コード例 #1
0
 def ldap_connect(self):
     # If DM password is provided, we use it
     # If autobind was requested, attempt autobind when root and ldapi
     # If autobind was disabled or not succeeded, go with GSSAPI
     # LDAPI can be used with either autobind or GSSAPI
     # LDAPI requires realm to be set
     try:
         if self.ldapi:
             if not self.realm:
                 raise errors.NotFound(reason="realm is missing for %s" %
                                       (self))
             conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
         else:
             conn = ipaldap.IPAdmin(self.fqdn, port=389)
         if self.dm_password:
             conn.do_simple_bind(bindpw=self.dm_password)
         elif self.autobind in [AUTO, ENABLED]:
             if os.getegid() == 0 and self.ldapi:
                 try:
                     # autobind
                     pw_name = pwd.getpwuid(os.geteuid()).pw_name
                     conn.do_external_bind(pw_name)
                 except errors.NotFound, e:
                     if self.autobind == AUTO:
                         # Fall back
                         conn.do_sasl_gssapi_bind()
                     else:
                         # autobind was required and failed, raise
                         # exception that it failed
                         raise e
             else:
                 conn.do_sasl_gssapi_bind()
         else:
コード例 #2
0
    def execute(self, **options):
        # We need an IPAdmin connection to the backend
        self.log.debug("Start replication agreement exclude list update task")
        conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm)
        conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)

        repl = replication.ReplicationManager(api.env.realm,
                                              api.env.host,
                                              None,
                                              conn=conn)
        entries = repl.find_replication_agreements()
        self.log.debug("Found %d agreement(s)", len(entries))
        for replica in entries:
            self.log.debug(replica.getValue('description'))

            self._update_attr(repl,
                              replica,
                              'nsDS5ReplicatedAttributeList',
                              replication.EXCLUDES,
                              template=EXCLUDE_TEMPLATE)
            self._update_attr(repl,
                              replica,
                              'nsDS5ReplicatedAttributeListTotal',
                              replication.TOTAL_EXCLUDES,
                              template=EXCLUDE_TEMPLATE)
            self._update_attr(repl, replica, 'nsds5ReplicaStripAttrs',
                              replication.STRIP_ATTRS)

        self.log.debug("Done updating agreements")

        return (False, False, [])  # No restart, no apply now, no updates
コード例 #3
0
    def setUp(self):
        fqdn = installutils.get_fqdn()
        pwfile = api.env.dot_ipa + os.sep + ".dmpw"
        if ipautil.file_exists(pwfile):
            fp = open(pwfile, "r")
            self.dm_password = fp.read().rstrip()
            fp.close()
        else:
            raise nose.SkipTest("No directory manager password")
        self.updater = LDAPUpdate(dm_password=self.dm_password,
                                  sub_dict={},
                                  live_run=True)
        self.ld = ipaldap.IPAdmin(fqdn)
        self.ld.do_simple_bind(bindpw=self.dm_password)
        if ipautil.file_exists("0_reset.update"):
            self.testdir = "./"
        elif ipautil.file_exists("tests/test_install/0_reset.update"):
            self.testdir = "./tests/test_install/"
        else:
            raise nose.SkipTest("Unable to find test update files")

        self.container_dn = DN(
            self.updater._template_str('cn=test, cn=accounts, $SUFFIX'))
        self.user_dn = DN(
            self.updater._template_str(
                'uid=tuser, cn=test, cn=accounts, $SUFFIX'))
コード例 #4
0
def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None):
    """
    Test whether the dns container exists.
    """

    def object_exists(dn):      # FIXME, this should be a IPAdmin/ldap2 method so it can be shared
        """
        Test whether the given object exists in LDAP.
        """
        assert isinstance(dn, DN)
        try:
            conn.search_ext_s(dn, ldap.SCOPE_BASE)
        except ldap.NO_SUCH_OBJECT:
            return False
        else:
            return True

    assert isinstance(suffix, DN)
    try:
        # At install time we may need to use LDAPI to avoid chicken/egg
        # issues with SSL certs and truting CAs
        if ldapi:
            conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm)
        else:
            conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=service.CACERT)

        if dm_password:
            conn.do_simple_bind(bindpw=dm_password)
        else:
            conn.do_sasl_gssapi_bind()
    except ldap.SERVER_DOWN:
        raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)

    ret = object_exists(DN(('cn', 'dns'), suffix))
    conn.unbind_s()

    return ret
コード例 #5
0
 def create_connection(self):
     if self.online:
         if self.ldapi:
             self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
         else:
             self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'],
                                         ldapi=False,
                                         realm=self.realm)
         try:
             if self.dm_password:
                 self.conn.do_simple_bind(binddn=DN(
                     ('cn', 'directory manager')),
                                          bindpw=self.dm_password)
             elif os.getegid() == 0:
                 try:
                     # autobind
                     self.conn.do_external_bind(self.pw_name)
                 except errors.NotFound:
                     # Fall back
                     self.conn.do_sasl_gssapi_bind()
             else:
                 self.conn.do_sasl_gssapi_bind()
         except ldap.LOCAL_ERROR, e:
             raise RuntimeError('%s' % e.args[0].get('info', '').strip())
コード例 #6
0
    def init_memberof(self):

        if not self.run_init_memberof:
            return

        self._ldap_mod("memberof-task.ldif", self.sub_dict)
        # Note, keep dn in sync with dn in install/share/memberof-task.ldif
        dn = DN(('cn', 'IPA install %s' % self.sub_dict["TIME"]),
                ('cn', 'memberof task'), ('cn', 'tasks'), ('cn', 'config'))
        root_logger.debug("Waiting for memberof task to complete.")
        conn = ipaldap.IPAdmin(self.fqdn)
        if self.dm_password:
            conn.simple_bind_s(DN(('cn', 'directory manager')),
                               self.dm_password)
        else:
            conn.do_sasl_gssapi_bind()
        conn.checkTask(dn, dowait=True)
        conn.unbind()
コード例 #7
0
    def __init__(self,
                 dm_password,
                 sub_dict={},
                 live_run=True,
                 online=True,
                 ldapi=False,
                 plugins=False):
        '''
        :parameters:
            dm_password
                Directory Manager password
            sub_dict
                substitution dictionary
            live_run
                Apply the changes or just test
            online
                Do an online LDAP update or use an experimental LDIF updater
            ldapi
                Bind using ldapi. This assumes autobind is enabled.
            plugins
                execute the pre/post update plugins

        Data Structure Example:
        -----------------------

        dn_by_rdn_count = {
            3: 'cn=config,dc=example,dc=com':
            4: 'cn=bob,ou=people,dc=example,dc=com',
        }

        all_updates = {
        'dn': 'cn=config,dc=example,dc=com':
            {
                'dn': 'cn=config,dc=example,dc=com',
                'default': ['attr1':default1'],
                'updates': ['action:attr1:value1',
                            'action:attr2:value2]
            },
        'dn': 'cn=bob,ou=people,dc=example,dc=com':
            {
                'dn': 'cn=bob,ou=people,dc=example,dc=com',
                'default': ['attr3':default3'],
                'updates': ['action:attr3:value3',
                            'action:attr4:value4],
            }
        }

        The default and update lists are "dispositions"


        '''
        log_mgr.get_logger(self, True)
        self.sub_dict = sub_dict
        self.live_run = live_run
        self.dm_password = dm_password
        self.conn = None
        self.modified = False
        self.online = online
        self.ldapi = ldapi
        self.plugins = plugins
        self.pw_name = pwd.getpwuid(os.geteuid()).pw_name
        self.realm = None
        suffix = None

        if sub_dict.get("REALM"):
            self.realm = sub_dict["REALM"]
        else:
            krbctx = krbV.default_context()
            try:
                self.realm = krbctx.default_realm
                suffix = ipautil.realm_to_suffix(self.realm)
            except krbV.Krb5Error:
                self.realm = None
                suffix = None

        if suffix is not None:
            assert isinstance(suffix, DN)
        domain = ipautil.get_domain_name()
        libarch = self._identify_arch()

        fqdn = installutils.get_fqdn()
        if fqdn is None:
            raise RuntimeError("Unable to determine hostname")
        fqhn = fqdn  # Save this for the sub_dict variable
        if self.ldapi:
            fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join(
                self.realm.split("."))

        if not self.sub_dict.get("REALM") and self.realm is not None:
            self.sub_dict["REALM"] = self.realm
        if not self.sub_dict.get("FQDN"):
            self.sub_dict["FQDN"] = fqhn
        if not self.sub_dict.get("DOMAIN"):
            self.sub_dict["DOMAIN"] = domain
        if not self.sub_dict.get("SUFFIX") and suffix is not None:
            self.sub_dict["SUFFIX"] = suffix
        if not self.sub_dict.get("ESCAPED_SUFFIX"):
            self.sub_dict["ESCAPED_SUFFIX"] = str(suffix)
        if not self.sub_dict.get("LIBARCH"):
            self.sub_dict["LIBARCH"] = libarch
        if not self.sub_dict.get("TIME"):
            self.sub_dict["TIME"] = int(time.time())
        if not self.sub_dict.get("DOMAIN") and domain is not None:
            self.sub_dict["DOMAIN"] = domain

        if online:
            # Try out the connection/password
            try:
                conn = ipaldap.IPAdmin(fqdn,
                                       ldapi=self.ldapi,
                                       realm=self.realm)
                if self.dm_password:
                    conn.do_simple_bind(binddn=DN(('cn', 'directory manager')),
                                        bindpw=self.dm_password)
                elif os.getegid() == 0:
                    try:
                        # autobind
                        conn.do_external_bind(self.pw_name)
                    except errors.NotFound:
                        # Fall back
                        conn.do_sasl_gssapi_bind()
                else:
                    conn.do_sasl_gssapi_bind()
                conn.unbind()
            except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
                raise RuntimeError("Unable to connect to LDAP server %s" %
                                   fqdn)
            except ldap.INVALID_CREDENTIALS:
                raise RuntimeError(
                    "The password provided is incorrect for LDAP server %s" %
                    fqdn)
            except ldap.LOCAL_ERROR, e:
                raise RuntimeError('%s' % e.args[0].get('info', '').strip())
コード例 #8
0
    def __enable_ssl(self):
        dirname = config_dirname(self.serverid)
        dsdb = certs.CertDB(self.realm_name,
                            nssdir=dirname,
                            subject_base=self.subject_base)
        if self.pkcs12_info:
            dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
            server_certs = dsdb.find_server_certs()
            if len(server_certs) == 0:
                raise RuntimeError(
                    "Could not find a suitable server cert in import in %s" %
                    self.pkcs12_info[0])

            # We only handle one server cert
            nickname = server_certs[0][0]
            self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
            dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname,
                                   'restart_dirsrv %s' % self.serverid)
        else:
            nickname = "Server-Cert"
            cadb = certs.CertDB(self.realm_name,
                                host_name=self.fqdn,
                                subject_base=self.subject_base)
            if self.self_signed_ca:
                dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
                self.dercert = dsdb.create_server_cert("Server-Cert",
                                                       self.fqdn, cadb)
                dsdb.track_server_cert("Server-Cert", self.principal,
                                       dsdb.passwd_fname,
                                       'restart_dirsrv %s' % self.serverid)
                dsdb.create_pin_file()
            else:
                # FIXME, need to set this nickname in the RA plugin
                cadb.export_ca_cert('ipaCert', False)
                dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
                self.dercert = dsdb.create_server_cert("Server-Cert",
                                                       self.fqdn, cadb)
                dsdb.track_server_cert("Server-Cert", self.principal,
                                       dsdb.passwd_fname,
                                       'restart_dirsrv %s' % self.serverid)
                dsdb.create_pin_file()

        conn = ipaldap.IPAdmin(self.fqdn)
        conn.simple_bind_s(DN(('cn', 'directory manager')), self.dm_password)

        mod = [
            (ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
            (ldap.MOD_REPLACE, "nsSSL3Ciphers",
             "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
+tls_rsa_export1024_with_des_cbc_sha")
        ]
        conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)

        mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
        conn.modify_s(DN(('cn', 'config')), mod)

        entry = ipaldap.Entry(
            DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')))

        entry.setValues("objectclass", "top", "nsEncryptionModule")
        entry.setValues("cn", "RSA")
        entry.setValues("nsSSLPersonalitySSL", nickname)
        entry.setValues("nsSSLToken", "internal (software)")
        entry.setValues("nsSSLActivation", "on")

        conn.addEntry(entry)

        conn.unbind()

        # check for open secure port 636 from now on
        self.open_ports.append(636)