def ldap_connect(self):
# If DM password is provided, we use it
# If autobind was requested, attempt autobind when root and ldapi
# If autobind was disabled or not succeeded, go with GSSAPI
# LDAPI can be used with either autobind or GSSAPI
# LDAPI requires realm to be set
try:
if self.ldapi:
if not self.realm:
raise errors.NotFound(reason="realm is missing for %s" %
(self))
conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
else:
conn = ipaldap.IPAdmin(self.fqdn, port=389)
if self.dm_password:
conn.do_simple_bind(bindpw=self.dm_password)
elif self.autobind in [AUTO, ENABLED]:
if os.getegid() == 0 and self.ldapi:
try:
# autobind
pw_name = pwd.getpwuid(os.geteuid()).pw_name
conn.do_external_bind(pw_name)
except errors.NotFound, e:
if self.autobind == AUTO:
# Fall back
conn.do_sasl_gssapi_bind()
else:
# autobind was required and failed, raise
# exception that it failed
raise e
else:
conn.do_sasl_gssapi_bind()
else:
def execute(self, **options):
# We need an IPAdmin connection to the backend
self.log.debug("Start replication agreement exclude list update task")
conn = ipaldap.IPAdmin(api.env.host, ldapi=True, realm=api.env.realm)
conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
repl = replication.ReplicationManager(api.env.realm,
api.env.host,
None,
conn=conn)
entries = repl.find_replication_agreements()
self.log.debug("Found %d agreement(s)", len(entries))
for replica in entries:
self.log.debug(replica.getValue('description'))
self._update_attr(repl,
replica,
'nsDS5ReplicatedAttributeList',
replication.EXCLUDES,
template=EXCLUDE_TEMPLATE)
self._update_attr(repl,
replica,
'nsDS5ReplicatedAttributeListTotal',
replication.TOTAL_EXCLUDES,
template=EXCLUDE_TEMPLATE)
self._update_attr(repl, replica, 'nsds5ReplicaStripAttrs',
replication.STRIP_ATTRS)
self.log.debug("Done updating agreements")
return (False, False, []) # No restart, no apply now, no updates
def setUp(self):
fqdn = installutils.get_fqdn()
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
if ipautil.file_exists(pwfile):
fp = open(pwfile, "r")
self.dm_password = fp.read().rstrip()
fp.close()
else:
raise nose.SkipTest("No directory manager password")
self.updater = LDAPUpdate(dm_password=self.dm_password,
sub_dict={},
live_run=True)
self.ld = ipaldap.IPAdmin(fqdn)
self.ld.do_simple_bind(bindpw=self.dm_password)
if ipautil.file_exists("0_reset.update"):
self.testdir = "./"
elif ipautil.file_exists("tests/test_install/0_reset.update"):
self.testdir = "./tests/test_install/"
else:
raise nose.SkipTest("Unable to find test update files")
self.container_dn = DN(
self.updater._template_str('cn=test, cn=accounts, $SUFFIX'))
self.user_dn = DN(
self.updater._template_str(
'uid=tuser, cn=test, cn=accounts, $SUFFIX'))
def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None):
"""
Test whether the dns container exists.
"""
def object_exists(dn): # FIXME, this should be a IPAdmin/ldap2 method so it can be shared
"""
Test whether the given object exists in LDAP.
"""
assert isinstance(dn, DN)
try:
conn.search_ext_s(dn, ldap.SCOPE_BASE)
except ldap.NO_SUCH_OBJECT:
return False
else:
return True
assert isinstance(suffix, DN)
try:
# At install time we may need to use LDAPI to avoid chicken/egg
# issues with SSL certs and truting CAs
if ldapi:
conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm)
else:
conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=service.CACERT)
if dm_password:
conn.do_simple_bind(bindpw=dm_password)
else:
conn.do_sasl_gssapi_bind()
except ldap.SERVER_DOWN:
raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
ret = object_exists(DN(('cn', 'dns'), suffix))
conn.unbind_s()
return ret
def create_connection(self):
if self.online:
if self.ldapi:
self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
else:
self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'],
ldapi=False,
realm=self.realm)
try:
if self.dm_password:
self.conn.do_simple_bind(binddn=DN(
('cn', 'directory manager')),
bindpw=self.dm_password)
elif os.getegid() == 0:
try:
# autobind
self.conn.do_external_bind(self.pw_name)
except errors.NotFound:
# Fall back
self.conn.do_sasl_gssapi_bind()
else:
self.conn.do_sasl_gssapi_bind()
except ldap.LOCAL_ERROR, e:
raise RuntimeError('%s' % e.args[0].get('info', '').strip())
def init_memberof(self):
if not self.run_init_memberof:
return
self._ldap_mod("memberof-task.ldif", self.sub_dict)
# Note, keep dn in sync with dn in install/share/memberof-task.ldif
dn = DN(('cn', 'IPA install %s' % self.sub_dict["TIME"]),
('cn', 'memberof task'), ('cn', 'tasks'), ('cn', 'config'))
root_logger.debug("Waiting for memberof task to complete.")
conn = ipaldap.IPAdmin(self.fqdn)
if self.dm_password:
conn.simple_bind_s(DN(('cn', 'directory manager')),
self.dm_password)
else:
conn.do_sasl_gssapi_bind()
conn.checkTask(dn, dowait=True)
conn.unbind()
def __init__(self,
dm_password,
sub_dict={},
live_run=True,
online=True,
ldapi=False,
plugins=False):
'''
:parameters:
dm_password
Directory Manager password
sub_dict
substitution dictionary
live_run
Apply the changes or just test
online
Do an online LDAP update or use an experimental LDIF updater
ldapi
Bind using ldapi. This assumes autobind is enabled.
plugins
execute the pre/post update plugins
Data Structure Example:
-----------------------
dn_by_rdn_count = {
3: 'cn=config,dc=example,dc=com':
4: 'cn=bob,ou=people,dc=example,dc=com',
}
all_updates = {
'dn': 'cn=config,dc=example,dc=com':
{
'dn': 'cn=config,dc=example,dc=com',
'default': ['attr1':default1'],
'updates': ['action:attr1:value1',
'action:attr2:value2]
},
'dn': 'cn=bob,ou=people,dc=example,dc=com':
{
'dn': 'cn=bob,ou=people,dc=example,dc=com',
'default': ['attr3':default3'],
'updates': ['action:attr3:value3',
'action:attr4:value4],
}
}
The default and update lists are "dispositions"
'''
log_mgr.get_logger(self, True)
self.sub_dict = sub_dict
self.live_run = live_run
self.dm_password = dm_password
self.conn = None
self.modified = False
self.online = online
self.ldapi = ldapi
self.plugins = plugins
self.pw_name = pwd.getpwuid(os.geteuid()).pw_name
self.realm = None
suffix = None
if sub_dict.get("REALM"):
self.realm = sub_dict["REALM"]
else:
krbctx = krbV.default_context()
try:
self.realm = krbctx.default_realm
suffix = ipautil.realm_to_suffix(self.realm)
except krbV.Krb5Error:
self.realm = None
suffix = None
if suffix is not None:
assert isinstance(suffix, DN)
domain = ipautil.get_domain_name()
libarch = self._identify_arch()
fqdn = installutils.get_fqdn()
if fqdn is None:
raise RuntimeError("Unable to determine hostname")
fqhn = fqdn # Save this for the sub_dict variable
if self.ldapi:
fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join(
self.realm.split("."))
if not self.sub_dict.get("REALM") and self.realm is not None:
self.sub_dict["REALM"] = self.realm
if not self.sub_dict.get("FQDN"):
self.sub_dict["FQDN"] = fqhn
if not self.sub_dict.get("DOMAIN"):
self.sub_dict["DOMAIN"] = domain
if not self.sub_dict.get("SUFFIX") and suffix is not None:
self.sub_dict["SUFFIX"] = suffix
if not self.sub_dict.get("ESCAPED_SUFFIX"):
self.sub_dict["ESCAPED_SUFFIX"] = str(suffix)
if not self.sub_dict.get("LIBARCH"):
self.sub_dict["LIBARCH"] = libarch
if not self.sub_dict.get("TIME"):
self.sub_dict["TIME"] = int(time.time())
if not self.sub_dict.get("DOMAIN") and domain is not None:
self.sub_dict["DOMAIN"] = domain
if online:
# Try out the connection/password
try:
conn = ipaldap.IPAdmin(fqdn,
ldapi=self.ldapi,
realm=self.realm)
if self.dm_password:
conn.do_simple_bind(binddn=DN(('cn', 'directory manager')),
bindpw=self.dm_password)
elif os.getegid() == 0:
try:
# autobind
conn.do_external_bind(self.pw_name)
except errors.NotFound:
# Fall back
conn.do_sasl_gssapi_bind()
else:
conn.do_sasl_gssapi_bind()
conn.unbind()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
raise RuntimeError("Unable to connect to LDAP server %s" %
fqdn)
except ldap.INVALID_CREDENTIALS:
raise RuntimeError(
"The password provided is incorrect for LDAP server %s" %
fqdn)
except ldap.LOCAL_ERROR, e:
raise RuntimeError('%s' % e.args[0].get('info', '').strip())
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name,
nssdir=dirname,
subject_base=self.subject_base)
if self.pkcs12_info:
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError(
"Could not find a suitable server cert in import in %s" %
self.pkcs12_info[0])
# We only handle one server cert
nickname = server_certs[0][0]
self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
else:
nickname = "Server-Cert"
cadb = certs.CertDB(self.realm_name,
host_name=self.fqdn,
subject_base=self.subject_base)
if self.self_signed_ca:
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
self.dercert = dsdb.create_server_cert("Server-Cert",
self.fqdn, cadb)
dsdb.track_server_cert("Server-Cert", self.principal,
dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
dsdb.create_pin_file()
else:
# FIXME, need to set this nickname in the RA plugin
cadb.export_ca_cert('ipaCert', False)
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
self.dercert = dsdb.create_server_cert("Server-Cert",
self.fqdn, cadb)
dsdb.track_server_cert("Server-Cert", self.principal,
dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
dsdb.create_pin_file()
conn = ipaldap.IPAdmin(self.fqdn)
conn.simple_bind_s(DN(('cn', 'directory manager')), self.dm_password)
mod = [
(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers",
"-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
+tls_rsa_export1024_with_des_cbc_sha")
]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s(DN(('cn', 'config')), mod)
entry = ipaldap.Entry(
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')))
entry.setValues("objectclass", "top", "nsEncryptionModule")
entry.setValues("cn", "RSA")
entry.setValues("nsSSLPersonalitySSL", nickname)
entry.setValues("nsSSLToken", "internal (software)")
entry.setValues("nsSSLActivation", "on")
conn.addEntry(entry)
conn.unbind()
# check for open secure port 636 from now on
self.open_ports.append(636)