 def setUp(self):
     """Build the Config/Authen/Author triple and open an admin db handle.

     Authentication uses the default plugin; authorization is forced to
     the 'ldapdbadmin' backend.  The connected handle is stored in
     self.db for the test methods.
     """
     cfg = Classes.Config(plugin_author='ldapdbadmin')
     self.config = cfg
     # A variant passing krb5keytab='/root/janitor/keytab' was commented
     # out here; the plugin's default keytab is used instead.
     self.authen = Classes.Authen(cfg)
     self.author = Classes.Author(cfg)
     # the usid returned by authenticate() is handed straight to authorize()
     self.usid = self.authen.authenticate()
     self.db = self.author.authorize(self.usid)
def client_run():
    """Run the client-side policy update for this host.

    Authenticates the host, connects to the database, fetches the host's
    attribute collection and feeds its policies to udPolicyEngine.

    Returns:
        1 when host authentication fails, 2 when the database connection
        fails; otherwise None after the policy engine has run.
    """
    print(
        "\n---------------------------------------------\nUniDomain managed system is updating account, group and policy settings ... \n---------------------------------------------\n"
    )
    config = Classes.Config()
    host_id = Classes.Authen(config).authenticate()
    if not host_id:
        logging.critical(
            'authentication of this host failed. Is this host registered in a domain? Network is up?'
        )
        return 1

    # the authenticated identity is what DB.connect() binds with
    db = Classes.DB(host_id).connect()
    if not db:
        logging.critical('can not connect to database.')
        return 2

    # AttributeCollection describing this host (db.userID presumably is the
    # host's own identity, as set by connect())
    host_attributes = db.get_host_data(db.userID)
    logging.debug(host_attributes.__str__())

    policies = host_attributes.getPolicies()
    # updateDbPolicy is always added so the host reports back; the server
    # side uses that for dead-host detection.
    policies['updateDbPolicy'] = None

    logging.info('instantiating udPolicyEngine with %i policies',
                 len(policies))
    engine = udPolicyEngine.udPolicyEngine(policies, db, config)
    logging.info('running udPolicyEngine.')
    engine.run()
 def setUp(self):
     """Log in through the krb5_login plugin with credentials exported by __main__.

     The test driver stores the username/password it collected on the
     __main__ module; krb5keytab='./keytab' points the plugin at a local
     keytab file.
     """
     main_mod = sys.modules['__main__']
     self.config = Classes.Config(plugin_authen='krb5_login',
                                  krb5keytab='./keytab')
     self.authen = Classes.Authen(self.config)
     self.usid = self.authen.authenticate(user=main_mod.username,
                                          pw=main_mod.userpw)
     # acquire the kadmin handle the admin tests rely on
     self.authen.kadmin()
 def setUp(self):
     """Authenticate via krb5_login and authorize against the ldapdbadmin backend.

     Only the part of the principal before '@' (i.e. without the realm)
     is passed to authorize().
     """
     main_mod = sys.modules['__main__']
     self.config = Classes.Config(plugin_authen='krb5_login',
                                  plugin_author='ldapdbadmin')
     # A janitor-keytab variant of this Config was commented out here.
     self.authen = Classes.Authen(self.config)
     self.author = Classes.Author(self.config)
     self.usid = self.authen.authenticate(user=main_mod.username,
                                          pw=main_mod.userpw)
     principal, _sep, _realm = self.usid.partition('@')
     self.db = self.author.authorize(principal)
 def testPasswordAuthen(self):
     """check if password login works

     The krb5_login plugin must be selected, authenticate with the
     user/pw exported by __main__, and afterwards obtain a kadmin ticket.
     """
     main_mod = sys.modules['__main__']
     config = Classes.Config(plugin_authen='krb5_login')
     authen = Classes.Authen(config)
     # the plugin loader must have resolved the krb5_login module
     self.assertEqual(authen.__module__, 'UniDomain.plugins.krb5_login')
     authen.authenticate(user=main_mod.username, pw=main_mod.userpw)
     self.assertTrue(authen.isAuthenticated,
                     'isAuthenticated is not set after login.')
     authen.kadmin()
     self.assertTrue(authen.kadm, 'cant acquire kadmin ticket.')
 def testdefaultAuthen(self):
     """check if default login is non-interactive and works

     Expects the krb5_keytab plugin and a host principal of the form
     host/<fqdn>@<krb5realm>.
     """
     config = Classes.Config()
     # NOTE(review): Authen() is built without `config`; `config` is only
     # read below for krb5realm. Presumably Authen() falls back to the same
     # default Config -- confirm if this test ever diverges.
     authen = Classes.Authen()
     self.assertEqual(authen.__module__, 'UniDomain.plugins.krb5_keytab')
     principal = authen.authenticate()
     expected = 'host/' + socket.getfqdn() + '@' + config.krb5realm
     self.assertEqual(principal, expected,
                      'default login with keytab failed.')
     self.assertTrue(authen.isAuthenticated,
                     'isAuthenticated is not set after login.')
     authen.kadmin()
     self.assertTrue(authen.kadm, 'cant acquire kadmin ticket.')
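def open_ud2_connection(env):
    """Validate the request's Kerberos ticket and open a UD2 database handle.

    Args:
        env: request environment mapping. KRB5CCNAME must name the
            credential cache left behind by the web server's Kerberos
            authentication; REMOTE_USER is only used in an error message.

    Returns:
        (False, db) on success, where db is the connected DB backend, or
        (status, message) with an HTTP status string when no credential
        cache was handed over, the ticket cannot be validated, or the
        database connection fails.
    """
    # A missing KRB5CCNAME used to raise KeyError (an unhandled 500);
    # treat it like an unvalidatable ticket instead.
    ccpath = env.get('KRB5CCNAME')
    if not ccpath:
        return ("403 Forbidden", "Can not validate kerberos Ticket Data")
    config = Classes.Config(file='/opt/UD2/etc/www_conf.xml')
    authen = Classes.Authen(config).authenticate(ccpath=ccpath)
    if not authen:
        return ("403 Forbidden", "Can not validate kerberos Ticket Data")
    db = Classes.DB(authen).connect()
    if not db:
        # REMOTE_USER may be absent when the web server did no auth at all
        return ("403 Forbidden", "Database Connection failed for user %s" %
                (env.get('REMOTE_USER', '<unknown>')))
    return (False, db)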
 def testDefaultAuthor(self):
     """check if default loads non-admin backend"""
     dbconn = Classes.Author(self.config).authorize(self.host_usid)
     # __module__ is read before the truthiness check, so a None return
     # surfaces as an AttributeError rather than the 'authorization failed'
     # message below.
     self.assertEqual(dbconn.__module__, 'UniDomain.plugins.ldapdb',
                      'wrong default author plugin')
     self.assertTrue(dbconn, 'authorization failed')
 def get_node_data(self, node_id):
     """
     @see UniDomain.Classes.db#get_node_data

     Reads the entry at DN `node_id` into an AttributeCollection: every
     supported attribute value is stored as (value, source-dn), and the
     udPolicy entries one level below the node are collected into
     node.policies.  When the base search returns nothing an error is
     logged and the empty collection is returned.
     """
     node = Classes.AttributeCollection()
     entries = self.udBase(node_id, '(objectClass=*)',
                           node.supported_attributes())
     if not entries:
         logging.error('no node data for dn %s.', node_id)
         return node

     # the search is by DN, so more than one hit is unexpected; the first wins
     if len(entries) > 1:
         logging.warning('multiple records found for %s, using %s.',
                         node_id, entries[0][0])
     for name, values in entries[0][1].items():
         node.data[name] = [(val, norm_dn(node_id)) for val in values]

     # policies attached to this node live one level below it
     policy_entries = self.conn.search_s(node_id, ldap.SCOPE_ONELEVEL,
                                         '(objectClass=udPolicy)')
     for policy_dn, policy_attrs in policy_entries:
         logging.debug('----policy is %s', (policy_dn, policy_attrs))
         # take the value of the first RDN as the policy name; this plain
         # split does not handle escaped commas or multi-valued RDNs
         first_rdn = policy_dn.split(',')[0]
         policy_name = first_rdn.split('=')[1].strip()
         node.policies[policy_name] = [(norm_dn(policy_dn), policy_attrs)]
         logging.debug('---- now is %s', node.policies[policy_name])
     return node
 def testAdminAuthor(self):
     """Check if we can load the admin db backend"""
     # switch the shared config to the admin backend before building Author
     self.config.plugin_author = 'ldapdbadmin'
     dbconn = Classes.Author(self.config).authorize(self.host_usid)
     # __module__ is read before the truthiness check, so a None return
     # surfaces as an AttributeError rather than the message below.
     self.assertEqual(dbconn.__module__, 'UniDomain.plugins.ldapdbadmin',
                      'wrong admin author plugin')
     self.assertTrue(dbconn, 'authorization failed')
 def test_readconf(self):
     """check if readconf behaves like we want

     Values must be read from the xml file, be typed (debug is a bool)
     and be overridable by keyword arguments.
     """
     cfg = Classes.Config(file='testconf.xml', passwdfile='xyz')
     self.config = cfg
     self.assertEqual(len(cfg.ldapservers), 1,
                      'reading value from file does not work.')
     self.assertEqual(type(cfg.debug), bool,
                      'debug value is not bool!')
     self.assertEqual(cfg.passwdfile, 'xyz',
                      'passing config vars as args doesnt work')
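 def testApacheAuthen(self):
     """test if apache authen works

     The krb5_apache plugin must resolve the principal from the credential
     cache handed over by apache, mark the session as authenticated and
     must NOT provide kadmin access.
     """
     main_mod = sys.modules['__main__']
     config = Classes.Config(plugin_authen='krb5_apache')
     authen = Classes.Authen(config)
     self.assertEqual(authen.__module__, 'UniDomain.plugins.krb5_apache',
                      'apache laods wrong plugin')
     self.assertEqual(
         authen.authenticate(ccfile='FILE:' + main_mod.krb5cc),
         main_mod.username + '@' + config.krb5realm,
         'apache_authen returns wrong username')
     self.assertTrue(authen.isAuthenticated,
                     'isAuthenticated is not set after login.')
     self.assertFalse(
         authen.kadm,
         'apache authen sets kadmin. we dont have kadmin privileges')
     # The previous bare `except: pass` also swallowed the AssertionError
     # raised by self.fail(), so a working kadmin() could never fail this
     # test.  Only the kadmin() call is guarded now; a silent success
     # reaches the else branch and fails.
     try:
         authen.kadmin()
     except Exception:
         pass
     else:
         self.fail('apache plugin should not have a kadmin interface.')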
def main():
    """Janitor entry point: authenticate with the janitor keytab and refresh the DNS SOA.

    Exit codes: 3 when an Authen/Author object cannot be created,
    4 when authentication or authorization fails.
    """
    # NOTE(review): this first pass authenticates with a placeholder user
    # and its `userid`/`db` are discarded below; it looks like leftover
    # development code and is kept only so behaviour is unchanged.
    config = Classes.Config(krb5keytab="/root/janitor/janitor.keytab",
                            plugin_author='ldapdbadmin')
    authen = Classes.Authen(config)
    if not authen:
        print("bad auth")
        return
    userid = authen.authenticate(user='******')
    if not userid:
        return
    authen.kadmin()
    db = Classes.Author(config).authorize('janitor/admin')

    # second pass: authenticate from the keytab without naming a user
    config = Classes.Config(krb5keytab="/root/janitor/janitor.keytab",
                            plugin_author='ldapdbadmin')
    authen = Classes.Authen(config)
    if not authen:
        sys.exit(3)
    userid = authen.authenticate()
    if not userid:
        sys.exit(4)
    authen.kadmin()
    author = Classes.Author(config)
    if not author:
        sys.exit(3)
    principal = userid.split('@')[0]  # authorize() wants the name without realm
    db = author.authorize(principal)
    if not db:
        sys.exit(4)

    db.update_dnsSOA()
 def test_Config(self):
     """Check if required config defaults are set"""
     self.config = Classes.Config()
     required = [
         ('plugin_authen', 'no authen plugin in default config'),
         ('plugin_author', 'no author plugin in default config'),
         ('cachedir', 'no cache directory in default config'),
         ('policydir', 'no policy directory in default config'),
         ('dnszone', 'no dnszone in default config'),
         ('passwdfile', 'no passwdfile in default config'),
         ('groupfile', 'no groupfile in default config'),
     ]
     # checked in order: the first missing key fails the test
     for key, message in required:
         self.assertTrue(key in self.config.config, message)
 def get_udGroup_data(self, group):
     """load data of a udGroup and its metagroups.

     All udGroup entries with cn=`group` in the subtree are candidates;
     the one whose normalised DN shares the most components with the
     current user's DN wins and its node data is returned.  An empty
     AttributeCollection is returned when no such group exists.
     """
     # components of the user's own DN; set intersection yields the
     # components a candidate group shares with it
     my_parts = set(self.userID.split(','))
     # NOTE(review): `group` is interpolated into the LDAP filter without
     # escaping. If it can originate from an untrusted caller it should go
     # through ldap.filter.escape_filter_chars first.
     query = self.udSub('(&(objectClass=udGroup)(cn=%s))' % group)
     candidates = []
     for dn, _atts in self.conn.result(query)[1]:
         shared = len(set(norm_dn(dn).split(',')) & my_parts)
         candidates.append((dn, shared))
     if not candidates:
         logging.warning('no such udGroup %s', group)
         return Classes.AttributeCollection()
     # longest matching path wins; on ties the first hit is kept, exactly
     # like the stable reverse sort this replaces
     best_dn, _score = max(candidates, key=lambda pair: pair[1])
     logging.debug('using %s for group name %s', best_dn, group)
     return self.get_node_data(best_dn)
        help=
        "assume the principal already exists in the kdc. Just retrieve the key to the local keytab",
        default=True)
    parser.add_option("-l",
                      action="store_false",
                      dest="add_ldap",
                      help="assume the host already exists in the ldap.",
                      default=True)
    (options, args) = parser.parse_args()
    if options.debug:
        logging.basicConfig(level=logging.DEBUG)
    if len(args) < 1:
        sys.exit(2)

    if options.janitor:
        config = Classes.Config(krb5keytab="/root/janitor/janitor.keytab")
    else:
        config = Classes.Config(plugin_authen="krb5_login")
    authen = Classes.Authen(config).authenticate()
    if not authen:
        print 'Authentication error'
        sys.exit(4)
    db = Classes.DB(authen).connect()
    if not db:
        print 'db connection error'
        sys.exit(3)

    print '***%s***' % args
    for host in args:
        print 'Adding %s:' % host
        target = hostreg.askTarget(db)

def askPolicies():
    """Interactively collect policy names, one per line, until an empty line.

    Returns:
        list of the non-empty lines entered, in input order.
    """
    print('Specify any policies you want set for this host (one per line, end with newline)')
    policies = []
    while True:
        line = raw_input('policy : ')
        if not line:
            break
        policies.append(line)
    return policies


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "-d":
        logging.basicConfig(level=logging.DEBUG)
    config = Classes.Config(plugin_authen='krb5_login')
    try:
        authen = Classes.Authen(config).authenticate()
    except IndexError, e:
        print 'Authentication error (wrong password?)'
        sys.exit(1)
    db = Classes.DB(authen).connect()
    if not db:
        print 'db connection error'
        sys.exit(2)

    fqdn = askName()
    functions.set_hostname(fqdn)

    target = askTarget(db)
    classes = askClasses()
 def setUp(self):
     """Authenticate this host with the default plugin and remember its usid."""
     cfg = Classes.Config()
     self.config = cfg
     self.authen = Classes.Authen(cfg)
     self.host_usid = self.authen.authenticate()
        dest="add_kdc",
        help=
        "assume the principal already exists in the kdc. Just retrieve the key to the local keytab",
        default=True)
    (options, args) = parser.parse_args()
    #if len(args) > 0:
    #    # do not get keytab if we maualy add hosts.
    #    options.get_keytab = False
    if options.debug:
        logging.basicConfig(level=logging.DEBUG)

    # get the correct rights.
    # if we only want retrieve the key file, we only require host privileges.
    if options.add_kdc:
        if options.janitor:
            config = Classes.Config(krb5keytab="/root/janitor/janitor.keytab")
            # janitor operation assumes we want add host principals without getting the key to the local keytab.
            options.get_keytab = False
        else:
            config = Classes.Config(plugin_authen="krb5_login")
    else:
        config = Classes.Config()
    authen = Classes.Authen(config)
    if not authen:
        sys.exit(3)
    userid = authen.authenticate()
    if not userid:
        sys.exit(4)
    authen.kadmin()

    if options.add_kdc:
    if len(sys.argv) > 1:
        if sys.argv[1] == '-d':
            logging.basicConfig(level=logging.DEBUG)
        elif sys.argv[1] == '-q':
            logging.basicConfig(level=logging.CRITICAL)
        else:
            logging.basicConfig(level=logging.ERROR)
    else:
        logging.basicConfig(level=logging.ERROR)
    print "\n-- Testing Author plugin compatibility --"
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(TestAuthor)
    if not unittest.TextTestRunner(verbosity=2).run(suite).wasSuccessful():
        sys.exit(1)
    print "\n-- Testing Basic db backend functionality. --"
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(TestDB)
    if not unittest.TextTestRunner(verbosity=2).run(suite).wasSuccessful():
        sys.exit(1)
    authen = Classes.Authen(
        Classes.Config(plugin_authen='krb5_login',
                       plugin_author='ldapdbadmin'))
    if not authen.authenticate():
        print "\nadmin functionality check skipped."
        sys.exit(0)
    print "\n-- Testing admin functionality --"
    username = authen.user
    userpw = authen.pw
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(TestDBDomad)
    if not unittest.TextTestRunner(verbosity=2).run(suite).wasSuccessful():
        sys.exit(1)
    print "-- Congratulations. All Tests for db passed."
    parser = OptionParser(usage="usage: %prog [options] [days]", description="""
search for hosts who did not report back within [days]. default is 4 weeks""")
    parser.add_option("-v", action="store_true", dest="debug", help="be verbose", default=False)
    (options, args) = parser.parse_args()
    if len(args) > 1:
        parser.print_help()
        sys.exit(2)
    if options.debug:
        logging.basicConfig(level=logging.DEBUG)
    
    if len(args) == 0:
        delta = datetime.timedelta(weeks=4)
    else:
        delta = datetime.timedelta(days=int(args[0]))

    config = Classes.Config(plugin_authen='krb5_login', plugin_author='ldapdbadmin')
    authen = Classes.Authen(config)
    if not authen:
        sys.exit(3)
    userid = authen.authenticate()
    if not userid:
        sys.exit(4)
    author = Classes.Author(config)
    if not author:
        sys.exit(3)
    db = author.authorize(userid.split('@')[0])
    if not db:
        sys.exit(4)

    print 'The following hosts have not been seen in the last %s days:' % delta.days
    res = db.conn.result(db.conn.search(config.ldapbase, ldap.SCOPE_SUBTREE, '(&(objectClass=udHost)(lastSeen<=%s))'%((datetime.date.today() - delta).strftime("1%y%m%d00")) , ['cn', 'FQDN', 'USID', 'description', 'lastSeen']))[1]
list domad accounts. 
Specify a domain implies --author
if neither --authen nor --author are specified we list from authentication and database """)
    parser.add_option("-j", action="store_true", dest="janitor", help="use janitor account", default=False)
    parser.add_option("--authen", action="store_true", dest="authen", help="list from authen backend (kerberos)", default=False)
    parser.add_option("--author", action="store_true", dest="author", help="list from database backend (ldap)", default=False)
    parser.add_option("-v", action="store_true", dest="debug", help="be verbose", default=False)
    (options, args) = parser.parse_args()
    if len(args) > 1:
        parser.print_help()
        sys.exit(2)
    if options.debug:
        logging.basicConfig(level=logging.DEBUG)
        
    if options.janitor:
        config = Classes.Config(krb5keytab="/root/janitor/janitor.keytab",plugin_author='ldapdbadmin')
    else:
        config = Classes.Config(plugin_authen="krb5_login", plugin_author='ldapdbadmin')
    if not (options.author or options.authen):
        options.authen = True
        options.author = True
    authen = Classes.Authen(config)
    if not authen:
        sys.exit(3)
    userid = authen.authenticate()
    if not userid:
        sys.exit(4)
    authen.kadmin()
    author = Classes.Author(config)
    if not author:
        sys.exit(3)