def configure(self, opts, changes): if opts['form'] != 'yes': return confopts = { 'instanceurl': opts['instanceurl'], 'service': opts['form_service'] } tmpl = Template(CONF_TEMPLATE) hunk = tmpl.substitute(**confopts) with open(opts['httpd_conf'], 'a') as httpd_conf: httpd_conf.write(hunk) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'form' po.wipe_data() po.wipe_config_values() # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # for selinux enabled platforms, ignore if it fails just report try: subprocess.call( ['/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on']) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['openid'] != 'yes': return proto = 'https' if opts['secure'].lower() == 'no': proto = 'http' url = '%s://%s%s/openid/' % (proto, opts['hostname'], opts['instanceurl']) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'openid' po.wipe_data() po.wipe_config_values() config = { 'endpoint url': url, 'identity url template': '%sid/%%(username)s' % url, 'database url': opts['openid_dburi'] or opts['database_url'] % { 'datadir': opts['data_dir'], 'dbname': 'openid' }, 'enabled extensions': opts['openid_extensions'] } po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['form'] != 'yes': return confopts = {'instance': opts['instance'], 'service': opts['form_service']} tmpl = Template(CONF_TEMPLATE) hunk = tmpl.substitute(**confopts) with open(opts['httpd_conf'], 'a') as httpd_conf: httpd_conf.write(hunk) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'form' po.wipe_data() po.wipe_config_values() # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # for selinux enabled platforms, ignore if it fails just report try: subprocess.call(['/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on']) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['openid'] != 'yes': return proto = 'https' if opts['secure'].lower() == 'no': proto = 'http' url = '%s://%s/%s/openid/' % ( proto, opts['hostname'], opts['instance']) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'openid' po.wipe_data() po.wipe_config_values() config = {'endpoint url': url, 'identity url template': '%sid/%%(username)s' % url, 'database url': opts['openid_dburi'] or opts['database_url'] % { 'datadir': opts['data_dir'], 'dbname': 'openid'}, 'enabled extensions': opts['openid_extensions']} po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['saml2'] != 'yes': return # Check storage path is present or create it path = os.path.join(opts['data_dir'], 'saml2') if not os.path.exists(path): os.makedirs(path, 0o700) # Use the same cert for signing and ecnryption for now cert = Certificate(path) cert.generate('idp', opts['hostname']) # Generate Idp Metadata proto = 'https' if opts['secure'].lower() == 'no': proto = 'http' url = '%s://%s%s' % (proto, opts['hostname'], opts['instanceurl']) validity = int(opts['saml2_metadata_validity']) meta = IdpMetadataGenerator(url, cert, timedelta(validity)) if 'gssapi' in opts and opts['gssapi'] == 'yes': meta.meta.add_allowed_name_format( lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS) meta.output(os.path.join(path, 'metadata.xml')) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'saml2' po.wipe_data() po.wipe_config_values() config = { 'idp storage path': path, 'idp metadata file': 'metadata.xml', 'idp certificate file': cert.cert, 'idp key file': cert.key, 'idp nameid salt': uuid.uuid4().hex, 'idp metadata validity': opts['saml2_metadata_validity'], 'session database url': opts['saml2_session_dburl'] or opts['database_url'] % { 'datadir': opts['data_dir'], 'dbname': 'saml2.sessions.db' } } po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # Fixup permissions so only the ipsilon user can read these files files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes): if opts['fas'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'fas' po.wipe_data() po.wipe_config_values() # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['testauth'] != 'yes': return logging.debug(self.pargs) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'testauth' po.wipe_data() # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['info_nss'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'nss' po.wipe_data() po.wipe_config_values() # Update global config to add info plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['saml2'] != 'yes': return # Check storage path is present or create it path = os.path.join(opts['data_dir'], 'saml2') if not os.path.exists(path): os.makedirs(path, 0700) # Use the same cert for signing and ecnryption for now cert = Certificate(path) cert.generate('idp', opts['hostname']) # Generate Idp Metadata proto = 'https' if opts['secure'].lower() == 'no': proto = 'http' url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance']) validity = int(opts['saml2_metadata_validity']) meta = IdpMetadataGenerator(url, cert, timedelta(validity)) if 'gssapi' in opts and opts['gssapi'] == 'yes': meta.meta.add_allowed_name_format( lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS) meta.output(os.path.join(path, 'metadata.xml')) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'saml2' po.wipe_data() po.wipe_config_values() config = {'idp storage path': path, 'idp metadata file': 'metadata.xml', 'idp certificate file': cert.cert, 'idp key file': cert.key, 'idp nameid salt': uuid.uuid4().hex, 'idp metadata validity': opts['saml2_metadata_validity'], 'session database url': opts['saml2_session_dburl'] or opts['database_url'] % { 'datadir': opts['data_dir'], 'dbname': 'saml2.sessions.db'}} po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # Fixup permissions so only the ipsilon user can read these files files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes): if opts["openidc"] != "yes": return path = os.path.join(opts["data_dir"], "openidc") if not os.path.exists(path): os.makedirs(path, 0700) keyfile = os.path.join(path, "openidc.key") keyid = int(time.time()) keyset = JWKSet() # We generate one RSA2048 signing key rsasig = JWK(generate="RSA", size=2048, use="sig", kid="%s-sig" % keyid) keyset.add(rsasig) # We generate one RSA2048 encryption key rsasig = JWK(generate="RSA", size=2048, use="enc", kid="%s-enc" % keyid) keyset.add(rsasig) with open(keyfile, "w") as m: m.write(keyset.export()) proto = "https" url = "%s://%s/%s/openidc/" % (proto, opts["hostname"], opts["instance"]) subject_salt = uuid.uuid4().hex if opts["openidc_subject_salt"]: subject_salt = opts["openidc_subject_salt"] # Add configuration data to database po = PluginObject(*self.pargs) po.name = "openidc" po.wipe_data() po.wipe_config_values() config = { "endpoint url": url, "database url": opts["openidc_dburi"] or opts["database_url"] % {"datadir": opts["data_dir"], "dbname": "openidc"}, "enabled extensions": opts["openidc_extensions"], "idp key file": keyfile, "idp sig key id": "%s-sig" % keyid, "idp subject salt": subject_salt, } po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['info_ldap'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'ldap' po.wipe_data() po.wipe_config_values() config = dict() if 'info_ldap_server_url' in opts: config['server url'] = opts['info_ldap_server_url'] elif 'ldap_server_url' in opts: config['server url'] = opts['ldap_server_url'] if 'info_ldap_bind_dn' in opts: config['bind dn'] = opts['info_ldap_bind_dn'] if 'info_ldap_bind_pwd' in opts: config['bind password'] = opts['info_ldap_bind_pwd'] if 'info_ldap_user_dn_template' in opts: config['user dn template'] = opts['info_ldap_user_dn_template'] elif 'ldap_bind_dn_template' in opts: config['user dn template'] = opts['ldap_bind_dn_template'] if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']: config['tls'] = opts['info_ldap_tls_level'] elif 'ldap_tls_level' in opts and opts['ldap_tls_level']: config['tls'] = opts['ldap_tls_level'] else: config['tls'] = 'Demand' if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']: config['base dn'] = opts['info_ldap_base_dn'] elif 'ldap_base_dn' in opts and opts['ldap_base_dn']: config['base dn'] = opts['ldap_base_dn'] po.save_plugin_config(config) # Update global config to add info plugin po.is_enabled = True po.save_enabled_state() # For selinux enabled platforms permit httpd to connect to ldap, # ignore if it fails try: subprocess.call(['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on']) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['info_ldap'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'ldap' po.wipe_data() po.wipe_config_values() config = dict() if 'info_ldap_server_url' in opts: config['server url'] = opts['info_ldap_server_url'] elif 'ldap_server_url' in opts: config['server url'] = opts['ldap_server_url'] if 'info_ldap_bind_dn' in opts: config['bind dn'] = opts['info_ldap_bind_dn'] if 'info_ldap_bind_pwd' in opts: config['bind password'] = opts['info_ldap_bind_pwd'] if 'info_ldap_user_dn_template' in opts: config['user dn template'] = opts['info_ldap_user_dn_template'] elif 'ldap_bind_dn_template' in opts: config['user dn template'] = opts['ldap_bind_dn_template'] if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']: config['tls'] = opts['info_ldap_tls_level'] elif 'ldap_tls_level' in opts and opts['ldap_tls_level']: config['tls'] = opts['ldap_tls_level'] else: config['tls'] = 'Demand' if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']: config['base dn'] = opts['info_ldap_base_dn'] elif 'ldap_base_dn' in opts and opts['ldap_base_dn']: config['base dn'] = opts['ldap_base_dn'] po.save_plugin_config(config) # Update global config to add info plugin po.is_enabled = True po.save_enabled_state() # For selinux enabled platforms permit httpd to connect to ldap, # ignore if it fails try: subprocess.call( ['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on']) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['authz_spgroup'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'spgroup' po.wipe_data() po.wipe_config_values() config = dict() if 'authz_spgroup_prefix' in opts: config['prefix'] = opts['authz_spgroup_prefix'] if 'authz_spgroup_suffix' in opts: config['suffix'] = opts['authz_spgroup_suffix'] po.save_plugin_config(config) # Update global config to add spgroup plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['persona'] != 'yes': return # Check storage path is present or create it path = os.path.join(opts['data_dir'], 'persona') if not os.path.exists(path): os.makedirs(path, 0o700) keyfile = os.path.join(path, 'persona.key') exponent = 0x10001 key = M2Crypto.RSA.gen_key(2048, exponent) key.save_key(keyfile, cipher=None) key_n = 0 for c in key.n[4:]: key_n = (key_n*256) + ord(c) wellknown = dict() wellknown['authentication'] = ('%s/persona/SignIn/' % opts['instanceurl']) wellknown['provisioning'] = '%s/persona/' % opts['instanceurl'] wellknown['public-key'] = {'algorithm': 'RS', 'e': str(exponent), 'n': str(key_n)} with open(os.path.join(opts['wellknown_dir'], 'browserid'), 'w') as f: f.write(json.dumps(wellknown)) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'persona' po.wipe_data() po.wipe_config_values() config = {'issuer domain': opts['hostname'], 'idp key file': keyfile, 'allowed domains': opts['hostname']} po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # Fixup permissions so only the ipsilon user can read these files files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes): if opts['info_fas'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'fas' po.wipe_data() po.wipe_config_values() config = dict() if 'info_fas_bind_username' in opts: config['Bind Username'] = opts['info_fas_bind_username'] if 'info_fas_bind_password' in opts: config['Bind Password'] = opts['info_fas_bind_password'] po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['persona'] != 'yes': return # Check storage path is present or create it path = os.path.join(opts['data_dir'], 'persona') if not os.path.exists(path): os.makedirs(path, 0700) keyfile = os.path.join(path, 'persona.key') exponent = 0x10001 key = M2Crypto.RSA.gen_key(2048, exponent) key.save_key(keyfile, cipher=None) key_n = 0 for c in key.n[4:]: key_n = (key_n*256) + ord(c) wellknown = dict() wellknown['authentication'] = '/%s/persona/SignIn/' % opts['instance'] wellknown['provisioning'] = '/%s/persona/' % opts['instance'] wellknown['public-key'] = {'algorithm': 'RS', 'e': str(exponent), 'n': str(key_n)} with open(os.path.join(opts['wellknown_dir'], 'browserid'), 'w') as f: f.write(json.dumps(wellknown)) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'persona' po.wipe_data() po.wipe_config_values() config = {'issuer domain': opts['hostname'], 'idp key file': keyfile, 'allowed domains': opts['hostname']} po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # Fixup permissions so only the ipsilon user can read these files files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes): if opts['testauth'] != 'yes': return logging.debug(self.pargs) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'testauth' po.wipe_data() po.wipe_config_values() config = dict() if opts['testauth_groups'] is not None: cherrypy.log( 'testauth_groups is %s (%s)' % (opts['testauth_groups'], type(opts['testauth_groups']))) config['groups'] = opts['testauth_groups'] po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['pam'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'pam' po.wipe_data() po.wipe_config_values() config = {'service name': opts['pam_service']} po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # for selinux enabled platforms, ignore if it fails just report try: subprocess.call(['/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on', 'httpd_tmp_exec=on']) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['pam'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'pam' po.wipe_data() po.wipe_config_values() config = {'service name': opts['pam_service']} po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # for selinux enabled platforms, ignore if it fails just report try: subprocess.call([ '/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on', 'httpd_tmp_exec=on' ]) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['info_sssd'] != 'yes': return configured = 0 try: sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() except Exception as e: # pylint: disable=broad-except # Unable to read existing SSSD config so it is probably not # configured. logging.info('Loading SSSD config failed: %s', e) return False if not opts['info_sssd_domain']: domains = sssdconfig.list_domains() else: domains = opts['info_sssd_domain'] changes['domains'] = {} for domain in domains: changes['domains'][domain] = {} try: sssd_domain = sssdconfig.get_domain(domain) except SSSDConfig.NoDomainError: logging.info('No SSSD domain %s', domain) continue else: try: changes['domains'][domain] = { 'ldap_user_extra_attrs': # noqa (pep8 E126) sssd_domain.get_option('ldap_user_extra_attrs') } except SSSDConfig.NoOptionError: pass sssd_domain.set_option('ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)) sssdconfig.save_domain(sssd_domain) configured += 1 logging.info("Configured SSSD domain %s", domain) if configured == 0: logging.info('No SSSD domains configured') return False changes['ifp'] = {} try: sssdconfig.new_service('ifp') changes['ifp']['new'] = True except SSSDConfig.ServiceAlreadyExists: changes['ifp']['new'] = False sssdconfig.activate_service('ifp') ifp = sssdconfig.get_service('ifp') if not changes['ifp']['new']: try: changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids') except SSSDConfig.NoOptionError: pass try: changes['ifp']['user_attributes'] = ifp.get_option( 'user_attributes') except SSSDConfig.NoOptionError: pass ifp.set_option('allowed_uids', 'ipsilon, root') ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS)) sssdconfig.save_service(ifp) sssdconfig.write(SSSD_CONF) # for selinux enabled platforms, ignore if it fails just report try: subprocess.call( ['/usr/sbin/setsebool', '-P', 'httpd_dbus_sssd=on']) except Exception: # pylint: disable=broad-except pass try: subprocess.call(['/sbin/service', 'sssd', 'restart']) except Exception: # pylint: disable=broad-except pass # Give SSSD a chance to restart time.sleep(5) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'sssd' po.wipe_data() po.wipe_config_values() config = {'preconfigured': 'True'} po.save_plugin_config(config) # Update global config to add info plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts['openidc'] != 'yes': return path = os.path.join(opts['data_dir'], 'openidc') if not os.path.exists(path): os.makedirs(path, 0o700) keyfile = os.path.join(path, 'openidc.key') keyid = int(time.time()) keyset = JWKSet() # We generate one RSA2048 signing key rsasig = JWK(generate='RSA', size=2048, use='sig', kid='%s-sig' % keyid) keyset.add(rsasig) # We generate one RSA2048 encryption key rsasig = JWK(generate='RSA', size=2048, use='enc', kid='%s-enc' % keyid) keyset.add(rsasig) with open(keyfile, 'w') as m: m.write(keyset.export()) proto = 'https' url = '%s://%s%s/openidc/' % (proto, opts['hostname'], opts['instanceurl']) subject_salt = uuid.uuid4().hex if opts['openidc_subject_salt']: subject_salt = opts['openidc_subject_salt'] # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'openidc' po.wipe_data() po.wipe_config_values() config = { 'endpoint url': url, 'database url': opts['openidc_dburi'] or opts['database_url'] % { 'datadir': opts['data_dir'], 'dbname': 'openidc' }, 'static database url': opts['openidc_static_dburi'] or opts['database_url'] % { 'datadir': opts['data_dir'], 'dbname': 'openidc.static' }, 'enabled extensions': opts['openidc_extensions'], 'idp key file': keyfile, 'idp sig key id': '%s-sig' % keyid, 'idp subject salt': subject_salt } po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state()
def configure(self, opts, changes): if opts["ldap"] != "yes": return # Add configuration data to database po = PluginObject(*self.pargs) po.name = "ldap" po.wipe_data() po.wipe_config_values() config = dict() if "ldap_server_url" in opts: config["server url"] = opts["ldap_server_url"] else: logging.error("LDAP Server URL is required") return False if "ldap_bind_dn_template" in opts: try: opts["ldap_bind_dn_template"] % {"username": "******"} except KeyError: logging.error("Bind DN template does not contain %(username)s") return False except ValueError as e: logging.error("Invalid syntax in Bind DN template: %s ", e) return False config["bind dn template"] = opts["ldap_bind_dn_template"] if "ldap_tls_level" in opts and opts["ldap_tls_level"] is not None: config["tls"] = opts["ldap_tls_level"] else: config["tls"] = "Demand" if "ldap_base_dn" in opts and opts["ldap_base_dn"] is not None: config["base dn"] = opts["ldap_base_dn"] test_dn = config["base dn"] else: # default set in the config object test_dn = "dc=example,dc=com" # Test the LDAP connection anonymously try: lh = ldap_connect(config["server url"], config["tls"]) lh.simple_bind_s("", "") lh.search_s(test_dn, ldap.SCOPE_BASE, attrlist=["objectclasses"]) except ldap.INSUFFICIENT_ACCESS: logging.warn("Anonymous access not allowed, continuing") except ldap.UNWILLING_TO_PERFORM: # probably minSSF issue logging.warn("LDAP server unwilling to perform, expect issues") except ldap.SERVER_DOWN: logging.warn("LDAP server is down") except ldap.NO_SUCH_OBJECT: logging.error("Base DN not found") return False except ldap.LDAPError as e: logging.error(e) return False po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # For selinux enabled platforms permit httpd to connect to ldap, # ignore if it fails try: subprocess.call(["/usr/sbin/setsebool", "-P", "httpd_can_connect_ldap=on"]) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['ldap'] != 'yes': return # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'ldap' po.wipe_data() po.wipe_config_values() config = dict() if 'ldap_server_url' in opts: config['server url'] = opts['ldap_server_url'] else: logging.error('LDAP Server URL is required') return False if 'ldap_bind_dn_template' in opts: try: opts['ldap_bind_dn_template'] % {'username': '******'} except KeyError: logging.error('Bind DN template does not contain %(username)s') return False except ValueError as e: logging.error('Invalid syntax in Bind DN template: %s ', e) return False config['bind dn template'] = opts['ldap_bind_dn_template'] if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None: config['tls'] = opts['ldap_tls_level'] else: config['tls'] = 'Demand' if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None: config['base dn'] = opts['ldap_base_dn'] test_dn = config['base dn'] else: # default set in the config object test_dn = 'dc=example,dc=com' # Test the LDAP connection anonymously try: lh = ldap_connect(config['server url'], config['tls']) lh.simple_bind_s('', '') lh.search_s(test_dn, ldap.SCOPE_BASE, attrlist=['objectclasses']) except ldap.INSUFFICIENT_ACCESS: logging.warn('Anonymous access not allowed, continuing') except ldap.UNWILLING_TO_PERFORM: # probably minSSF issue logging.warn('LDAP server unwilling to perform, expect issues') except ldap.SERVER_DOWN: logging.warn('LDAP server is down') except ldap.NO_SUCH_OBJECT: logging.error('Base DN not found') return False except ldap.LDAPError as e: logging.error(e) return False po.save_plugin_config(config) # Update global config to add login plugin po.is_enabled = True po.save_enabled_state() # For selinux enabled platforms permit httpd to connect to ldap, # ignore if it fails try: subprocess.call( ['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on']) except Exception: # pylint: disable=broad-except pass
def configure(self, opts, changes): if opts['info_sssd'] != 'yes': return configured = 0 confopts = {'instance': opts['instance']} tmpl = Template(CONF_TEMPLATE) hunk = tmpl.substitute(**confopts) with open(opts['httpd_conf'], 'a') as httpd_conf: httpd_conf.write(hunk) try: sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() except Exception as e: # pylint: disable=broad-except # Unable to read existing SSSD config so it is probably not # configured. logging.info('Loading SSSD config failed: %s', e) return False if not opts['info_sssd_domain']: domains = sssdconfig.list_domains() else: domains = opts['info_sssd_domain'] changes['domains'] = {} for domain in domains: changes['domains'][domain] = {} try: sssd_domain = sssdconfig.get_domain(domain) except SSSDConfig.NoDomainError: logging.info('No SSSD domain %s', domain) continue else: try: changes['domains'][domain] = { 'ldap_user_extra_attrs': sssd_domain.get_option('ldap_user_extra_attrs')} except SSSDConfig.NoOptionError: pass sssd_domain.set_option( 'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS) ) sssdconfig.save_domain(sssd_domain) configured += 1 logging.info("Configured SSSD domain %s", domain) if configured == 0: logging.info('No SSSD domains configured') return False changes['ifp'] = {} try: sssdconfig.new_service('ifp') changes['ifp']['new'] = True except SSSDConfig.ServiceAlreadyExists: changes['ifp']['new'] = False sssdconfig.activate_service('ifp') ifp = sssdconfig.get_service('ifp') if not changes['ifp']['new']: try: changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids') except SSSDConfig.NoOptionError: pass try: changes['ifp']['user_attributes'] = ifp.get_option( 'user_attributes') except SSSDConfig.NoOptionError: pass ifp.set_option('allowed_uids', 'apache, root') ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS)) sssdconfig.save_service(ifp) sssdconfig.write(SSSD_CONF) # for selinux enabled platforms, ignore if it fails just report try: subprocess.call(['/usr/sbin/setsebool', '-P', 'httpd_dbus_sssd=on']) except Exception: # pylint: disable=broad-except pass try: subprocess.call(['/sbin/service', 'sssd', 'restart']) except Exception: # pylint: disable=broad-except pass # Give SSSD a chance to restart time.sleep(5) # Add configuration data to database po = PluginObject(*self.pargs) po.name = 'sssd' po.wipe_data() po.wipe_config_values() config = {'preconfigured': 'True'} po.save_plugin_config(config) # Update global config to add info plugin po.is_enabled = True po.save_enabled_state()