    def __create_ds_keytab(self):
        """Create the ldap/<fqdn>@<realm> principal and the DS keytab.

        The principal is registered with kadmin and its service entry
        moved; the current ``paths.DS_KEYTAB`` is saved to the file store
        before a new keytab is written there and handed to
        ``constants.DS_USER``.
        """
        principal = "ldap/{}@{}".format(self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)
        self.move_service(principal)

        # Keep the previous keytab recoverable before it is overwritten.
        self.fstore.backup_file(paths.DS_KEYTAB)
        installutils.create_keytab(paths.DS_KEYTAB, principal)
        # Ownership is adjusted after the file exists; the mode the keytab
        # is created with is decided inside create_keytab, not here.
        constants.DS_USER.chown(paths.DS_KEYTAB)
    def __create_http_keytab(self):
        """Create the HTTP principal, its keytab and its service certificate.

        ``self.principal`` is registered with kadmin, its keytab written to
        ``paths.IPA_KEYTAB``, the service entry moved and a certificate
        attached; the keytab is then chowned to the ``apache`` account.
        """
        principal = self.principal
        installutils.kadmin_addprinc(principal)
        # NOTE(review): unlike the DS/host variants no backup or removal of
        # an existing keytab happens before this write -- confirm intended.
        installutils.create_keytab(paths.IPA_KEYTAB, principal)
        self.move_service(principal)
        self.add_cert_to_service()

        # Resolve the web server account at run time; only uid/gid are used.
        apache = pwd.getpwnam("apache")
        uid, gid = apache.pw_uid, apache.pw_gid
        os.chown(paths.IPA_KEYTAB, uid, gid)
    def __create_ds_keytab(self):
        """Create the ldap/<fqdn>@<realm> principal and the DS keytab.

        The principal is registered with kadmin and its service entry
        moved; the current ``paths.DS_KEYTAB`` is saved to the file store
        before a new keytab is written there and chowned to the account
        named by ``constants.DS_USER``.
        """
        principal = "ldap/%s@%s" % (self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)
        self.move_service(principal)

        # Keep the previous keytab recoverable before overwriting it.
        self.fstore.backup_file(paths.DS_KEYTAB)
        installutils.create_keytab(paths.DS_KEYTAB, principal)
        # Hand the keytab to the directory server account; the mode it was
        # created with is decided inside create_keytab, not here.
        ds_user = pwd.getpwnam(constants.DS_USER)
        os.chown(paths.DS_KEYTAB, ds_user.pw_uid, ds_user.pw_gid)
    def __create_http_keytab(self):
        """Provision the HTTP keytab and give it to the web server user.

        On a fresh install (``self.promote`` false) any existing keytab is
        removed, ``self.principal`` is registered, a new keytab is written
        to ``paths.IPA_KEYTAB`` and the service entry is moved.  During a
        promotion those steps are skipped and only the ownership of the
        already present keytab is (re)applied.
        """
        fresh_install = not self.promote
        if fresh_install:
            # Drop whatever keytab is there so no stale keys are kept.
            installutils.remove_keytab(paths.IPA_KEYTAB)
            installutils.kadmin_addprinc(self.principal)
            installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
            self.move_service(self.principal)

        httpd = pwd.getpwnam(HTTPD_USER)
        os.chown(paths.IPA_KEYTAB, httpd.pw_uid, httpd.pw_gid)
    def __create_http_keytab(self):
        """Provision the HTTP keytab and give it to the web server user.

        On a fresh install (``self.promote`` false) any existing keytab is
        removed, ``self.principal`` is registered, a new keytab is written
        to ``paths.IPA_KEYTAB`` and the service entry is moved.  During a
        promotion those steps are skipped and only the ownership of the
        already present keytab is (re)applied.
        """
        if self.promote:
            # Promotion: the keytab is expected to be present already.
            pass
        else:
            installutils.remove_keytab(paths.IPA_KEYTAB)
            installutils.kadmin_addprinc(self.principal)
            installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
            self.move_service(self.principal)

        owner = pwd.getpwnam(HTTPD_USER)
        uid, gid = owner.pw_uid, owner.pw_gid
        os.chown(paths.IPA_KEYTAB, uid, gid)
    def __create_ds_keytab(self):
        """Create the ldap/<fqdn>@<realm> principal and the DS keytab.

        Registers the principal, moves its service entry, saves the current
        ``paths.DS_KEYTAB`` to the file store, writes a fresh keytab and
        chowns it to the account named by ``constants.DS_USER``.
        """
        principal = "ldap/{}@{}".format(self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)
        self.move_service(principal)

        # Backup first so the previous keytab can be restored on uninstall.
        self.fstore.backup_file(paths.DS_KEYTAB)
        installutils.create_keytab(paths.DS_KEYTAB, principal)
        ds_user = pwd.getpwnam(constants.DS_USER)
        uid, gid = ds_user.pw_uid, ds_user.pw_gid
        os.chown(paths.DS_KEYTAB, uid, gid)
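    def __setup_principal(self):
        """Create the ipa-ods-exporter principal, its keytab and LDAP rights.

        Order of operations:

        1. remove a stale ccache and keytab (missing files are ignored);
        2. register ``ipa-ods-exporter/<fqdn>@<realm>`` with kadmin and
           write its keytab to ``paths.IPA_ODS_EXPORTER_KEYTAB``;
        3. resolve the service DN -- the value returned by ``move_service``
           or, when that returns ``None`` (service already moved, e.g. a
           DNS reinstall), the canonical entry under cn=services;
        4. restrict the keytab to mode 0440, owner root, group ``ods_gid``;
        5. add the service to the "DNS Servers" privilege (an existing
           membership is fine) and lift the per-connection LDAP limits on
           its entry.

        Raises:
            AssertionError: ``ods_uid`` or ``ods_gid`` is unset.
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        assert self.ods_uid is not None
        # The chown below uses ods_gid, not ods_uid; check it up front so a
        # missing gid fails here rather than after the principal and the
        # keytab have already been created.
        assert self.ods_gid is not None

        for stale in (paths.IPA_ODS_EXPORTER_CCACHE,
                      paths.IPA_ODS_EXPORTER_KEYTAB):
            try:
                os.remove(stale)
            except OSError:
                # Best effort: the file may simply not exist yet.
                pass

        principal = "ipa-ods-exporter/%s@%s" % (self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        # Store the keytab on disk
        installutils.create_keytab(paths.IPA_ODS_EXPORTER_KEYTAB, principal)
        principal_dn = self.move_service(principal)
        if principal_dn is None:
            # Already moved, perhaps a DNS reinstall: use the canonical DN.
            principal_dn = DN(
                ('krbprincipalname', principal),
                ('cn', 'services'), ('cn', 'accounts'), self.suffix)

        # Restrict the keytab: owner root (read), group ods_gid (read),
        # no access for others.
        os.chmod(paths.IPA_ODS_EXPORTER_KEYTAB, 0o440)
        os.chown(paths.IPA_ODS_EXPORTER_KEYTAB, 0, self.ods_gid)

        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        add_member = [(ldap.MOD_ADD, 'member', principal_dn)]
        try:
            self.admin_conn.modify_s(dns_group, add_member)
        except ldap.TYPE_OR_VALUE_EXISTS:
            # Already a member (reinstall): nothing to do.
            pass
        except Exception as e:
            root_logger.critical("Could not modify principal's %s entry: %s" %
                                 (principal_dn, str(e)))
            raise

        # limit-free connection
        lift_limits = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
                       (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
                       (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                       (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
        try:
            self.admin_conn.modify_s(principal_dn, lift_limits)
        except Exception as e:
            root_logger.critical(
                "Could not set principal's %s LDAP limits: %s" %
                (principal_dn, str(e)))
            raise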
    def __add_anonymous_pkinit_principal(self):
        """Register WELLKNOWN/ANONYMOUS@<realm> and lock its account.

        The anonymous PKINIT principal is created with kadmin, then its
        entry under the realm suffix is fetched and ``nsAccountlock`` is
        set to ``TRUE`` before the entry is written back.
        """
        # Create the special anonymous principal
        princ_realm = "{}@{}".format("WELLKNOWN/ANONYMOUS", self.realm)
        installutils.kadmin_addprinc(princ_realm)

        dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
        conn = self.admin_conn
        entry = conn.get_entry(dn)
        # The principal must exist for PKINIT but is never meant to log in
        # as a regular account, hence the lock.
        entry['nsAccountlock'] = ['TRUE']
        conn.update_entry(entry)
    def __add_anonymous_pkinit_principal(self):
        """Register WELLKNOWN/ANONYMOUS@<realm> and lock its account.

        The anonymous PKINIT principal is created with kadmin, then its
        entry under the realm suffix is fetched, ``nsAccountlock`` is set
        to ``TRUE`` and the entry is written back.
        """
        anonymous = "WELLKNOWN/ANONYMOUS"
        princ_realm = "%s@%s" % (anonymous, self.realm)

        # Create the special anonymous principal
        installutils.kadmin_addprinc(princ_realm)
        entry_dn = DN(('krbprincipalname', princ_realm),
                      self.get_realm_suffix())
        entry = self.admin_conn.get_entry(entry_dn)
        # Locked: the principal exists for PKINIT, not for regular logins.
        entry['nsAccountlock'] = ['TRUE']
        self.admin_conn.update_entry(entry)
    def __create_host_keytab(self):
        """Create host/<fqdn>@<realm> and write it to the system keytab.

        The existing ``paths.KRB5_KEYTAB`` is saved in the file store before
        the new keytab is written.  The file is then owned by root with mode
        0600, and finally the service entry is moved to the host container.
        """
        principal = "host/%s@%s" % (self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        self.fstore.backup_file(paths.KRB5_KEYTAB)
        installutils.create_keytab(paths.KRB5_KEYTAB, principal)

        # Root-only access for now: root:root, read/write for the owner only.
        # NOTE(review): the mode is tightened after the file is written;
        # whether create_keytab already creates it restrictively is not
        # visible here.
        root_uid = root_gid = 0
        os.chown(paths.KRB5_KEYTAB, root_uid, root_gid)
        os.chmod(paths.KRB5_KEYTAB, 0o600)

        self.move_service_to_host(principal)
def service_in_kerberos_subtree(request):
    """Fixture: a throwaway service principal in the Kerberos subtree.

    Creates ``svc1/<host>@<realm>`` (host and realm taken from ``api.env``)
    with kadmin and registers a finalizer that removes it again with
    ``delprinc -force``.  Teardown errors are swallowed so a failed cleanup
    never masks the outcome of the test itself.

    Returns:
        The principal name as a unicode string.
    """
    principal = u'svc1/{0.host}@{0.realm}'.format(api.env)
    installutils.kadmin_addprinc(principal)

    def _remove_principal():
        # Best-effort cleanup; the principal may already be gone.
        try:
            installutils.kadmin('delprinc -force {}'.format(principal))
        except Exception:
            pass

    request.addfinalizer(_remove_principal)
    return principal
    def __create_host_keytab(self):
        """Create host/<fqdn>@<realm> and write it to the system keytab.

        Saves the current ``paths.KRB5_KEYTAB`` to the file store, writes
        the new keytab, makes it root-owned with mode 0600 and then moves
        the service entry to the host container.
        """
        principal = "host/{}@{}".format(self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        keytab = paths.KRB5_KEYTAB
        self.fstore.backup_file(keytab)
        installutils.create_keytab(keytab, principal)

        # Make sure access is strictly reserved to root only for now
        os.chown(keytab, 0, 0)
        os.chmod(keytab, 0o600)

        self.move_service_to_host(principal)
def service_in_kerberos_subtree(request):
    """Fixture: create ``svc1/<host>@<realm>`` and delete it on teardown.

    Host and realm come from ``api.env``.  The finalizer issues
    ``delprinc -force`` through kadmin and ignores any failure so that a
    cleanup problem does not hide the test result.

    Returns:
        The principal name as a unicode string.
    """
    name = u'svc1/{0.host}@{0.realm}'.format(api.env)
    installutils.kadmin_addprinc(name)

    def teardown():
        try:
            installutils.kadmin('delprinc -force {}'.format(name))
        except Exception:
            # Best effort only; never fail the test from here.
            pass

    request.addfinalizer(teardown)
    return name
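    def __setup_principal(self):
        """Create ``self.principal`` for the ODS exporter, its keytab and rights.

        Order of operations:

        1. remove a stale ccache and ``self.keytab`` (missing files are
           ignored);
        2. register ``self.principal`` with kadmin and write its keytab;
        3. resolve the service DN -- the value returned by ``move_service``
           or, when that returns ``None`` (service already moved, e.g. a
           DNS reinstall), the canonical entry under cn=services;
        4. restrict ``self.keytab`` to mode 0440, owner root, group
           ``ods_gid``;
        5. add the service to the "DNS Servers" privilege (an existing
           membership is fine) and lift the per-connection LDAP limits on
           its entry.

        Raises:
            AssertionError: ``ods_uid`` or ``ods_gid`` is unset.
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        assert self.ods_uid is not None
        # The chown below uses ods_gid, not ods_uid; check it up front so a
        # missing gid fails here rather than after the principal and the
        # keytab have already been created.
        assert self.ods_gid is not None

        for stale in (paths.IPA_ODS_EXPORTER_CCACHE, self.keytab):
            try:
                os.remove(stale)
            except OSError:
                # Best effort: the file may simply not exist yet.
                pass

        installutils.kadmin_addprinc(self.principal)

        # Store the keytab on disk
        # NOTE(review): the keytab is written to paths.IPA_ODS_EXPORTER_KEYTAB
        # while removal and the chmod/chown below use self.keytab; presumably
        # the same path -- confirm, otherwise the new file keeps the mode it
        # was created with.
        installutils.create_keytab(paths.IPA_ODS_EXPORTER_KEYTAB,
                                   self.principal)
        principal_dn = self.move_service(self.principal)
        if principal_dn is None:
            # Already moved, perhaps a DNS reinstall: use the canonical DN.
            principal_dn = DN(
                ('krbprincipalname', self.principal),
                ('cn', 'services'), ('cn', 'accounts'), self.suffix)

        # Restrict the keytab: owner root (read), group ods_gid (read),
        # no access for others.
        os.chmod(self.keytab, 0o440)
        os.chown(self.keytab, 0, self.ods_gid)

        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        add_member = [(ldap.MOD_ADD, 'member', principal_dn)]
        try:
            api.Backend.ldap2.modify_s(dns_group, add_member)
        except ldap.TYPE_OR_VALUE_EXISTS:
            # Already a member (reinstall): nothing to do.
            pass
        except Exception as e:
            logger.critical("Could not modify principal's %s entry: %s",
                            principal_dn, str(e))
            raise

        # limit-free connection
        lift_limits = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
                       (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
                       (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                       (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
        try:
            api.Backend.ldap2.modify_s(principal_dn, lift_limits)
        except Exception as e:
            logger.critical("Could not set principal's %s LDAP limits: %s",
                            principal_dn, str(e))
            raise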
    def __create_ds_keytab(self):
        """Create the DS keytab and point the DS environment at it.

        Besides registering ``ldap/<fqdn>@<realm>`` and writing the keytab
        to ``paths.DS_KEYTAB`` (the old file is saved in the file store),
        this sets ``KRB5_KTNAME`` in ``paths.SYSCONFIG_DIRSRV`` so the
        directory server finds the keytab, then chowns the keytab to the
        account named by ``constants.DS_USER``.
        """
        principal = "ldap/{}@{}".format(self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)
        self.move_service(principal)

        self.fstore.backup_file(paths.DS_KEYTAB)
        installutils.create_keytab(paths.DS_KEYTAB, principal)

        # NOTE(review): SYSCONFIG_DIRSRV is rewritten without a file-store
        # backup here, unlike the keytab -- confirm it is backed up elsewhere.
        ipautil.config_replace_variables(
            paths.SYSCONFIG_DIRSRV,
            replacevars={"KRB5_KTNAME": paths.DS_KEYTAB})
        ds_user = pwd.getpwnam(constants.DS_USER)
        os.chown(paths.DS_KEYTAB, ds_user.pw_uid, ds_user.pw_gid)
    def __create_ds_keytab(self):
        """Create the DS keytab and export its location to the DS sysconfig.

        Registers ``ldap/<fqdn>@<realm>``, moves its service entry, saves
        the existing ``paths.DS_KEYTAB`` to the file store and writes a
        new keytab.  ``KRB5_KTNAME`` in ``paths.SYSCONFIG_DIRSRV`` is set to
        the keytab path and the file is chowned to ``constants.DS_USER``.
        """
        principal = "ldap/%s@%s" % (self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)
        self.move_service(principal)

        keytab = paths.DS_KEYTAB
        self.fstore.backup_file(keytab)
        installutils.create_keytab(keytab, principal)

        # Tell the directory server where its keytab lives.
        ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
                                         replacevars={"KRB5_KTNAME": keytab})
        ds_user = pwd.getpwnam(constants.DS_USER)
        uid, gid = ds_user.pw_uid, ds_user.pw_gid
        os.chown(keytab, uid, gid)
    def __setup_principal(self):
        """Create the DNS/<fqdn> principal, its keytab and its LDAP rights.

        The keytab goes to ``paths.NAMED_KEYTAB`` (the previous file is
        saved in the file store first) and is then owned by
        ``self.named_user`` with mode 0400.  The service entry is added to
        the "DNS Servers" privilege and its per-connection LDAP limits are
        lifted, which the bind-dyndb-ldap persistent search needs.

        Raises:
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        principal = "DNS/{}@{}".format(self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        # Store the keytab on disk
        self.fstore.backup_file(paths.NAMED_KEYTAB)
        installutils.create_keytab(paths.NAMED_KEYTAB, principal)
        moved = self.move_service(principal)
        if moved is not None:
            service_dn = moved
        else:
            # the service has already been moved, perhaps we're doing a DNS reinstall
            service_dn = DN(('krbprincipalname', principal),
                            ('cn', 'services'), ('cn', 'accounts'),
                            self.suffix)

        # Make sure access is strictly reserved to the named user
        named = pwd.getpwnam(self.named_user)
        os.chown(paths.NAMED_KEYTAB, named.pw_uid, named.pw_gid)
        os.chmod(paths.NAMED_KEYTAB, 0o400)

        # Mark the principal as an IPA service (so it can carry memberof)
        # and put it in the dnsserver role group, which allows DNS updates.
        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        add_member = [(ldap.MOD_ADD, 'member', service_dn)]
        try:
            self.admin_conn.modify_s(dns_group, add_member)
        except ldap.TYPE_OR_VALUE_EXISTS:
            pass
        except Exception as e:
            root_logger.critical("Could not modify principal's %s entry: %s"
                                 % (service_dn, str(e)))
            raise

        # bind-dyndb-ldap persistent search feature requires both size and time
        # limit-free connection
        no_limits = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
                     (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
                     (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                     (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
        try:
            self.admin_conn.modify_s(service_dn, no_limits)
        except Exception as e:
            root_logger.critical("Could not set principal's %s LDAP limits: %s"
                                 % (service_dn, str(e)))
            raise
    def add_anonymous_principal(self):
        """Ensure the anonymous principal exists and is active.

        The principal is registered with kadmin and the ACI from
        ``anon-princ-aci.ldif`` applied only when its entry is not found
        under the realm suffix, so re-running is safe.  The entry is then
        activated; an already-active entry is not an error.
        """
        # Create the special anonymous principal
        princ_realm = self.get_anonymous_principal_name()
        dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
        try:
            self.api.Backend.ldap2.get_entry(dn)
        except errors.NotFound:
            # First run: create the principal and load its ACI.
            installutils.kadmin_addprinc(princ_realm)
            self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)

        try:
            self.api.Backend.ldap2.set_entry_active(dn, True)
        except errors.AlreadyActive:
            # Idempotent: nothing to do on a repeated run.
            pass
    def add_anonymous_principal(self):
        """Create the anonymous principal if missing and make it active.

        Looks up ``krbprincipalname=<anonymous>,<realm suffix>``; when the
        entry does not exist the principal is added with kadmin and the
        ``anon-princ-aci.ldif`` modification applied.  Activation is always
        attempted and an already-active entry is tolerated.
        """
        anonymous = self.get_anonymous_principal_name()
        entry_dn = DN(('krbprincipalname', anonymous),
                      self.get_realm_suffix())

        exists = True
        try:
            self.api.Backend.ldap2.get_entry(entry_dn)
        except errors.NotFound:
            exists = False
        if not exists:
            # Create the special anonymous principal
            installutils.kadmin_addprinc(anonymous)
            self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)

        try:
            self.api.Backend.ldap2.set_entry_active(entry_dn, True)
        except errors.AlreadyActive:
            pass
    def __setup_principal(self):
        """Create the ipa-dnskeysyncd principal, keytab and LDAP rights.

        Any stale ``paths.IPA_DNSKEYSYNCD_KEYTAB`` is removed first, then
        ``ipa-dnskeysyncd/<fqdn>@<realm>`` is registered and its keytab
        written.  The keytab is restricted to root and the ods group (mode
        0440), the service is added to the "DNS Servers" privilege and its
        per-connection LDAP limits are lifted for the bind-dyndb-ldap
        persistent search.

        Raises:
            AssertionError: ``ods_gid`` has not been set.
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        assert self.ods_gid is not None
        installutils.remove_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB)
        principal = "ipa-dnskeysyncd/%s@%s" % (self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        # Store the keytab on disk
        installutils.create_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB, principal)
        service_dn = self.move_service(principal)
        if service_dn is None:
            # the service has already been moved, perhaps we're doing a DNS reinstall
            service_dn = DN(
                ('krbprincipalname', principal), ('cn', 'services'),
                ('cn', 'accounts'), self.suffix)

        # root:ods_gid, read-only for owner and group, nothing for others.
        os.chown(paths.IPA_DNSKEYSYNCD_KEYTAB, 0, self.ods_gid)
        os.chmod(paths.IPA_DNSKEYSYNCD_KEYTAB, 0o440)

        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        try:
            self.admin_conn.modify_s(
                dns_group, [(ldap.MOD_ADD, 'member', service_dn)])
        except ldap.TYPE_OR_VALUE_EXISTS:
            pass
        except Exception as e:
            self.logger.critical("Could not modify principal's %s entry: %s" %
                                 (service_dn, str(e)))
            raise

        # bind-dyndb-ldap persistent search feature requires both size and time
        # limit-free connection
        no_limits = [(ldap.MOD_REPLACE, attr, '-1') for attr in
                     ('nsTimeLimit', 'nsSizeLimit',
                      'nsIdleTimeout', 'nsLookThroughLimit')]
        try:
            self.admin_conn.modify_s(service_dn, no_limits)
        except Exception as e:
            self.logger.critical(
                "Could not set principal's %s LDAP limits: %s" %
                (service_dn, str(e)))
            raise
    def __setup_principal(self):
        """Create the DNS/<fqdn> principal, its keytab and its LDAP rights.

        Saves the current ``paths.NAMED_KEYTAB`` to the file store, writes
        the new keytab and hands it to ``self.named_user`` with mode 0400.
        The service entry is added to the "DNS Servers" privilege and its
        per-connection LDAP limits are lifted, which the bind-dyndb-ldap
        persistent search requires.

        Raises:
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        principal = "DNS/%s@%s" % (self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        # Store the keytab on disk
        keytab = paths.NAMED_KEYTAB
        self.fstore.backup_file(keytab)
        installutils.create_keytab(keytab, principal)
        service_dn = self.move_service(principal)
        if service_dn is None:
            # the service has already been moved, perhaps we're doing a DNS reinstall
            service_dn = DN(('krbprincipalname', principal),
                            ('cn', 'services'), ('cn', 'accounts'),
                            self.suffix)

        # Make sure access is strictly reserved to the named user
        named = pwd.getpwnam(self.named_user)
        uid, gid = named.pw_uid, named.pw_gid
        os.chown(keytab, uid, gid)
        os.chmod(keytab, 0o400)

        # modify the principal so that it is marked as an ipa service so that
        # it can host the memberof attribute, then also add it to the
        # dnsserver role group, this way the DNS is allowed to perform
        # DNS Updates
        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        try:
            self.admin_conn.modify_s(
                dns_group, [(ldap.MOD_ADD, 'member', service_dn)])
        except ldap.TYPE_OR_VALUE_EXISTS:
            pass
        except Exception as e:
            root_logger.critical("Could not modify principal's %s entry: %s"
                                 % (service_dn, str(e)))
            raise

        # bind-dyndb-ldap persistent search feature requires both size and time
        # limit-free connection
        no_limits = [(ldap.MOD_REPLACE, attr, '-1') for attr in
                     ('nsTimeLimit', 'nsSizeLimit',
                      'nsIdleTimeout', 'nsLookThroughLimit')]
        try:
            self.admin_conn.modify_s(service_dn, no_limits)
        except Exception as e:
            root_logger.critical("Could not set principal's %s LDAP limits: %s"
                                 % (service_dn, str(e)))
            raise
    def __setup_principal(self):
        """Create the ipa-dnskeysyncd principal, keytab and LDAP rights.

        Removes any stale ``paths.IPA_DNSKEYSYNCD_KEYTAB``, registers
        ``ipa-dnskeysyncd/<fqdn>@<realm>``, writes its keytab and restricts
        it to root and the ods group (mode 0440).  The service is added to
        the "DNS Servers" privilege and its per-connection LDAP limits are
        lifted for the bind-dyndb-ldap persistent search.

        Raises:
            AssertionError: ``ods_gid`` has not been set.
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        assert self.ods_gid is not None
        keytab = paths.IPA_DNSKEYSYNCD_KEYTAB
        installutils.remove_keytab(keytab)
        principal = "ipa-dnskeysyncd/{}@{}".format(self.fqdn, self.realm)
        installutils.kadmin_addprinc(principal)

        # Store the keytab on disk
        installutils.create_keytab(keytab, principal)
        moved = self.move_service(principal)
        if moved is not None:
            service_dn = moved
        else:
            # the service has already been moved, perhaps we're doing a DNS reinstall
            service_dn = DN(
                ('krbprincipalname', principal),
                ('cn', 'services'), ('cn', 'accounts'), self.suffix)

        # Make sure access is strictly reserved to the named user
        os.chown(keytab, 0, self.ods_gid)
        os.chmod(keytab, 0o440)

        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        add_member = [(ldap.MOD_ADD, 'member', service_dn)]
        try:
            self.admin_conn.modify_s(dns_group, add_member)
        except ldap.TYPE_OR_VALUE_EXISTS:
            pass
        except Exception as e:
            self.logger.critical("Could not modify principal's %s entry: %s"
                                 % (service_dn, str(e)))
            raise

        # bind-dyndb-ldap persistent search feature requires both size and time
        # limit-free connection
        no_limits = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
                     (ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
                     (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                     (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
        try:
            self.admin_conn.modify_s(service_dn, no_limits)
        except Exception as e:
            self.logger.critical("Could not set principal's %s LDAP limits: %s"
                                 % (service_dn, str(e)))
            raise
    def __setup_principal(self):
        """Create ``self.principal``, write ``self.keytab`` and grant rights.

        ``self.keytab`` is wiped and re-created for the principal, then
        restricted to root and ``constants.ODS_GROUP`` (mode 0440).  The
        service entry is added to the "DNS Servers" privilege and its LDAP
        limits lifted, as bind-dyndb-ldap's persistent search requires.

        Raises:
            Exception: LDAP failures other than an existing membership are
                logged at critical level and re-raised.
        """
        keytab, principal = self.keytab, self.principal
        ipautil.remove_keytab(keytab)
        installutils.kadmin_addprinc(principal)

        # Store the keytab on disk
        installutils.create_keytab(keytab, principal)
        service_dn = self.move_service(principal)
        if service_dn is None:
            # the service has already been moved, perhaps we're doing a DNS reinstall
            service_dn = DN(('krbprincipalname', principal),
                            ('cn', 'services'),
                            ('cn', 'accounts'), self.suffix)

        # root:ods, read-only for owner and group, nothing for others.
        os.chown(keytab, 0, constants.ODS_GROUP.gid)
        os.chmod(keytab, 0o440)

        dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
                       ('cn', 'pbac'), self.suffix)
        try:
            api.Backend.ldap2.modify_s(
                dns_group, [(ldap.MOD_ADD, 'member', service_dn)])
        except ldap.TYPE_OR_VALUE_EXISTS:
            pass
        except Exception as e:
            logger.critical("Could not modify principal's %s entry: %s",
                            service_dn, str(e))
            raise

        # bind-dyndb-ldap persistent search feature requires both size and time
        # limit-free connection
        no_limits = [(ldap.MOD_REPLACE, attr, '-1') for attr in
                     ('nsTimeLimit', 'nsSizeLimit',
                      'nsIdleTimeout', 'nsLookThroughLimit')]
        try:
            api.Backend.ldap2.modify_s(service_dn, no_limits)
        except Exception as e:
            logger.critical("Could not set principal's %s LDAP limits: %s",
                            service_dn, str(e))
            raise
 def add_anonymous_principal(self):
     """Register the anonymous principal and load its ACI.

     Registers the name returned by ``get_anonymous_principal_name`` with
     kadmin, then applies ``anon-princ-aci.ldif`` with ``self.sub_dict``.
     No existence check is made first, so a repeated run re-issues the
     kadmin addprinc.
     """
     # Create the special anonymous principal
     anonymous = self.get_anonymous_principal_name()
     installutils.kadmin_addprinc(anonymous)
     self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
 def add_anonymous_principal(self):
     """Register the anonymous principal with kadmin.

     The principal name comes from ``get_anonymous_principal_name``; no
     existence check is made, so a repeated run re-issues the addprinc.
     """
     # Create the special anonymous principal
     anonymous = self.get_anonymous_principal_name()
     installutils.kadmin_addprinc(anonymous)