def __init__(self, realm, warnings=False, debug=False):
self.warnings = warnings
self.realm = realm.upper()
# For the future if we have a non-os krb install.
self.krb_prefix = ""
sep = os.path.sep
self.kadmin = os.path.join(sep, self.krb_prefix,
"usr/sbin/kadmin.local")
self.kdb5_util = os.path.join(sep, self.krb_prefix,
"usr/sbin/kdb5_util")
self.krb5kdc = os.path.join(sep, self.krb_prefix, "usr/sbin/krb5kdc")
self.kdcconf = os.path.join(sep, self.krb_prefix,
"var/kerberos/krb5kdc/kdc.conf")
self.kdcpid = os.path.join(sep, self.krb_prefix, "var/run/krb5kdc.pid")
self.krb5conf = os.path.join(sep, self.krb_prefix, "etc/krb5.conf")
self.krb5confrealm = os.path.join(sep, self.krb_prefix,
"etc/krb5.conf.d",
self.realm.lower().replace('.', '-'))
self.krb_master_password = password_generate()
# Should we write this to a file?
self.krb_env = {}
if debug is True:
self.krb_env['KRB5_TRACE'] = '/tmp/krb_lib389.trace'
def __init__(self, dirsrv, dbpassword=None):
self.dirsrv = dirsrv
self.log = self.dirsrv.log
if dbpassword is None:
self.dbpassword = password_generate()
else:
self.dbpassword = dbpassword
def _generate_noise(self, fpath):
noise = password_generate(256)
prv_mask = os.umask(0o177)
try:
with open(fpath, 'w') as f:
f.write(noise)
finally:
prv_mask = os.umask(prv_mask)
def __init__(self, dirsrv=None, dbpassword=None, dbpath=None):
self.dirsrv = dirsrv
self._certdb = dbpath
if self._certdb is None:
self._certdb = self.dirsrv.get_cert_dir()
self.log = log
if self.dirsrv is not None:
self.log = self.dirsrv.log
if dbpassword is None:
self.dbpassword = password_generate()
else:
self.dbpassword = dbpassword
def __init__(self, dirsrv=None, dbpassword=None, dbpath=None):
self.dirsrv = dirsrv
self._certdb = dbpath
if self._certdb is None:
self._certdb = self.dirsrv.get_cert_dir()
self.log = log
if self.dirsrv is not None:
self.log = self.dirsrv.log
if dbpassword is None:
self.dbpassword = password_generate()
else:
self.dbpassword = dbpassword
self.db_files = {"dbm_backend": ["%s/%s" % (self._certdb, f) for f in ("key3.db", "cert8.db", "secmod.db")],
"sql_backend": ["%s/%s" % (self._certdb, f) for f in ("key4.db", "cert9.db", "pkcs11.txt")],
"support": ["%s/%s" % (self._certdb, f) for f in ("noise.txt", PIN_TXT, PWD_TXT)]}
def __init__(self, dirsrv=None, dbpassword=None, dbpath=None):
self.dirsrv = dirsrv
self._certdb = dbpath
if self._certdb is None:
self._certdb = self.dirsrv.get_cert_dir()
self.log = log
if self.dirsrv is not None:
self.log = self.dirsrv.log
if dbpassword is None:
self.dbpassword = password_generate()
else:
self.dbpassword = dbpassword
self.db_files = {
group: [f"{self._certdb}/{f}" for f in files]
for group, files in {
"dbm_backend": ("key3.db", "cert8.db", "secmod.db"),
"sql_backend": ("key4.db", "cert9.db", "pkcs11.txt"),
"support": ("noise.txt", PIN_TXT, PWD_TXT)
}.items()
}
def __init__(self, realm, warnings=False, debug=False):
self.warnings = warnings
self.realm = realm.upper()
# For the future if we have a non-os krb install.
self.krb_prefix = ""
# Probably should be using os.path.join ...
self.kadmin = "%s/usr/sbin/kadmin.local" % self.krb_prefix
self.kdb5_util = "%s/usr/sbin/kdb5_util" % self.krb_prefix
self.krb5kdc = "%s/usr/sbin/krb5kdc" % self.krb_prefix
self.kdcconf = "%s/var/kerberos/krb5kdc/kdc.conf" % self.krb_prefix
self.kdcpid = "%s/var/run/krb5kdc.pid" % self.krb_prefix
self.krb5conf = "%s/etc/krb5.conf" % (self.krb_prefix)
self.krb5confrealm = ("%s/etc/krb5.conf.d/%s" %
(self.krb_prefix,
self.realm.lower().replace('.', '-')))
self.krb_master_password = password_generate()
# Should we write this to a file?
self.krb_env = {}
if debug is True:
self.krb_env['KRB5_TRACE'] = '/tmp/krb_lib389.trace'
def _prepare_ds(self, general, slapd, backends):
self.log.info("Validate installation settings ...")
assert_c(general['defaults'] is not None,
"Configuration defaults in section [general] not found")
self.log.debug("PASSED: using config settings %s" %
general['defaults'])
# Validate our arguments.
assert_c(slapd['user'] is not None,
"Configuration user in section [slapd] not found")
# check the user exists
assert_c(pwd.getpwnam(slapd['user']),
"user %s not found on system" % slapd['user'])
slapd['user_uid'] = pwd.getpwnam(slapd['user']).pw_uid
assert_c(slapd['group'] is not None,
"Configuration group in section [slapd] not found")
assert_c(grp.getgrnam(slapd['group']),
"group %s not found on system" % slapd['group'])
slapd['group_gid'] = grp.getgrnam(slapd['group']).gr_gid
# check this group exists
# Check that we are running as this user / group, or that we are root.
assert_c(
os.geteuid() == 0 or getpass.getuser() == slapd['user'],
"Not running as user root or %s, may not have permission to continue"
% slapd['user'])
self.log.debug("PASSED: user / group checking")
assert_c(
general['full_machine_name'] is not None,
"Configuration full_machine_name in section [general] not found")
assert_c(
general['strict_host_checking'] is not None,
"Configuration strict_host_checking in section [general] not found"
)
if general['strict_host_checking'] is True:
# Check it resolves with dns
assert_c(
socket.gethostbyname(general['full_machine_name']),
"Strict hostname check failed. Check your DNS records for %s" %
general['full_machine_name'])
self.log.debug("PASSED: Hostname strict checking")
assert_c(slapd['prefix'] is not None,
"Configuration prefix in section [slapd] not found")
if (slapd['prefix'] != ""):
assert_c(os.path.exists(slapd['prefix']),
"Prefix location '%s' not found" % slapd['prefix'])
self.log.debug("PASSED: prefix checking")
# We need to know the prefix before we can do the instance checks
assert_c(slapd['instance_name'] is not None,
"Configuration instance_name in section [slapd] not found")
assert_c(
len(slapd['instance_name']) <= 80,
"Server identifier should not be longer than 80 symbols")
assert_c(all(ord(c) < 128 for c in slapd['instance_name']),
"Server identifier can not contain non ascii characters")
assert_c(' ' not in slapd['instance_name'],
"Server identifier can not contain a space")
assert_c(
slapd['instance_name'] != 'admin',
"Server identifier \"admin\" is reserved, please choose a different identifier"
)
# Check that valid characters are used
safe = re.compile(r'^[:\w@_-]+$').search
assert_c(
bool(safe(slapd['instance_name'])),
"Server identifier has invalid characters, please choose a different value"
)
# Check if the instance exists or not.
# Should I move this import? I think this prevents some recursion
from lib389 import DirSrv
ds = DirSrv(verbose=self.verbose)
ds.containerised = self.containerised
ds.prefix = slapd['prefix']
insts = ds.list(serverid=slapd['instance_name'])
assert_c(
len(insts) == 0, "Another instance named '%s' may already exist" %
slapd['instance_name'])
self.log.debug("PASSED: instance checking")
assert_c(slapd['root_dn'] is not None,
"Configuration root_dn in section [slapd] not found")
# Assert this is a valid DN
assert_c(is_a_dn(slapd['root_dn']),
"root_dn in section [slapd] is not a well formed LDAP DN")
assert_c(
slapd['root_password'] is not None
and slapd['root_password'] != '',
"Configuration attribute 'root_password' in section [slapd] not found"
)
if len(slapd['root_password']) < 8:
raise ValueError(
"root_password must be at least 8 characters long")
# Check if pre-hashed or not.
# !!!!!!!!!!!!!!
# Right now, the way that rootpw works on ns-slapd works, it force hashes the pw
# see https://fedorahosted.org/389/ticket/48859
if not re.match('^([A-Z0-9]+).*$', slapd['root_password']):
# We need to hash it. Call pwdhash-bin.
# slapd['root_password'] = password_hash(slapd['root_password'], prefix=slapd['prefix'])
pass
else:
pass
# Create a random string
# Hash it.
# This will be our temporary rootdn password so that we can do
# live mods and setup rather than static ldif manipulations.
self._raw_secure_password = password_generate()
self._secure_password = password_hash(self._raw_secure_password,
bin_dir=slapd['bin_dir'])
self.log.debug("INFO: temp root password set to %s" %
self._raw_secure_password)
self.log.debug("PASSED: root user checking")
assert_c(slapd['port'] is not None,
"Configuration port in section [slapd] not found")
if self.containerised:
if slapd['port'] <= 1024:
self.log.warning(
"WARNING: slapd port %s may not work without NET_BIND_SERVICE in containers"
% slapd['port'])
if slapd['secure_port'] <= 1024:
self.log.warning(
"WARNING: slapd secure_port %s may not work without NET_BIND_SERVICE in containers"
% slapd['secure_port'])
assert_c(
socket_check_open('::1', slapd['port']) is False,
"port %s is already in use, or missing NET_BIND_SERVICE" %
slapd['port'])
# We enable secure port by default.
assert_c(slapd['secure_port'] is not None,
"Configuration secure_port in section [slapd] not found")
assert_c(
socket_check_open('::1', slapd['secure_port']) is False,
"secure_port %s is already in use, or missing NET_BIND_SERVICE" %
slapd['secure_port'])
self.log.debug("PASSED: network avaliability checking")
# Make assertions of the paths?
# Make assertions of the backends?
# First fix some compat shenanigans. I hate legacy ...
for be in backends:
for k in BACKEND_PROPNAME_TO_ATTRNAME:
if k in be:
be[BACKEND_PROPNAME_TO_ATTRNAME[k]] = be[k]
del (be[k])
for be in backends:
assert_c('nsslapd-suffix' in be)
assert_c('cn' in be)
def _generate_noise(self, fpath):
noise = password_generate(256)
with open(fpath, 'w') as f:
f.write(noise)
def _generate_noise(self, fpath):
noise = password_generate(256)
with open(fpath, 'w') as f:
f.write(noise)
def _prepare_ds(self, general, slapd, backends):
assert(general['defaults'] is not None)
if self.verbose:
self.log.info("PASSED: using config settings %s" % general['defaults'])
# Validate our arguments.
assert(slapd['user'] is not None)
# check the user exists
assert(pwd.getpwnam(slapd['user']))
slapd['user_uid'] = pwd.getpwnam(slapd['user']).pw_uid
assert(slapd['group'] is not None)
assert(grp.getgrnam(slapd['group']))
slapd['group_gid'] = grp.getgrnam(slapd['group']).gr_gid
# check this group exists
# Check that we are running as this user / group, or that we are root.
assert(os.geteuid() == 0 or getpass.getuser() == slapd['user'])
if self.verbose:
self.log.info("PASSED: user / group checking")
assert(general['full_machine_name'] is not None)
assert(general['strict_host_checking'] is not None)
if general['strict_host_checking'] is True:
# Check it resolves with dns
assert(socket.gethostbyname(general['full_machine_name']))
if self.verbose:
self.log.info("PASSED: Hostname strict checking")
assert(slapd['prefix'] is not None)
if (slapd['prefix'] != ""):
assert(os.path.exists(slapd['prefix']))
if self.verbose:
self.log.info("PASSED: prefix checking")
# We need to know the prefix before we can do the instance checks
assert(slapd['instance_name'] is not None)
# Check if the instance exists or not.
# Should I move this import? I think this prevents some recursion
from lib389 import DirSrv
ds = DirSrv(verbose=self.verbose)
ds.containerised = self.containerised
ds.prefix = slapd['prefix']
insts = ds.list(serverid=slapd['instance_name'])
assert(len(insts) == 0)
if self.verbose:
self.log.info("PASSED: instance checking")
assert(slapd['root_dn'] is not None)
# Assert this is a valid DN
assert(is_a_dn(slapd['root_dn']))
assert(slapd['root_password'] is not None)
# Check if pre-hashed or not.
# !!!!!!!!!!!!!!
# Right now, the way that rootpw works on ns-slapd works, it force hashes the pw
# see https://fedorahosted.org/389/ticket/48859
if not re.match('^\{[A-Z0-9]+\}.*$', slapd['root_password']):
# We need to hash it. Call pwdhash-bin.
# slapd['root_password'] = password_hash(slapd['root_password'], prefix=slapd['prefix'])
pass
else:
pass
# Create a random string
# Hash it.
# This will be our temporary rootdn password so that we can do
# live mods and setup rather than static ldif manipulations.
self._raw_secure_password = password_generate()
self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir'])
if self.verbose:
self.log.info("PASSED: root user checking")
assert(slapd['port'] is not None)
assert(socket_check_open('::1', slapd['port']) is False)
assert(slapd['secure_port'] is not None)
assert(socket_check_open('::1', slapd['secure_port']) is False)
if self.verbose:
self.log.info("PASSED: network avaliability checking")
def _prepare_ds(self, general, slapd, backends):
assert_c(general['defaults'] is not None, "Configuration defaults in section [general] not found")
if self.verbose:
self.log.info("PASSED: using config settings %s" % general['defaults'])
# Validate our arguments.
assert_c(slapd['user'] is not None, "Configuration user in section [slapd] not found")
# check the user exists
assert_c(pwd.getpwnam(slapd['user']), "user %s not found on system" % slapd['user'])
slapd['user_uid'] = pwd.getpwnam(slapd['user']).pw_uid
assert_c(slapd['group'] is not None, "Configuration group in section [slapd] not found")
assert_c(grp.getgrnam(slapd['group']), "group %s not found on system" % slapd['group'])
slapd['group_gid'] = grp.getgrnam(slapd['group']).gr_gid
# check this group exists
# Check that we are running as this user / group, or that we are root.
assert_c(os.geteuid() == 0 or getpass.getuser() == slapd['user'], "Not running as user root or %s, may not have permission to continue" % slapd['user'])
if self.verbose:
self.log.info("PASSED: user / group checking")
assert_c(general['full_machine_name'] is not None, "Configuration full_machine_name in section [general] not found")
assert_c(general['strict_host_checking'] is not None, "Configuration strict_host_checking in section [general] not found")
if general['strict_host_checking'] is True:
# Check it resolves with dns
assert_c(socket.gethostbyname(general['full_machine_name']), "Strict hostname check failed. Check your DNS records for %s" % general['full_machine_name'])
if self.verbose:
self.log.info("PASSED: Hostname strict checking")
assert_c(slapd['prefix'] is not None, "Configuration prefix in section [slapd] not found")
if (slapd['prefix'] != ""):
assert_c(os.path.exists(slapd['prefix']), "Prefix location '%s' not found" % slapd['prefix'])
if self.verbose:
self.log.info("PASSED: prefix checking")
# We need to know the prefix before we can do the instance checks
assert_c(slapd['instance_name'] is not None, "Configuration instance_name in section [slapd] not found")
# Check if the instance exists or not.
# Should I move this import? I think this prevents some recursion
from lib389 import DirSrv
ds = DirSrv(verbose=self.verbose)
ds.containerised = self.containerised
ds.prefix = slapd['prefix']
insts = ds.list(serverid=slapd['instance_name'])
assert_c(len(insts) == 0, "Another instance named '%s' may already exist" % slapd['instance_name'])
if self.verbose:
self.log.info("PASSED: instance checking")
assert_c(slapd['root_dn'] is not None, "Configuration root_dn in section [slapd] not found")
# Assert this is a valid DN
assert_c(is_a_dn(slapd['root_dn']), "root_dn in section [slapd] is not a well formed LDAP DN")
assert_c(slapd['root_password'] is not None, "Configuration root_password in section [slapd] not found")
# Check if pre-hashed or not.
# !!!!!!!!!!!!!!
# Right now, the way that rootpw works on ns-slapd works, it force hashes the pw
# see https://fedorahosted.org/389/ticket/48859
if not re.match('^\{[A-Z0-9]+\}.*$', slapd['root_password']):
# We need to hash it. Call pwdhash-bin.
# slapd['root_password'] = password_hash(slapd['root_password'], prefix=slapd['prefix'])
pass
else:
pass
# Create a random string
# Hash it.
# This will be our temporary rootdn password so that we can do
# live mods and setup rather than static ldif manipulations.
self._raw_secure_password = password_generate()
self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir'])
if self.verbose:
self.log.info("INFO: temp root password set to %s" % self._raw_secure_password)
self.log.info("PASSED: root user checking")
assert_c(slapd['port'] is not None, "Configuration port in section [slapd] not found")
assert_c(socket_check_open('::1', slapd['port']) is False, "port %s is already in use" % slapd['port'])
# We enable secure port by default.
assert_c(slapd['secure_port'] is not None, "Configuration secure_port in section [slapd] not found")
assert_c(socket_check_open('::1', slapd['secure_port']) is False, "secure_port %s is already in use" % slapd['secure_port'])
if self.verbose:
self.log.info("PASSED: network avaliability checking")
