def update_pki_admin_password(self):
ldap = ldap2(shared_instance=False)
ldap.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password)
dn = DN('uid=admin', 'ou=people', 'o=ipaca')
ldap.modify_password(dn, self.dirman_password)
ldap.disconnect()
def ask_for_options(self):
options = self.options
super(ReplicaPrepare, self).ask_for_options()
# get the directory manager password
self.dirman_password = options.password
if not options.password:
self.dirman_password = installutils.read_password(
"Directory Manager (existing master)",
confirm=False, validate=False)
if self.dirman_password is None:
raise admintool.ScriptError(
"Directory Manager password required")
# Try out the password & get the subject base
suffix = ipautil.realm_to_suffix(api.env.realm)
try:
conn = ldap2(shared_instance=False, base_dn=suffix)
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password)
dn, entry_attrs = conn.get_ipa_config()
conn.disconnect()
except errors.ACIError:
raise admintool.ScriptError("The password provided is incorrect "
"for LDAP server %s" % api.env.host)
except errors.LDAPError:
raise admintool.ScriptError(
"Unable to connect to LDAP server %s" % api.env.host)
except errors.DatabaseError, e:
raise admintool.ScriptError(e.desc)
def run(self):
api.bootstrap(in_server=True)
api.finalize()
conn = ldap2()
try:
ccache = krbV.default_context().default_ccache()
conn.connect(ccache=ccache)
except (krbV.Krb5Error, errors.ACIError):
raise admintool.ScriptError(
"Unable to connect to LDAP! Did you kinit?")
try:
# Parse tokens
for keypkg in self.doc.getKeyPackages():
try:
api.Command.otptoken_add(keypkg.id,
no_qrcode=True,
**keypkg.options)
except Exception as e:
self.log.warn("Error adding token: %s", e)
else:
self.log.info("Added token: %s", keypkg.id)
keypkg.remove()
finally:
conn.disconnect()
# Write out the XML file without the tokens that succeeded.
self.doc.save(self.output)
def run(self):
api.bootstrap(in_server=True)
api.finalize()
conn = ldap2(api)
try:
ccache = krbV.default_context().default_ccache()
conn.connect(ccache=ccache)
except (krbV.Krb5Error, errors.ACIError):
raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
try:
# Parse tokens
for keypkg in self.doc.getKeyPackages():
try:
api.Command.otptoken_add(keypkg.id, no_qrcode=True, **keypkg.options)
except Exception as e:
self.log.warn("Error adding token: %s", e)
else:
self.log.info("Added token: %s", keypkg.id)
keypkg.remove()
finally:
conn.disconnect()
# Write out the XML file without the tokens that succeeded.
self.doc.save(self.output)
def execute(self, ldapuri, bindpw, **options):
ldap = self.api.Backend.ldap2
self.normalize_options(options)
config = ldap.get_ipa_config()
ds_base_dn = options.get('basedn')
if ds_base_dn is not None:
assert isinstance(ds_base_dn, DN)
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
cacert = None
if options.get('cacertfile') is not None:
# store CA cert into file
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name
# start TLS connection
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
cacert=cacert)
tmp_ca_cert_f.close()
else:
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
# check whether the compat plugin is enabled
if not options.get('compat'):
try:
ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
if not ds_base_dn:
# retrieve base DN from remote LDAP server
entries, _truncated = ds_ldap.find_entries(
'', ['namingcontexts', 'defaultnamingcontext'], DN(''),
ds_ldap.SCOPE_BASE, size_limit=-1, time_limit=0,
)
if 'defaultnamingcontext' in entries[0]:
ds_base_dn = DN(entries[0]['defaultnamingcontext'][0])
assert isinstance(ds_base_dn, DN)
else:
try:
ds_base_dn = DN(entries[0]['namingcontexts'][0])
assert isinstance(ds_base_dn, DN)
except (IndexError, KeyError) as e:
raise Exception(str(e))
# migrate!
(migrated, failed) = self.migrate(
ldap, config, ds_ldap, ds_base_dn, options
)
return dict(result=migrated, failed=failed, enabled=True, compat=True)
def execute(self, ldapuri, bindpw, **options):
ldap = self.api.Backend.ldap2
self.normalize_options(options)
config = ldap.get_ipa_config()
ds_base_dn = options.get('basedn')
if ds_base_dn is not None:
assert isinstance(ds_base_dn, DN)
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
cacert = None
if options.get('cacertfile') is not None:
#store CA cert into file
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name
#start TLS connection
ds_ldap.connect(bind_dn=options['binddn'],
bind_pw=bindpw,
tls_cacertfile=cacert)
tmp_ca_cert_f.close()
else:
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
#check whether the compat plugin is enabled
if not options.get('compat'):
try:
ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
if not ds_base_dn:
# retrieve base DN from remote LDAP server
entries, truncated = ds_ldap.find_entries(
'',
['namingcontexts', 'defaultnamingcontext'],
DN(''),
ds_ldap.SCOPE_BASE,
size_limit=-1,
time_limit=0,
)
if 'defaultnamingcontext' in entries[0]:
ds_base_dn = DN(entries[0]['defaultnamingcontext'][0])
assert isinstance(ds_base_dn, DN)
else:
try:
ds_base_dn = DN(entries[0]['namingcontexts'][0])
assert isinstance(ds_base_dn, DN)
except (IndexError, KeyError), e:
raise StandardError(str(e))
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')[0]
assert cert.serial_number is not None
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')[0]
assert cert.serial_number is not None
def update_pki_admin_password(self):
ldap = ldap2(api)
ldap.connect(
bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password
)
dn = DN('uid=admin', 'ou=people', 'o=ipaca')
ldap.modify_password(dn, self.dirman_password)
ldap.disconnect()
def test_find_orphan_automember_rules(self, hostgroup1):
""" Remove hostgroup1, find and remove obsolete automember rules. """
# Remove hostgroup1
hostgroup1.ensure_missing()
# Test rebuild (is failing)
# rebuild fails if 389-ds is older than 1.4.0.22 where unmembering
# feature was implemented: https://pagure.io/389-ds-base/issue/50077
if not have_ldap2:
pytest.skip('server plugin not available')
ldap = ldap2(api)
ldap.connect()
rootdse = ldap.get_entry(DN(''), ['vendorVersion'])
version = rootdse.single_value.get('vendorVersion')
# The format of vendorVersion is the following:
# 389-Directory/1.3.8.4 B2019.037.1535
# Extract everything between 389-Directory/ and ' B'
mo = re.search(r'389-Directory/(.*) B', version)
vendor_version = parse_version(mo.groups()[0])
expected_failure = vendor_version < parse_version('1.4.0.22')
try:
api.Command['automember_rebuild'](type=u'hostgroup')
except errors.DatabaseError:
rebuild_failure = True
else:
rebuild_failure = False
if expected_failure != rebuild_failure:
pytest.fail("unexpected result for automember_rebuild with "
"an orphan automember rule")
# Find obsolete automember rules
result = api.Command['automember_find_orphans'](type=u'hostgroup')
assert result['count'] == 1
# Find and remove obsolete automember rules
result = api.Command['automember_find_orphans'](type=u'hostgroup',
remove=True)
assert result['count'] == 1
# Find obsolete automember rules
result = api.Command['automember_find_orphans'](type=u'hostgroup')
assert result['count'] == 0
# Test rebuild (may not be failing)
try:
api.Command['automember_rebuild'](type=u'hostgroup')
except errors.DatabaseError:
assert False
# Final cleanup of automember rule if it still exists
with raises_exact(
errors.NotFound(reason=u'%s: Automember rule not found' %
hostgroup1.cn)):
api.Command['automember_del'](hostgroup1.cn, type=u'hostgroup')
def execute(self, ldapuri, bindpw, **options):
ldap = self.api.Backend.ldap2
self.normalize_options(options)
config = ldap.get_ipa_config()[1]
ds_base_dn = options.get('basedn')
if ds_base_dn is not None:
assert isinstance(ds_base_dn, DN)
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
cacert = None
if options.get('cacertfile') is not None:
#store CA cert into file
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name
#start TLS connection
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
tls_cacertfile=cacert)
tmp_ca_cert_f.close()
else:
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
#check whether the compat plugin is enabled
if not options.get('compat'):
try:
(dn,check_compat) = ldap.get_entry(_compat_dn)
assert isinstance(dn, DN)
if check_compat is not None and \
check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
if not ds_base_dn:
# retrieve base DN from remote LDAP server
entries, truncated = ds_ldap.find_entries(
'', ['namingcontexts', 'defaultnamingcontext'], DN(''),
ds_ldap.SCOPE_BASE, size_limit=-1, time_limit=0,
)
if 'defaultnamingcontext' in entries[0][1]:
ds_base_dn = DN(entries[0][1]['defaultnamingcontext'][0])
assert isinstance(ds_base_dn, DN)
else:
try:
ds_base_dn = DN(entries[0][1]['namingcontexts'][0])
assert isinstance(ds_base_dn, DN)
except (IndexError, KeyError), e:
raise StandardError(str(e))
def test_anonymous(self):
"""
Test an anonymous LDAP bind using ldap2
"""
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
dn = api.env.basedn
entry_attrs = self.conn.get_entry(dn, ['associateddomain'])
domain = entry_attrs.single_value['associateddomain']
assert domain == api.env.domain
def test_anonymous(self):
"""
Test an anonymous LDAP bind using ldap2
"""
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect()
dn = api.env.basedn
entry_attrs = self.conn.get_entry(dn, ['associateddomain'])
domain = entry_attrs.single_value['associateddomain']
assert domain == api.env.domain
def test_anonymous(self):
"""
Test an anonymous LDAP bind using ldap2
"""
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
dn = api.env.basedn
entry_attrs = self.conn.get_entry(dn, ['associateddomain'])
domain = entry_attrs.single_value['associateddomain']
assert domain == api.env.domain
def test_anonymous(self):
"""
Test an anonymous LDAP bind using ldap2
"""
self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect()
dn = api.env.basedn
entry_attrs = self.conn.get_entry(dn, ['associateddomain'])
domain = entry_attrs.single_value['associateddomain']
assert domain == api.env.domain
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial_number
assert serial is not None
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial_number
assert serial is not None
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect()
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial
assert serial is not None
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect()
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial
assert serial is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
self.conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
try:
self.conn.connect(autobind=True)
except errors.DatabaseError, e:
if e.desc == 'Inappropriate authentication':
raise nose.SkipTest("Only executed as root")
def test_anonymous(self):
"""
Test an anonymous LDAP bind using ldap2
"""
self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect()
(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
self.conn = ldap2(api)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise unittest.SkipTest("Only executed as root")
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')[0]
assert cert.serial_number is not None
def ldapentry_setup(self, request):
self.ldapuri = api.env.ldap_uri
self.conn = ldap2(api)
self.conn.connect(autobind=AUTOBIND_DISABLED)
self.entry = self.conn.make_entry(self.dn1, cn=self.cn1)
def fin():
if self.conn and self.conn.isconnected():
self.conn.disconnect()
request.addfinalizer(fin)
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
self.conn = ldap2(api)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise nose.SkipTest("Only executed as root")
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')[0]
assert cert.serial_number is not None
def execute(self, ldapuri, bindpw, **options):
ldap = self.api.Backend.ldap2
self.normalize_options(options)
config = ldap.get_ipa_config()[1]
ds_base_dn = options.get('basedn')
if ds_base_dn is not None:
assert isinstance(ds_base_dn, DN)
# check if migration mode is enabled
if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE':
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
#check whether the compat plugin is enabled
if not options.get('compat'):
try:
(dn, check_compat) = ldap.get_entry(_compat_dn,
normalize=False)
assert isinstance(dn, DN)
if check_compat is not None and \
check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
return dict(result={},
failed={},
enabled=True,
compat=False)
except errors.NotFound:
pass
if not ds_base_dn:
# retrieve base DN from remote LDAP server
(entries, truncated) = ds_ldap.find_entries(
'',
['namingcontexts', 'defaultnamingcontext'],
DN(''),
_ldap.SCOPE_BASE,
size_limit=-1,
time_limit=0,
)
if 'defaultnamingcontext' in entries[0][1]:
ds_base_dn = DN(entries[0][1]['defaultnamingcontext'][0])
assert isinstance(ds_base_dn, DN)
else:
try:
ds_base_dn = DN(entries[0][1]['namingcontexts'][0])
assert isinstance(ds_base_dn, DN)
except (IndexError, KeyError), e:
raise StandardError(str(e))
def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
installutils.realm_to_serverid(realm_name)
)
try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri,
base_dn=suffix)
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
except errors.ExecutionError, e:
root_logger.critical("Could not connect to the Directory Server "
"on %s" % realm_name)
raise e
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
if not ipautil.file_exists(self.ccache):
raise nose.SkipTest('Missing ccache %s' % self.ccache)
self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect(ccache='FILE:%s' % self.ccache)
(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
if not ipautil.file_exists(self.ccache):
raise nose.SkipTest("Missing ccache %s" % self.ccache)
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect(ccache="FILE:%s" % self.ccache)
entry_attrs = self.conn.get_entry(self.dn, ["usercertificate"])
cert = entry_attrs.get("usercertificate")
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_GSSAPI(self):
"""
Test a GSSAPI LDAP bind using ldap2
"""
if not ipautil.file_exists(self.ccache):
raise nose.SkipTest('Missing ccache %s' % self.ccache)
self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect(ccache='FILE:%s' % self.ccache)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def execute(self, ldapuri, bindpw, **options):
ldap = self.api.Backend.ldap2
self.normalize_options(options)
config = ldap.get_ipa_config()
ds_base_dn = options.get("basedn")
if ds_base_dn is not None:
assert isinstance(ds_base_dn, DN)
# check if migration mode is enabled
if config.get("ipamigrationenabled", ("FALSE",))[0] == "FALSE":
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
cacert = None
if options.get("cacertfile") is not None:
# store CA cert into file
tmp_ca_cert_f = write_tmp_file(options["cacertfile"])
cacert = tmp_ca_cert_f.name
# start TLS connection
ds_ldap.connect(bind_dn=options["binddn"], bind_pw=bindpw, tls_cacertfile=cacert)
tmp_ca_cert_f.close()
else:
ds_ldap.connect(bind_dn=options["binddn"], bind_pw=bindpw)
# check whether the compat plugin is enabled
if not options.get("compat"):
try:
ldap.get_entry(DN(("cn", "compat"), (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
if not ds_base_dn:
# retrieve base DN from remote LDAP server
entries, truncated = ds_ldap.find_entries(
"", ["namingcontexts", "defaultnamingcontext"], DN(""), ds_ldap.SCOPE_BASE, size_limit=-1, time_limit=0
)
if "defaultnamingcontext" in entries[0]:
ds_base_dn = DN(entries[0]["defaultnamingcontext"][0])
assert isinstance(ds_base_dn, DN)
else:
try:
ds_base_dn = DN(entries[0]["namingcontexts"][0])
assert isinstance(ds_base_dn, DN)
except (IndexError, KeyError), e:
raise StandardError(str(e))
def test_topologyplugin(self):
supplier = REPL_PLUGIN_NAME_TEMPLATE % 'supplier'
pluginattrs = {
u'nsslapd-pluginPath': [u'libtopology'],
u'nsslapd-pluginVendor': [u'freeipa'],
u'cn': [u'IPA Topology Configuration'],
u'nsslapd-plugin-depends-on-named': [supplier, u'ldbm database'],
u'nsslapd-topo-plugin-shared-replica-root': [u'dc=example,dc=com'],
u'nsslapd-pluginVersion': [u'1.0'],
u'nsslapd-topo-plugin-shared-config-base':
[u'cn=ipa,cn=etc,dc=example,dc=com'],
u'nsslapd-pluginDescription': [u'ipa-topology-plugin'],
u'nsslapd-pluginEnabled': [u'on'],
u'nsslapd-pluginId': [u'ipa-topology-plugin'],
u'objectClass': [u'top', u'nsSlapdPlugin', u'extensibleObject'],
u'nsslapd-topo-plugin-startup-delay': [u'20'],
u'nsslapd-topo-plugin-shared-binddngroup': [
u'cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com'
],
u'nsslapd-pluginType': [u'object'],
u'nsslapd-pluginInitfunc': [u'ipa_topo_init']
}
variable_attrs = {
u'nsslapd-topo-plugin-shared-replica-root',
u'nsslapd-topo-plugin-shared-config-base',
u'nsslapd-topo-plugin-shared-binddngroup'
}
# Now eliminate keys that have domain-dependent values.
checkvalues = set(pluginattrs.keys()) - variable_attrs
topoplugindn = DN(('cn', 'IPA Topology Configuration'),
('cn', 'plugins'), ('cn', 'config'))
pwfile = os.path.join(api.env.dot_ipa, ".dmpw")
with io.open(pwfile, "r") as f:
dm_password = f.read().rstrip()
self.conn = ldap2(api)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
entry = self.conn.get_entry(topoplugindn)
assert (set(entry.keys()) == set(pluginattrs.keys()))
# Handle different names for replication plugin
key = 'nsslapd-plugin-depends-on-named'
plugin_dependencies = entry[key]
if supplier not in plugin_dependencies:
mm = REPL_PLUGIN_NAME_TEMPLATE % 'master'
pluginattrs[key] = [mm, 'ldbm database']
for i in checkvalues:
assert (set(pluginattrs[i]) == set(entry[i]))
def get_ra_cert():
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
base_dn = DN(('uid', 'ipara'), ('ou', 'people'), ('o', 'ipaca'))
conn = ldap2.ldap2(api)
conn.connect()
entry = conn.get_entry(base_dn, ['description', 'usercertificate'])
description = entry['description'][0]
usercertificate = entry['usercertificate'][0]
serial_number = description.split(';')[1]
return int(serial_number), usercertificate
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
self.conn = ldap2(api)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise nose.SkipTest("Only executed as root")
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial_number
assert serial is not None
def test_simple(self):
"""
Test a simple LDAP bind using ldap2
"""
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
if ipautil.file_exists(pwfile):
with open(pwfile, "r") as fp:
dm_password = fp.read().rstrip()
else:
raise nose.SkipTest("No directory manager password in %s" % pwfile)
self.conn = ldap2(api)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')[0]
assert cert.serial_number is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
self.conn = ldap2(api, ldap_uri=ldapuri)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise nose.SkipTest("Only executed as root")
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
self.conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise nose.SkipTest("Only executed as root")
(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
ldapuri = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % api.env.realm.replace(".", "-")
self.conn = ldap2(api, ldap_uri=ldapuri)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise nose.SkipTest("Only executed as root")
entry_attrs = self.conn.get_entry(self.dn, ["usercertificate"])
cert = entry_attrs.get("usercertificate")
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_autobind(self):
"""
Test an autobind LDAP bind using ldap2
"""
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
self.conn = ldap2(api, ldap_uri=ldapuri)
try:
self.conn.connect(autobind=True)
except errors.ACIError:
raise nose.SkipTest("Only executed as root")
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial
assert serial is not None
def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
installutils.realm_to_serverid(realm_name))
try:
conn = ldap2(api, ldap_uri=ldapuri)
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
except errors.ExecutionError as e:
root_logger.critical("Could not connect to the Directory Server "
"on %s" % realm_name)
raise e
entry_attrs = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs:
entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)]
conn.update_entry(entry_attrs)
conn.disconnect()
def test_simple(self):
"""
Test a simple LDAP bind using ldap2
"""
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
if os.path.isfile(pwfile):
with open(pwfile, "r") as fp:
dm_password = fp.read().rstrip()
else:
pytest.skip("No directory manager password in %s" % pwfile)
self.conn = ldap2(api)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')[0]
assert cert.serial_number is not None
def test_use(self, test_smb_svc):
"""
Try to use the service keytab to regenerate ipaNTHash value
"""
# Step 1. Extend objectclass to allow ipaNTHash attribute
# We cannot verify write access to objectclass
with use_keytab(test_smb_svc.name, self.keytabname) as conn:
entry = conn.get_entry(test_smb_svc.dn, ['objectclass'])
entry['objectclass'].extend(['ipaNTUserAttrs'])
try:
conn.update_entry(entry)
except errors.ACIError:
assert ('No correct ACI to the allow ipaNTUserAttrs '
'for SMB service' in "failure")
# Step 2. With ipaNTUserAttrs in place, we can ask to regenerate
# ipaNTHash value. We can also verify it is possible to write to
# ipaNTHash attribute while being an SMB service
with use_keytab(test_smb_svc.name, self.keytabname) as conn:
assert conn.can_write(test_smb_svc.dn, 'ipaNTHash') is True
entry = conn.get_entry(test_smb_svc.dn, ['ipaNTHash'])
entry['ipanthash'] = b'MagicRegen'
try:
conn.update_entry(entry)
except errors.ACIError:
assert ("No correct ACI to the ipaNTHash for SMB service"
in "failure")
except errors.EmptyResult:
assert "No arcfour-hmac in Kerberos keys" in "failure"
except errors.DatabaseError:
# Most likely ipaNTHash already existed -- we either get
# OPERATIONS_ERROR or UNWILLING_TO_PERFORM, both map to
# the same DatabaseError class.
assert "LDAP Entry corruption after generation" in "failure"
# Update succeeded, now we have either MagicRegen (broken) or
# a real NT hash in the entry. However, we can only retrieve it as
# a cn=Directory Manager. When bind_dn is None, ldap2.connect() wil
# default to cn=Directory Manager.
conn = ldap2(api)
conn.connect(bind_dn=None,
bind_pw=self.dm_password,
autobind=ipaldap.AUTOBIND_DISABLED)
entry = conn.retrieve(test_smb_svc.dn, ['ipaNTHash'])
ipanthash = entry.single_value.get('ipanthash')
conn.disconnect()
assert ipanthash is not b'MagicRegen', 'LDBM backend entry corruption'
def use_keytab(principal, keytab):
try:
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
ccache_file = 'FILE:%s/ccache' % tmpdir
krbcontext = krbV.default_context()
principal = str(principal)
keytab = krbV.Keytab(name=keytab, context=krbcontext)
principal = krbV.Principal(name=principal, context=krbcontext)
os.environ['KRB5CCNAME'] = ccache_file
ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
ccache.init(principal)
ccache.init_creds_keytab(keytab=keytab, principal=principal)
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri, base_dn=api.env.basedn)
conn.connect(ccache=ccache)
conn.disconnect()
except krbV.Krb5Error, e:
raise StandardError('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal.name, keytab, str(e)))
def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
installutils.realm_to_serverid(realm_name)
)
try:
conn = ldap2(api, ldap_uri=ldapuri)
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
except errors.ExecutionError as e:
root_logger.critical("Could not connect to the Directory Server "
"on %s" % realm_name)
raise e
entry_attrs = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs:
entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)]
conn.update_entry(entry_attrs)
conn.disconnect()
def __create_kra_agent(self):
"""
Create KRA agent, assign a certificate, and add the user to
the appropriate groups for accessing KRA services.
"""
# get ipaCert certificate
with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
cert_data = ipa_nssdb.get_cert("ipaCert")
cert = x509.load_certificate(cert_data, x509.DER)
# connect to KRA database
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
conn.connect(autobind=True)
# create ipakra user with ipaCert certificate
user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
entry = conn.make_entry(
user_dn,
objectClass=[
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'cmsuser'
],
uid=["ipakra"],
sn=["IPA KRA User"],
cn=["IPA KRA User"],
usertype=["undefined"],
userCertificate=[cert_data],
description=[
'2;%s;%s;%s' %
(cert.serial_number,
DN(('CN', 'Certificate Authority'),
self.subject_base), DN(
('CN', 'IPA RA'), self.subject_base))
])
conn.add_entry(entry)
# add ipakra user to Data Recovery Manager Agents group
group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
conn.disconnect()
def use_keytab(principal, keytab):
with private_ccache() as ccache_file:
try:
old_principal = getattr(context, 'principal', None)
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file, 'client_keytab': keytab}
gssapi.Credentials(name=name, usage='initiate', store=store)
conn = ldap2(api)
conn.connect(ccache=ccache_file,
autobind=ipaldap.AUTOBIND_DISABLED)
yield conn
conn.disconnect()
except gssapi.exceptions.GSSError as e:
raise Exception('Unable to bind to LDAP. Error initializing '
'principal %s in %s: %s' %
(principal, keytab, str(e)))
finally:
setattr(context, 'principal', old_principal)
def use_keytab(principal, keytab):
try:
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
ccache_file = 'FILE:%s/ccache' % tmpdir
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file,
'client_keytab': keytab}
os.environ['KRB5CCNAME'] = ccache_file
gssapi.Credentials(name=name, usage='initiate', store=store)
conn = ldap2(api)
conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
conn.disconnect()
except gssapi.exceptions.GSSError as e:
raise StandardError('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
finally:
os.environ.pop('KRB5CCNAME', None)
if tmpdir:
shutil.rmtree(tmpdir)
def use_keytab(principal, keytab):
try:
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
ccache_file = 'FILE:%s/ccache' % tmpdir
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file,
'client_keytab': keytab}
os.environ['KRB5CCNAME'] = ccache_file
gssapi.Credentials(name=name, usage='initiate', store=store)
conn = ldap2(api)
conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
conn.disconnect()
except gssapi.exceptions.GSSError as e:
raise Exception('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
finally:
os.environ.pop('KRB5CCNAME', None)
if tmpdir:
shutil.rmtree(tmpdir)
def test_simple(self):
"""
Test a simple LDAP bind using ldap2
"""
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
if ipautil.file_exists(pwfile):
fp = open(pwfile, "r")
dm_password = fp.read().rstrip()
fp.close()
else:
raise nose.SkipTest("No directory manager password in %s" % pwfile)
self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
def test_simple(self):
"""
Test a simple LDAP bind using ldap2
"""
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
if ipautil.file_exists(pwfile):
with open(pwfile, "r") as fp:
dm_password = fp.read().rstrip()
else:
raise nose.SkipTest("No directory manager password in %s" % pwfile)
self.conn = ldap2(api)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
cert = cert[0]
serial = x509.load_certificate(cert, x509.DER).serial_number
assert serial is not None
def wait_automember_rebuild():
"""Wait for an asynchronous automember rebuild to finish
Lookup the rebuild taskid and then loop until it is finished.
If no task is found assume that the task is already finished.
"""
if not have_ldap2:
raise unittest.SkipTest('server plugin not available')
ldap = ldap2(api)
ldap.connect()
# give the task a chance to start
time.sleep(1)
try:
task_entries, unused = ldap.find_entries(
base_dn=REBUILD_TASK_CONTAINER,
filter='(&(!(nstaskexitcode=0))(scope=*))')
except errors.NotFound:
# either it's done already or it never started
return
# we run these serially so there should be only one at a time
assert len(task_entries) == 1
task_dn = task_entries[0].dn
start_time = time.time()
while True:
try:
task = ldap.get_entry(task_dn)
except errors.NotFound:
# not likely but let's hope the task disappered because it's
# finished
break
if 'nstaskexitcode' in task:
# a non-zero exit code means something broke
assert task.single_value['nstaskexitcode'] == '0'
break
time.sleep(1)
# same arbitrary wait time as hardcoded in automember plugin
assert time.time() < (start_time + 60)
def __create_kra_agent(self):
"""
Create KRA agent, assign a certificate, and add the user to
the appropriate groups for accessing KRA services.
"""
# get ipaCert certificate
with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
cert_data = ipa_nssdb.get_cert("ipaCert")
cert = x509.load_certificate(cert_data, x509.DER)
# connect to KRA database
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % server_id
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
conn.connect(autobind=True)
# create ipakra user with ipaCert certificate
user_dn = DN(("uid", "ipakra"), ("ou", "people"), self.basedn)
entry = conn.make_entry(
user_dn,
objectClass=["top", "person", "organizationalPerson", "inetOrgPerson", "cmsuser"],
uid=["ipakra"],
sn=["IPA KRA User"],
cn=["IPA KRA User"],
usertype=["undefined"],
userCertificate=[cert_data],
description=[
"2;%s;%s;%s"
% (
cert.serial_number,
DN(("CN", "Certificate Authority"), self.subject_base),
DN(("CN", "IPA RA"), self.subject_base),
)
],
)
conn.add_entry(entry)
# add ipakra user to Data Recovery Manager Agents group
group_dn = DN(("cn", "Data Recovery Manager Agents"), ("ou", "groups"), self.basedn)
conn.add_entry_to_group(user_dn, group_dn, "uniqueMember")
conn.disconnect()
def test_topologyplugin(self):
pluginattrs = {
u'nsslapd-pluginPath': [u'libtopology'],
u'nsslapd-pluginVendor': [u'freeipa'],
u'cn': [u'IPA Topology Configuration'],
u'nsslapd-plugin-depends-on-named':
[u'Multimaster Replication Plugin', u'ldbm database'],
u'nsslapd-topo-plugin-shared-replica-root': [u'dc=example,dc=com'],
u'nsslapd-pluginVersion': [u'1.0'],
u'nsslapd-topo-plugin-shared-config-base':
[u'cn=ipa,cn=etc,dc=example,dc=com'],
u'nsslapd-pluginDescription': [u'ipa-topology-plugin'],
u'nsslapd-pluginEnabled': [u'on'],
u'nsslapd-pluginId': [u'ipa-topology-plugin'],
u'objectClass': [u'top', u'nsSlapdPlugin', u'extensibleObject'],
u'nsslapd-topo-plugin-startup-delay': [u'20'],
u'nsslapd-topo-plugin-shared-binddngroup':
[u'cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com'],
u'nsslapd-pluginType': [u'object'],
u'nsslapd-pluginInitfunc': [u'ipa_topo_init']
}
variable_attrs = {u'nsslapd-topo-plugin-shared-replica-root',
u'nsslapd-topo-plugin-shared-config-base',
u'nsslapd-topo-plugin-shared-binddngroup'}
# Now eliminate keys that have domain-dependent values.
checkvalues = set(pluginattrs.keys()) - variable_attrs
topoplugindn = DN(('cn', 'IPA Topology Configuration'),
('cn', 'plugins'),
('cn', 'config'))
pwfile = os.path.join(api.env.dot_ipa, ".dmpw")
if ipautil.file_exists(pwfile):
with open(pwfile, "r") as f:
dm_password = f.read().rstrip()
else:
raise nose.SkipTest("No directory manager password in %s" % pwfile)
self.conn = ldap2(api)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
entry = self.conn.get_entry(topoplugindn)
assert(set(entry.keys()) == set(pluginattrs.keys()))
for i in checkvalues:
assert(pluginattrs[i] == entry[i])
def ldap_connect(self):
conn = ldap2(api)
password = self.options.password
if not password:
try:
conn.connect()
except (gssapi.exceptions.GSSError, errors.ACIError):
pass
else:
return conn
password = installutils.read_password(
"Directory Manager", confirm=False, validate=False)
if password is None:
raise admintool.ScriptError(
"Directory Manager password required")
conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
return conn
def set_automember_process_modify_ops(value):
"""Configure the auto member plugin to process modifyOps
Set the value for the attribute autoMemberProcessModifyOps of the entry
cn=Auto Membership Plugin,cn=plugins,cn=config.
:param value: can be either on or off
"""
if not have_ldap2:
raise unittest.SkipTest('server plugin not available')
ldap = ldap2(api)
ldap.connect()
plugin_entry = ldap.get_entry(
DN("cn=Auto Membership Plugin,cn=plugins,cn=config"))
plugin_entry['autoMemberProcessModifyOps'] = value
try:
ldap.update_entry(plugin_entry)
except errors.EmptyModlist:
pass
# Requires a 389-ds restart
dashed_domain = api.env.realm.replace(".", "-")
cmd = ['systemctl', 'restart', 'dirsrv@{}'.format(dashed_domain)]
run(cmd)
def ldap_connect(self):
conn = ldap2()
password = self.options.password
if not password:
try:
ccache = krbV.default_context().default_ccache()
conn.connect(ccache=ccache)
except (krbV.Krb5Error, errors.ACIError):
pass
else:
return conn
password = installutils.read_password(
"Directory Manager", confirm=False, validate=False)
if password is None:
raise admintool.ScriptError(
"Directory Manager password required")
conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
return conn
def __create_kra_agent(self):
"""
Create KRA agent, assign a certificate, and add the user to
the appropriate groups for accessing KRA services.
"""
# get RA agent certificate
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
cert_data = cert.public_bytes(x509.Encoding.DER)
# connect to KRA database
conn = ldap2.ldap2(api)
conn.connect(autobind=True)
# create ipakra user with RA agent certificate
user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
entry = conn.make_entry(
user_dn,
objectClass=[
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'cmsuser'
],
uid=["ipakra"],
sn=["IPA KRA User"],
cn=["IPA KRA User"],
usertype=["undefined"],
userCertificate=[cert_data],
description=[
'2;%s;%s;%s' % (cert.serial_number, DN(
self.subject), DN(('CN', 'IPA RA'), self.subject_base))
])
conn.add_entry(entry)
# add ipakra user to Data Recovery Manager Agents group
group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
conn.disconnect()
def set_automember_process_modify_ops(value):
"""Configure the auto member plugin to process modifyOps
Set the value for the attribute autoMemberProcessModifyOps of the entry
cn=Auto Membership Plugin,cn=plugins,cn=config.
:param value: can be either on or off
"""
if not have_ldap2:
raise unittest.SkipTest('server plugin not available')
ldap = ldap2(api)
ldap.connect()
plugin_entry = ldap.get_entry(
DN("cn=Auto Membership Plugin,cn=plugins,cn=config"))
plugin_entry['autoMemberProcessModifyOps'] = value
try:
ldap.update_entry(plugin_entry)
except errors.EmptyModlist:
pass
# Requires a 389-ds restart
dashed_domain = api.env.realm.replace(".", "-")
cmd = ['systemctl', 'restart', 'dirsrv@{}'.format(dashed_domain)]
run(cmd)
