def main():
    """Entry point of the ipa-custodia LDAP DM hash handler.

    Builds the shared argument parser, refuses to continue unless the
    effective GID is 0, opens an LDAPI connection to the directory server of
    the configured realm, binds with SASL EXTERNAL and hands the bound
    connection to ``common.main`` together with the export/import callbacks.
    Any failure to connect is reported through ``parser.error``.
    """
    parser = common.mkparser(description='ipa-custodia LDAP DM hash handler')

    # NOTE(review): this checks the effective *group* id, while the message
    # speaks of the root user; kept as-is.
    if os.getegid() != 0:
        parser.error("Must be run as root user.\n")

    if not api.isdone('bootstrap'):
        api.bootstrap()

    # LDAPI URI derived from the realm; the bind is SASL EXTERNAL, so no
    # password is involved on this path.
    ldap_uri = realm_to_ldapi_uri(api.env.realm)
    conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
    try:
        conn.external_bind()
    except Exception as e:
        parser.error("Failed to connect to {}: {}\n".format(ldap_uri, e))

    # The connection is closed when common.main returns.
    with conn:
        common.main(parser, export_key, import_key, conn=conn)
def main():
    """Run the ipa-custodia LDAP DM hash handler.

    Steps, in order: build the parser via ``common.mkparser``; abort unless
    the effective GID is 0; bootstrap the API if that has not happened yet;
    connect over LDAPI to the realm's directory server with a SASL EXTERNAL
    bind; finally delegate to ``common.main`` with ``export_key`` and
    ``import_key`` as the key handlers. Connection failures are turned into
    a parser error.
    """
    description = 'ipa-custodia LDAP DM hash handler'
    parser = common.mkparser(description=description)

    # Effective GID check (the message refers to the root user).
    if os.getegid():
        parser.error("Must be run as root user.\n")

    if not api.isdone('bootstrap'):
        api.bootstrap()

    realm = api.env.realm
    uri = realm_to_ldapi_uri(realm)
    # no_schema=True: the handler does not need schema information.
    client = LDAPClient(ldap_uri=uri, no_schema=True)
    try:
        client.external_bind()
    except Exception as e:
        parser.error("Failed to connect to {}: {}\n".format(uri, e))

    with client:
        common.main(parser, export_key, import_key, conn=client)
    def create_connection(self,
                          ccache=None,
                          bind_dn=None,
                          bind_pw='',
                          cacert=None,
                          autobind=AUTOBIND_AUTO,
                          serverctrls=None,
                          clientctrls=None,
                          time_limit=_missing,
                          size_limit=_missing):
        """
        Connect to LDAP server and return the bound low-level connection.

        Keyword arguments:
        ccache -- Kerberos ccache name; on the GSSAPI path it is exported as
            KRB5CCNAME for the whole process (None removes the variable)
        bind_dn -- dn used to bind to the server; defaults to
            cn=directory manager
        bind_pw -- password used to bind to the server; a non-empty value
            selects a simple bind with bind_dn
        cacert -- TLS CA certificate filename; defaults to paths.IPA_CA_CRT
        autobind -- AUTOBIND_AUTO / AUTOBIND_ENABLED / AUTOBIND_DISABLED,
            governs the SASL EXTERNAL bind over LDAPI when the effective
            GID is 0
        serverctrls, clientctrls -- LDAP controls handed to the bind call
        time_limit, size_limit -- maximum time and size limit for LDAP
            possible options:
                - value - sets the given value
                - None - reads value from ipaconfig
                - _missing - keeps previously configured settings
                             (unlimited set by default in constructor)

        Bind selection, first match wins:
          1. simple bind when bind_pw is given;
          2. SASL EXTERNAL when autobind is not disabled, the effective GID
             is 0 and the URI is ldapi:// -- a NotFound is swallowed unless
             autobind is AUTOBIND_ENABLED, the connection is then returned
             as-is;
          3. GSSAPI otherwise, recording the principal on the request
             context.

        Extends backend.Connectible.create_connection.
        """
        if bind_dn is None:
            bind_dn = DN(('cn', 'directory manager'))
        # NOTE(review): this assert disappears under ``python -O``; it is
        # the only type check performed on bind_dn.
        assert isinstance(bind_dn, DN)

        ca_file = paths.IPA_CA_CRT if cacert is None else cacert

        # object.__setattr__ deliberately bypasses any __setattr__ override
        # on self; only explicitly passed limits are written.
        for attr, value in (('time_limit', time_limit),
                            ('size_limit', size_limit)):
            if value is not _missing:
                object.__setattr__(self, attr, value)

        client = LDAPClient(self.ldap_uri,
                            force_schema_updates=self._force_schema_updates,
                            cacert=ca_file)
        conn = client._conn
        over_ldapi = self.ldap_uri.startswith('ldapi://')

        with client.error_handler():
            # Floor the SASL security strength factor at 56 (confidentiality)
            # even if ldap.conf configured something weaker. This governs the
            # SASL binds (EXTERNAL/GSSAPI) below.
            # NOTE(review): the simple-bind path is not covered by it;
            # confirm the transport protection for that case separately.
            current_min = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
            current_max = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
            if current_min < 56:
                conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, 56)
                # keep the maximum at least as large as the new minimum
                if current_max < 56:
                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, 56)

        if bind_pw:
            client.simple_bind(bind_dn,
                               bind_pw,
                               server_controls=serverctrls,
                               client_controls=clientctrls)
            return conn

        may_autobind = (autobind != AUTOBIND_DISABLED
                        and os.getegid() == 0
                        and over_ldapi)
        if may_autobind:
            try:
                client.external_bind(server_controls=serverctrls,
                                     client_controls=clientctrls)
            except errors.NotFound:
                # With AUTOBIND_AUTO a missing identity mapping is tolerated
                # and the connection is handed back without re-binding.
                if autobind == AUTOBIND_ENABLED:
                    raise
            return conn

        # GSSAPI bind.
        if over_ldapi:
            with client.error_handler():
                conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
        # Process-wide side effect: KRB5CCNAME is rewritten for the whole
        # process, not just for this connection.
        if ccache is None:
            os.environ.pop('KRB5CCNAME', None)
        else:
            os.environ['KRB5CCNAME'] = ccache

        principal = krb_utils.get_principal(ccache_name=ccache)
        client.gssapi_bind(server_controls=serverctrls,
                           client_controls=clientctrls)
        context.principal = principal

        return conn
    def create_connection(
            self, ccache=None, bind_dn=None, bind_pw='', cacert=None,
            autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None,
            time_limit=_missing, size_limit=_missing):
        """
        Connect to LDAP server and return the low-level bound connection.

        Keyword arguments:
        ccache -- Kerberos ccache name; becomes the process-wide KRB5CCNAME
            on the GSSAPI path (None unsets the variable)
        bind_dn -- dn used to bind to the server, cn=directory manager when
            omitted
        bind_pw -- password used to bind to the server; when non-empty a
            simple bind with bind_dn is performed
        cacert -- TLS CA certificate filename, constants.CACERT when omitted
        autobind -- AUTOBIND_AUTO / AUTOBIND_ENABLED / AUTOBIND_DISABLED for
            the SASL EXTERNAL bind over LDAPI as effective GID 0
        serverctrls, clientctrls -- controls passed to whichever bind runs
        time_limit, size_limit -- maximum time and size limit for LDAP
            possible options:
                - value - sets the given value
                - None - reads value from ipaconfig
                - _missing - keeps previously configured settings
                             (unlimited set by default in constructor)

        Exactly one bind mechanism runs: simple (password given), SASL
        EXTERNAL (autobind allowed, effective GID 0, ldapi:// URI) or
        GSSAPI. On the EXTERNAL path a NotFound is only propagated when
        autobind is AUTOBIND_ENABLED; otherwise the connection is returned
        as-is.

        Extends backend.Connectible.create_connection.
        """
        bind_dn = DN(('cn', 'directory manager')) if bind_dn is None else bind_dn
        # NOTE(review): stripped under ``python -O``; no other type check on
        # bind_dn exists in this method.
        assert isinstance(bind_dn, DN)

        if cacert is None:
            cacert = constants.CACERT

        # Explicit limits replace what the constructor configured.
        if time_limit is not _missing:
            self.time_limit = time_limit
        if size_limit is not _missing:
            self.size_limit = size_limit

        client = LDAPClient(self.ldap_uri,
                            force_schema_updates=self._force_schema_updates,
                            cacert=cacert)
        conn = client._conn

        with client.error_handler():
            ssf_min = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
            ssf_max = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
            # Never accept a SASL security layer weaker than SSF 56
            # (confidentiality), whatever ldap.conf says.
            if ssf_min < 56:
                ssf_min = 56
                conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, ssf_min)
                if ssf_max < ssf_min:
                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, ssf_min)

        controls = dict(server_controls=serverctrls,
                        client_controls=clientctrls)
        is_ldapi = self.ldap_uri.startswith('ldapi://')

        def bind_with_password():
            client.simple_bind(bind_dn, bind_pw, **controls)

        def bind_external():
            try:
                client.external_bind(**controls)
            except errors.NotFound:
                # AUTOBIND_AUTO tolerates a missing identity mapping; only
                # AUTOBIND_ENABLED turns it into an error.
                if autobind == AUTOBIND_ENABLED:
                    raise

        def bind_gssapi():
            if is_ldapi:
                with client.error_handler():
                    conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
            # Process-wide side effect: KRB5CCNAME is changed for the whole
            # process, not only for this connection.
            if ccache is None:
                os.environ.pop('KRB5CCNAME', None)
            else:
                os.environ['KRB5CCNAME'] = ccache
            principal = krb_utils.get_principal(ccache_name=ccache)
            client.gssapi_bind(**controls)
            setattr(context, 'principal', principal)

        if bind_pw:
            bind_with_password()
        elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and is_ldapi:
            bind_external()
        else:
            bind_gssapi()

        return conn
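def _start_order(name, config_strings):
    """Return the integer ``startOrder`` of service *name*.

    name -- the service's cn, used only in error messages
    config_strings -- the entry's ipaConfigString values

    Looks for values of the form ``startOrder <int>``; if several are
    present the last one wins. Raises IpactlError when no such value exists
    or the number cannot be parsed.
    """
    order = None
    for value in config_strings:
        if not value.startswith("startOrder "):
            continue
        try:
            order = int(value.split()[1])
        except (ValueError, IndexError):
            # IndexError covers a bare "startOrder " with no number after it.
            raise IpactlError("Expected order as integer in: %s:%s" %
                              (name, value))
    if order is None:
        # Without this guard a missing startOrder either raised a NameError
        # or silently reused the order of the previous entry.
        raise IpactlError("Missing startOrder in ipaConfigString of: %s" %
                          name)
    return order


def get_config(dirsrv):
    """Return the ordered systemd unit names of the IPA services enabled
    (or hidden) on this master.

    dirsrv -- the Directory Server service object; it must be running,
        otherwise IpactlError with LSB status code 3 is raised

    The service entries are read from
    cn=<host>,cn=masters,cn=ipa,cn=etc,<basedn> over an EXTERNAL bind,
    sorted by their ``startOrder`` value, mapped through
    service.SERVICE_LIST and deduplicated.

    Raises IpactlError when the directory is unreachable, when the
    configured hostname is not a known master (the message lists the
    masters found), when an entry lacks a valid startOrder, or on any other
    LDAP error.
    """
    base = DN(
        ("cn", api.env.host),
        ("cn", "masters"),
        ("cn", "ipa"),
        ("cn", "etc"),
        api.env.basedn,
    )
    srcfilter = LDAPClient.combine_filters(
        [
            LDAPClient.make_filter({"objectClass": "ipaConfigObject"}),
            LDAPClient.make_filter(
                {"ipaConfigString": [ENABLED_SERVICE, HIDDEN_SERVICE]},
                rules=LDAPClient.MATCH_ANY,
            ),
        ],
        rules=LDAPClient.MATCH_ALL,
    )
    attrs = ["cn", "ipaConfigString"]
    if not dirsrv.is_running():
        raise IpactlError(
            "Failed to get list of services to probe status:\n"
            "Directory Server is stopped",
            3,
        )

    try:
        # The start/restart functions already wait for the server to be
        # started. What we are doing with this wait is really checking to see
        # if the server is listening at all.
        lurl = ldapurl.LDAPUrl(api.env.ldap_uri)
        if lurl.urlscheme == "ldapi":
            wait_for_open_socket(lurl.hostport,
                                 timeout=api.env.startup_timeout)
        else:
            (host, port) = lurl.hostport.split(":")
            wait_for_open_ports(host, [int(port)],
                                timeout=api.env.startup_timeout)
        con = LDAPClient(api.env.ldap_uri)
        # SASL EXTERNAL bind: no credentials are supplied from here.
        con.external_bind()
        res = con.get_entries(
            base,
            filter=srcfilter,
            attrs_list=attrs,
            scope=con.SCOPE_SUBTREE,
            time_limit=10,
        )
    except errors.NetworkError:
        # LSB status code 3: program is not running
        raise IpactlError(
            "Failed to get list of services to probe status:\n"
            "Directory Server is stopped",
            3,
        )
    except errors.NotFound:
        # The host entry is absent: list the known masters so the admin can
        # spot a hostname mismatch.
        masters_list = []
        dn = DN(("cn", "masters"), ("cn", "ipa"), ("cn", "etc"),
                api.env.basedn)
        try:
            entries = con.get_entries(dn, con.SCOPE_ONELEVEL,
                                      attrs_list=["cn"])
        except Exception as e:
            masters_list.append("No master found because of error: %s" %
                                str(e))
        else:
            masters_list.extend(master_entry.single_value["cn"]
                                for master_entry in entries)

        masters = "\n".join(masters_list)

        raise IpactlError(
            "Failed to get list of services to probe status!\n"
            "Configured hostname '%s' does not match any master server in "
            "LDAP:\n%s" % (api.env.host, masters))
    except Exception as e:
        raise IpactlError(
            "Unknown error when retrieving list of services from LDAP: %s" %
            str(e)) from e

    # (order, name) pairs; sorting orders by startOrder, then by name.
    svc_list = []
    for entry in res:
        name = entry.single_value["cn"]
        svc_list.append((_start_order(name, entry["ipaConfigString"]), name))

    ordered_list = [
        service.SERVICE_LIST[svc].systemd_name
        for _order, svc in sorted(svc_list)
        if svc in service.SERVICE_LIST
    ]
    return deduplicate(ordered_list)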
    def create_connection(self,
                          ccache=None,
                          bind_dn=None,
                          bind_pw='',
                          tls_cacertfile=None,
                          tls_certfile=None,
                          tls_keyfile=None,
                          debug_level=0,
                          autobind=AUTOBIND_AUTO,
                          serverctrls=None,
                          clientctrls=None,
                          time_limit=None,
                          size_limit=None):
        """
        Connect to LDAP server and return the bound low-level connection.

        Keyword arguments:
        ccache -- Kerberos ccache name; exported as KRB5CCNAME for the whole
            process on the GSSAPI path (None removes the variable)
        bind_dn -- dn used to bind to the server; an empty DN when omitted
        bind_pw -- password used to bind to the server; a non-empty value
            selects a simple bind with bind_dn
        tls_cacertfile -- TLS CA certificate filename
        tls_certfile -- TLS certificate filename
        tls_keyfile -- TLS bind key filename
        debug_level -- LDAP debug level option, applied only when non-zero
        autobind -- AUTOBIND_AUTO / AUTOBIND_ENABLED / AUTOBIND_DISABLED,
            governs the SASL EXTERNAL bind over LDAPI as effective GID 0
        serverctrls, clientctrls -- LDAP controls handed to the bind call
        time_limit, size_limit -- replace the configured limits when not None

        The TLS file options and the debug level are set through the
        ``_ldap`` module, i.e. they apply beyond this single connection.

        Bind selection, first match wins:
          1. simple bind when bind_pw is given;
          2. SASL EXTERNAL as the current effective user's name when
             autobind is not disabled, the effective GID is 0 and the URI
             is ldapi:// -- a NotFound is swallowed unless autobind is
             AUTOBIND_ENABLED, the connection is then returned as-is;
          3. GSSAPI otherwise, recording the principal on the request
             context.

        Extends backend.Connectible.create_connection.
        """
        if bind_dn is None:
            bind_dn = DN()
        # NOTE(review): this assert disappears under ``python -O``; it is
        # the only type check performed on bind_dn.
        assert isinstance(bind_dn, DN)

        # Set on the _ldap module rather than on the connection: these are
        # library-wide settings.
        tls_options = ((_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile),
                       (_ldap.OPT_X_TLS_CERTFILE, tls_certfile),
                       (_ldap.OPT_X_TLS_KEYFILE, tls_keyfile))
        for option, filename in tls_options:
            if filename is not None:
                _ldap.set_option(option, filename)

        if time_limit is not None:
            self.time_limit = time_limit
        if size_limit is not None:
            self.size_limit = size_limit

        if debug_level:
            _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level)

        client = LDAPClient(self.ldap_uri,
                            force_schema_updates=self._force_schema_updates)
        conn = client._conn
        over_ldapi = self.ldap_uri.startswith('ldapi://')

        with client.error_handler():
            # Floor the SASL security strength factor at 56 (confidentiality)
            # even if ldap.conf configured something weaker. This governs the
            # SASL binds (EXTERNAL/GSSAPI) below.
            # NOTE(review): the simple-bind path is not covered by it;
            # confirm the transport protection for that case separately.
            current_min = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
            current_max = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
            if current_min < 56:
                conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, 56)
                # keep the maximum at least as large as the new minimum
                if current_max < 56:
                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, 56)

        if bind_pw:
            client.simple_bind(bind_dn,
                               bind_pw,
                               server_controls=serverctrls,
                               client_controls=clientctrls)
            return conn

        may_autobind = (autobind != AUTOBIND_DISABLED
                        and os.getegid() == 0
                        and over_ldapi)
        if may_autobind:
            try:
                # The EXTERNAL bind is attempted under the effective user's
                # account name.
                username = pwd.getpwuid(os.geteuid()).pw_name
                client.external_bind(username,
                                     server_controls=serverctrls,
                                     client_controls=clientctrls)
            except errors.NotFound:
                # With AUTOBIND_AUTO a missing identity mapping is tolerated
                # and the connection is handed back without re-binding.
                if autobind == AUTOBIND_ENABLED:
                    raise
            return conn

        # GSSAPI bind.
        if over_ldapi:
            with client.error_handler():
                conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
        # Process-wide side effect: KRB5CCNAME is rewritten for the whole
        # process, not just for this connection.
        if ccache is None:
            os.environ.pop('KRB5CCNAME', None)
        else:
            os.environ['KRB5CCNAME'] = ccache

        principal = krb_utils.get_principal(ccache_name=ccache)
        client.gssapi_bind(server_controls=serverctrls,
                           client_controls=clientctrls)
        context.principal = principal

        return conn
    def create_connection(self, ccache=None, bind_dn=None, bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
            debug_level=0, autobind=AUTOBIND_AUTO, serverctrls=None,
            clientctrls=None, time_limit=None, size_limit=None):
        """
        Connect to LDAP server and return the low-level bound connection.

        Keyword arguments:
        ccache -- Kerberos ccache name; becomes the process-wide KRB5CCNAME
            on the GSSAPI path (None unsets the variable)
        bind_dn -- dn used to bind to the server, an empty DN when omitted
        bind_pw -- password used to bind to the server; when non-empty a
            simple bind with bind_dn is performed
        tls_cacertfile -- TLS CA certificate filename
        tls_certfile -- TLS certificate filename
        tls_keyfile -- TLS bind key filename
        debug_level -- LDAP debug level option, applied only when non-zero
        autobind -- AUTOBIND_AUTO / AUTOBIND_ENABLED / AUTOBIND_DISABLED for
            the SASL EXTERNAL bind over LDAPI as effective GID 0
        serverctrls, clientctrls -- controls passed to whichever bind runs
        time_limit, size_limit -- replace the configured limits when not None

        TLS file options and the debug level go through ``_ldap.set_option``
        and therefore outlive this connection.

        Exactly one bind mechanism runs: simple (password given), SASL
        EXTERNAL as the effective user's name (autobind allowed, effective
        GID 0, ldapi:// URI) or GSSAPI. On the EXTERNAL path a NotFound is
        only propagated when autobind is AUTOBIND_ENABLED; otherwise the
        connection is returned as-is.

        Extends backend.Connectible.create_connection.
        """
        bind_dn = DN() if bind_dn is None else bind_dn
        # NOTE(review): stripped under ``python -O``; no other type check on
        # bind_dn exists in this method.
        assert isinstance(bind_dn, DN)

        # Library-wide settings (module-level _ldap.set_option), applied only
        # for the files that were actually given.
        if tls_cacertfile is not None:
            _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
        if tls_certfile is not None:
            _ldap.set_option(_ldap.OPT_X_TLS_CERTFILE, tls_certfile)
        if tls_keyfile is not None:
            _ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile)

        if time_limit is not None:
            self.time_limit = time_limit
        if size_limit is not None:
            self.size_limit = size_limit

        if debug_level:
            _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level)

        client = LDAPClient(self.ldap_uri,
                            force_schema_updates=self._force_schema_updates)
        conn = client._conn

        with client.error_handler():
            ssf_min = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
            ssf_max = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
            # Never accept a SASL security layer weaker than SSF 56
            # (confidentiality), whatever ldap.conf says.
            if ssf_min < 56:
                ssf_min = 56
                conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, ssf_min)
                if ssf_max < ssf_min:
                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, ssf_min)

        is_ldapi = self.ldap_uri.startswith('ldapi://')

        # Decide the mechanism first, then run it.
        if bind_pw:
            mechanism = 'simple'
        elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and is_ldapi:
            mechanism = 'external'
        else:
            mechanism = 'gssapi'

        if mechanism == 'simple':
            client.simple_bind(bind_dn, bind_pw,
                               server_controls=serverctrls,
                               client_controls=clientctrls)
        elif mechanism == 'external':
            try:
                whoami = pwd.getpwuid(os.geteuid()).pw_name
                client.external_bind(whoami,
                                     server_controls=serverctrls,
                                     client_controls=clientctrls)
            except errors.NotFound:
                # AUTOBIND_AUTO tolerates a missing identity mapping; only
                # AUTOBIND_ENABLED turns it into an error.
                if autobind == AUTOBIND_ENABLED:
                    raise
        else:
            if is_ldapi:
                with client.error_handler():
                    conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
            # Process-wide side effect: KRB5CCNAME is changed for the whole
            # process, not only for this connection.
            if ccache is None:
                os.environ.pop('KRB5CCNAME', None)
            else:
                os.environ['KRB5CCNAME'] = ccache

            principal = krb_utils.get_principal(ccache_name=ccache)

            client.gssapi_bind(server_controls=serverctrls,
                               client_controls=clientctrls)
            setattr(context, 'principal', principal)

        return conn