def initialize(self, framework, config, options=None):
    """Prepare the global IPA ``api`` object for server-side health checks.

    ``options`` is accepted for signature compatibility but is not forwarded
    to the parent initializer. The API is bootstrapped in-server under the
    ``ipahealthcheck`` context and then finalized; each step is skipped when
    ``api.isdone()`` reports it has already happened.
    """
    super().initialize(framework, config)

    # Runs before any API setup; presumably raises when the host is not a
    # configured IPA server -- confirm against installutils.
    installutils.check_server_configuration()

    bootstrap_args = {
        'in_server': True,
        'context': 'ipahealthcheck',
        'log': None,
    }
    already_bootstrapped = api.isdone('bootstrap')
    if not already_bootstrapped:
        api.bootstrap(**bootstrap_args)

    already_finalized = api.isdone('finalize')
    if not already_finalized:
        api.finalize()
def initialize(self, framework, config, options):
    """Load the cluster input files, then make sure the IPA API is ready.

    ``options.dir`` is handed to ``self.load_files()`` before any API setup.
    NOTE(review): the directory is caller-supplied; what ``load_files``
    accepts from it is not visible here -- confirm it validates its input.
    """
    super(ClusterRegistry, self).initialize(framework, config, options)
    self.json = {}
    self.load_files(options.dir)

    # Nothing more to do once the API has been finalized.
    if api.isdone('finalize'):
        return

    if not api.isdone('bootstrap'):
        api.bootstrap(
            in_server=True,
            context='ipahealthcheck',
            log=None,
        )
    # Re-check after bootstrap, exactly as the nested original did.
    if not api.isdone('finalize'):
        api.finalize()
def initialize(self, framework, config, options=None):
    """Set up the IPA API, connect to LDAP and record CA / AD trust state.

    Sets ``self.ca_configured`` and, when the corresponding role reports
    ``enabled``, ``self.trust_agent`` / ``self.trust_controller``.

    The method returns early (a) when the LDAP connection fails with a
    credential-cache or network error and (b) when ``pysss_nss_idmap``
    cannot be imported. On path (a) ``self.ca_configured`` is not assigned
    here, and on both paths the trust flags are left untouched, so callers
    rely on defaults defined elsewhere -- TODO confirm those defaults exist.
    """
    super().initialize(framework, config)

    # deferred import for mock
    # pylint: disable=import-outside-toplevel
    from ipaserver.servroles import ADtrustBasedRole, ServiceBasedRole
    # pylint: enable=import-outside-toplevel

    installutils.check_server_configuration()

    if not api.isdone('finalize'):
        if not api.isdone('bootstrap'):
            api.bootstrap(
                in_server=True,
                context='ipahealthcheck',
                log=None,
            )
        if not api.isdone('finalize'):
            api.finalize()

    if not api.Backend.ldap2.isconnected():
        try:
            api.Backend.ldap2.connect()
        except (errors.CCacheError, errors.NetworkError) as exc:
            # Only logged at debug level: a failed bind silently skips every
            # check below, so enable debug logging when results look empty.
            logger.debug('Failed to connect to LDAP: %s', exc)
            return

    ca_instance = cainstance.CAInstance(api.env.realm, host_name=api.env.host)
    self.ca_configured = ca_instance.is_configured()

    # This package is pulled in when the trust package is installed
    # and is required to lookup trust users. If this is not installed
    # then it can be inferred that trust is not enabled.
    try:
        # pylint: disable=unused-import,import-outside-toplevel
        import pysss_nss_idmap  # noqa: F401
        # pylint: enable=unused-import,import-outside-toplevel
    except ImportError:
        return

    agent_role = ADtrustBasedRole(u"ad_trust_agent_server", u"AD trust agent")
    controller_role = ServiceBasedRole(
        u"ad_trust_controller_server",
        u"AD trust controller",
        component_services=['ADTRUST'],
    )

    # Only the first status entry of each role is inspected.
    agent_state = agent_role.status(api)[0]
    if agent_state.get('status') == 'enabled':
        self.trust_agent = True

    controller_state = controller_role.status(api)[0]
    if controller_state.get('status') == 'enabled':
        self.trust_controller = True
def initialize(self, framework, config, options=None):
    """Bring up the IPA API and make a best-effort LDAP connection.

    ``options`` is accepted but not forwarded to the parent initializer.
    Credential-cache and network errors raised by the LDAP connect are
    swallowed, so this method can return with ``ldap2`` still disconnected.
    """
    super().initialize(framework, config)
    installutils.check_server_configuration()

    if not api.isdone('bootstrap'):
        api.bootstrap(
            in_server=True,
            context='ipahealthcheck',
            log=None,
        )
    if not api.isdone('finalize'):
        api.finalize()

    if api.Backend.ldap2.isconnected():
        return
    try:
        api.Backend.ldap2.connect()
    except (errors.CCacheError, errors.NetworkError):
        # NOTE(review): the failure leaves no trace at all; later checks must
        # test isconnected() themselves. Consider at least a debug log entry.
        pass
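def get_api_env():
    """Return the simple-valued settings of ``api.env`` as a plain dict.

    When the API has not been bootstrapped yet, it is bootstrapped and
    finalized with the host keytab as the Kerberos client keytab. The
    credential cache used for that step now lives in a freshly created
    private directory rather than at a fixed, predictable name in the
    shared /tmp directory, and any KRB5CCNAME / KRB5_CLIENT_KTNAME values
    the caller already had are restored afterwards instead of being dropped.

    Returns:
        dict mapping each public ``api.env`` attribute name to its value.
        ``str``/``text``/``bool``/``int`` values are copied as-is, ``DN``
        values are converted with ``str()``; other types are omitted.
    """
    # Function-scope imports: only the bootstrap workaround needs them.
    import shutil
    import tempfile

    # get api.env
    if not api.isdone("bootstrap"):
        # Workaround for FreeIPA 4.4, use host keytab to fetch LDAP
        # schema cache.
        krb5_vars = ("KRB5CCNAME", "KRB5_CLIENT_KTNAME")
        saved_env = {var: os.environ.get(var) for var in krb5_vars}

        # mkdtemp() creates a directory only its creator can access, so no
        # other local user can pre-create or swap the ccache path.
        ccache_dir = tempfile.mkdtemp(prefix="krb5cc_workaround")
        os.environ["KRB5CCNAME"] = os.path.join(ccache_dir, "ccache")
        os.environ["KRB5_CLIENT_KTNAME"] = "/etc/krb5.keytab"
        try:
            api.bootstrap(context="cli")
            api.finalize()
        finally:
            try:
                # KRB5CCNAME must still point at the temporary cache here so
                # that kdestroy removes the right credentials.
                subprocess.Popen(
                    ["kdestroy", "-q"],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                ).communicate()
            finally:
                shutil.rmtree(ccache_dir, ignore_errors=True)
                for var, previous in saved_env.items():
                    if previous is None:
                        os.environ.pop(var, None)
                    else:
                        os.environ[var] = previous

    result = {}
    for name in dir(api.env):
        if name.startswith("_"):
            continue
        value = getattr(api.env, name)
        if isinstance(value, (str, text, bool, int)):
            result[name] = value
        elif isinstance(value, DN):
            result[name] = str(value)
    return result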
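def get_api_env():
    """Return the simple-valued settings of ``api.env`` as a plain dict.

    When the API has not been bootstrapped yet, it is bootstrapped and
    finalized with the host keytab as the Kerberos client keytab. The
    credential cache used for that step now lives in a freshly created
    private directory rather than at a fixed, predictable name in the
    shared /tmp directory, and any KRB5CCNAME / KRB5_CLIENT_KTNAME values
    the caller already had are restored afterwards instead of being dropped.

    Returns:
        dict mapping each public ``api.env`` attribute name to its value.
        ``str``/``text``/``bool``/``int`` values are copied as-is, ``DN``
        values are converted with ``str()``; other types are omitted.
    """
    # Function-scope imports: only the bootstrap workaround needs them.
    import shutil
    import tempfile

    # get api.env
    if not api.isdone('bootstrap'):
        # Workaround for FreeIPA 4.4, use host keytab to fetch LDAP
        # schema cache.
        krb5_vars = ('KRB5CCNAME', 'KRB5_CLIENT_KTNAME')
        saved_env = {var: os.environ.get(var) for var in krb5_vars}

        # mkdtemp() creates a directory only its creator can access, so no
        # other local user can pre-create or swap the ccache path.
        ccache_dir = tempfile.mkdtemp(prefix='krb5cc_workaround')
        os.environ['KRB5CCNAME'] = os.path.join(ccache_dir, 'ccache')
        os.environ['KRB5_CLIENT_KTNAME'] = '/etc/krb5.keytab'
        try:
            api.bootstrap(context='cli')
            api.finalize()
        finally:
            try:
                # KRB5CCNAME must still point at the temporary cache here so
                # that kdestroy removes the right credentials.
                subprocess.Popen(
                    ['kdestroy', '-q'],
                    stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE,
                ).communicate()
            finally:
                shutil.rmtree(ccache_dir, ignore_errors=True)
                for var, previous in saved_env.items():
                    if previous is None:
                        os.environ.pop(var, None)
                    else:
                        os.environ[var] = previous

    result = {}
    for name in dir(api.env):
        if name.startswith('_'):
            continue
        value = getattr(api.env, name)
        if isinstance(value, (str, text, bool, int)):
            result[name] = value
        elif isinstance(value, DN):
            result[name] = str(value)
    return result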
def use_api_as_principal(principal, keytab):
    """Yield once while the IPA RPC client is connected as ``principal``.

    Credentials for ``principal`` are acquired from ``keytab`` into the
    credential cache supplied by ``ipautil.private_ccache()``. On exit the
    RPC client is disconnected and ``context.principal`` is put back to the
    value it had on entry.

    This is a generator; presumably it is wrapped with
    ``contextlib.contextmanager`` where it is defined -- the decorator is
    not visible here.

    Raises:
        Exception: when a GSSAPI error occurs while connecting or inside the
            caller's ``with`` body; the message names the principal and the
            keytab path.
    """
    with ipautil.private_ccache() as ccache_file:
        try:
            old_principal = getattr(context, "principal", None)

            gss_name = gssapi.Name(
                principal, gssapi.NameType.kerberos_principal
            )
            cred_store = {"ccache": ccache_file, "client_keytab": keytab}
            # The returned object is discarded: the call is made for its
            # effect of acquiring initiator credentials into cred_store.
            gssapi.Credentials(
                name=gss_name, usage="initiate", store=cred_store
            )

            # Finalize API when TGT obtained using host keytab exists
            if not api.isdone("finalize"):
                api.finalize()

            # Now we have a TGT, connect to IPA
            try:
                # Drop any existing session so the new connection is made
                # with the credentials acquired above.
                if api.Backend.rpcclient.isconnected():
                    api.Backend.rpcclient.disconnect()
                api.Backend.rpcclient.connect()

                yield
            except gssapi.exceptions.GSSError as exc:
                raise Exception(
                    "Unable to bind to IPA server. Error initializing "
                    "principal %s in %s: %s" % (principal, keytab, str(exc)))
        finally:
            # Always leave the shared API disconnected and the thread
            # context restored, even when credential acquisition failed.
            if api.Backend.rpcclient.isconnected():
                api.Backend.rpcclient.disconnect()
            setattr(context, "principal", old_principal)
def __init__(self):
    """Obtain a Kerberos ticket if needed, connect to IPA and open Redis.

    The RPC client ``connect()`` call is unconditional: there is no
    ``isconnected()`` guard, so constructing a second instance in the same
    process reconnects an already-connected client -- TODO confirm that is
    harmless for this application.
    """
    # Explicit ``is False`` comparisons are kept: a None result from the
    # ticket check must not trigger a new kinit.
    has_ticket = self.__kerberos_has_ticket()
    if has_ticket is False:
        self.__kerberos_init()

    api_finalized = api.isdone('finalize')
    if api_finalized is False:
        api.bootstrap_with_global_options(context='api')
        api.finalize()
    api.Backend.rpcclient.connect()

    # Connection parameters, including the password, come from settings.
    redis_params = dict(
        host=settings.REDIS_HOST,
        port=settings.REDIS_PORT,
        db=settings.REDIS_DB,
        password=settings.REDIS_PASSWORD,
    )
    self.redis = redis.StrictRedis(**redis_params)
def initialize(self, framework):
    """Set up the IPA API, connect to LDAP and record AD trust roles.

    Sets ``self.trust_agent`` / ``self.trust_controller`` to True when the
    matching role reports ``enabled``. Returns early, leaving both flags
    untouched, when the LDAP connection fails or when ``pysss_nss_idmap``
    is not importable -- callers rely on defaults defined elsewhere
    (TODO confirm those defaults exist).
    """
    # deferred import for mock
    from ipaserver.servroles import ADtrustBasedRole, ServiceBasedRole

    installutils.check_server_configuration()

    if not api.isdone('finalize'):
        if not api.isdone('bootstrap'):
            api.bootstrap(
                in_server=True,
                context='ipahealthcheck',
                log=None,
            )
        if not api.isdone('finalize'):
            api.finalize()

    if not api.Backend.ldap2.isconnected():
        try:
            api.Backend.ldap2.connect()
        except (errors.CCacheError, errors.NetworkError) as exc:
            # Only visible at debug level; every check below is skipped.
            logging.debug('Failed to connect to LDAP: %s', exc)
            return

    # This package is pulled in when the trust package is installed
    # and is required to lookup trust users. If this is not installed
    # then it can be inferred that trust is not enabled.
    try:
        import pysss_nss_idmap  # noqa: F401
    except ImportError:
        return

    agent_role = ADtrustBasedRole(u"ad_trust_agent_server", u"AD trust agent")
    controller_role = ServiceBasedRole(
        u"ad_trust_controller_server",
        u"AD trust controller",
        component_services=['ADTRUST'],
    )

    # Only the first status entry of each role is inspected.
    agent_state = agent_role.status(api)[0]
    if agent_state.get('status') == 'enabled':
        self.trust_agent = True

    controller_state = controller_role.status(api)[0]
    if controller_state.get('status') == 'enabled':
        self.trust_controller = True
def api_connect():
    """Lazily set up the FreeIPA API and open the RPC client connection.

    Safe to call repeatedly: bootstrap/finalize run only the first time and
    the RPC client is connected only when it is not connected already.
    """
    # Initialization is delayed until first use so that pre-forking web
    # servers do it in the worker process rather than at import time.
    needs_setup = not api.isdone('bootstrap')
    if needs_setup:
        api.bootstrap(context='cli')
        api.finalize()

    if api.Backend.rpcclient.isconnected():
        return
    api.Backend.rpcclient.connect()
def api_connect():
    """Lazily set up the FreeIPA API and open the RPC client connection.

    Safe to call repeatedly: bootstrap/finalize run only the first time and
    the RPC client is connected only when it is not connected already.
    """
    # Initialization is delayed until first use so that pre-forking web
    # servers do it in the worker process rather than at import time.
    needs_setup = not api.isdone("bootstrap")
    if needs_setup:
        api.bootstrap(context="cli")
        api.finalize()

    if api.Backend.rpcclient.isconnected():
        return
    api.Backend.rpcclient.connect()
def get_group_info(self):
    """Look up the group named in ``self.safe_options.group``.

    Returns:
        The ``"result"`` entry of the ``group_show`` response, or ``None``
        when no group option was given.

    Raises:
        ScriptError: when the server reports the group as not found.
    """
    # Precondition only: this check disappears under ``python -O``, so it
    # must not be relied on as a runtime guard.
    assert api.isdone("finalize")

    group_name = self.safe_options.group
    if group_name is None:
        return None

    try:
        # no_members=True asks for the group entry without its member list.
        response = api.Command.group_show(group_name, no_members=True)
        return response["result"]
    except errors.NotFound:
        raise ScriptError(f"Unknown users group '{group_name}'.")
def _read_configuration(self):
    """Merge in the EPN configuration from /etc/ipa/epn.conf

    Bootstraps the API as a non-server ``epn`` context, layers the
    ``EPN_CONFIG`` values on top with ``api.env._merge()``, then finalizes
    the API if that has not happened yet. ``bootstrap()`` is called without
    an ``isdone`` guard, unlike ``finalize()``.
    """
    api.bootstrap(
        context="epn",
        confdir=paths.ETC_IPA,
        in_server=False,
    )
    api.env._merge(**EPN_CONFIG)

    finalized = api.isdone("finalize")
    if not finalized:
        api.finalize()
def __init__(self):
    """Read the retry setting and prepare the IPA API for this process.

    Falls back to a single connection attempt when ``connect_retries`` is
    not a registered option. When ipalib could not be imported, nothing
    else is set up.
    """
    try:
        retries = CONF.connect_retries
    except cfg.NoSuchOptError:
        retries = 1
    self.ntries = retries

    if not ipalib_imported:
        return

    # A uniquely named in-memory credential cache: tickets never touch disk
    # and are not shared with other processes. Note that KRB5CCNAME is set
    # process-wide through os.environ.
    self.ccache = "MEMORY:%s" % uuid.uuid4()
    os.environ['KRB5CCNAME'] = self.ccache

    if self._ipa_client_configured():
        if not api.isdone('finalize'):
            api.bootstrap(context='novajoin')
            api.finalize()
def connect(self, sanity_check=True):
    """
    Connect to FreeIPA server

    Bootstraps and finalizes the API on first use, connects the RPC client
    when it is not connected yet, and pings the server. When
    ``sanity_check`` is true, ``self._do_sanity_check()`` runs afterwards.
    Any exception is logged at error level and re-raised unchanged.
    """
    try:
        first_use = not api.isdone('bootstrap')
        if first_use:
            api.bootstrap(context='fleetcommander', log=None)
            api.finalize()

        rpc_connected = api.Backend.rpcclient.isconnected()
        if not rpc_connected:
            api.Backend.rpcclient.connect()

        # The ping runs on every call, connected or not.
        api.Command.ping()

        # Sanity check
        if sanity_check:
            self._do_sanity_check()
    except Exception as exc:
        logging.error(
            'FreeIPAConnector: Error connecting to FreeIPA: %s' % exc)
        raise
def api_connect():
    """Lazily set up the FreeIPA API and open the RPC client connection.

    On first use the configured client keytab and credential cache name,
    when set, are exported through ``KRB5_CLIENT_KTNAME`` and ``KRB5CCNAME``
    before the API is bootstrapped. Both variables are process-wide and are
    not reset afterwards.
    """
    # delay initialization of API for pre-forking web servers
    if not api.isdone('bootstrap'):
        # Export the Kerberos settings in the same order as before: client
        # keytab first, then the ccache name. Unset options are skipped.
        kerberos_env = (
            ('KRB5_CLIENT_KTNAME', 'client_keytab'),
            ('KRB5CCNAME', 'ccache_name'),
        )
        for env_var, option in kerberos_env:
            configured = getattr(config, option)
            if configured is not None:
                os.environ[env_var] = configured

        api.bootstrap(context='cli')
        api.finalize()

    if api.Backend.rpcclient.isconnected():
        return
    api.Backend.rpcclient.connect()
def get_api_env(context):
    """Return the simple-valued settings of ``api.env`` as a plain dict.

    Args:
        context: IPA API context name passed to ``api.bootstrap()`` when the
            API has not been bootstrapped yet.

    Returns:
        dict of public ``api.env`` attributes. Strings, booleans, real
        numbers and ``None`` are copied as-is, ``DN`` values are converted
        with ``str()``; attributes of any other type are left out.
    """
    # get api.env
    if not api.isdone('bootstrap'):
        # only call bootstrap, finalize() triggers a download that requires
        # valid Kerberos credentials.
        api.bootstrap(context=context)

    env = {}
    public_names = (n for n in dir(api.env) if not n.startswith('_'))
    for key in public_names:
        setting = getattr(api.env, key)
        if isinstance(setting, (str, text, bool, numbers.Real)) or setting is None:
            env[key] = setting
        elif isinstance(setting, DN):
            env[key] = str(setting)
    return env
def main():
    """Entry point of the ipa-custodia LDAP DM hash handler.

    Opens an LDAPI connection to the realm's directory server, binds with
    SASL EXTERNAL and hands the connection to ``common.main`` together with
    the ``export_key`` / ``import_key`` callbacks.
    """
    parser = common.mkparser(description='ipa-custodia LDAP DM hash handler')

    # NOTE(review): the test is on the effective *group* id while the message
    # talks about the root *user*; a non-root user in gid 0 passes this
    # check. Confirm whether geteuid() was intended.
    effective_gid = os.getegid()
    if effective_gid != 0:
        parser.error("Must be run as root user.\n")

    # create LDAP connection using LDAPI and EXTERNAL bind as root
    if not api.isdone('bootstrap'):
        api.bootstrap()

    ldap_uri = realm_to_ldapi_uri(api.env.realm)
    conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
    try:
        conn.external_bind()
    except Exception as exc:
        parser.error("Failed to connect to {}: {}\n".format(ldap_uri, exc))

    with conn:
        common.main(parser, export_key, import_key, conn=conn)
def main():
    """Entry point of the ipa-custodia LDAP DM hash handler.

    Opens an LDAPI connection to the realm's directory server, binds with
    SASL EXTERNAL and hands the connection to ``common.main`` together with
    the ``export_key`` / ``import_key`` callbacks.
    """
    parser = common.mkparser(description='ipa-custodia LDAP DM hash handler')

    # NOTE(review): the test is on the effective *group* id while the message
    # talks about the root *user*; a non-root user in gid 0 passes this
    # check. Confirm whether geteuid() was intended.
    effective_gid = os.getegid()
    if effective_gid != 0:
        parser.error("Must be run as root user.\n")

    # create LDAP connection using LDAPI and EXTERNAL bind as root
    if not api.isdone('bootstrap'):
        api.bootstrap()

    ldap_uri = realm_to_ldapi_uri(api.env.realm)
    conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
    try:
        conn.external_bind()
    except Exception as exc:
        parser.error("Failed to connect to {}: {}\n".format(ldap_uri, exc))

    with conn:
        common.main(parser, export_key, import_key, conn=conn)
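def __init__(self, backoff=0):
    """Read connection settings and prepare the IPA API for this process.

    Args:
        backoff: stored on the instance as ``self.backoff``.

    ``connect_retries`` falls back to 1 and ``keytab`` falls back to
    ``/etc/novajoin/krb5.keytab`` when the option is not registered. When
    ipalib could not be imported, only ``self.ntries`` is set.
    """
    try:
        self.ntries = CONF.connect_retries
    except cfg.NoSuchOptError:
        self.ntries = 1

    if not ipalib_imported:
        return

    try:
        self.keytab = CONF.keytab
    except cfg.NoSuchOptError:
        self.keytab = '/etc/novajoin/krb5.keytab'

    # A uniquely named in-memory credential cache: tickets never touch disk
    # and are not shared with other processes.
    self.ccache = "MEMORY:" + str(uuid.uuid4())
    os.environ['KRB5CCNAME'] = self.ccache
    # Point GSSAPI at the keytab resolved above. This used to be a
    # hard-coded file under a user's home directory, which ignored the
    # configured keytab and tied the service credential to that account.
    os.environ['KRB5_CLIENT_KTNAME'] = self.keytab

    if self._ipa_client_configured() and not api.isdone('finalize'):
        api.bootstrap(context='novajoin')
        api.finalize()

    self.batch_args = list()
    self.backoff = backoff
    (_hostname, domain, realm) = self.get_host_domain_and_realm()
    self.domain = domain
    self.realm = realm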
def wrapped(obj, *args, **kwargs):
    """Call ``obj.connect()`` if the IPA API is not bootstrapped, then run ``f``.

    ``f`` is the function captured from the enclosing scope, which is not
    visible here. Only the bootstrap state is tested; an API that is
    bootstrapped but whose client has since disconnected is not reconnected.
    """
    api_ready = api.isdone('bootstrap')
    if not api_ready:
        obj.connect()
    outcome = f(obj, *args, **kwargs)
    return outcome