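    def __configure_http(self):
        """Render the IPA httpd configuration files from their templates.

        Updates the httpd service and WSGI snippets, makes sure the GSSAPI
        session-key directory exists with mode 0755, then renders
        ``ipa.conf`` and ``ipa-rewrite.conf`` from ``self.sub_dict`` into
        their target paths, backing up any existing target first.  Both
        targets end up with mode 0644.
        """
        self.update_httpd_service_ipa_conf()
        self.update_httpd_wsgi_conf()

        # create /etc/httpd/alias, see https://pagure.io/freeipa/issue/7529
        session_dir = os.path.dirname(self.sub_dict['GSSAPI_SESSION_KEY'])
        if not os.path.isdir(session_dir):
            os.makedirs(session_dir)
        # Must be world-readable / executable; applied unconditionally so a
        # pre-existing directory with a tighter mode is fixed up as well.
        os.chmod(session_dir, 0o755)

        for target_fname, template_name in (
                (paths.HTTPD_IPA_CONF, "ipa.conf.template"),
                (paths.HTTPD_IPA_REWRITE_CONF, "ipa-rewrite.conf.template"),
        ):
            http_txt = ipautil.template_file(
                os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
                self.sub_dict)
            self.fstore.backup_file(target_fname)
            # The context manager closes the file even if the write raises
            # (the original leaked the handle on error).  The mode is set on
            # the open descriptor before any content is written rather than
            # chmod'ed afterwards, so the file never sits with a wider mode.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)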
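    def __setup_conf_files(self):
        """Render the OpenDNSSEC configuration files from the IPA templates.

        Backs up conf.xml and kasp.xml (once each), renders both from the
        templates in ``ipautil.SHARE_DIR`` and points ``SOFTHSM2_CONF`` in
        the ODS sysconfig file at the IPA SoftHSM configuration.

        Security note: the SoftHSM PIN read from ``paths.DNSSEC_SOFTHSM_PIN``
        is substituted verbatim into conf.xml.  This method sets no mode on
        conf.xml, so the file keeps the mode of a pre-existing file or the
        umask-derived default -- verify the deployment keeps it unreadable
        to other local users.
        """
        for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                          paths.OPENDNSSEC_KASP_FILE):
            if not self.fstore.has_file(conf_path):
                self.fstore.backup_file(conf_path)

        # The PIN is read as-is (including any trailing newline) and handed
        # to the template unchanged.
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template; note this mutates self.conf_file_dict in place
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict["PIN"] = pin

        # "w" already truncates on open, so no explicit seek/truncate is
        # needed; the context manager closes the file even if the write
        # raises (the original leaked the handle on error).
        ods_conf_txt = ipautil.template_file(ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict)
        with open(paths.OPENDNSSEC_CONF_FILE, "w") as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(ipautil.SHARE_DIR + "opendnssec_kasp.template", self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, "w") as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        installutils.set_directive(
            paths.SYSCONFIG_ODS, "SOFTHSM2_CONF", paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator="="
        )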
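    def __configure_http(self):
        """Render the IPA httpd configuration files from their templates.

        Updates the httpd service and WSGI snippets, creates the GSSAPI
        session-key directory if it is missing (mode 0755), then renders
        ``ipa.conf`` and ``ipa-rewrite.conf`` from ``self.sub_dict``,
        backing up any existing target first.  Both targets end up with
        mode 0644.
        """
        self.update_httpd_service_ipa_conf()
        self.update_httpd_wsgi_conf()

        # create /etc/httpd/alias, see https://pagure.io/freeipa/issue/7529
        session_dir = os.path.dirname(self.sub_dict['GSSAPI_SESSION_KEY'])
        if not os.path.isdir(session_dir):
            os.makedirs(session_dir)
            # only a freshly created directory gets its mode set; an
            # existing one is left as found
            os.chmod(session_dir, 0o755)

        for target_fname, template_name in (
                (paths.HTTPD_IPA_CONF, "ipa.conf.template"),
                (paths.HTTPD_IPA_REWRITE_CONF, "ipa-rewrite.conf.template"),
        ):
            http_txt = ipautil.template_file(
                os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
                self.sub_dict)
            self.fstore.backup_file(target_fname)
            # The context manager closes the file even if the write raises
            # (the original leaked the handle on error).  The mode is set on
            # the open descriptor before content is written instead of a
            # chmod afterwards.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)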
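    def __setup_conf_files(self):
        """Render the OpenDNSSEC configuration files from the IPA templates.

        Backs up conf.xml, kasp.xml and zonelist.xml (once each), renders
        conf.xml and kasp.xml, creates the ODS sysconfig file when the
        distribution does not ship one, and points ``SOFTHSM2_CONF`` in it
        at the IPA SoftHSM configuration.

        Security note: the SoftHSM PIN read from ``paths.DNSSEC_SOFTHSM_PIN``
        is substituted verbatim into conf.xml.  No mode is set on conf.xml
        here, so it keeps the mode of a pre-existing file or the
        umask-derived default -- verify the deployment keeps it unreadable
        to other local users.
        """
        for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                          paths.OPENDNSSEC_KASP_FILE,
                          paths.OPENDNSSEC_ZONELIST_FILE):
            if not self.fstore.has_file(conf_path):
                self.fstore.backup_file(conf_path)

        # read as-is (including any trailing newline); the template gets it
        # unchanged
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template; note this mutates self.conf_file_dict in place
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict['PIN'] = pin
        if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
            # OpenDNSSEC 1.4 (ods-ksmutil is present)
            sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
        else:
            # OpenDNSSEC 2.x
            sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'

        # "w" truncates on open, so no explicit seek/truncate is needed; the
        # context manager closes the file even if the write raises (the
        # original leaked the handle on error).
        ods_conf_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
            sub_conf_dict)
        with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        if not os.path.isfile(paths.SYSCONFIG_ODS):
            # create file, it's not shipped on Debian; "a" never truncates
            # and the mode is set on the descriptor directly
            with open(paths.SYSCONFIG_ODS, 'a') as f:
                os.fchmod(f.fileno(), 0o644)

        directivesetter.set_directive(paths.SYSCONFIG_ODS,
                                      'SOFTHSM2_CONF',
                                      paths.DNSSEC_SOFTHSM2_CONF,
                                      quotes=False,
                                      separator='=')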
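    def __configure_http(self):
        """Render ipa.conf and ipa-rewrite.conf for httpd.

        Each file is rendered from its counterpart in ``ipautil.SHARE_DIR``
        with ``self.sub_dict``; the existing target is backed up first and
        the result is written with mode 0644.
        """
        for target_fname, template_name in (
                (paths.HTTPD_IPA_CONF, "ipa.conf"),
                (paths.HTTPD_IPA_REWRITE_CONF, "ipa-rewrite.conf"),
        ):
            http_txt = ipautil.template_file(
                ipautil.SHARE_DIR + template_name, self.sub_dict)
            self.fstore.backup_file(target_fname)
            # The context manager closes the file even if the write raises
            # (the original leaked the handle on error); the mode is set on
            # the open descriptor before any content is written.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)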
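    def __setup_named_conf(self):
        """Render named.conf from the IPA template and apply local tweaks.

        Backs up the original named.conf once, overwrites it with the
        rendered template, installs the custom-config include, turns off
        DNSSEC validation when ``self.no_dnssec_validation`` is set, and
        records the upgrade state so the forward-policy upgrade step is not
        repeated on fresh installs.
        """
        if not self.fstore.has_file(paths.NAMED_CONF):
            self.fstore.backup_file(paths.NAMED_CONF)

        named_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "bind.named.conf.template"),
            self.sub_dict)
        # "w" truncates on open; the context manager closes the file even if
        # the write raises (the original left the handle open on error).
        with open(paths.NAMED_CONF, 'w') as named_fd:
            named_fd.write(named_txt)

        named_add_ext_conf_file(paths.NAMED_CUSTOM_CFG_SRC,
                                paths.NAMED_CUSTOM_CONFIG)

        if self.no_dnssec_validation:
            # disable validation -- this weakens DNS answer integrity for
            # the resolver and is only done when the flag is set
            named_conf_set_directive("dnssec-validation",
                                     "no",
                                     section=NAMED_SECTION_OPTIONS,
                                     str_val=False)

        # prevent repeated upgrade on new installs
        sysupgrade.set_upgrade_state(
            'named.conf', 'forward_policy_conflict_with_empty_zones_handled',
            True)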
 def __write_smb_conf(self):
     """Render smb.conf from the IPA template into ``self.smb_conf``.

     The rendered text replaces whatever the target held; no backup is
     taken and no explicit mode is applied here.
     """
     template_path = os.path.join(
         paths.USR_SHARE_IPA_DIR, "smb.conf.template"
     )
     rendered = ipautil.template_file(template_path, self.sub_dict)
     with open(self.smb_conf, "w") as out:
         out.write(rendered)
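    def __configure_http(self):
        """Render ipa.conf and ipa-rewrite.conf for httpd.

        Each file is rendered from its counterpart in ``ipautil.SHARE_DIR``
        with ``self.sub_dict``; the existing target is backed up first and
        the result is written with mode 0644.
        """
        for target_fname, template_name in (
                (paths.HTTPD_IPA_CONF, "ipa.conf"),
                (paths.HTTPD_IPA_REWRITE_CONF, "ipa-rewrite.conf"),
        ):
            http_txt = ipautil.template_file(
                ipautil.SHARE_DIR + template_name, self.sub_dict)
            self.fstore.backup_file(target_fname)
            # 0o644 is the portable octal spelling (the bare 0644 form is a
            # syntax error on Python 3).  The context manager closes the
            # file even if the write raises, and the mode is set on the open
            # descriptor before content is written.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)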
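    def __configure_http(self):
        """Render ipa.conf and ipa-rewrite.conf under /etc/httpd/conf.d.

        Each file is rendered from its counterpart in ``ipautil.SHARE_DIR``
        with ``self.sub_dict``; the existing target is backed up first and
        the result is written with mode 0644.
        """
        for target_fname, template_name in (
                ('/etc/httpd/conf.d/ipa.conf', "ipa.conf"),
                ('/etc/httpd/conf.d/ipa-rewrite.conf', "ipa-rewrite.conf"),
        ):
            http_txt = ipautil.template_file(
                ipautil.SHARE_DIR + template_name, self.sub_dict)
            self.fstore.backup_file(target_fname)
            # 0o644 is the portable octal spelling (bare 0644 is a syntax
            # error on Python 3).  The context manager closes the file even
            # if the write raises, and the mode is set on the open
            # descriptor before content is written.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)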
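    def _ldap_mod(self,
                  ldif,
                  sub_dict=None,
                  raise_on_err=True,
                  ldap_uri=None,
                  dm_password=None):
        """Apply an LDIF file with ldapmodify.

        :param ldif: LDIF path; a relative name is resolved under
            ``paths.USR_SHARE_IPA_DIR``.
        :param sub_dict: when given, the LDIF is treated as a template,
            rendered with it into a temporary file, and that file is loaded.
            Values under the ``PASSWORD`` / ``RANDOM_PASSWORD`` keys are
            kept out of the command log.
        :param raise_on_err: re-raise ``ipautil.CalledProcessError`` after
            logging it; otherwise the failure is only logged.
        :param ldap_uri: server URI; defaults to the ldap2 backend's URI.
        :param dm_password: Directory Manager password.  When set, simple
            bind is used and the password reaches ldapmodify through a
            temporary file (``-y``) rather than the command line, so it is
            not visible in the process list.  ``NamedTemporaryFile`` creates
            that file owner-readable only and it is removed afterwards.
        """
        pw_name = None
        fd = None
        if not os.path.isabs(ldif):
            path = os.path.join(paths.USR_SHARE_IPA_DIR, ldif)
        else:
            path = ldif
        nologlist = []

        try:
            if sub_dict is not None:
                txt = ipautil.template_file(path, sub_dict)
                fd = ipautil.write_tmp_file(txt)
                path = fd.name

                # do not log passwords
                for key in ('PASSWORD', 'RANDOM_PASSWORD'):
                    if key in sub_dict:
                        nologlist.append(sub_dict[key])

            args = [paths.LDAPMODIFY, "-v", "-f", path]

            # As we always connect to the local host,
            # use URI of admin connection
            if not ldap_uri:
                ldap_uri = api.Backend.ldap2.ldap_uri

            args += ["-H", ldap_uri]

            if dm_password:
                with tempfile.NamedTemporaryFile(mode='w',
                                                 delete=False) as pw_file:
                    pw_file.write(dm_password)
                    pw_name = pw_file.name
                auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
            # Use GSSAPI auth when not using DM password or not being root
            # NOTE(review): this tests the effective *group* id, not the
            # effective uid -- confirm that is the intended notion of "root".
            elif os.getegid() != 0:
                auth_parms = ["-Y", "GSSAPI"]
            # Default to EXTERNAL auth mechanism
            else:
                auth_parms = ["-Y", "EXTERNAL"]

            args += auth_parms

            try:
                ipautil.run(args, nolog=nologlist)
            except ipautil.CalledProcessError as e:
                logger.critical("Failed to load %s: %s", ldif, str(e))
                if raise_on_err:
                    raise
        finally:
            if pw_name:
                os.remove(pw_name)
            # The rendered LDIF is a temporary file from write_tmp_file;
            # closing it releases it (the original never closed it).
            if fd is not None:
                fd.close()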
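 def __setup_named_conf(self):
     """Render named.conf from the IPA template.

     The current named.conf is backed up unconditionally, then replaced by
     the template rendered with ``self.sub_dict``.
     """
     self.fstore.backup_file(NAMED_CONF)
     named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
     # "w" truncates on open, so no seek/truncate is needed; the context
     # manager closes the file even if the write raises (the original left
     # the handle open on error).
     with open(NAMED_CONF, 'w') as named_fd:
         named_fd.write(named_txt)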
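    def __configure_http(self):
        """Render ipa.conf and ipa-rewrite.conf under /etc/httpd/conf.d.

        Each file is rendered from its counterpart in ``ipautil.SHARE_DIR``
        with ``self.sub_dict``; the existing target is backed up first and
        the result is written with mode 0644.
        """
        for target_fname, template_name in (
                ('/etc/httpd/conf.d/ipa.conf', "ipa.conf"),
                ('/etc/httpd/conf.d/ipa-rewrite.conf', "ipa-rewrite.conf"),
        ):
            http_txt = ipautil.template_file(
                ipautil.SHARE_DIR + template_name, self.sub_dict)
            self.fstore.backup_file(target_fname)
            # 0o644 is the portable octal spelling (bare 0644 is a syntax
            # error on Python 3).  The context manager closes the file even
            # if the write raises, and the mode is set on the open
            # descriptor before content is written.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)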
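 def __template_file(self, path, chmod=0o644):
     """Render the template for *path* from the IPA share dir into *path*.

     The template is ``basename(path) + ".template"`` under
     ``ipautil.SHARE_DIR``; the existing file is backed up first.

     :param chmod: mode applied to the written file, or None to leave the
         mode alone.  It is set on the open descriptor before any content
         is written, so the file never briefly carries a wider mode (the
         original chmod'ed only after the write).
     """
     template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
     conf = ipautil.template_file(template, self.sub_dict)
     self.fstore.backup_file(path)
     # context manager closes the file even if the write raises
     with open(path, "w") as fd:
         if chmod is not None:
             os.fchmod(fd.fileno(), chmod)
         fd.write(conf)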
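 def __template_file(self, path, chmod=0o644):
     """Render the template for *path* from the IPA share dir into *path*.

     The template is ``basename(path) + ".template"`` under
     ``ipautil.SHARE_DIR``; the existing file is backed up first.

     :param chmod: mode applied to the written file, or None to leave the
         mode alone.  It is set on the open descriptor before any content
         is written, so the file never briefly carries a wider mode (the
         original chmod'ed only after the write).
     """
     template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
     conf = ipautil.template_file(template, self.sub_dict)
     self.fstore.backup_file(path)
     # context manager closes the file even if the write raises
     with open(path, "w") as fd:
         if chmod is not None:
             os.fchmod(fd.fileno(), chmod)
         fd.write(conf)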
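    def __setup_conf_files(self):
        """Render the OpenDNSSEC configuration files from the IPA templates.

        Backs up conf.xml, kasp.xml and zonelist.xml (once each), renders
        conf.xml and kasp.xml, and points ``SOFTHSM2_CONF`` in the ODS
        sysconfig file at the IPA SoftHSM configuration.

        Security note: the SoftHSM PIN read from ``paths.DNSSEC_SOFTHSM_PIN``
        is substituted verbatim into conf.xml.  No mode is set on conf.xml
        here, so it keeps the mode of a pre-existing file or the
        umask-derived default -- verify the deployment keeps it unreadable
        to other local users.
        """
        for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                          paths.OPENDNSSEC_KASP_FILE,
                          paths.OPENDNSSEC_ZONELIST_FILE):
            if not self.fstore.has_file(conf_path):
                self.fstore.backup_file(conf_path)

        # read as-is (including any trailing newline); the template gets it
        # unchanged
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template; note this mutates self.conf_file_dict in place
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict['PIN'] = pin

        # "w" truncates on open, so no explicit seek/truncate is needed; the
        # context manager closes the file even if the write raises (the
        # original leaked the handle on error).
        ods_conf_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
            sub_conf_dict)
        with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        installutils.set_directive(paths.SYSCONFIG_ODS,
                                   'SOFTHSM2_CONF',
                                   paths.DNSSEC_SOFTHSM2_CONF,
                                   quotes=False,
                                   separator='=')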
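 def create_kdcproxy_conf(self):
     """Create ipa-kdc-proxy.conf in /etc/ipa/kdcproxy

     The template from ``ipautil.SHARE_DIR`` is filled with the kdcproxy
     config path only; the existing target is backed up first and the
     result is written with mode 0644.
     """
     target_fname = paths.HTTPD_IPA_KDCPROXY_CONF
     sub_dict = dict(KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG)
     http_txt = ipautil.template_file(
         ipautil.SHARE_DIR + "ipa-kdc-proxy.conf.template", sub_dict)
     self.fstore.backup_file(target_fname)
     # The mode is set on the open descriptor before content is written
     # rather than chmod'ed afterwards; the end result is still 0644.
     with open(target_fname, 'w') as f:
         os.fchmod(f.fileno(), 0o644)
         f.write(http_txt)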
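 def create_kdcproxy_conf(self):
     """Create ipa-kdc-proxy.conf in /etc/ipa/kdcproxy

     The template from ``ipautil.SHARE_DIR`` is filled with the kdcproxy
     config path only; the existing target is backed up first and the
     result is written with mode 0644.
     """
     target_fname = paths.HTTPD_IPA_KDCPROXY_CONF
     sub_dict = dict(KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG)
     http_txt = ipautil.template_file(
         ipautil.SHARE_DIR + "ipa-kdc-proxy.conf.template", sub_dict)
     self.fstore.backup_file(target_fname)
     # The mode is set on the open descriptor before content is written
     # rather than chmod'ed afterwards; the end result is still 0644.
     with open(target_fname, 'w') as f:
         os.fchmod(f.fileno(), 0o644)
         f.write(http_txt)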
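    def __setup_conf_files(self):
        """Render the OpenDNSSEC configuration files from the IPA templates.

        Backs up conf.xml, kasp.xml and zonelist.xml (once each), renders
        conf.xml and kasp.xml, and points ``SOFTHSM2_CONF`` in the ODS
        sysconfig file at the IPA SoftHSM configuration.

        Security note: the SoftHSM PIN read from ``paths.DNSSEC_SOFTHSM_PIN``
        is substituted verbatim into conf.xml.  No mode is set on conf.xml
        here, so it keeps the mode of a pre-existing file or the
        umask-derived default -- verify the deployment keeps it unreadable
        to other local users.
        """
        for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                          paths.OPENDNSSEC_KASP_FILE,
                          paths.OPENDNSSEC_ZONELIST_FILE):
            if not self.fstore.has_file(conf_path):
                self.fstore.backup_file(conf_path)

        # read as-is (including any trailing newline); the template gets it
        # unchanged
        with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
            pin = pin_fd.read()

        # add pin to template; note this mutates self.conf_file_dict in place
        sub_conf_dict = self.conf_file_dict
        sub_conf_dict['PIN'] = pin

        # "w" truncates on open, so no explicit seek/truncate is needed; the
        # context manager closes the file even if the write raises (the
        # original leaked the handle on error).
        ods_conf_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
            sub_conf_dict)
        with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
            ods_conf_fd.write(ods_conf_txt)

        ods_kasp_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
            self.kasp_file_dict)
        with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
            ods_kasp_fd.write(ods_kasp_txt)

        if not self.fstore.has_file(paths.SYSCONFIG_ODS):
            self.fstore.backup_file(paths.SYSCONFIG_ODS)

        installutils.set_directive(paths.SYSCONFIG_ODS,
                                   'SOFTHSM2_CONF',
                                   paths.DNSSEC_SOFTHSM2_CONF,
                                   quotes=False, separator='=')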
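    def _ldap_mod(self,
                  ldif,
                  sub_dict=None,
                  raise_on_err=True,
                  ldap_uri=None,
                  dm_password=None):
        """Apply an LDIF file from the IPA share directory with ldapmodify.

        :param ldif: LDIF file name, resolved under ``ipautil.SHARE_DIR``.
        :param sub_dict: when given, the LDIF is treated as a template,
            rendered with it into a temporary file, and that file is loaded.
            Values under the ``PASSWORD`` / ``RANDOM_PASSWORD`` keys are
            kept out of the command log.
        :param raise_on_err: re-raise ``ipautil.CalledProcessError`` after
            logging it; otherwise the failure is only logged.
        :param ldap_uri: server URI; defaults to the admin connection's URI.
        :param dm_password: Directory Manager password.  When set, simple
            bind is used and the password reaches ldapmodify through a
            temporary file (``-y``), not the command line, so it is not
            visible in the process list.  ``tempfile.mkstemp`` creates that
            file owner-readable only and it is removed afterwards.
        """
        pw_name = None
        fd = None
        path = ipautil.SHARE_DIR + ldif
        nologlist = []

        try:
            if sub_dict is not None:
                txt = ipautil.template_file(path, sub_dict)
                fd = ipautil.write_tmp_file(txt)
                path = fd.name

                # do not log passwords
                for key in ('PASSWORD', 'RANDOM_PASSWORD'):
                    if key in sub_dict:
                        nologlist.append(sub_dict[key])

            args = [paths.LDAPMODIFY, "-v", "-f", path]

            # As we always connect to the local host,
            # use URI of admin connection
            if not ldap_uri:
                ldap_uri = self.admin_conn.ldap_uri

            args += ["-H", ldap_uri]

            if dm_password:
                pw_fd, pw_name = tempfile.mkstemp()
                try:
                    os.write(pw_fd, dm_password)
                finally:
                    # close even if the write fails; pw_name is already set
                    # so the file is still removed below
                    os.close(pw_fd)
                auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
            # Use GSSAPI auth when not using DM password or not being root
            # NOTE(review): this tests the effective *group* id, not the
            # effective uid -- confirm that is the intended notion of "root".
            elif os.getegid() != 0:
                auth_parms = ["-Y", "GSSAPI"]
            # Default to EXTERNAL auth mechanism
            else:
                auth_parms = ["-Y", "EXTERNAL"]

            args += auth_parms

            try:
                ipautil.run(args, nolog=nologlist)
            except ipautil.CalledProcessError as e:
                root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
                if raise_on_err:
                    raise
        finally:
            if pw_name:
                os.remove(pw_name)
            # The rendered LDIF is a temporary file from write_tmp_file;
            # closing it releases it (the original never closed it).
            if fd is not None:
                fd.close()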
 def http_proxy(self):
     """Render ipa-pki-proxy.conf for httpd.

     The template from ``ipautil.SHARE_DIR`` is filled with the Dogtag AJP
     port, a clone marker (empty when this is a clone, ``#`` otherwise --
     presumably used to comment out clone-only lines) and the host FQDN,
     then written over ``paths.HTTPD_IPA_PKI_PROXY_CONF``.  No backup is
     taken and no mode is set.
     """
     tmpl_path = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
     clone_marker = '' if self.clone else '#'
     substitutions = {
         'DOGTAG_PORT': self.dogtag_constants.AJP_PORT,
         'CLONE': clone_marker,
         'FQDN': self.fqdn,
     }
     rendered = ipautil.template_file(tmpl_path, substitutions)
     with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as out:
         out.write(rendered)
 def http_proxy(self):
     """Render ipa-pki-proxy.conf for httpd.

     The template from ``ipautil.SHARE_DIR`` is filled with the fixed AJP
     port 8009, a clone marker (empty when this is a clone, ``#``
     otherwise -- presumably used to comment out clone-only lines) and the
     host FQDN, then written over ``paths.HTTPD_IPA_PKI_PROXY_CONF``.  No
     backup is taken and no mode is set.
     """
     tmpl_path = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
     clone_marker = '' if self.clone else '#'
     substitutions = {
         'DOGTAG_PORT': 8009,
         'CLONE': clone_marker,
         'FQDN': self.fqdn,
     }
     rendered = ipautil.template_file(tmpl_path, substitutions)
     with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as out:
         out.write(rendered)
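    def __configure_http(self):
        """Render the IPA httpd configuration files from their templates.

        Updates the httpd service snippet, then renders ``ipa.conf`` and
        ``ipa-rewrite.conf`` from ``self.sub_dict`` into their target
        paths, backing up any existing target first.  Both targets end up
        with mode 0644.
        """
        self.update_httpd_service_ipa_conf()

        for target_fname, template_name in (
                (paths.HTTPD_IPA_CONF, "ipa.conf"),
                (paths.HTTPD_IPA_REWRITE_CONF, "ipa-rewrite.conf"),
        ):
            http_txt = ipautil.template_file(
                os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
                self.sub_dict)
            self.fstore.backup_file(target_fname)
            # The context manager closes the file even if the write raises
            # (the original leaked the handle on error); the mode is set on
            # the open descriptor before content is written instead of a
            # chmod afterwards.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)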
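 def __config_file(self):
     """Render the ipa-custodia configuration file.

     The template is ``basename(self.config_file) + ".template"`` under
     ``ipautil.SHARE_DIR``; it is filled with the custodia conf dir,
     socket and audit-log paths and the LDAPI URI for ``self.realm`` and
     written over ``self.config_file``.  No backup and no mode change.
     """
     template_file = os.path.basename(self.config_file) + '.template'
     template = os.path.join(ipautil.SHARE_DIR, template_file)
     sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
                     IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
                     IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
                     LDAP_URI=installutils.realm_to_ldapi_uri(self.realm))
     conf = ipautil.template_file(template, sub_dict)
     # "w" truncates just as "w+" did for writing; the context manager
     # flushes and closes the file even if the write raises (the original
     # left the handle open on error).
     with open(self.config_file, "w") as fd:
         fd.write(conf)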
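    def __configure_http(self):
        """Render the IPA httpd configuration files from their templates.

        Updates the httpd service snippet, then renders ``ipa.conf`` and
        ``ipa-rewrite.conf`` from ``self.sub_dict`` into their target
        paths, backing up any existing target first.  Both targets end up
        with mode 0644.
        """
        self.update_httpd_service_ipa_conf()

        for target_fname, template_name in (
                (paths.HTTPD_IPA_CONF, "ipa.conf"),
                (paths.HTTPD_IPA_REWRITE_CONF, "ipa-rewrite.conf"),
        ):
            http_txt = ipautil.template_file(
                os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
                self.sub_dict)
            self.fstore.backup_file(target_fname)
            # The context manager closes the file even if the write raises
            # (the original leaked the handle on error); the mode is set on
            # the open descriptor before content is written instead of a
            # chmod afterwards.
            with open(target_fname, "w") as http_fd:
                os.fchmod(http_fd.fileno(), 0o644)
                http_fd.write(http_txt)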
    def __write_smb_registry(self):
        """Import the IPA Samba settings into the Samba registry.

        smb.conf is touched first so that a file exists for ``net conf
        import`` (workaround for
        https://fedorahosted.org/freeipa/ticket/5687).  The rendered
        template is staged in a NamedTemporaryFile -- created by mkstemp
        with owner-only mode and deleted when the block exits -- and
        imported from there.
        """
        # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
        # We make sure that paths.SMB_CONF file exists, hence touch it
        with open(paths.SMB_CONF, 'a'):
            os.utime(paths.SMB_CONF, None)

        template_path = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template")
        rendered = ipautil.template_file(template_path, self.sub_dict)
        with tempfile.NamedTemporaryFile(mode='w') as registry_src:
            registry_src.write(rendered)
            # make the buffered content visible to the child process
            registry_src.flush()
            ipautil.run([paths.NET, "conf", "import", registry_src.name])
 def http_proxy(self):
     """Render ipa-pki-proxy.conf for httpd.

     The template from the IPA share directory is filled with the fixed
     AJP port 8009, a clone marker (empty when this is a clone, ``#``
     otherwise -- presumably used to comment out clone-only lines) and the
     host FQDN, then written over ``paths.HTTPD_IPA_PKI_PROXY_CONF``.  No
     backup is taken and no mode is set.
     """
     tmpl_path = os.path.join(paths.USR_SHARE_IPA_DIR,
                              "ipa-pki-proxy.conf.template")
     clone_marker = '' if self.clone else '#'
     substitutions = {
         'DOGTAG_PORT': 8009,
         'CLONE': clone_marker,
         'FQDN': self.fqdn,
     }
     rendered = ipautil.template_file(tmpl_path, substitutions)
     with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as out:
         out.write(rendered)
 def __template_file(self, path, chmod=0o644, client_template=False):
     """Render *path* from its ``.template`` counterpart in the share dir.

     :param path: destination file; backed up via ``self.fstore`` first.
     :param chmod: mode set on the open descriptor before anything is
         written, or None to leave the mode untouched.
     :param client_template: look the template up under the client share
         directory instead of the server one.
     """
     share_dir = (paths.USR_SHARE_IPA_CLIENT_DIR if client_template
                  else paths.USR_SHARE_IPA_DIR)
     template_name = os.path.basename(path) + ".template"
     rendered = ipautil.template_file(
         os.path.join(share_dir, template_name), self.sub_dict)
     self.fstore.backup_file(path)
     with open(path, 'w') as out:
         if chmod is not None:
             # applied before any content lands in the file
             os.fchmod(out.fileno(), chmod)
         out.write(rendered)
    def __write_smb_registry(self):
        """Import the IPA Samba settings into the Samba registry.

        smb.conf is touched first so that a file exists for ``net conf
        import`` (workaround for
        https://fedorahosted.org/freeipa/ticket/5687).  The rendered
        template is staged in a NamedTemporaryFile -- created by mkstemp
        with owner-only mode and deleted when the block exits -- and
        imported from there.
        """
        # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
        # We make sure that paths.SMB_CONF file exists, hence touch it
        with open(paths.SMB_CONF, 'a'):
            os.utime(paths.SMB_CONF, None)

        template_path = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template")
        rendered = ipautil.template_file(template_path, self.sub_dict)
        with tempfile.NamedTemporaryFile(mode='w') as registry_src:
            registry_src.write(rendered)
            # make the buffered content visible to the child process
            registry_src.flush()
            ipautil.run([paths.NET, "conf", "import", registry_src.name])
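    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
        """Apply an LDIF file from the IPA share directory with ldapmodify.

        :param ldif: LDIF file name, resolved under ``ipautil.SHARE_DIR``.
        :param sub_dict: when given, the LDIF is treated as a template,
            rendered with it into a temporary file, and that file is loaded.
            Values under the ``PASSWORD`` / ``RANDOM_PASSWORD`` keys are
            kept out of the command log.
        :param raise_on_err: re-raise ``ipautil.CalledProcessError``
            immediately (without logging); otherwise the failure is only
            logged.

        Authentication: when ``self.dm_password`` is set, simple bind as
        Directory Manager is used and the password reaches ldapmodify via
        a temporary file (``-y``), never the command line, so it is not
        visible in the process list; ``tempfile.mkstemp`` creates that file
        owner-readable only and it is removed afterwards.  Otherwise GSSAPI
        (non-root) or EXTERNAL is used.
        """
        pw_name = None
        fd = None
        path = ipautil.SHARE_DIR + ldif
        nologlist = []

        try:
            if sub_dict is not None:
                txt = ipautil.template_file(path, sub_dict)
                fd = ipautil.write_tmp_file(txt)
                path = fd.name

                # do not log passwords
                for key in ('PASSWORD', 'RANDOM_PASSWORD'):
                    if key in sub_dict:
                        nologlist.append(sub_dict[key])

            args = [paths.LDAPMODIFY, "-v", "-f", path]

            # As we always connect to the local host,
            # use URI of admin connection
            if not self.admin_conn:
                self.ldap_connect()
            args += ["-H", self.admin_conn.ldap_uri]

            # If DM password is available, use it
            if self.dm_password:
                pw_fd, pw_name = tempfile.mkstemp()
                try:
                    os.write(pw_fd, self.dm_password)
                finally:
                    # close even if the write fails; pw_name is already set
                    # so the file is still removed below
                    os.close(pw_fd)
                auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
            # Use GSSAPI auth when not using DM password or not being root
            # NOTE(review): this tests the effective *group* id, not the
            # effective uid -- confirm that is the intended notion of "root".
            elif os.getegid() != 0:
                auth_parms = ["-Y", "GSSAPI"]
            # Default to EXTERNAL auth mechanism
            else:
                auth_parms = ["-Y", "EXTERNAL"]

            args += auth_parms

            try:
                ipautil.run(args, nolog=nologlist)
            except ipautil.CalledProcessError as e:
                if raise_on_err:
                    raise
                root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
        finally:
            if pw_name:
                os.remove(pw_name)
            # The rendered LDIF is a temporary file from write_tmp_file;
            # close it on every path (the original only closed it after a
            # successful run, leaking it when raise_on_err re-raised).
            if fd is not None:
                fd.close()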
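    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
                  ldap_uri=None, dm_password=None):
        """Apply an LDIF file from the IPA share directory with ldapmodify.

        :param ldif: LDIF file name, resolved under
            ``paths.USR_SHARE_IPA_DIR``.
        :param sub_dict: when given, the LDIF is treated as a template,
            rendered with it into a temporary file, and that file is loaded.
            Values under the ``PASSWORD`` / ``RANDOM_PASSWORD`` keys are
            kept out of the command log.
        :param raise_on_err: re-raise ``ipautil.CalledProcessError`` after
            logging it; otherwise the failure is only logged.
        :param ldap_uri: server URI; defaults to the ldap2 backend's URI.
        :param dm_password: Directory Manager password.  When set, simple
            bind is used and the password reaches ldapmodify through a
            temporary file (``-y``) rather than the command line, so it is
            not visible in the process list.  ``NamedTemporaryFile`` creates
            that file owner-readable only and it is removed afterwards.
        """
        pw_name = None
        fd = None
        path = os.path.join(paths.USR_SHARE_IPA_DIR, ldif)
        nologlist = []

        try:
            if sub_dict is not None:
                txt = ipautil.template_file(path, sub_dict)
                fd = ipautil.write_tmp_file(txt)
                path = fd.name

                # do not log passwords
                for key in ('PASSWORD', 'RANDOM_PASSWORD'):
                    if key in sub_dict:
                        nologlist.append(sub_dict[key])

            args = [paths.LDAPMODIFY, "-v", "-f", path]

            # As we always connect to the local host,
            # use URI of admin connection
            if not ldap_uri:
                ldap_uri = api.Backend.ldap2.ldap_uri

            args += ["-H", ldap_uri]

            if dm_password:
                with tempfile.NamedTemporaryFile(
                        mode='w', delete=False) as pw_file:
                    pw_file.write(dm_password)
                    pw_name = pw_file.name
                auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
            # Use GSSAPI auth when not using DM password or not being root
            # NOTE(review): this tests the effective *group* id, not the
            # effective uid -- confirm that is the intended notion of "root".
            elif os.getegid() != 0:
                auth_parms = ["-Y", "GSSAPI"]
            # Default to EXTERNAL auth mechanism
            else:
                auth_parms = ["-Y", "EXTERNAL"]

            args += auth_parms

            try:
                ipautil.run(args, nolog=nologlist)
            except ipautil.CalledProcessError as e:
                root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
                if raise_on_err:
                    raise
        finally:
            if pw_name:
                os.remove(pw_name)
            # The rendered LDIF is a temporary file from write_tmp_file;
            # closing it releases it (the original never closed it).
            if fd is not None:
                fd.close()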
    def __write_smb_registry(self):
        """Import the rendered smb.conf template into the Samba registry.

        The template is rendered to a mkstemp file (created owner-readable
        only), handed to ``net conf import`` and removed afterwards whether
        or not the import succeeds.
        """
        template_path = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
        rendered = ipautil.template_file(template_path, self.sub_dict)
        tmp_fd, tmp_name = tempfile.mkstemp()
        os.write(tmp_fd, rendered)
        os.close(tmp_fd)

        try:
            ipautil.run([paths.NET, "conf", "import", tmp_name])
        finally:
            os.remove(tmp_name)
 def __template_file(self, path, chmod=0o644, client_template=False):
     """Render *path* from its ``.template`` counterpart in the share dir.

     :param path: destination file; backed up via ``self.fstore`` first.
     :param chmod: mode set on the open descriptor before anything is
         written, or None to leave the mode untouched.
     :param client_template: look the template up under the client share
         directory instead of the server one.
     """
     share_dir = (paths.USR_SHARE_IPA_CLIENT_DIR if client_template
                  else paths.USR_SHARE_IPA_DIR)
     template_name = os.path.basename(path) + ".template"
     rendered = ipautil.template_file(
         os.path.join(share_dir, template_name), self.sub_dict)
     self.fstore.backup_file(path)
     with open(path, 'w') as out:
         if chmod is not None:
             # applied before any content lands in the file
             os.fchmod(out.fileno(), chmod)
         out.write(rendered)
    def __write_smb_registry(self):
        """Import IPA specific config into Samba registry

        Configuration is imported after __write_smb_conf() has modified
        smb.conf to include registry.  The rendered registry template is
        staged in a NamedTemporaryFile (created by mkstemp with owner-only
        mode, deleted when the block exits) and imported from there.
        """
        template_path = os.path.join(paths.USR_SHARE_IPA_DIR,
                                     "smb.conf.registry.template")
        rendered = ipautil.template_file(template_path, self.sub_dict)
        with tempfile.NamedTemporaryFile(mode='w') as registry_src:
            registry_src.write(rendered)
            # make the buffered content visible to the child process
            registry_src.flush()
            ipautil.run([paths.NET, "conf", "import", registry_src.name])
    def __write_smb_registry(self):
        """Import the rendered smb.conf template into the Samba registry.

        The template is rendered to a mkstemp file (created owner-readable
        only), handed to ``net conf import`` and removed afterwards whether
        or not the import succeeds.
        """
        template_path = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
        rendered = ipautil.template_file(template_path, self.sub_dict)
        tmp_fd, tmp_name = tempfile.mkstemp()
        os.write(tmp_fd, rendered)
        os.close(tmp_fd)

        try:
            ipautil.run([paths.NET, "conf", "import", tmp_name])
        finally:
            os.remove(tmp_name)
    def configure_and_start_sssd(self):
        """Emit the shell commands that install sssd.conf and start SSSD.

        The config is rendered from the legacy advice template with the
        LDAP URI and base from ``self.get_uri_and_base()`` and emitted as a
        heredoc into the advice log, followed by a chmod and a service
        start.

        Two properties of the generated script worth knowing: the file is
        written first and chmod'ed to 0600 only afterwards, so it briefly
        carries the umask-derived mode (acceptable only while the rendered
        template holds nothing secret -- it is filled from URI and BASE
        only); and the heredoc terminator is unquoted, so ``$`` and
        backtick sequences in the rendered text would be expanded by the
        shell at run time.
        """
        uri, base = self.get_uri_and_base()
        template = os.path.join(paths.USR_SHARE_IPA_DIR, 'advise', 'legacy',
                                'sssd.conf.template')
        sssd_conf = template_file(template, {'URI': uri, 'BASE': base})

        self.log.comment('Configure SSSD')
        heredoc = 'cat > /etc/sssd/sssd.conf << EOF \n%s\nEOF' % sssd_conf
        self.log.command(heredoc)
        self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')

        self.log.comment('Start SSSD')
        self.log.command('service sssd start')
 def __config_file(self):
     """Render the ipa-custodia configuration file and fsync it.

     Fills the ``.template`` counterpart of ``self.config_file`` (looked up
     in the IPA share dir) with the custodia paths, the LDAPI URI for
     ``self.realm`` and the httpd user's uid/gid, writes it over
     ``self.config_file`` and forces it to disk via ``ipautil.flush_sync``.
     No backup is taken and no mode is set.
     """
     tmpl_name = os.path.basename(self.config_file) + '.template'
     tmpl_path = os.path.join(paths.USR_SHARE_IPA_DIR, tmpl_name)
     substitutions = {
         'IPA_CUSTODIA_CONF_DIR': paths.IPA_CUSTODIA_CONF_DIR,
         'IPA_CUSTODIA_KEYS': paths.IPA_CUSTODIA_KEYS,
         'IPA_CUSTODIA_SOCKET': paths.IPA_CUSTODIA_SOCKET,
         'IPA_CUSTODIA_AUDIT_LOG': paths.IPA_CUSTODIA_AUDIT_LOG,
         'LDAP_URI': ipaldap.realm_to_ldapi_uri(self.realm),
         'UID': constants.HTTPD_USER.uid,
         'GID': constants.HTTPD_USER.pgid,
     }
     rendered = ipautil.template_file(tmpl_path, substitutions)
     with open(self.config_file, "w") as out:
         out.write(rendered)
         ipautil.flush_sync(out)
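 def __config_file(self):
     """Render the custodia config template into self.config_file.

     The template is looked up under USR_SHARE_IPA_DIR as
     ``<basename of config_file>.template``. The file is written inside a
     ``with`` block so the handle is closed even if the write raises
     (the original leaked it on that path).
     """
     template_file = os.path.basename(self.config_file) + '.template'
     template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
     httpd_info = pwd.getpwnam(constants.HTTPD_USER)
     sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
                     IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
                     IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
                     LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
                     UID=httpd_info.pw_uid, GID=httpd_info.pw_gid)
     conf = ipautil.template_file(template, sub_dict)
     # "w" truncates exactly like the original "w+"; reading was never used
     with open(self.config_file, "w") as fd:
         fd.write(conf)
         fd.flush()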
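 def __config_file(self):
     """Render the custodia config template into self.config_file.

     The template is looked up under USR_SHARE_IPA_DIR as
     ``<basename of config_file>.template``. The file is written inside a
     ``with`` block so the handle is closed even if the write raises
     (the original leaked it on that path).
     """
     template_file = os.path.basename(self.config_file) + '.template'
     template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
     httpd_info = pwd.getpwnam(constants.HTTPD_USER)
     sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
                     IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
                     IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
                     LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
                     UID=httpd_info.pw_uid,
                     GID=httpd_info.pw_gid)
     conf = ipautil.template_file(template, sub_dict)
     # "w" truncates exactly like the original "w+"; reading was never used
     with open(self.config_file, "w") as fd:
         fd.write(conf)
         fd.flush()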
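    def __setup_named_conf(self):
        """Render bind.named.conf.template over NAMED_CONF.

        The pre-existing named.conf is saved to the file store the first
        time this runs; later runs overwrite it unconditionally. When
        ``self.no_dnssec_validation`` is set, ``dnssec-validation no`` is
        then written into the options section.
        """
        if not self.fstore.has_file(NAMED_CONF):
            self.fstore.backup_file(NAMED_CONF)

        named_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
        # mode 'w' already truncates; the context manager closes the file
        # even if the write raises (the original leaked the handle then)
        with open(NAMED_CONF, 'w') as named_fd:
            named_fd.write(named_txt)

        if self.no_dnssec_validation:
            # disable validation
            named_conf_set_directive("dnssec-validation", "no",
                                     section=NAMED_SECTION_OPTIONS,
                                     str_val=False)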
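 def http_proxy(self):
     """Update the http proxy file.

     Renders ipa-pki-proxy.conf.template into HTTPD_IPA_PKI_PROXY_CONF.
     The rendered file can carry the AJP secret (``secret=...``), so the
     0640 mode is applied on the open fd *before* any content is written:
     the original chmod'ed after the write, which left a freshly created
     file readable under the default umask while it already held the
     secret.
     """
     template_filename = os.path.join(paths.USR_SHARE_IPA_DIR,
                                      "ipa-pki-proxy.conf.template")
     sub_dict = dict(
         DOGTAG_PORT=8009,
         # '#' presumably comments the clone-only lines out of the template
         CLONE='' if self.clone else '#',
         FQDN=self.fqdn,
         DOGTAG_AJP_SECRET='',
     )
     if self.ajp_secret:
         sub_dict['DOGTAG_AJP_SECRET'] = "secret={}".format(self.ajp_secret)
     template = ipautil.template_file(template_filename, sub_dict)
     with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
         os.fchmod(fd.fileno(), 0o640)
         fd.write(template)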
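    def __setup_named_conf(self):
        """Render bind.named.conf.template over NAMED_CONF.

        The pre-existing named.conf is saved to the file store the first
        time this runs; later runs overwrite it unconditionally. When
        ``self.no_dnssec_validation`` is set, ``dnssec-validation no`` is
        then written into the options section.
        """
        if not self.fstore.has_file(NAMED_CONF):
            self.fstore.backup_file(NAMED_CONF)

        named_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
        # mode 'w' already truncates; the context manager closes the file
        # even if the write raises (the original leaked the handle then)
        with open(NAMED_CONF, 'w') as named_fd:
            named_fd.write(named_txt)

        if self.no_dnssec_validation:
            # disable validation
            named_conf_set_directive("dnssec-validation", "no",
                                     section=NAMED_SECTION_OPTIONS,
                                     str_val=False)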
    def configure_and_start_sssd(self):
        """Emit the shell commands that write sssd.conf and start SSSD.

        The config is rendered from the legacy advice template with the
        LDAP URI and base DN returned by get_uri_and_base(), written out
        through a here-document, locked down to 0600 and SSSD is started.
        """
        ldap_uri, base_dn = self.get_uri_and_base()
        template_path = os.path.join(
            SHARE_DIR, 'advise', 'legacy', 'sssd.conf.template'
        )
        rendered = template_file(template_path,
                                 dict(URI=ldap_uri, BASE=base_dn))

        self.log.comment('Configure SSSD')
        # NOTE(review): the file is created under the caller's umask and
        # only chmod'ed afterwards, and the heredoc delimiter is unquoted,
        # so the shell expands $... and backticks in the rendered config.
        # Left as-is here to keep the emitted script byte-identical.
        heredoc = 'cat > /etc/sssd/sssd.conf << EOF \n%s\nEOF' % rendered
        self.log.command(heredoc)
        self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')

        self.log.comment('Start SSSD')
        self.log.command('service sssd start')
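def named_add_ext_conf_file(src, dest, t_params=None):
    """
    Ensure included file is present, but don't override it.

    :param src: String. Absolute path to source template
    :param dest: String. Absolute path to destination
    :param t_params: Dict. Parameters for source template (default: none)
    :returns: True if ``dest`` was created, False if it already existed
    """
    # A mutable default ({}) is shared across calls; build a fresh one.
    if t_params is None:
        t_params = {}
    if os.path.exists(dest):
        return False

    ipa_ext_txt = ipautil.template_file(src, t_params)
    gid = pwd.getpwnam(constants.NAMED_USER).pw_gid

    with open(dest, 'w') as ipa_ext:
        # root:named 0640 is applied on the fd before any content lands
        os.fchmod(ipa_ext.fileno(), 0o640)
        os.fchown(ipa_ext.fileno(), 0, gid)
        ipa_ext.write(ipa_ext_txt)
    return True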
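    def __write_smb_registry(self):
        """Render smb.conf.template and import it into the Samba registry.

        The rendered config is handed to ``net conf import`` through a
        private temporary file (mkstemp creates it 0600), which is removed
        afterwards whether or not the import succeeds. The original left
        the raw fd open and the temp file behind if the write itself failed.
        """
        template = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template")
        conf = ipautil.template_file(template, self.sub_dict)
        tmp_fd, tmp_name = tempfile.mkstemp()
        try:
            # wrap the raw fd so a failed write still closes it and the
            # finally below still removes the file
            with os.fdopen(tmp_fd, "w") as tmp_conf:
                tmp_conf.write(conf)

            # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
            # We make sure that paths.SMB_CONF file exists, hence touch it
            with open(paths.SMB_CONF, 'a'):
                os.utime(paths.SMB_CONF, None)

            ipautil.run([paths.NET, "conf", "import", tmp_name])
        finally:
            os.remove(tmp_name)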
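    def __write_smb_registry(self):
        """Render smb.conf.template and import it into the Samba registry.

        The rendered config is handed to ``net conf import`` through a
        private temporary file (mkstemp creates it 0600), which is removed
        afterwards whether or not the import succeeds. The original left
        the raw fd open and the temp file behind if the write itself failed.
        """
        template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
        conf = ipautil.template_file(template, self.sub_dict)
        tmp_fd, tmp_name = tempfile.mkstemp()
        try:
            # wrap the raw fd so a failed write still closes it and the
            # finally below still removes the file
            with os.fdopen(tmp_fd, "w") as tmp_conf:
                tmp_conf.write(conf)

            # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
            # We make sure that paths.SMB_CONF file exists, hence touch it
            with open(paths.SMB_CONF, 'a'):
                os.utime(paths.SMB_CONF, None)

            ipautil.run([paths.NET, "conf", "import", tmp_name])
        finally:
            os.remove(tmp_name)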
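    def __setup_named_conf(self):
        """Render bind.named.conf.template over NAMED_CONF.

        The pre-existing named.conf is saved to the file store the first
        time this runs; later runs overwrite it unconditionally. When
        ``self.no_dnssec_validation`` is set, ``dnssec-validation no`` is
        then written into the options section. Finally the
        forward-policy/empty-zones upgrade step is marked as handled so a
        fresh install is not migrated again.
        """
        if not self.fstore.has_file(NAMED_CONF):
            self.fstore.backup_file(NAMED_CONF)

        named_txt = ipautil.template_file(
            ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
        # mode 'w' already truncates; the context manager closes the file
        # even if the write raises (the original leaked the handle then)
        with open(NAMED_CONF, 'w') as named_fd:
            named_fd.write(named_txt)

        if self.no_dnssec_validation:
            # disable validation
            named_conf_set_directive("dnssec-validation", "no",
                                     section=NAMED_SECTION_OPTIONS,
                                     str_val=False)

        # prevent repeated upgrade on new installs
        sysupgrade.set_upgrade_state(
            'named.conf',
            'forward_policy_conflict_with_empty_zones_handled', True
        )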
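    def __write_smb_registry(self):
        """Import IPA specific config into Samba registry

        Configuration is imported after __write_smb_conf() has modified
        smb.conf to include registry.

        Older Samba exits with 255 when it does not know the IPA DC server
        role; in that case the import is retried once with
        ``SERVER_ROLE_OLD`` and the upgrade code switches the role later.
        Any other failure, or a second 255 after the fallback, is re-raised
        instead of being silently dropped as the original did.
        """
        template = os.path.join(
            paths.USR_SHARE_IPA_DIR, "smb.conf.registry.template"
        )
        conf = ipautil.template_file(template, self.sub_dict)
        with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
            tmp_conf.write(conf)
            tmp_conf.flush()
            try:
                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
            except ipautil.CalledProcessError as e:
                # Retry only when we are not already on the old role, so a
                # persistent 255 cannot recurse forever.
                if (e.returncode == 255
                        and self.sub_dict.get('SERVER_ROLE')
                        != self.SERVER_ROLE_OLD):
                    # We have old Samba that doesn't support IPA DC server role
                    # re-try again with the older variant, upgrade code will
                    # take care to change the role later when Samba is upgraded
                    # as well.
                    self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
                    self.__write_smb_registry()
                else:
                    raise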
    def setup_named_openssl_conf(self):
        """Write the OpenSSL config BIND uses with its PKCS#11 engine.

        Nothing is done unless constants.NAMED_OPENSSL_ENGINE is set. The
        config is needed because the FreeIPA installation disables the
        p11-kit-proxy PKCS11 module. The crypto-policy variant of the
        template is used when a policy OpenSSL config file path is known.
        The output is root:named 0640, locked down on the fd before any
        content is written.
        """
        if constants.NAMED_OPENSSL_ENGINE is None:
            return

        logger.debug("Setup OpenSSL config for BIND")
        substitutions = {
            'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
            'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
            'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
        }
        has_policy_file = paths.CRYPTO_POLICY_OPENSSLCNF_FILE is not None
        template_name = (
            "bind.openssl.cryptopolicy.cnf.template" if has_policy_file
            else "bind.openssl.cnf.template"
        )
        rendered = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
            substitutions)
        with open(paths.DNSSEC_OPENSSL_CONF, 'w') as out:
            os.fchmod(out.fileno(), 0o640)
            os.fchown(out.fileno(), 0, gid=constants.NAMED_GROUP.gid)
            out.write(rendered)
 def create_sample_bind_zone(self):
     """Render bind.zone.db.template into a new temp file and print its path."""
     zone_txt = ipautil.template_file(
         ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
     zone_fd, zone_path = tempfile.mkstemp(".db", "sample.zone.")
     os.write(zone_fd, zone_txt)
     os.close(zone_fd)
     print("Sample zone file for bind has been created in " + zone_path)
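    def create_kdc_cert(self, nickname, hostname, destdir):
        """Create a new certificate with the special othername encoding needed
           by a KDC certificate.

           nickname: the CN name set in the certificate
           hostname: exported to openssl as HOST_FQDN for the extensions file
           destdir: the location where cert and key are to be installed

           destdir will contain kdc.pem if the operation is successful.
           kdc.pem holds the private key, so it is created 0600 (the
           original wrote it under the default umask). The intermediate
           kdckey.pem / kdccert.pem files are removed even when a later
           step fails, so no bare private key is left behind.
        """

        def _write_private(path, content):
            # Create 0600 and re-chmod, since O_CREAT's mode does not apply
            # to a file that already exists with looser permissions.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as f:
                os.fchmod(fd, 0o600)
                f.write(content)

        # NOTE(review): reqcfg, cacert.pem and kdc.req are relative paths;
        # presumably setup_cert_request() chdirs into self.reqdir -- confirm.
        reqcfg = "kdc_req.conf"
        extcfg = ipautil.SHARE_DIR + "kdc_extensions.template"
        key_fname = destdir + "/kdckey.pem"
        cert_fname = destdir + "/kdccert.pem"
        key_cert_fname = destdir + "/kdc.pem"

        # Setup the temp dir
        self.setup_cert_request()

        # Copy the CA password file because openssl apparently can't use
        # the same file twice within the same command and throws an error
        ca_pwd_file = self.reqdir + "pwdfile.txt"
        shutil.copyfile(self.passwd_fname, ca_pwd_file)

        # Extract the cacert.pem file used by openssl to sign the certs
        ipautil.run(["/usr/bin/openssl", "pkcs12",
                     "-in", self.pk12_fname,
                     "-passin", "file:" + self.passwd_fname,
                     "-passout", "file:" + ca_pwd_file,
                     "-out", "cacert.pem"])

        try:
            # Create the kdc key
            ipautil.run(["/usr/bin/openssl", "genrsa",
                         "-out", key_fname, "2048"])

            # Prepare a simple cert request. The request config carries a
            # generated password, so it is written 0600 as well.
            req_dict = dict(PASSWORD=self.gen_password(),
                            SUBJBASE=self.subject_base,
                            CERTNAME=DN(('CN', nickname)))
            req_template = ipautil.SHARE_DIR + reqcfg + ".template"
            conf = ipautil.template_file(req_template, req_dict)
            _write_private(reqcfg, conf)

            base = str(self.subject_base).replace(",", "/")
            esc_subject = DN(('CN', '%s/%s' % (nickname, base)))

            ipautil.run(["/usr/bin/openssl", "req", "-new",
                         "-config", reqcfg,
                         "-subj", str(esc_subject),
                         "-key", key_fname,
                         "-out", "kdc.req"])

            # Finally, sign the cert using the extensions file to set the
            # special name
            ipautil.run(["/usr/bin/openssl", "x509", "-req",
                         "-CA", "cacert.pem",
                         "-extfile", extcfg,
                         "-extensions", "kdc_cert",
                         "-passin", "file:" + ca_pwd_file,
                         "-set_serial", next_serial(),
                         "-in", "kdc.req",
                         "-out", cert_fname],
                        env={'REALM': self.realm, 'HOST_FQDN': hostname})

            # Merge key and cert in a single file
            with open(key_fname, "r") as fd:
                key = fd.read()
            with open(cert_fname, "r") as fd:
                cert = fd.read()
            _write_private(key_cert_fname, key + cert)
        finally:
            for fname in (key_fname, cert_fname):
                if os.path.exists(fname):
                    os.unlink(fname)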
 def create_sample_bind_zone(self):
     """Render bind.zone.db.template into a new temp file and print its path."""
     zone_txt = ipautil.template_file(
         ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
     zone_fd, zone_path = tempfile.mkstemp(".db", "sample.zone.")
     os.write(zone_fd, zone_txt)
     os.close(zone_fd)
     print("Sample zone file for bind has been created in " + zone_path)
        for filename in self.files:
            if not os.path.exists(filename):
                raise admintool.ScriptError("%s: file not found" % filename)

        if os.getegid() == 0:
            try:
                installutils.check_server_configuration()
            except RuntimeError, e:
                print unicode(e)
                sys.exit(1)
        elif not os.path.exists('/etc/ipa/default.conf'):
            print "IPA is not configured on this system."
            sys.exit(1)

        if options.password:
            pw = ipautil.template_file(options.password, [])
            self.dirman_password = pw.strip()
        else:
            self.dirman_password = None

    def setup_logging(self):
        """Set up file and console logging for this tool.

        The log file named by ``self.log_file_name`` is opened in append
        mode; debug output follows ``self.options.debug``. The final
        get_logger(self, True) call presumably attaches a logger to this
        object (project helper, not visible here).
        """
        console_fmt = '%(levelname)s: %(message)s'
        ipa_log_manager.standard_logging_setup(
            self.log_file_name,
            console_format=console_fmt,
            debug=self.options.debug,
            filemode='a',
        )
        ipa_log_manager.log_mgr.get_logger(self, True)

    def run(self):
        super(LDAPUpdater, self).run()

        api.bootstrap(
                in_server=True,
    def setup_named_conf(self, backup=False):
        """Create, update, or migrate named configuration files

        The method is used by installer and upgrade process. The named.conf
        is backed up the first time and overwritten every time. The user
        specific config files are created once and not modified in subsequent
        calls.

        The "dnssec-validation" option is migrated

        :param backup: copy named.conf to NAMED_CONF_BAK before the first
            overwrite; a warning is logged when that backup already exists
        :returns: True if any config file was modified, else False
        """
        # files are owned by root:named and are readable by user and group
        owner_uid = 0
        owner_gid = constants.NAMED_GROUP.gid
        mode = 0o640

        def write_locked_down(path, text):
            # ownership and mode are fixed on the open fd before any
            # content lands in the file
            with open(path, "w") as f:
                os.fchmod(f.fileno(), mode)
                os.fchown(f.fileno(), owner_uid, owner_gid)
                f.write(text)

        changed = False

        if not self.fstore.has_file(paths.NAMED_CONF):
            self.fstore.backup_file(paths.NAMED_CONF)

        # named.conf: regenerated and compared with what is on disk
        new_txt = ipautil.template_file(paths.NAMED_CONF_SRC, self.sub_dict)
        with open(paths.NAMED_CONF) as f:
            current_txt = f.read()

        if new_txt != current_txt:
            if backup:
                if os.path.isfile(paths.NAMED_CONF_BAK):
                    logger.warning(
                        "backup %s already exists", paths.NAMED_CONF_BAK
                    )
                else:
                    shutil.copyfile(paths.NAMED_CONF, paths.NAMED_CONF_BAK)
                    logger.info("created backup %s", paths.NAMED_CONF_BAK)

            write_locked_down(paths.NAMED_CONF, new_txt)
            logger.info("created new %s", paths.NAMED_CONF)
            changed = True
        else:
            logger.debug("%s is unmodified", paths.NAMED_CONF)

        # user configurations: created once, never overwritten
        user_configs = (
            (paths.NAMED_CUSTOM_CONF_SRC, paths.NAMED_CUSTOM_CONF),
            (paths.NAMED_CUSTOM_OPTIONS_CONF_SRC,
             paths.NAMED_CUSTOM_OPTIONS_CONF),
            (paths.NAMED_LOGGING_OPTIONS_CONF_SRC,
             paths.NAMED_LOGGING_OPTIONS_CONF),
        )
        for src, dest in user_configs:
            if os.path.exists(dest):
                logger.info("named user config '%s' already exists", dest)
                continue
            write_locked_down(dest, ipautil.template_file(src, self.sub_dict))
            logger.info("created named user config '%s'", dest)
            changed = True

        return changed