def main(): parser = common.mkparser(description='ipa-custodia LDAP DM hash handler') if os.getegid() != 0: parser.error("Must be run as root user.\n") # create LDAP connection using LDAPI and EXTERNAL bind as root if not api.isdone('bootstrap'): api.bootstrap() realm = api.env.realm ldap_uri = realm_to_ldapi_uri(realm) conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True) try: conn.external_bind() except Exception as e: parser.error("Failed to connect to {}: {}\n".format(ldap_uri, e)) with conn: common.main(parser, export_key, import_key, conn=conn)
def main(): parser = common.mkparser( description='ipa-custodia LDAP DM hash handler' ) if os.getegid() != 0: parser.error("Must be run as root user.\n") # create LDAP connection using LDAPI and EXTERNAL bind as root if not api.isdone('bootstrap'): api.bootstrap() realm = api.env.realm ldap_uri = realm_to_ldapi_uri(realm) conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True) try: conn.external_bind() except Exception as e: parser.error("Failed to connect to {}: {}\n".format(ldap_uri, e)) with conn: common.main(parser, export_key, import_key, conn=conn)
def create_connection(self, ccache=None, bind_dn=None, bind_pw='', cacert=None, autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None, time_limit=_missing, size_limit=_missing): """ Connect to LDAP server. Keyword arguments: ldapuri -- the LDAP server to connect to ccache -- Kerberos ccache name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option cacert -- TLS CA certificate filename autobind - autobind as the current user time_limit, size_limit -- maximum time and size limit for LDAP possible options: - value - sets the given value - None - reads value from ipaconfig - _missing - keeps previously configured settings (unlimited set by default in constructor) Extends backend.Connectible.create_connection. """ if bind_dn is None: bind_dn = DN(('cn', 'directory manager')) assert isinstance(bind_dn, DN) if cacert is None: cacert = paths.IPA_CA_CRT if time_limit is not _missing: object.__setattr__(self, 'time_limit', time_limit) if size_limit is not _missing: object.__setattr__(self, 'size_limit', size_limit) client = LDAPClient(self.ldap_uri, force_schema_updates=self._force_schema_updates, cacert=cacert) conn = client._conn with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality # This also protects us from a broken ldap.conf if minssf < 56: minssf = 56 conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf) if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: client.simple_bind(bind_dn, bind_pw, server_controls=serverctrls, client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: client.external_bind(server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise # exception that it failed raise else: if ldapi: with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) else: os.environ['KRB5CCNAME'] = ccache principal = krb_utils.get_principal(ccache_name=ccache) client.gssapi_bind(server_controls=serverctrls, client_controls=clientctrls) setattr(context, 'principal', principal) return conn
def create_connection( self, ccache=None, bind_dn=None, bind_pw='', cacert=None, autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None, time_limit=_missing, size_limit=_missing): """ Connect to LDAP server. Keyword arguments: ldapuri -- the LDAP server to connect to ccache -- Kerberos ccache name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option cacert -- TLS CA certificate filename autobind - autobind as the current user time_limit, size_limit -- maximum time and size limit for LDAP possible options: - value - sets the given value - None - reads value from ipaconfig - _missing - keeps previously configured settings (unlimited set by default in constructor) Extends backend.Connectible.create_connection. """ if bind_dn is None: bind_dn = DN(('cn', 'directory manager')) assert isinstance(bind_dn, DN) if cacert is None: cacert = constants.CACERT if time_limit is not _missing: self.time_limit = time_limit if size_limit is not _missing: self.size_limit = size_limit client = LDAPClient(self.ldap_uri, force_schema_updates=self._force_schema_updates, cacert=cacert) conn = client._conn with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality # This also protects us from a broken ldap.conf if minssf < 56: minssf = 56 conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf) if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: client.simple_bind(bind_dn, bind_pw, server_controls=serverctrls, client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: client.external_bind(server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise # exception that it failed raise else: if ldapi: with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) else: os.environ['KRB5CCNAME'] = ccache principal = krb_utils.get_principal(ccache_name=ccache) client.gssapi_bind(server_controls=serverctrls, client_controls=clientctrls) setattr(context, 'principal', principal) return conn
def get_config(dirsrv): base = DN( ("cn", api.env.host), ("cn", "masters"), ("cn", "ipa"), ("cn", "etc"), api.env.basedn, ) srcfilter = LDAPClient.combine_filters( [ LDAPClient.make_filter({"objectClass": "ipaConfigObject"}), LDAPClient.make_filter( {"ipaConfigString": [ENABLED_SERVICE, HIDDEN_SERVICE]}, rules=LDAPClient.MATCH_ANY, ), ], rules=LDAPClient.MATCH_ALL, ) attrs = ["cn", "ipaConfigString"] if not dirsrv.is_running(): raise IpactlError( "Failed to get list of services to probe status:\n" "Directory Server is stopped", 3, ) try: # The start/restart functions already wait for the server to be # started. What we are doing with this wait is really checking to see # if the server is listening at all. lurl = ldapurl.LDAPUrl(api.env.ldap_uri) if lurl.urlscheme == "ldapi": wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout) else: (host, port) = lurl.hostport.split(":") wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout) con = LDAPClient(api.env.ldap_uri) con.external_bind() res = con.get_entries( base, filter=srcfilter, attrs_list=attrs, scope=con.SCOPE_SUBTREE, time_limit=10, ) except errors.NetworkError: # LSB status code 3: program is not running raise IpactlError( "Failed to get list of services to probe status:\n" "Directory Server is stopped", 3, ) except errors.NotFound: masters_list = [] dn = DN(("cn", "masters"), ("cn", "ipa"), ("cn", "etc"), api.env.basedn) attrs = ["cn"] try: entries = con.get_entries(dn, con.SCOPE_ONELEVEL, attrs_list=attrs) except Exception as e: masters_list.append("No master found because of error: %s" % str(e)) else: for master_entry in entries: masters_list.append(master_entry.single_value["cn"]) masters = "\n".join(masters_list) raise IpactlError( "Failed to get list of services to probe status!\n" "Configured hostname '%s' does not match any master server in " "LDAP:\n%s" % (api.env.host, masters)) except Exception as e: raise IpactlError( "Unknown error when retrieving list of services from LDAP: %s" % str(e)) svc_list = [] for entry in res: name = entry.single_value["cn"] for p in entry["ipaConfigString"]: if p.startswith("startOrder "): try: order = int(p.split()[1]) except ValueError: raise IpactlError("Expected order as integer in: %s:%s" % (name, p)) svc_list.append([order, name]) ordered_list = [] for order, svc in sorted(svc_list): if svc in service.SERVICE_LIST: ordered_list.append(service.SERVICE_LIST[svc].systemd_name) return deduplicate(ordered_list)
def create_connection(self, ccache=None, bind_dn=None, bind_pw='', tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, debug_level=0, autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None, time_limit=None, size_limit=None): """ Connect to LDAP server. Keyword arguments: ldapuri -- the LDAP server to connect to ccache -- Kerberos ccache name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option tls_cacertfile -- TLS CA certificate filename tls_certfile -- TLS certificate filename tls_keyfile - TLS bind key filename autobind - autobind as the current user Extends backend.Connectible.create_connection. """ if bind_dn is None: bind_dn = DN() assert isinstance(bind_dn, DN) if tls_cacertfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile) if tls_certfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_CERTFILE, tls_certfile) if tls_keyfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile) if time_limit is not None: self.time_limit = time_limit if size_limit is not None: self.size_limit = size_limit if debug_level: _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level) client = LDAPClient(self.ldap_uri, force_schema_updates=self._force_schema_updates) conn = client._conn with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality # This also protects us from a broken ldap.conf if minssf < 56: minssf = 56 conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf) if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: client.simple_bind(bind_dn, bind_pw, server_controls=serverctrls, client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: pw_name = pwd.getpwuid(os.geteuid()).pw_name client.external_bind(pw_name, server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise # exception that it failed raise else: if ldapi: with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) else: os.environ['KRB5CCNAME'] = ccache principal = krb_utils.get_principal(ccache_name=ccache) client.gssapi_bind(server_controls=serverctrls, client_controls=clientctrls) setattr(context, 'principal', principal) return conn