def __init__(self, realm, warnings=False, debug=False): self.warnings = warnings self.realm = realm.upper() # For the future if we have a non-os krb install. self.krb_prefix = "" sep = os.path.sep self.kadmin = os.path.join(sep, self.krb_prefix, "usr/sbin/kadmin.local") self.kdb5_util = os.path.join(sep, self.krb_prefix, "usr/sbin/kdb5_util") self.krb5kdc = os.path.join(sep, self.krb_prefix, "usr/sbin/krb5kdc") self.kdcconf = os.path.join(sep, self.krb_prefix, "var/kerberos/krb5kdc/kdc.conf") self.kdcpid = os.path.join(sep, self.krb_prefix, "var/run/krb5kdc.pid") self.krb5conf = os.path.join(sep, self.krb_prefix, "etc/krb5.conf") self.krb5confrealm = os.path.join(sep, self.krb_prefix, "etc/krb5.conf.d", self.realm.lower().replace('.', '-')) self.krb_master_password = password_generate() # Should we write this to a file? self.krb_env = {} if debug is True: self.krb_env['KRB5_TRACE'] = '/tmp/krb_lib389.trace'
def __init__(self, dirsrv, dbpassword=None): self.dirsrv = dirsrv self.log = self.dirsrv.log if dbpassword is None: self.dbpassword = password_generate() else: self.dbpassword = dbpassword
def _generate_noise(self, fpath): noise = password_generate(256) prv_mask = os.umask(0o177) try: with open(fpath, 'w') as f: f.write(noise) finally: prv_mask = os.umask(prv_mask)
def __init__(self, dirsrv=None, dbpassword=None, dbpath=None): self.dirsrv = dirsrv self._certdb = dbpath if self._certdb is None: self._certdb = self.dirsrv.get_cert_dir() self.log = log if self.dirsrv is not None: self.log = self.dirsrv.log if dbpassword is None: self.dbpassword = password_generate() else: self.dbpassword = dbpassword
def __init__(self, dirsrv=None, dbpassword=None, dbpath=None): self.dirsrv = dirsrv self._certdb = dbpath if self._certdb is None: self._certdb = self.dirsrv.get_cert_dir() self.log = log if self.dirsrv is not None: self.log = self.dirsrv.log if dbpassword is None: self.dbpassword = password_generate() else: self.dbpassword = dbpassword self.db_files = {"dbm_backend": ["%s/%s" % (self._certdb, f) for f in ("key3.db", "cert8.db", "secmod.db")], "sql_backend": ["%s/%s" % (self._certdb, f) for f in ("key4.db", "cert9.db", "pkcs11.txt")], "support": ["%s/%s" % (self._certdb, f) for f in ("noise.txt", PIN_TXT, PWD_TXT)]}
def __init__(self, dirsrv=None, dbpassword=None, dbpath=None): self.dirsrv = dirsrv self._certdb = dbpath if self._certdb is None: self._certdb = self.dirsrv.get_cert_dir() self.log = log if self.dirsrv is not None: self.log = self.dirsrv.log if dbpassword is None: self.dbpassword = password_generate() else: self.dbpassword = dbpassword self.db_files = { group: [f"{self._certdb}/{f}" for f in files] for group, files in { "dbm_backend": ("key3.db", "cert8.db", "secmod.db"), "sql_backend": ("key4.db", "cert9.db", "pkcs11.txt"), "support": ("noise.txt", PIN_TXT, PWD_TXT) }.items() }
def __init__(self, realm, warnings=False, debug=False): self.warnings = warnings self.realm = realm.upper() # For the future if we have a non-os krb install. self.krb_prefix = "" # Probably should be using os.path.join ... self.kadmin = "%s/usr/sbin/kadmin.local" % self.krb_prefix self.kdb5_util = "%s/usr/sbin/kdb5_util" % self.krb_prefix self.krb5kdc = "%s/usr/sbin/krb5kdc" % self.krb_prefix self.kdcconf = "%s/var/kerberos/krb5kdc/kdc.conf" % self.krb_prefix self.kdcpid = "%s/var/run/krb5kdc.pid" % self.krb_prefix self.krb5conf = "%s/etc/krb5.conf" % (self.krb_prefix) self.krb5confrealm = ("%s/etc/krb5.conf.d/%s" % (self.krb_prefix, self.realm.lower().replace('.', '-'))) self.krb_master_password = password_generate() # Should we write this to a file? self.krb_env = {} if debug is True: self.krb_env['KRB5_TRACE'] = '/tmp/krb_lib389.trace'
def _prepare_ds(self, general, slapd, backends): self.log.info("Validate installation settings ...") assert_c(general['defaults'] is not None, "Configuration defaults in section [general] not found") self.log.debug("PASSED: using config settings %s" % general['defaults']) # Validate our arguments. assert_c(slapd['user'] is not None, "Configuration user in section [slapd] not found") # check the user exists assert_c(pwd.getpwnam(slapd['user']), "user %s not found on system" % slapd['user']) slapd['user_uid'] = pwd.getpwnam(slapd['user']).pw_uid assert_c(slapd['group'] is not None, "Configuration group in section [slapd] not found") assert_c(grp.getgrnam(slapd['group']), "group %s not found on system" % slapd['group']) slapd['group_gid'] = grp.getgrnam(slapd['group']).gr_gid # check this group exists # Check that we are running as this user / group, or that we are root. assert_c( os.geteuid() == 0 or getpass.getuser() == slapd['user'], "Not running as user root or %s, may not have permission to continue" % slapd['user']) self.log.debug("PASSED: user / group checking") assert_c( general['full_machine_name'] is not None, "Configuration full_machine_name in section [general] not found") assert_c( general['strict_host_checking'] is not None, "Configuration strict_host_checking in section [general] not found" ) if general['strict_host_checking'] is True: # Check it resolves with dns assert_c( socket.gethostbyname(general['full_machine_name']), "Strict hostname check failed. Check your DNS records for %s" % general['full_machine_name']) self.log.debug("PASSED: Hostname strict checking") assert_c(slapd['prefix'] is not None, "Configuration prefix in section [slapd] not found") if (slapd['prefix'] != ""): assert_c(os.path.exists(slapd['prefix']), "Prefix location '%s' not found" % slapd['prefix']) self.log.debug("PASSED: prefix checking") # We need to know the prefix before we can do the instance checks assert_c(slapd['instance_name'] is not None, "Configuration instance_name in section [slapd] not found") assert_c( len(slapd['instance_name']) <= 80, "Server identifier should not be longer than 80 symbols") assert_c(all(ord(c) < 128 for c in slapd['instance_name']), "Server identifier can not contain non ascii characters") assert_c(' ' not in slapd['instance_name'], "Server identifier can not contain a space") assert_c( slapd['instance_name'] != 'admin', "Server identifier \"admin\" is reserved, please choose a different identifier" ) # Check that valid characters are used safe = re.compile(r'^[:\w@_-]+$').search assert_c( bool(safe(slapd['instance_name'])), "Server identifier has invalid characters, please choose a different value" ) # Check if the instance exists or not. # Should I move this import? I think this prevents some recursion from lib389 import DirSrv ds = DirSrv(verbose=self.verbose) ds.containerised = self.containerised ds.prefix = slapd['prefix'] insts = ds.list(serverid=slapd['instance_name']) assert_c( len(insts) == 0, "Another instance named '%s' may already exist" % slapd['instance_name']) self.log.debug("PASSED: instance checking") assert_c(slapd['root_dn'] is not None, "Configuration root_dn in section [slapd] not found") # Assert this is a valid DN assert_c(is_a_dn(slapd['root_dn']), "root_dn in section [slapd] is not a well formed LDAP DN") assert_c( slapd['root_password'] is not None and slapd['root_password'] != '', "Configuration attribute 'root_password' in section [slapd] not found" ) if len(slapd['root_password']) < 8: raise ValueError( "root_password must be at least 8 characters long") # Check if pre-hashed or not. # !!!!!!!!!!!!!! # Right now, the way that rootpw works on ns-slapd works, it force hashes the pw # see https://fedorahosted.org/389/ticket/48859 if not re.match('^([A-Z0-9]+).*$', slapd['root_password']): # We need to hash it. Call pwdhash-bin. # slapd['root_password'] = password_hash(slapd['root_password'], prefix=slapd['prefix']) pass else: pass # Create a random string # Hash it. # This will be our temporary rootdn password so that we can do # live mods and setup rather than static ldif manipulations. self._raw_secure_password = password_generate() self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir']) self.log.debug("INFO: temp root password set to %s" % self._raw_secure_password) self.log.debug("PASSED: root user checking") assert_c(slapd['port'] is not None, "Configuration port in section [slapd] not found") if self.containerised: if slapd['port'] <= 1024: self.log.warning( "WARNING: slapd port %s may not work without NET_BIND_SERVICE in containers" % slapd['port']) if slapd['secure_port'] <= 1024: self.log.warning( "WARNING: slapd secure_port %s may not work without NET_BIND_SERVICE in containers" % slapd['secure_port']) assert_c( socket_check_open('::1', slapd['port']) is False, "port %s is already in use, or missing NET_BIND_SERVICE" % slapd['port']) # We enable secure port by default. assert_c(slapd['secure_port'] is not None, "Configuration secure_port in section [slapd] not found") assert_c( socket_check_open('::1', slapd['secure_port']) is False, "secure_port %s is already in use, or missing NET_BIND_SERVICE" % slapd['secure_port']) self.log.debug("PASSED: network avaliability checking") # Make assertions of the paths? # Make assertions of the backends? # First fix some compat shenanigans. I hate legacy ... for be in backends: for k in BACKEND_PROPNAME_TO_ATTRNAME: if k in be: be[BACKEND_PROPNAME_TO_ATTRNAME[k]] = be[k] del (be[k]) for be in backends: assert_c('nsslapd-suffix' in be) assert_c('cn' in be)
def _generate_noise(self, fpath): noise = password_generate(256) with open(fpath, 'w') as f: f.write(noise)
def _prepare_ds(self, general, slapd, backends): assert(general['defaults'] is not None) if self.verbose: self.log.info("PASSED: using config settings %s" % general['defaults']) # Validate our arguments. assert(slapd['user'] is not None) # check the user exists assert(pwd.getpwnam(slapd['user'])) slapd['user_uid'] = pwd.getpwnam(slapd['user']).pw_uid assert(slapd['group'] is not None) assert(grp.getgrnam(slapd['group'])) slapd['group_gid'] = grp.getgrnam(slapd['group']).gr_gid # check this group exists # Check that we are running as this user / group, or that we are root. assert(os.geteuid() == 0 or getpass.getuser() == slapd['user']) if self.verbose: self.log.info("PASSED: user / group checking") assert(general['full_machine_name'] is not None) assert(general['strict_host_checking'] is not None) if general['strict_host_checking'] is True: # Check it resolves with dns assert(socket.gethostbyname(general['full_machine_name'])) if self.verbose: self.log.info("PASSED: Hostname strict checking") assert(slapd['prefix'] is not None) if (slapd['prefix'] != ""): assert(os.path.exists(slapd['prefix'])) if self.verbose: self.log.info("PASSED: prefix checking") # We need to know the prefix before we can do the instance checks assert(slapd['instance_name'] is not None) # Check if the instance exists or not. # Should I move this import? I think this prevents some recursion from lib389 import DirSrv ds = DirSrv(verbose=self.verbose) ds.containerised = self.containerised ds.prefix = slapd['prefix'] insts = ds.list(serverid=slapd['instance_name']) assert(len(insts) == 0) if self.verbose: self.log.info("PASSED: instance checking") assert(slapd['root_dn'] is not None) # Assert this is a valid DN assert(is_a_dn(slapd['root_dn'])) assert(slapd['root_password'] is not None) # Check if pre-hashed or not. # !!!!!!!!!!!!!! # Right now, the way that rootpw works on ns-slapd works, it force hashes the pw # see https://fedorahosted.org/389/ticket/48859 if not re.match('^\{[A-Z0-9]+\}.*$', slapd['root_password']): # We need to hash it. Call pwdhash-bin. # slapd['root_password'] = password_hash(slapd['root_password'], prefix=slapd['prefix']) pass else: pass # Create a random string # Hash it. # This will be our temporary rootdn password so that we can do # live mods and setup rather than static ldif manipulations. self._raw_secure_password = password_generate() self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir']) if self.verbose: self.log.info("PASSED: root user checking") assert(slapd['port'] is not None) assert(socket_check_open('::1', slapd['port']) is False) assert(slapd['secure_port'] is not None) assert(socket_check_open('::1', slapd['secure_port']) is False) if self.verbose: self.log.info("PASSED: network avaliability checking")
def _prepare_ds(self, general, slapd, backends): assert_c(general['defaults'] is not None, "Configuration defaults in section [general] not found") if self.verbose: self.log.info("PASSED: using config settings %s" % general['defaults']) # Validate our arguments. assert_c(slapd['user'] is not None, "Configuration user in section [slapd] not found") # check the user exists assert_c(pwd.getpwnam(slapd['user']), "user %s not found on system" % slapd['user']) slapd['user_uid'] = pwd.getpwnam(slapd['user']).pw_uid assert_c(slapd['group'] is not None, "Configuration group in section [slapd] not found") assert_c(grp.getgrnam(slapd['group']), "group %s not found on system" % slapd['group']) slapd['group_gid'] = grp.getgrnam(slapd['group']).gr_gid # check this group exists # Check that we are running as this user / group, or that we are root. assert_c(os.geteuid() == 0 or getpass.getuser() == slapd['user'], "Not running as user root or %s, may not have permission to continue" % slapd['user']) if self.verbose: self.log.info("PASSED: user / group checking") assert_c(general['full_machine_name'] is not None, "Configuration full_machine_name in section [general] not found") assert_c(general['strict_host_checking'] is not None, "Configuration strict_host_checking in section [general] not found") if general['strict_host_checking'] is True: # Check it resolves with dns assert_c(socket.gethostbyname(general['full_machine_name']), "Strict hostname check failed. Check your DNS records for %s" % general['full_machine_name']) if self.verbose: self.log.info("PASSED: Hostname strict checking") assert_c(slapd['prefix'] is not None, "Configuration prefix in section [slapd] not found") if (slapd['prefix'] != ""): assert_c(os.path.exists(slapd['prefix']), "Prefix location '%s' not found" % slapd['prefix']) if self.verbose: self.log.info("PASSED: prefix checking") # We need to know the prefix before we can do the instance checks assert_c(slapd['instance_name'] is not None, "Configuration instance_name in section [slapd] not found") # Check if the instance exists or not. # Should I move this import? I think this prevents some recursion from lib389 import DirSrv ds = DirSrv(verbose=self.verbose) ds.containerised = self.containerised ds.prefix = slapd['prefix'] insts = ds.list(serverid=slapd['instance_name']) assert_c(len(insts) == 0, "Another instance named '%s' may already exist" % slapd['instance_name']) if self.verbose: self.log.info("PASSED: instance checking") assert_c(slapd['root_dn'] is not None, "Configuration root_dn in section [slapd] not found") # Assert this is a valid DN assert_c(is_a_dn(slapd['root_dn']), "root_dn in section [slapd] is not a well formed LDAP DN") assert_c(slapd['root_password'] is not None, "Configuration root_password in section [slapd] not found") # Check if pre-hashed or not. # !!!!!!!!!!!!!! # Right now, the way that rootpw works on ns-slapd works, it force hashes the pw # see https://fedorahosted.org/389/ticket/48859 if not re.match('^\{[A-Z0-9]+\}.*$', slapd['root_password']): # We need to hash it. Call pwdhash-bin. # slapd['root_password'] = password_hash(slapd['root_password'], prefix=slapd['prefix']) pass else: pass # Create a random string # Hash it. # This will be our temporary rootdn password so that we can do # live mods and setup rather than static ldif manipulations. self._raw_secure_password = password_generate() self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir']) if self.verbose: self.log.info("INFO: temp root password set to %s" % self._raw_secure_password) self.log.info("PASSED: root user checking") assert_c(slapd['port'] is not None, "Configuration port in section [slapd] not found") assert_c(socket_check_open('::1', slapd['port']) is False, "port %s is already in use" % slapd['port']) # We enable secure port by default. assert_c(slapd['secure_port'] is not None, "Configuration secure_port in section [slapd] not found") assert_c(socket_check_open('::1', slapd['secure_port']) is False, "secure_port %s is already in use" % slapd['secure_port']) if self.verbose: self.log.info("PASSED: network avaliability checking")