
logging.info( 'krb5_apache:Got principal from ticket: %s', self.user)
os.environ['KRB5CCNAME'] = self.krb5cc
self.is_authenticated = True
return self
def authenticate(self, **args):
"""
authenticate a user using a keytab file
@param keytab: the keytab location. If not set, we use the keytab specified in the config object.
@type keytab: string
@return: returns self or False
"""
self.keytab = args.get('keytab', self.config.krb5keytab)
self.user = args.get('user', 'host/%s' % hostname())
if os.access(self.keytab, os.R_OK):
sub = subprocess.call([self.config.kinitpath, '-c',self.krb5cc, '-k','-t',self.keytab, '-p',self.user])
if sub == 0:
sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc], stdout = subprocess.PIPE)
sout, serr = sub.communicate()
logging.debug('krb5_keytab:krb5: %s', sout)
logging.debug('krb5_keytab:krb5: %s', serr)
(krb5cc, self.user) = krb5.parse_name(sout)
if not (krb5cc and self.user):
logging.warning('krb5_keytab:Invalid keycache at %s', krb5cc)
return False
if not krb5cc == self.krb5cc:
logging.warning('krb5_keytab: Using wrong keytab %s %s', krb5cc, self.krb5cc)
self.user = self.user.split('@')[0]
logging.debug( 'krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
logging.info( 'krb5_apache:Got principal from ticket: %s', self.user)
self.is_authenticated = True
return self
logging.warning('Something went wrong while trying to kinit.')
else:
logging.error('Can not read from keytab file \'%s\'. Authentication failed.', self.keytab)
return False
def authenticate(self, **args):
"""
authenticate user.
Will ask for password B{interactively}.
If no Username is passed in, we will ask for that too.
@param user: if set, the login name to authenticate. if not set, this function asks interactively for a username
@type user: string
@param password: if set, the password for this user. if not set, this function asks interactively for a password
@type password: string
@return: returns self on success, False otherwise
"""
self.user = args.get('user', False)
if not self.user:
print "\nWelcome to the UnixDomain"
print "============================="
try:
while not self.user:
self.user = raw_input('account name : ')
except KeyboardInterrupt:
return False
self.pw = args.get('pw', '') # ONLY use this for testing!!!
while not self.pw:
self.pw = getpass('password : '******'-c', self.krb5cc,
'%s@%s' % (self.user, self.config.krb5realm)
],
stdin=subprocess.PIPE,
stderr=subprocess.PIPE,
stdout=subprocess.PIPE)
(sout, serr) = sub.communicate(self.pw + '\n')
sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc],
stdout=subprocess.PIPE)
(sout, serr) = sub.communicate()
logging.debug('krb5_keytab:krb5: %s', sout)
logging.debug('krb5_keytab:krb5: %s', serr)
(self.krb5cc, self.user) = krb5.parse_name(sout)
if not (self.krb5cc and self.user):
logging.warning('krb5_keytab:Invalid keycache at %s', self.krb5cc)
return False
self.user = self.user.split('@')[0]
self.is_authenticated = True
return self
def authenticate(self, **args):
"""
authenticate a user using a keytab file
@param keytab: the keytab location. If not set, we use the keytab specified in the config object.
@type keytab: string
@return: returns self or False
"""
self.keytab = args.get('keytab', self.config.krb5keytab)
self.user = args.get('user', 'host/%s' % hostname())
if os.access(self.keytab, os.R_OK):
sub = subprocess.call([
self.config.kinitpath, '-c', self.krb5cc, '-k', '-t',
self.keytab, '-p', self.user
])
if sub == 0:
sub = subprocess.Popen(
[self.config.klistpath, '-c', self.krb5cc],
stdout=subprocess.PIPE)
sout, serr = sub.communicate()
logging.debug('krb5_keytab:krb5: %s', sout)
logging.debug('krb5_keytab:krb5: %s', serr)
(krb5cc, self.user) = krb5.parse_name(sout)
if not (krb5cc and self.user):
logging.warning('krb5_keytab:Invalid keycache at %s',
krb5cc)
return False
if not krb5cc == self.krb5cc:
logging.warning('krb5_keytab: Using wrong keytab %s %s',
krb5cc, self.krb5cc)
self.user = self.user.split('@')[0]
logging.debug('krb5_apache:Got krb5path from ticket: %s',
self.krb5cc)
logging.info('krb5_apache:Got principal from ticket: %s',
self.user)
self.is_authenticated = True
return self
logging.warning('Something went wrong while trying to kinit.')
else:
logging.error(
'Can not read from keytab file \'%s\'. Authentication failed.',
self.keytab)
return False
def kadmin(self):
"""
Initiate the kadmin interface.
@return: self on success, False otherwise.
"""
try:
sub = subprocess.Popen([self.config.kinitpath, '-c', self.krb5admincc, '-S', 'kadmin/admin', '%s@%s' %(self.user, self.config.krb5realm)], stdin=subprocess.PIPE, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
(sout, serr) = sub.communicate(self.pw + '\n')
sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5admincc], stdout=subprocess.PIPE)
sout, serr = sub.communicate()
logging.debug('krb5_keytab:krb5: %s', sout)
logging.debug('krb5_keytab:krb5: %s', serr)
(self.krb5admincc, user) = krb5.parse_name(sout)
if not (self.krb5cc and user):
raise(str(serr))
logging.debug('Successfully got kadmin ticket for %s\n', user)
self.kadm = [self.config.kadminpath, '-c', self.krb5admincc]
return self
except Exception, err:
logging.warning('Error while trying get admin credentials. Programm execution will continue, but we wont have any admin privileges in the authen backend\n' + str(err))
def authenticate(self, **args):
"""
authenticate user.
Will ask for password B{interactively}.
If no Username is passed in, we will ask for that too.
@param user: if set, the login name to authenticate. if not set, this function asks interactively for a username
@type user: string
@param password: if set, the password for this user. if not set, this function asks interactively for a password
@type password: string
@return: returns self on success, False otherwise
"""
self.user = args.get('user', False)
if not self.user:
print "\nWelcome to the UnixDomain"
print "============================="
try:
while not self.user:
self.user = raw_input('account name : ')
except KeyboardInterrupt:
return False
self.pw = args.get('pw', '') # ONLY use this for testing!!!
while not self.pw :
self.pw = getpass('password : '******'-c', self.krb5cc, '%s@%s' %(self.user, self.config.krb5realm)], stdin=subprocess.PIPE, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
(sout, serr) = sub.communicate(self.pw + '\n')
sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc], stdout=subprocess.PIPE)
(sout, serr) = sub.communicate()
logging.debug('krb5_keytab:krb5: %s', sout)
logging.debug('krb5_keytab:krb5: %s', serr)
(self.krb5cc, self.user) = krb5.parse_name(sout)
if not (self.krb5cc and self.user):
logging.warning('krb5_keytab:Invalid keycache at %s', self.krb5cc)
return False
self.user = self.user.split('@')[0]
self.is_authenticated = True
return self
