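def remove_ipa_ca_cnames(self, domain_name):
    """Delete the ``ipa-ca`` CNAME records from zone ``domain_name``.

    The records are deleted only when *every* CNAME target is the FQDN of a
    known IPA master.  If any target points elsewhere nothing is touched and
    a warning tells the administrator to clean up by hand, naming the
    offending record.  A missing zone, or no ``ipa-ca`` CNAMEs at all, is
    silently treated as "nothing to do".

    :param domain_name: DNS zone that holds the ``ipa-ca`` records.
    """
    try:
        cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
    except errors.NotFound:
        # the zone itself does not exist, so there is nothing to remove
        cnames = None
    if not cnames:
        return

    logger.info('Removing IPA CA CNAME records')

    # FQDNs of all IPA masters; an empty set means no CNAME can be
    # validated and therefore none will be removed.
    try:
        masters = set(get_masters(self.api.Backend.ldap2))
    except errors.NotFound:
        masters = set()

    # Map each CNAME value to an absolute host name: an absolute target ends
    # with '.', a relative one is qualified with the zone name.
    cname_fqdn = {}
    for cname in cnames:
        if cname.endswith('.'):
            cname_fqdn[cname] = cname[:-1]
        else:
            cname_fqdn[cname] = '%s.%s' % (cname, domain_name)

    # Safety check before any deletion: refuse to remove anything if even
    # one CNAME points at a host that is not an IPA master.
    # NOTE(review): the comparison is case-sensitive while DNS names are
    # not -- confirm get_rr()/get_masters() return consistently cased names.
    for cname in cnames:
        fqdn = cname_fqdn[cname]
        if fqdn not in masters:
            logger.warning(
                "Cannot remove IPA CA CNAME please remove them manually "
                "if necessary (%s -> %s is not an IPA master)", cname, fqdn)
            return

    # every target is a master: delete all CNAMEs
    for cname in cnames:
        del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api)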
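def disable_agreements(self):
    '''
    Find all replication agreements on all masters and disable them.
    Warn very loudly about any agreements/masters we cannot contact.

    Every master except the local host is visited: its directory
    replication agreements are disabled first and, when the master's
    service entries include ``CA``, its CA replication agreements too.
    A master that cannot be connected to, or a single agreement that
    cannot be disabled, is logged at CRITICAL and skipped so that the
    remaining masters are still processed; nothing is raised to the
    caller.
    '''
    try:
        conn = self.get_connection()
    except Exception as e:
        logger.error('Unable to get connection, skipping disabling '
                     'agreements: %s', e)
        return

    def _agreement_hosts(repl):
        # remote host of every agreement the manager sees on its master
        host_entries = repl.find_ipa_replication_agreements()
        return [rep.single_value.get('nsds5replicahost')
                for rep in host_entries]

    def _disable(repl, master, host):
        # One failing agreement must not abort the remaining agreements
        # or masters: log it loudly and carry on, as the contract says.
        try:
            repl.disable_agreement(host)
        except Exception as e:
            logger.critical("Unable to disable agreement on %s to %s: %s",
                            master, host, e)

    for master in get_masters(conn):
        if master == api.env.host:
            continue

        # self.dirman_password is the Directory Manager credential; it is
        # handed to the replication managers only and must never be logged.
        try:
            repl = ReplicationManager(api.env.realm, master,
                                      self.dirman_password)
        except Exception as e:
            logger.critical("Unable to disable agreement on %s: %s",
                            master, e)
            continue

        master_dn = DN(('cn', master), api.env.container_masters,
                       api.env.basedn)
        try:
            services = repl.conn.get_entries(master_dn,
                                             repl.conn.SCOPE_ONELEVEL)
        except errors.NotFound:
            # NOTE(review): a master with no service entries also skips its
            # directory agreements below -- confirm that is intended.
            continue
        services_cns = [s.single_value['cn'] for s in services]

        for host in _agreement_hosts(repl):
            logger.info('Disabling replication agreement on %s to %s',
                        master, host)
            _disable(repl, master, host)

        if 'CA' not in services_cns:
            continue

        try:
            repl = get_cs_replication_manager(api.env.realm, master,
                                              self.dirman_password)
        except Exception as e:
            logger.critical("Unable to disable agreement on %s: %s",
                            master, e)
            continue

        for host in _agreement_hosts(repl):
            logger.info('Disabling CA replication agreement on %s to '
                        '%s', master, host)
            # the CS manager is pointed at both ends of this agreement
            # before the disable call
            repl.hostnames = [master, host]
            _disable(repl, master, host)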
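def execute(self, *keys, **options):
    """Report a user's login status as seen by every IPA master.

    The user entry is fetched from each master in turn (the local one
    through the command's own backend, the others over a fresh GSSAPI
    bound LDAP connection) and one result row per master is returned with
    ``krblastsuccessfulauth``, ``krblastfailedauth``,
    ``krbloginfailedcount``, the master name in ``server`` and the query
    time in ``now``.  A master that cannot be connected to or queried still
    yields a row whose ``server`` field carries the error text, so the
    caller can see which masters were reachable.

    :param keys: user identifier(s), resolved with ``get_either_dn``.
    :param options: command options; ``raw`` keeps timestamps in LDAP
        generalized-time form (``YYYYmmddHHMMSSZ``) instead of ISO 8601.
    :returns: ``dict(result=..., count=..., truncated=False, summary=...)``
        where ``summary`` reports ``nsaccountlock`` as seen on the last
        master that was queried successfully.
    :raises: whatever ``handle_not_found`` produces when the entry does not
        exist on a master.
    """
    ldap = self.obj.backend
    dn = self.api.Object.user.get_either_dn(*keys, **options)
    attr_list = [
        'krbloginfailedcount',
        'krblastsuccessfulauth',
        'krblastfailedauth',
        'nsaccountlock'
    ]
    raw = options.get('raw', False)
    ldap_time_format = '%Y%m%d%H%M%SZ'
    iso_time_format = '%Y-%m-%dT%H:%M:%SZ'
    now_format = ldap_time_format if raw else iso_time_format

    disabled = False
    entries = []

    for host in get_masters(ldap):
        if host == api.env.host:
            # local master: reuse the command's own connection (never closed here)
            other_ldap = ldap
        else:
            try:
                # Plain ldap:// URI -- presumably the GSSAPI SASL layer is
                # relied on for integrity/confidentiality rather than TLS;
                # confirm against the deployment's LDAP security policy.
                other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
                other_ldap.gssapi_bind()
            except Exception as e:
                logger.error(
                    "user_status: Connecting to %s failed with "
                    "%s", host, str(e))
                entries.append({
                    'dn': dn,
                    'server': _("%(host)s failed: %(error)s"
                                ) % dict(host=host, error=str(e)),
                })
                continue

        try:
            entry = other_ldap.get_entry(dn, attr_list)
            newresult = {'dn': dn}
            for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                # copy the value list: it is rewritten in place below and
                # must not alias the entry's own attribute storage
                newresult[attr] = list(entry.get(attr, [u'N/A']))
            newresult['krbloginfailedcount'] = entry.get(
                'krbloginfailedcount', u'0')
            if not raw:
                for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                    try:
                        if newresult[attr][0] == u'N/A':
                            continue
                        newtime = time.strptime(newresult[attr][0],
                                                ldap_time_format)
                        newresult[attr][0] = unicode(
                            time.strftime(iso_time_format, newtime))
                    except Exception as e:
                        # keep the unconverted value rather than fail the row
                        logger.debug("time conversion failed with %s", str(e))
            newresult['server'] = host
            newresult['now'] = unicode(strftime(now_format, gmtime()))
            convert_nsaccountlock(entry)
            if 'nsaccountlock' in entry:
                # overwritten per master: the summary shows the last one seen
                disabled = entry['nsaccountlock']
            self.api.Object.user.get_preserved_attribute(entry, options)
            entries.append(newresult)
        except errors.NotFound:
            raise self.api.Object.user.handle_not_found(*keys)
        except Exception as e:
            logger.error(
                "user_status: Retrieving status for %s failed "
                "with %s", dn, str(e))
            entries.append({
                'dn': dn,
                'server': _("%(host)s failed") % dict(host=host),
            })
        finally:
            # close the remote connection on every exit path, including the
            # NotFound re-raise which previously leaked it
            if host != api.env.host:
                other_ldap.close()

    return dict(
        result=entries,
        count=len(entries),
        truncated=False,
        # translate the template first, then substitute, so the catalogue
        # lookup matches the untranslated msgid
        summary=unicode(
            _('Account disabled: %(disabled)s') % dict(disabled=disabled)),
    )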
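def execute(self, *keys, **options):
    """Report a user's login status as seen by every IPA master.

    The user entry is fetched from each master in turn (the local one
    through the command's own backend, the others over a fresh GSSAPI
    bound LDAP connection) and one result row per master is returned with
    ``krblastsuccessfulauth``, ``krblastfailedauth``,
    ``krbloginfailedcount``, the master name in ``server`` and the query
    time in ``now``.  A master that cannot be connected to or queried still
    yields a row whose ``server`` field carries the error text, so the
    caller can see which masters were reachable.

    :param keys: user identifier(s), resolved with ``get_either_dn``.
    :param options: command options; ``raw`` keeps timestamps in LDAP
        generalized-time form (``YYYYmmddHHMMSSZ``) instead of ISO 8601.
    :returns: ``dict(result=..., count=..., truncated=False, summary=...)``
        where ``summary`` reports ``nsaccountlock`` as seen on the last
        master that was queried successfully.
    :raises: whatever ``handle_not_found`` produces when the entry does not
        exist on a master.
    """
    ldap = self.obj.backend
    dn = self.api.Object.user.get_either_dn(*keys, **options)
    attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth',
                 'krblastfailedauth', 'nsaccountlock']
    raw = options.get('raw', False)
    ldap_time_format = '%Y%m%d%H%M%SZ'
    iso_time_format = '%Y-%m-%dT%H:%M:%SZ'
    now_format = ldap_time_format if raw else iso_time_format

    disabled = False
    entries = []

    for host in get_masters(ldap):
        if host == api.env.host:
            # local master: reuse the command's own connection (never closed here)
            other_ldap = ldap
        else:
            try:
                # Plain ldap:// URI -- presumably the GSSAPI SASL layer is
                # relied on for integrity/confidentiality rather than TLS;
                # confirm against the deployment's LDAP security policy.
                other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
                other_ldap.gssapi_bind()
            except Exception as e:
                logger.error("user_status: Connecting to %s failed with "
                             "%s", host, str(e))
                entries.append({
                    'dn': dn,
                    'server': _("%(host)s failed: %(error)s")
                              % dict(host=host, error=str(e)),
                })
                continue

        try:
            entry = other_ldap.get_entry(dn, attr_list)
            newresult = {'dn': dn}
            for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                # copy the value list: it is rewritten in place below and
                # must not alias the entry's own attribute storage
                newresult[attr] = list(entry.get(attr, [u'N/A']))
            newresult['krbloginfailedcount'] = entry.get(
                'krbloginfailedcount', u'0')
            if not raw:
                for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                    try:
                        if newresult[attr][0] == u'N/A':
                            continue
                        newtime = time.strptime(newresult[attr][0],
                                                ldap_time_format)
                        newresult[attr][0] = unicode(
                            time.strftime(iso_time_format, newtime))
                    except Exception as e:
                        # keep the unconverted value rather than fail the row
                        logger.debug("time conversion failed with %s", str(e))
            newresult['server'] = host
            newresult['now'] = unicode(strftime(now_format, gmtime()))
            convert_nsaccountlock(entry)
            if 'nsaccountlock' in entry:
                # overwritten per master: the summary shows the last one seen
                disabled = entry['nsaccountlock']
            self.api.Object.user.get_preserved_attribute(entry, options)
            entries.append(newresult)
        except errors.NotFound:
            raise self.api.Object.user.handle_not_found(*keys)
        except Exception as e:
            logger.error("user_status: Retrieving status for %s failed "
                         "with %s", dn, str(e))
            entries.append({
                'dn': dn,
                'server': _("%(host)s failed") % dict(host=host),
            })
        finally:
            # close the remote connection on every exit path, including the
            # NotFound re-raise which previously leaked it
            if host != api.env.host:
                other_ldap.close()

    return dict(
        result=entries,
        count=len(entries),
        truncated=False,
        # translate the template first, then substitute, so the catalogue
        # lookup matches the untranslated msgid
        summary=unicode(
            _('Account disabled: %(disabled)s') % dict(disabled=disabled)),
    )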