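def __configure_http(self):
    """Render and install the IPA httpd configuration files.

    Writes ipa.conf and ipa-rewrite.conf from their templates, backing up
    the previous files in the fstore first, and makes sure the directory
    holding the GSSAPI session key exists.
    """
    self.update_httpd_service_ipa_conf()
    self.update_httpd_wsgi_conf()

    # create /etc/httpd/alias, see https://pagure.io/freeipa/issue/7529
    session_dir = os.path.dirname(self.sub_dict['GSSAPI_SESSION_KEY'])
    if not os.path.isdir(session_dir):
        os.makedirs(session_dir)
    # Must be world-readable / executable
    os.chmod(session_dir, 0o755)

    def install_conf(template_name, target_fname):
        # Render the template, back up the current file, then replace it.
        # The handle is closed by the context manager even if the write
        # fails, and the mode is fixed before any content is written.
        http_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
            self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf.template", paths.HTTPD_IPA_CONF)
    install_conf("ipa-rewrite.conf.template", paths.HTTPD_IPA_REWRITE_CONF)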
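def __setup_conf_files(self):
    """Write the OpenDNSSEC conf.xml and kasp.xml and point ODS at SoftHSM.

    The original files are backed up in the fstore the first time only.
    The SoftHSM PIN is read from its file and substituted into conf.xml.
    """
    for conf_path in (paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE):
        if not self.fstore.has_file(conf_path):
            self.fstore.backup_file(conf_path)

    with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
        pin = pin_fd.read()

    # add pin to template
    # NOTE: this aliases self.conf_file_dict, so the PIN also lands in the
    # instance attribute; kept as-is because callers may rely on it.
    sub_conf_dict = self.conf_file_dict
    sub_conf_dict["PIN"] = pin

    # "w" already truncates, so the old seek/truncate calls are redundant;
    # the context managers close the handles even if a write fails.
    # NOTE(review): conf.xml now carries the SoftHSM PIN but is written
    # with umask-default permissions - confirm the intended owner/mode.
    ods_conf_txt = ipautil.template_file(
        ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict)
    with open(paths.OPENDNSSEC_CONF_FILE, "w") as ods_conf_fd:
        ods_conf_fd.write(ods_conf_txt)

    ods_kasp_txt = ipautil.template_file(
        ipautil.SHARE_DIR + "opendnssec_kasp.template", self.kasp_file_dict)
    with open(paths.OPENDNSSEC_KASP_FILE, "w") as ods_kasp_fd:
        ods_kasp_fd.write(ods_kasp_txt)

    if not self.fstore.has_file(paths.SYSCONFIG_ODS):
        self.fstore.backup_file(paths.SYSCONFIG_ODS)
    installutils.set_directive(
        paths.SYSCONFIG_ODS, "SOFTHSM2_CONF", paths.DNSSEC_SOFTHSM2_CONF,
        quotes=False, separator="="
    )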
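def __configure_http(self):
    """Render and install the IPA httpd configuration files.

    Writes ipa.conf and ipa-rewrite.conf from their templates, backing up
    the previous files in the fstore first, and makes sure the directory
    holding the GSSAPI session key exists.
    """
    self.update_httpd_service_ipa_conf()
    self.update_httpd_wsgi_conf()

    # create /etc/httpd/alias, see https://pagure.io/freeipa/issue/7529
    session_dir = os.path.dirname(self.sub_dict['GSSAPI_SESSION_KEY'])
    if not os.path.isdir(session_dir):
        os.makedirs(session_dir)
    os.chmod(session_dir, 0o755)

    def install_conf(template_name, target_fname):
        # Render the template, back up the current file, then replace it.
        # The handle is closed by the context manager even if the write
        # fails, and the mode is fixed before any content is written.
        http_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
            self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf.template", paths.HTTPD_IPA_CONF)
    install_conf("ipa-rewrite.conf.template", paths.HTTPD_IPA_REWRITE_CONF)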
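def __setup_conf_files(self):
    """Write the OpenDNSSEC conf.xml, kasp.xml and sysconfig settings.

    The original files are backed up in the fstore the first time only.
    The SoftHSM PIN is read from its file and substituted into conf.xml;
    the Interval element is only emitted for OpenDNSSEC 1.4.
    """
    for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                      paths.OPENDNSSEC_KASP_FILE,
                      paths.OPENDNSSEC_ZONELIST_FILE):
        if not self.fstore.has_file(conf_path):
            self.fstore.backup_file(conf_path)

    with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
        pin = pin_fd.read()

    # add pin to template
    # NOTE: this aliases self.conf_file_dict, so the PIN also lands in the
    # instance attribute; kept as-is because callers may rely on it.
    sub_conf_dict = self.conf_file_dict
    sub_conf_dict['PIN'] = pin

    if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL):
        # OpenDNSSEC 1.4
        sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>'
    else:
        # OpenDNSSEC 2.x
        sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->'

    # "w" already truncates, so the old seek/truncate calls are redundant;
    # the context managers close the handles even if a write fails.
    # NOTE(review): conf.xml now carries the SoftHSM PIN but is written
    # with umask-default permissions - confirm the intended owner/mode.
    ods_conf_txt = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
        sub_conf_dict)
    with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
        ods_conf_fd.write(ods_conf_txt)

    ods_kasp_txt = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
        self.kasp_file_dict)
    with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
        ods_kasp_fd.write(ods_kasp_txt)

    if not self.fstore.has_file(paths.SYSCONFIG_ODS):
        self.fstore.backup_file(paths.SYSCONFIG_ODS)

    if not os.path.isfile(paths.SYSCONFIG_ODS):
        # create file, it's not shipped on Debian
        with open(paths.SYSCONFIG_ODS, 'a') as f:
            os.fchmod(f.fileno(), 0o644)

    directivesetter.set_directive(paths.SYSCONFIG_ODS,
                                  'SOFTHSM2_CONF',
                                  paths.DNSSEC_SOFTHSM2_CONF,
                                  quotes=False, separator='=')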
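def __configure_http(self):
    """Render ipa.conf and ipa-rewrite.conf from SHARE_DIR and install them.

    Each target is backed up in the fstore before it is overwritten.
    """
    def install_conf(template_name, target_fname):
        # The handle is closed by the context manager even if the write
        # fails, and the mode is fixed before any content is written.
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + template_name,
                                         self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf", paths.HTTPD_IPA_CONF)
    install_conf("ipa-rewrite.conf", paths.HTTPD_IPA_REWRITE_CONF)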
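def __setup_named_conf(self):
    """Write named.conf from the template and apply IPA's named settings.

    named.conf is backed up in the fstore the first time only; the custom
    include file is created if missing and DNSSEC validation is disabled
    when requested.
    """
    if not self.fstore.has_file(paths.NAMED_CONF):
        self.fstore.backup_file(paths.NAMED_CONF)

    named_txt = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, "bind.named.conf.template"),
        self.sub_dict)
    # "w" truncates on open, so the old seek/truncate calls are redundant;
    # the context manager closes the file even if the write fails.
    with open(paths.NAMED_CONF, 'w') as named_fd:
        named_fd.write(named_txt)

    named_add_ext_conf_file(paths.NAMED_CUSTOM_CFG_SRC,
                            paths.NAMED_CUSTOM_CONFIG)

    if self.no_dnssec_validation:
        # disable validation
        named_conf_set_directive("dnssec-validation", "no",
                                 section=NAMED_SECTION_OPTIONS,
                                 str_val=False)

    # prevent repeated upgrade on new installs
    sysupgrade.set_upgrade_state(
        'named.conf', 'forward_policy_conflict_with_empty_zones_handled',
        True)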
def __write_smb_conf(self):
    """Render smb.conf.template from USR_SHARE_IPA_DIR into self.smb_conf."""
    template_path = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template")
    rendered = ipautil.template_file(template_path, self.sub_dict)
    with open(self.smb_conf, "w") as out:
        out.write(rendered)
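def __configure_http(self):
    """Render ipa.conf and ipa-rewrite.conf from SHARE_DIR and install them.

    Each target is backed up in the fstore before it is overwritten.
    """
    def install_conf(template_name, target_fname):
        # The handle is closed by the context manager even if the write
        # fails, and the mode is fixed before any content is written.
        # 0o644 is the portable octal spelling (0644 is a syntax error on
        # Python 3).
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + template_name,
                                         self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf", paths.HTTPD_IPA_CONF)
    install_conf("ipa-rewrite.conf", paths.HTTPD_IPA_REWRITE_CONF)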
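def __configure_http(self):
    """Render ipa.conf and ipa-rewrite.conf from SHARE_DIR into conf.d.

    Each target is backed up in the fstore before it is overwritten.
    """
    def install_conf(template_name, target_fname):
        # The same path is used for backup and write, so the two cannot
        # drift apart. The handle is closed even if the write fails and
        # the mode is fixed before any content is written. 0o644 is the
        # portable octal spelling (0644 is a syntax error on Python 3).
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + template_name,
                                         self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf", '/etc/httpd/conf.d/ipa.conf')
    install_conf("ipa-rewrite.conf", '/etc/httpd/conf.d/ipa-rewrite.conf')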
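def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
              ldap_uri=None, dm_password=None):
    """Apply an LDIF file with ldapmodify against the local directory server.

    :param ldif: LDIF file name; relative names resolve under
        USR_SHARE_IPA_DIR
    :param sub_dict: optional template substitutions; when given the LDIF
        is rendered into a temporary file first
    :param raise_on_err: re-raise ipautil.CalledProcessError after logging
    :param ldap_uri: URI to connect to; defaults to the ldap2 backend's URI
    :param dm_password: Directory Manager password; when set, simple bind
        is used with the password passed via a temporary file rather than
        on the command line. Otherwise GSSAPI (non-root) or EXTERNAL (root).
    """
    pw_name = None
    fd = None
    if not os.path.isabs(ldif):
        path = os.path.join(paths.USR_SHARE_IPA_DIR, ldif)
    else:
        path = ldif
    nologlist = []
    if sub_dict is not None:
        txt = ipautil.template_file(path, sub_dict)
        fd = ipautil.write_tmp_file(txt)
        path = fd.name
        # do not log passwords
        for key in ('PASSWORD', 'RANDOM_PASSWORD'):
            if key in sub_dict:
                nologlist.append(sub_dict[key])
    args = [paths.LDAPMODIFY, "-v", "-f", path]
    # As we always connect to the local host,
    # use URI of admin connection
    if not ldap_uri:
        ldap_uri = api.Backend.ldap2.ldap_uri
    args += ["-H", ldap_uri]
    if dm_password:
        # NamedTemporaryFile creates the file with mode 0600, so the
        # password is not readable by other local users.
        with tempfile.NamedTemporaryFile(mode='w', delete=False) as pw_file:
            pw_file.write(dm_password)
            pw_name = pw_file.name
        auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
    # Use GSSAPI auth when not using DM password or not being root
    elif os.getegid() != 0:
        auth_parms = ["-Y", "GSSAPI"]
    # Default to EXTERNAL auth mechanism
    else:
        auth_parms = ["-Y", "EXTERNAL"]
    args += auth_parms
    try:
        ipautil.run(args, nolog=nologlist)
    except ipautil.CalledProcessError as e:
        logger.critical("Failed to load %s: %s", ldif, str(e))
        if raise_on_err:
            raise
    finally:
        # Always remove the password file and close the rendered temporary
        # LDIF handle (it was never closed before), even when ldapmodify
        # fails.
        if pw_name:
            os.remove(pw_name)
        if fd is not None:
            fd.close()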
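def __setup_named_conf(self):
    """Back up NAMED_CONF in the fstore and overwrite it from the template."""
    self.fstore.backup_file(NAMED_CONF)
    named_txt = ipautil.template_file(
        ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
    # "w" truncates on open, so the old seek/truncate calls are redundant;
    # the context manager closes the file even if the write fails.
    with open(NAMED_CONF, 'w') as named_fd:
        named_fd.write(named_txt)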
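def __configure_http(self):
    """Render ipa.conf and ipa-rewrite.conf from SHARE_DIR into conf.d.

    Each target is backed up in the fstore before it is overwritten.
    """
    def install_conf(template_name, target_fname):
        # The same path is used for backup and write, so the two cannot
        # drift apart. The handle is closed even if the write fails and
        # the mode is fixed before any content is written. 0o644 is the
        # portable octal spelling (0644 is a syntax error on Python 3).
        http_txt = ipautil.template_file(ipautil.SHARE_DIR + template_name,
                                         self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf", '/etc/httpd/conf.d/ipa.conf')
    install_conf("ipa-rewrite.conf", '/etc/httpd/conf.d/ipa-rewrite.conf')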
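def __template_file(self, path, chmod=0o644):
    """Render SHARE_DIR/<basename(path)>.template into *path*.

    :param path: destination file; it is backed up in the fstore first
    :param chmod: mode applied to the destination, or None to leave the
        umask-default mode in place
    """
    template = os.path.join(ipautil.SHARE_DIR,
                            os.path.basename(path) + ".template")
    conf = ipautil.template_file(template, self.sub_dict)
    self.fstore.backup_file(path)
    # The handle is closed even if the write fails, and the mode is set
    # before any content lands in the file.
    with open(path, "w+") as fd:
        if chmod is not None:
            os.fchmod(fd.fileno(), chmod)
        fd.write(conf)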
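def __setup_conf_files(self):
    """Write the OpenDNSSEC conf.xml, kasp.xml and sysconfig settings.

    The original files are backed up in the fstore the first time only.
    The SoftHSM PIN is read from its file and substituted into conf.xml.
    """
    for conf_path in (paths.OPENDNSSEC_CONF_FILE,
                      paths.OPENDNSSEC_KASP_FILE,
                      paths.OPENDNSSEC_ZONELIST_FILE):
        if not self.fstore.has_file(conf_path):
            self.fstore.backup_file(conf_path)

    with open(paths.DNSSEC_SOFTHSM_PIN, "r") as pin_fd:
        pin = pin_fd.read()

    # add pin to template
    # NOTE: this aliases self.conf_file_dict, so the PIN also lands in the
    # instance attribute; kept as-is because callers may rely on it.
    sub_conf_dict = self.conf_file_dict
    sub_conf_dict['PIN'] = pin

    # "w" already truncates, so the old seek/truncate calls are redundant;
    # the context managers close the handles even if a write fails.
    # NOTE(review): conf.xml now carries the SoftHSM PIN but is written
    # with umask-default permissions - confirm the intended owner/mode.
    ods_conf_txt = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
        sub_conf_dict)
    with open(paths.OPENDNSSEC_CONF_FILE, 'w') as ods_conf_fd:
        ods_conf_fd.write(ods_conf_txt)

    ods_kasp_txt = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
        self.kasp_file_dict)
    with open(paths.OPENDNSSEC_KASP_FILE, 'w') as ods_kasp_fd:
        ods_kasp_fd.write(ods_kasp_txt)

    if not self.fstore.has_file(paths.SYSCONFIG_ODS):
        self.fstore.backup_file(paths.SYSCONFIG_ODS)
    installutils.set_directive(paths.SYSCONFIG_ODS,
                               'SOFTHSM2_CONF',
                               paths.DNSSEC_SOFTHSM2_CONF,
                               quotes=False, separator='=')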
def create_kdcproxy_conf(self):
    """Create ipa-kdc-proxy.conf in /etc/ipa/kdcproxy"""
    target = paths.HTTPD_IPA_KDCPROXY_CONF
    substitutions = {'KDCPROXY_CONFIG': paths.KDCPROXY_CONFIG}
    rendered = ipautil.template_file(
        ipautil.SHARE_DIR + "ipa-kdc-proxy.conf.template", substitutions)
    self.fstore.backup_file(target)
    with open(target, 'w') as out:
        out.write(rendered)
    # world-readable config, no secrets in it
    os.chmod(target, 0o644)
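def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
              ldap_uri=None, dm_password=None):
    """Apply an LDIF file from SHARE_DIR with ldapmodify.

    :param ldif: LDIF file name relative to SHARE_DIR
    :param sub_dict: optional template substitutions; when given the LDIF
        is rendered into a temporary file first
    :param raise_on_err: re-raise ipautil.CalledProcessError after logging
    :param ldap_uri: URI to connect to; defaults to the admin connection's
    :param dm_password: Directory Manager password; when set, simple bind
        is used with the password passed via a 0600 temporary file rather
        than on the command line. Otherwise GSSAPI (non-root) or EXTERNAL
        (root).
    """
    pw_name = None
    fd = None
    path = ipautil.SHARE_DIR + ldif
    nologlist = []
    if sub_dict is not None:
        txt = ipautil.template_file(path, sub_dict)
        fd = ipautil.write_tmp_file(txt)
        path = fd.name
        # do not log passwords
        for key in ('PASSWORD', 'RANDOM_PASSWORD'):
            if key in sub_dict:
                nologlist.append(sub_dict[key])
    args = [paths.LDAPMODIFY, "-v", "-f", path]
    # As we always connect to the local host,
    # use URI of admin connection
    if not ldap_uri:
        ldap_uri = self.admin_conn.ldap_uri
    args += ["-H", ldap_uri]
    if dm_password:
        # mkstemp creates the file with mode 0600
        pw_fd, pw_name = tempfile.mkstemp()
        os.write(pw_fd, dm_password)
        os.close(pw_fd)
        auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
    # Use GSSAPI auth when not using DM password or not being root
    elif os.getegid() != 0:
        auth_parms = ["-Y", "GSSAPI"]
    # Default to EXTERNAL auth mechanism
    else:
        auth_parms = ["-Y", "EXTERNAL"]
    args += auth_parms
    try:
        ipautil.run(args, nolog=nologlist)
    except ipautil.CalledProcessError as e:
        root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
        if raise_on_err:
            raise
    finally:
        # Always remove the password file and close the rendered temporary
        # LDIF handle (it was never closed before), even on failure.
        if pw_name:
            os.remove(pw_name)
        if fd is not None:
            fd.close()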
def http_proxy(self):
    """
    Update the http proxy file
    """
    template_path = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
    # a clone gets the CLONE lines enabled, a master keeps them commented
    clone_marker = '' if self.clone else '#'
    substitutions = {
        'DOGTAG_PORT': self.dogtag_constants.AJP_PORT,
        'CLONE': clone_marker,
        'FQDN': self.fqdn,
    }
    rendered = ipautil.template_file(template_path, substitutions)
    with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as out:
        out.write(rendered)
def http_proxy(self):
    """
    Update the http proxy file
    """
    template_path = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
    # a clone gets the CLONE lines enabled, a master keeps them commented
    clone_marker = '' if self.clone else '#'
    substitutions = {
        'DOGTAG_PORT': 8009,
        'CLONE': clone_marker,
        'FQDN': self.fqdn,
    }
    rendered = ipautil.template_file(template_path, substitutions)
    with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as out:
        out.write(rendered)
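def __configure_http(self):
    """Render and install the IPA httpd configuration files.

    Writes ipa.conf and ipa-rewrite.conf from USR_SHARE_IPA_DIR, backing
    up the previous files in the fstore first.
    """
    self.update_httpd_service_ipa_conf()

    def install_conf(template_name, target_fname):
        # The handle is closed by the context manager even if the write
        # fails, and the mode is fixed before any content is written.
        http_txt = ipautil.template_file(
            os.path.join(paths.USR_SHARE_IPA_DIR, template_name),
            self.sub_dict)
        self.fstore.backup_file(target_fname)
        with open(target_fname, "w") as http_fd:
            os.fchmod(http_fd.fileno(), 0o644)
            http_fd.write(http_txt)

    install_conf("ipa.conf", paths.HTTPD_IPA_CONF)
    install_conf("ipa-rewrite.conf", paths.HTTPD_IPA_REWRITE_CONF)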
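def __config_file(self):
    """Render the ipa-custodia config from its template into self.config_file."""
    template_file = os.path.basename(self.config_file) + '.template'
    template = os.path.join(ipautil.SHARE_DIR, template_file)
    sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
                    IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
                    IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
                    LDAP_URI=installutils.realm_to_ldapi_uri(self.realm))
    conf = ipautil.template_file(template, sub_dict)
    # The context manager flushes and closes the file even if the write
    # fails, which the explicit flush/close sequence did not guarantee.
    with open(self.config_file, "w+") as fd:
        fd.write(conf)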
def __write_smb_registry(self):
    """Import the rendered smb.conf template into the Samba registry."""
    # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
    # We make sure that paths.SMB_CONF file exists, hence touch it
    with open(paths.SMB_CONF, 'a'):
        os.utime(paths.SMB_CONF, None)

    rendered = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template"),
        self.sub_dict)
    # the temporary file is created with mode 0600 and removed on exit
    with tempfile.NamedTemporaryFile(mode='w') as staged:
        staged.write(rendered)
        staged.flush()
        import_cmd = [paths.NET, "conf", "import", staged.name]
        ipautil.run(import_cmd)
def http_proxy(self):
    """
    Update the http proxy file
    """
    template_path = os.path.join(paths.USR_SHARE_IPA_DIR,
                                 "ipa-pki-proxy.conf.template")
    # a clone gets the CLONE lines enabled, a master keeps them commented
    clone_marker = '' if self.clone else '#'
    substitutions = {
        'DOGTAG_PORT': 8009,
        'CLONE': clone_marker,
        'FQDN': self.fqdn,
    }
    rendered = ipautil.template_file(template_path, substitutions)
    with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as out:
        out.write(rendered)
def __template_file(self, path, chmod=0o644, client_template=False):
    """Render <basename(path)>.template into *path*.

    The template comes from the client share dir when client_template is
    set, otherwise from the server share dir. *path* is backed up in the
    fstore first; *chmod* (or None to skip) is applied before writing.
    """
    sharedir = (paths.USR_SHARE_IPA_CLIENT_DIR if client_template
                else paths.USR_SHARE_IPA_DIR)
    template_name = os.path.basename(path) + ".template"
    rendered = ipautil.template_file(os.path.join(sharedir, template_name),
                                     self.sub_dict)
    self.fstore.backup_file(path)
    with open(path, 'w') as out:
        # mode is fixed before any content is written
        if chmod is not None:
            os.fchmod(out.fileno(), chmod)
        out.write(rendered)
def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
    """Run ldapmodify with *ldif* from SHARE_DIR against the admin connection.

    When *sub_dict* is given the LDIF is first rendered into a temporary
    file. Authentication is simple bind with the DM password (passed via a
    temp file) when available, GSSAPI for non-root, EXTERNAL for root.
    Failures are re-raised when *raise_on_err* is true, else logged.
    """
    pw_name = None
    fd = None
    path = ipautil.SHARE_DIR + ldif
    nologlist = []

    if sub_dict is not None:
        rendered = ipautil.template_file(path, sub_dict)
        fd = ipautil.write_tmp_file(rendered)
        path = fd.name
        # do not log passwords
        nologlist.extend(sub_dict[key]
                         for key in ('PASSWORD', 'RANDOM_PASSWORD')
                         if key in sub_dict)

    # As we always connect to the local host,
    # use URI of admin connection
    if not self.admin_conn:
        self.ldap_connect()
    args = [paths.LDAPMODIFY, "-v", "-f", path,
            "-H", self.admin_conn.ldap_uri]

    if self.dm_password:
        # If DM password is available, use it (mkstemp gives a 0600 file)
        pw_fd, pw_name = tempfile.mkstemp()
        os.write(pw_fd, self.dm_password)
        os.close(pw_fd)
        auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
    elif os.getegid() != 0:
        # Use GSSAPI auth when not using DM password or not being root
        auth_parms = ["-Y", "GSSAPI"]
    else:
        # Default to EXTERNAL auth mechanism
        auth_parms = ["-Y", "EXTERNAL"]
    args.extend(auth_parms)

    try:
        ipautil.run(args, nolog=nologlist)
    except ipautil.CalledProcessError as e:
        if raise_on_err:
            raise
        root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
    finally:
        if pw_name:
            os.remove(pw_name)
        if fd is not None:
            fd.close()
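def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
              ldap_uri=None, dm_password=None):
    """Apply an LDIF file from USR_SHARE_IPA_DIR with ldapmodify.

    :param ldif: LDIF file name relative to USR_SHARE_IPA_DIR
    :param sub_dict: optional template substitutions; when given the LDIF
        is rendered into a temporary file first
    :param raise_on_err: re-raise ipautil.CalledProcessError after logging
    :param ldap_uri: URI to connect to; defaults to the ldap2 backend's URI
    :param dm_password: Directory Manager password; when set, simple bind
        is used with the password passed via a temporary file rather than
        on the command line. Otherwise GSSAPI (non-root) or EXTERNAL (root).
    """
    pw_name = None
    fd = None
    path = os.path.join(paths.USR_SHARE_IPA_DIR, ldif)
    nologlist = []
    if sub_dict is not None:
        txt = ipautil.template_file(path, sub_dict)
        fd = ipautil.write_tmp_file(txt)
        path = fd.name
        # do not log passwords
        for key in ('PASSWORD', 'RANDOM_PASSWORD'):
            if key in sub_dict:
                nologlist.append(sub_dict[key])
    args = [paths.LDAPMODIFY, "-v", "-f", path]
    # As we always connect to the local host,
    # use URI of admin connection
    if not ldap_uri:
        ldap_uri = api.Backend.ldap2.ldap_uri
    args += ["-H", ldap_uri]
    if dm_password:
        # NamedTemporaryFile creates the file with mode 0600, so the
        # password is not readable by other local users.
        with tempfile.NamedTemporaryFile(
                mode='w', delete=False) as pw_file:
            pw_file.write(dm_password)
            pw_name = pw_file.name
        auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
    # Use GSSAPI auth when not using DM password or not being root
    elif os.getegid() != 0:
        auth_parms = ["-Y", "GSSAPI"]
    # Default to EXTERNAL auth mechanism
    else:
        auth_parms = ["-Y", "EXTERNAL"]
    args += auth_parms
    try:
        ipautil.run(args, nolog=nologlist)
    except ipautil.CalledProcessError as e:
        root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
        if raise_on_err:
            raise
    finally:
        # Always remove the password file and close the rendered temporary
        # LDIF handle (it was never closed before), even on failure.
        if pw_name:
            os.remove(pw_name)
        if fd is not None:
            fd.close()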
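def __write_smb_registry(self):
    """Import the rendered smb.conf template into the Samba registry."""
    template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
    conf = ipautil.template_file(template, self.sub_dict)
    # mkstemp creates the file with mode 0600. The whole lifetime of the
    # temp file sits inside try/finally so it is removed even if writing
    # it or the import fails (previously a failed write leaked the file).
    tmp_fd, tmp_name = tempfile.mkstemp()
    try:
        try:
            os.write(tmp_fd, conf)
        finally:
            os.close(tmp_fd)
        ipautil.run([paths.NET, "conf", "import", tmp_name])
    finally:
        os.remove(tmp_name)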
def __template_file(self, path, chmod=0o644, client_template=False):
    """Render <basename(path)>.template into *path*.

    The template comes from the client share dir when client_template is
    set, otherwise from the server share dir. *path* is backed up in the
    fstore first; *chmod* (or None to skip) is applied before writing.
    """
    sharedir = (paths.USR_SHARE_IPA_CLIENT_DIR if client_template
                else paths.USR_SHARE_IPA_DIR)
    template_name = os.path.basename(path) + ".template"
    rendered = ipautil.template_file(os.path.join(sharedir, template_name),
                                     self.sub_dict)
    self.fstore.backup_file(path)
    with open(path, 'w') as out:
        # mode is fixed before any content is written
        if chmod is not None:
            os.fchmod(out.fileno(), chmod)
        out.write(rendered)
def __write_smb_registry(self):
    """Import IPA specific config into Samba registry

    Configuration is imported after __write_smb_conf() has modified
    smb.conf to include registry.
    """
    template_path = os.path.join(paths.USR_SHARE_IPA_DIR,
                                 "smb.conf.registry.template")
    rendered = ipautil.template_file(template_path, self.sub_dict)
    # the temporary file is created with mode 0600 and removed on exit
    with tempfile.NamedTemporaryFile(mode='w') as staged:
        staged.write(rendered)
        staged.flush()
        import_cmd = [paths.NET, "conf", "import", staged.name]
        ipautil.run(import_cmd)
def configure_and_start_sssd(self):
    """Emit the shell commands that write sssd.conf and start SSSD."""
    uri, base = self.get_uri_and_base()
    template = os.path.join(paths.USR_SHARE_IPA_DIR, 'advise', 'legacy',
                            'sssd.conf.template')
    sssd_conf = template_file(template, {'URI': uri, 'BASE': base})

    self.log.comment('Configure SSSD')
    heredoc = 'cat > /etc/sssd/sssd.conf << EOF \n%s\nEOF' % sssd_conf
    self.log.command(heredoc)
    # sssd.conf must not be readable by other users
    self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')

    self.log.comment('Start SSSD')
    self.log.command('service sssd start')
def __config_file(self):
    """Render the ipa-custodia config from its template into self.config_file."""
    template_name = os.path.basename(self.config_file) + '.template'
    template_path = os.path.join(paths.USR_SHARE_IPA_DIR, template_name)
    substitutions = {
        'IPA_CUSTODIA_CONF_DIR': paths.IPA_CUSTODIA_CONF_DIR,
        'IPA_CUSTODIA_KEYS': paths.IPA_CUSTODIA_KEYS,
        'IPA_CUSTODIA_SOCKET': paths.IPA_CUSTODIA_SOCKET,
        'IPA_CUSTODIA_AUDIT_LOG': paths.IPA_CUSTODIA_AUDIT_LOG,
        'LDAP_URI': ipaldap.realm_to_ldapi_uri(self.realm),
        'UID': constants.HTTPD_USER.uid,
        'GID': constants.HTTPD_USER.pgid,
    }
    rendered = ipautil.template_file(template_path, substitutions)
    with open(self.config_file, "w") as out:
        out.write(rendered)
        # push the content to disk before the handle is closed
        ipautil.flush_sync(out)
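def __config_file(self):
    """Render the ipa-custodia config from its template into self.config_file."""
    template_file = os.path.basename(self.config_file) + '.template'
    template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
    httpd_info = pwd.getpwnam(constants.HTTPD_USER)
    sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
                    IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
                    IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
                    LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
                    UID=httpd_info.pw_uid,
                    GID=httpd_info.pw_gid)
    conf = ipautil.template_file(template, sub_dict)
    # The context manager flushes and closes the file even if the write
    # fails, which the explicit flush/close sequence did not guarantee.
    with open(self.config_file, "w+") as fd:
        fd.write(conf)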
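def __setup_named_conf(self):
    """Write named.conf from the template and disable DNSSEC validation
    when requested.

    NAMED_CONF is backed up in the fstore the first time only.
    """
    if not self.fstore.has_file(NAMED_CONF):
        self.fstore.backup_file(NAMED_CONF)
    named_txt = ipautil.template_file(
        ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
    # "w" truncates on open, so the old seek/truncate calls are redundant;
    # the context manager closes the file even if the write fails.
    with open(NAMED_CONF, 'w') as named_fd:
        named_fd.write(named_txt)

    if self.no_dnssec_validation:
        # disable validation
        named_conf_set_directive("dnssec-validation", "no",
                                 section=NAMED_SECTION_OPTIONS,
                                 str_val=False)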
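def http_proxy(self):
    """
    Update the http proxy file

    The rendered file may contain the AJP secret, so its mode is set to
    0640 before any content is written rather than after.
    """
    template_filename = (os.path.join(paths.USR_SHARE_IPA_DIR,
                                      "ipa-pki-proxy.conf.template"))
    sub_dict = dict(
        DOGTAG_PORT=8009,
        CLONE='' if self.clone else '#',
        FQDN=self.fqdn,
        DOGTAG_AJP_SECRET='',
    )
    if self.ajp_secret:
        sub_dict['DOGTAG_AJP_SECRET'] = "secret={}".format(self.ajp_secret)
    template = ipautil.template_file(template_filename, sub_dict)
    with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
        # restrict the mode before the secret lands in the file; the old
        # order (write, then fchmod) left a window with umask-default mode
        os.fchmod(fd.fileno(), 0o640)
        fd.write(template)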
def configure_and_start_sssd(self):
    """Emit the shell commands that write sssd.conf and start SSSD."""
    uri, base = self.get_uri_and_base()
    template = os.path.join(SHARE_DIR, 'advise', 'legacy',
                            'sssd.conf.template')
    sssd_conf = template_file(template, {'URI': uri, 'BASE': base})

    self.log.comment('Configure SSSD')
    heredoc = 'cat > /etc/sssd/sssd.conf << EOF \n%s\nEOF' % sssd_conf
    self.log.command(heredoc)
    # sssd.conf must not be readable by other users
    self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')

    self.log.comment('Start SSSD')
    self.log.command('service sssd start')
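def named_add_ext_conf_file(src, dest, t_params=None):
    """
    Ensure included file is present, but don't override it.

    :param src: String. Absolute path to source template
    :param dest: String. Absolute path to destination
    :param t_params: Dict. Parameters for source template (None means no
        parameters)
    :returns: True if the file was created, False if it already existed
    """
    # a fresh dict per call instead of a shared mutable default argument
    if t_params is None:
        t_params = {}
    if os.path.exists(dest):
        return False
    ipa_ext_txt = ipautil.template_file(src, t_params)
    gid = pwd.getpwnam(constants.NAMED_USER).pw_gid
    with open(dest, 'w') as ipa_ext:
        # root:named, 0640: readable by named, not by other local users;
        # set before any content is written
        os.fchmod(ipa_ext.fileno(), 0o640)
        os.fchown(ipa_ext.fileno(), 0, gid)
        ipa_ext.write(ipa_ext_txt)
    return True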
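def __write_smb_registry(self):
    """Import the rendered smb.conf template into the Samba registry."""
    template = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template")
    conf = ipautil.template_file(template, self.sub_dict)

    # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
    # We make sure that paths.SMB_CONF file exists, hence touch it
    with open(paths.SMB_CONF, 'a'):
        os.utime(paths.SMB_CONF, None)

    # mkstemp creates the file with mode 0600. The whole lifetime of the
    # temp file sits inside try/finally so it is removed even if writing
    # it or the import fails (previously a failed write leaked the file).
    tmp_fd, tmp_name = tempfile.mkstemp()
    try:
        try:
            os.write(tmp_fd, conf)
        finally:
            os.close(tmp_fd)
        ipautil.run([paths.NET, "conf", "import", tmp_name])
    finally:
        os.remove(tmp_name)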
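def __write_smb_registry(self):
    """Import the rendered smb.conf template into the Samba registry."""
    template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
    conf = ipautil.template_file(template, self.sub_dict)

    # Workaround for: https://fedorahosted.org/freeipa/ticket/5687
    # We make sure that paths.SMB_CONF file exists, hence touch it
    with open(paths.SMB_CONF, 'a'):
        os.utime(paths.SMB_CONF, None)

    # mkstemp creates the file with mode 0600. The whole lifetime of the
    # temp file sits inside try/finally so it is removed even if writing
    # it or the import fails (previously a failed write leaked the file).
    tmp_fd, tmp_name = tempfile.mkstemp()
    try:
        try:
            os.write(tmp_fd, conf)
        finally:
            os.close(tmp_fd)
        ipautil.run([paths.NET, "conf", "import", tmp_name])
    finally:
        os.remove(tmp_name)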
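def __setup_named_conf(self):
    """Write named.conf from the template and apply IPA's named settings.

    NAMED_CONF is backed up in the fstore the first time only; DNSSEC
    validation is disabled when requested and the upgrade state is marked
    so the forward-policy migration does not run again on new installs.
    """
    if not self.fstore.has_file(NAMED_CONF):
        self.fstore.backup_file(NAMED_CONF)
    named_txt = ipautil.template_file(
        ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
    # "w" truncates on open, so the old seek/truncate calls are redundant;
    # the context manager closes the file even if the write fails.
    with open(NAMED_CONF, 'w') as named_fd:
        named_fd.write(named_txt)

    if self.no_dnssec_validation:
        # disable validation
        named_conf_set_directive("dnssec-validation", "no",
                                 section=NAMED_SECTION_OPTIONS,
                                 str_val=False)

    # prevent repeated upgrade on new installs
    sysupgrade.set_upgrade_state(
        'named.conf', 'forward_policy_conflict_with_empty_zones_handled',
        True
    )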
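def __write_smb_registry(self):
    """Import IPA specific config into Samba registry

    Configuration is imported after __write_smb_conf() has modified
    smb.conf to include registry.
    """
    template = os.path.join(
        paths.USR_SHARE_IPA_DIR, "smb.conf.registry.template"
    )
    conf = ipautil.template_file(template, self.sub_dict)
    # the temporary file is created with mode 0600 and removed on exit
    with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
        tmp_conf.write(conf)
        tmp_conf.flush()
        try:
            ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
        except ipautil.CalledProcessError as e:
            # Exit code 255 is how an old Samba that doesn't support the
            # IPA DC server role rejects the import. Retry once with the
            # older role; the upgrade code will change the role later
            # when Samba is upgraded as well.
            if e.returncode == 255:
                already_old = (
                    self.sub_dict.get('SERVER_ROLE') == self.SERVER_ROLE_OLD
                )
                if already_old:
                    # The fallback already failed: re-raise instead of
                    # recursing forever on a persistent error.
                    raise
                self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
                self.__write_smb_registry()
            # NOTE(review): any other exit code is swallowed here, as in
            # the original; confirm that a failed import is meant to be
            # non-fatal.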
def setup_named_openssl_conf(self):
    """Write the OpenSSL config BIND uses to reach the SoftHSM PKCS#11 module.

    Does nothing when no OpenSSL engine is configured for named.
    """
    if constants.NAMED_OPENSSL_ENGINE is None:
        return

    logger.debug("Setup OpenSSL config for BIND")
    # setup OpenSSL config for BIND,
    # this one is needed because FreeIPA installation
    # disables p11-kit-proxy PKCS11 module
    substitutions = {
        'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
        'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
        'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
    }
    # pick the template that includes the system crypto policy when one
    # is available on this platform
    has_policy = paths.CRYPTO_POLICY_OPENSSLCNF_FILE is not None
    template_name = ("bind.openssl.cryptopolicy.cnf.template" if has_policy
                     else "bind.openssl.cnf.template")
    rendered = ipautil.template_file(
        os.path.join(paths.USR_SHARE_IPA_DIR, template_name), substitutions)
    with open(paths.DNSSEC_OPENSSL_CONF, 'w') as out:
        # root:named, 0640, fixed before any content is written
        os.fchmod(out.fileno(), 0o640)
        os.fchown(out.fileno(), 0, gid=constants.NAMED_GROUP.gid)
        out.write(rendered)
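def create_sample_bind_zone(self):
    """Write a sample bind zone file from the template to a temporary file
    and report its path.

    The file is deliberately left in place for the administrator.
    """
    bind_txt = ipautil.template_file(
        ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
    # mkstemp creates a unique 0600 file named sample.zone.<random>.db
    bind_fd, bind_name = tempfile.mkstemp(".db", "sample.zone.")
    try:
        os.write(bind_fd, bind_txt)
    finally:
        # close the descriptor even if the write fails
        os.close(bind_fd)
    # parenthesised form is valid on both Python 2 and 3
    print("Sample zone file for bind has been created in " + bind_name)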
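def create_kdc_cert(self, nickname, hostname, destdir):
    """Create a new certificate with the special othername encoding
    needed by a KDC certificate.

    nickname: the CN name set in the certificate
    hostname: the KDC host name passed to the extensions template
    destdir: the location where cert and key are to be installed

    destdir will contain kdc.pem if the operation is successful
    """
    reqcfg = "kdc_req.conf"
    extcfg = ipautil.SHARE_DIR + "kdc_extensions.template"
    key_fname = destdir + "/kdckey.pem"
    cert_fname = destdir + "/kdccert.pem"
    key_cert_fname = destdir + "/kdc.pem"

    # Setup the temp dir
    self.setup_cert_request()

    # Copy the CA password file because openssl apparently can't use
    # the same file twice within the same command and throws an error
    ca_pwd_file = self.reqdir + "pwdfile.txt"
    shutil.copyfile(self.passwd_fname, ca_pwd_file)

    # Extract the cacert.pem file used by openssl to sign the certs
    ipautil.run(["/usr/bin/openssl", "pkcs12", "-in", self.pk12_fname,
                 "-passin", "file:" + self.passwd_fname,
                 "-passout", "file:" + ca_pwd_file,
                 "-out", "cacert.pem"])

    # Create the kdc key
    ipautil.run(["/usr/bin/openssl", "genrsa", "-out", key_fname, "2048"])

    # Prepare a simple cert request
    req_dict = dict(PASSWORD=self.gen_password(),
                    SUBJBASE=self.subject_base,
                    CERTNAME=DN(('CN', nickname)))
    req_template = ipautil.SHARE_DIR + reqcfg + ".template"
    conf = ipautil.template_file(req_template, req_dict)
    # the handle is closed even if the write fails
    with open(reqcfg, "w+") as fd:
        fd.write(conf)

    base = str(self.subject_base).replace(",", "/")
    esc_subject = DN(('CN', '%s/%s' % (nickname, base)))

    ipautil.run(["/usr/bin/openssl", "req", "-new",
                 "-config", reqcfg,
                 "-subj", str(esc_subject),
                 "-key", key_fname,
                 "-out", "kdc.req"])

    # Finally, sign the cert using the extensions file to set the
    # special name; REALM and HOST_FQDN are read by the extensions template
    ipautil.run(["/usr/bin/openssl", "x509", "-req",
                 "-CA", "cacert.pem",
                 "-extfile", extcfg,
                 "-extensions", "kdc_cert",
                 "-passin", "file:" + ca_pwd_file,
                 "-set_serial", next_serial(),
                 "-in", "kdc.req",
                 "-out", cert_fname],
                env={'REALM': self.realm, 'HOST_FQDN': hostname})

    # Merge key and cert in a single file; the context managers close the
    # handles even if a read or write fails.
    with open(key_fname, "r") as fd:
        key = fd.read()
    with open(cert_fname, "r") as fd:
        cert = fd.read()
    # NOTE(review): kdc.pem holds the private key but is created with the
    # umask-default mode; confirm the intended owner/mode for it.
    with open(key_cert_fname, "w") as fd:
        fd.write(key)
        fd.write(cert)

    os.unlink(key_fname)
    os.unlink(cert_fname)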
for filename in self.files: if not os.path.exists(filename): raise admintool.ScriptError("%s: file not found" % filename) if os.getegid() == 0: try: installutils.check_server_configuration() except RuntimeError, e: print unicode(e) sys.exit(1) elif not os.path.exists('/etc/ipa/default.conf'): print "IPA is not configured on this system." sys.exit(1) if options.password: pw = ipautil.template_file(options.password, []) self.dirman_password = pw.strip() else: self.dirman_password = None def setup_logging(self): ipa_log_manager.standard_logging_setup(self.log_file_name, console_format='%(levelname)s: %(message)s', debug=self.options.debug, filemode='a') ipa_log_manager.log_mgr.get_logger(self, True) def run(self): super(LDAPUpdater, self).run() api.bootstrap( in_server=True,
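def setup_named_conf(self, backup=False):
    """Create, update, or migrate named configuration files

    The method is used by installer and upgrade process. The named.conf
    is backed up the first time and overwritten every time. The user
    specific config files are created once and not modified in
    subsequent calls.

    The "dnssec-validation" option is migrated

    :param backup: also keep a one-time copy of the old named.conf at
        NAMED_CONF_BAK when named.conf is replaced
    :returns: True if any config file was modified, else False
    """
    # files are owned by root:named and are readable by user and group
    uid = 0
    gid = constants.NAMED_GROUP.gid
    mode = 0o640
    changed = False

    def write_owned(dest, txt):
        # Create/overwrite *dest* with the mode and ownership above, set
        # before any content is written so there is no window with the
        # umask-default mode.
        with open(dest, "w") as f:
            os.fchmod(f.fileno(), mode)
            os.fchown(f.fileno(), uid, gid)
            f.write(txt)

    if not self.fstore.has_file(paths.NAMED_CONF):
        self.fstore.backup_file(paths.NAMED_CONF)

    # named.conf (a single-argument os.path.join was a no-op)
    txt = ipautil.template_file(paths.NAMED_CONF_SRC, self.sub_dict)
    with open(paths.NAMED_CONF) as f:
        old_txt = f.read()

    if txt == old_txt:
        logger.debug("%s is unmodified", paths.NAMED_CONF)
    else:
        if backup:
            if not os.path.isfile(paths.NAMED_CONF_BAK):
                shutil.copyfile(paths.NAMED_CONF, paths.NAMED_CONF_BAK)
                logger.info("created backup %s", paths.NAMED_CONF_BAK)
            else:
                logger.warning(
                    "backup %s already exists", paths.NAMED_CONF_BAK
                )
        write_owned(paths.NAMED_CONF, txt)
        logger.info("created new %s", paths.NAMED_CONF)
        changed = True

    # user configurations
    user_configs = (
        (paths.NAMED_CUSTOM_CONF_SRC, paths.NAMED_CUSTOM_CONF),
        (
            paths.NAMED_CUSTOM_OPTIONS_CONF_SRC,
            paths.NAMED_CUSTOM_OPTIONS_CONF
        ),
        (
            paths.NAMED_LOGGING_OPTIONS_CONF_SRC,
            paths.NAMED_LOGGING_OPTIONS_CONF,
        ),
    )
    for src, dest in user_configs:
        if os.path.exists(dest):
            # user-owned files are never overwritten
            logger.info("named user config '%s' already exists", dest)
            continue
        write_owned(dest, ipautil.template_file(src, self.sub_dict))
        logger.info("created named user config '%s'", dest)
        changed = True

    return changed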