websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
contrib/RHEL4/Makefile.am Normal file
View File

@@ -0,0 +1,13 @@
NULL =
sbin_SCRIPTS = \
ipa-client-setup \
$(NULL)
EXTRA_DIST = \
$(sbin_SCRIPTS) \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in

55
contrib/RHEL4/configure.ac Normal file
View File

@@ -0,0 +1,55 @@
AC_PREREQ(2.59)
AC_INIT([ipa-client],
[0.99.0],
[http://www.freeipa.org/])
AM_INIT_AUTOMAKE([foreign])
AC_SUBST(VERSION)
dnl ---------------------------------------------------------------------------
dnl - Check for Python
dnl ---------------------------------------------------------------------------
AC_MSG_NOTICE([Checking for Python])
have_python=no
AM_PATH_PYTHON([2.3])
if test "x$PYTHON" = "x" ; then
AC_MSG_ERROR([Python not found])
fi
dnl ---------------------------------------------------------------------------
dnl - Set the data install directory since we don't use pkgdatadir
dnl ---------------------------------------------------------------------------
IPA_DATA_DIR="$datadir/ipa"
AC_SUBST(IPA_DATA_DIR)
dnl ---------------------------------------------------------------------------
dnl Finish
dnl ---------------------------------------------------------------------------
# Files
AC_CONFIG_FILES([
Makefile
])
AC_OUTPUT
echo "
IPA client $VERSION
========================
prefix: ${prefix}
exec_prefix: ${exec_prefix}
libdir: ${libdir}
bindir: ${bindir}
sbindir: ${sbindir}
sysconfdir: ${sysconfdir}
localstatedir: ${localstatedir}
datadir: ${datadir}
source code location: ${srcdir}
Maintainer mode: ${USE_MAINTAINER_MODE}
"

356
contrib/RHEL4/ipa-client-setup Normal file
View File

@@ -0,0 +1,356 @@
#! /usr/bin/python -E
# Authors: Simo Sorce <ssorce@redhat.com>
# Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
VERSION = "%prog .1"
import sys
import os
import string
import shutil
import socket
from ipapython.ipa_log_manager import *
from optparse import OptionParser
import ipachangeconf
import ldap
from ldap import LDAPError
from ipapython.dn import DN
class ipaserver:
def __init__(self, server):
self.server = server
self.realm = None
self.domain = None
self.basedn = None
def getServerName(self):
return str(self.server)
def getDomainName(self):
return str(self.domain)
def getRealmName(self):
return str(self.realm)
def getBaseDN(self):
return str(self.basedn)
def check(self):
lret = []
lres = []
lattr = ""
linfo = ""
lrealms = []
i = 0
#now verify the server is really an IPA server
try:
root_logger.debug("Init ldap with: ldap://"+self.server+":389")
lh = ldap.initialize("ldap://"+self.server+":389")
lh.simple_bind_s("","")
root_logger.debug("Search rootdse")
lret = lh.search_s("", ldap.SCOPE_BASE, "(objectClass=*)")
for lattr in lret[0][1]:
if lattr.lower() == "namingcontexts":
self.basedn = lret[0][1][lattr][0]
root_logger.debug("Search for (info=*) in "+self.basedn+"(base)")
lret = lh.search_s(self.basedn, ldap.SCOPE_BASE, "(info=IPA*)")
if not lret:
return False
root_logger.debug("Found: "+str(lret))
for lattr in lret[0][1]:
if lattr.lower() == "info":
linfo = lret[0][1][lattr][0].lower()
break
if not linfo:
return False
#search and return known realms
root_logger.debug("Search for (objectClass=krbRealmContainer) in "+self.basedn+"(sub)")
lret = lh.search_s(str(DN(('cn', 'kerberos'), self.basedn)),
ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)")
if not lret:
#something very wrong
return False
root_logger.debug("Found: "+str(lret))
for lres in lret:
for lattr in lres[1]:
if lattr.lower() == "cn":
lrealms.append(lres[1][lattr][0])
if len(lrealms) != 1:
#which one? we can't attach to a multi-realm server without DNS working
return False
else:
self.realm = lrealms[0]
self.domain = lrealms[0].lower()
return True
except LDAPError, err:
#no good
root_logger.error("Ldap Error: "+str(err))
return False
ntp_conf = """# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server $SERVER
#broadcast 192.168.1.255 key 42 # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 key 42 # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 key 42 # manycast client
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
"""
ntp_sysconfig = """# Drop root to id 'ntp:ntp' by default.
OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid"
# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=yes
# Additional options for ntpdate
NTPDATE_OPTIONS=""
"""
def config_ntp(server_fqdn):
nc = string.replace(ntp_conf, "$SERVER", server_fqdn)
shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
fd = open("/etc/ntp.conf", "w")
fd.write(nc)
fd.close()
shutil.copy("/etc/sysconfig/ntpd", "/etc/sysconfig/ntpd.ipasave")
fd = open("/etc/sysconfig/ntpd", "w")
fd.write(ntp_sysconfig)
fd.close()
# Set the ntpd to start on boot
os.system("/sbin/chkconfig ntpd on")
# Restart ntpd
os.system("/sbin/service ntpd restart")
def parse_options():
parser = OptionParser(version=VERSION)
parser.add_option("--server", dest="server", help="IPA server")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("-U", "--unattended", dest="unattended",
action="store_true",
help="unattended installation never prompts the user")
parser.add_option("-N", "--no-ntp", action="store_false",
help="do not configure ntp", default=True, dest="conf_ntp")
options, args = parser.parse_args()
if not options.server:
parser.error("must provide an IPA server name with --server")
return options
def ask_for_confirmation(message):
yesno = raw_input(message + " [y/N]: ")
if not yesno or yesno.lower()[0] != "y":
return False
print "\n"
return True
def logging_setup(options):
standard_logging_setup('ipaclient-install.log', debug=options.debug)
def main():
options = parse_options()
logging_setup(options)
dnsok = True
ipasrv = ipaserver(options.server)
ret = ipasrv.check()
if ret == False:
print "Failed to verify that ["+options.server+"] is an IPA Server, aborting!"
return -1
print "IPA Server verified."
print "Realm: "+ipasrv.getRealmName()
print "DNS Domain: "+ipasrv.getDomainName()
print "IPA Server: "+ipasrv.getServerName()
print "BaseDN: "+ipasrv.getBaseDN()
print "\n"
if not options.unattended and not ask_for_confirmation("Continue to configure the system with these values?"):
return 1
# Configure ipa.conf
ipaconf = ipachangeconf.IPAChangeConf("IPA Installer")
ipaconf.setOptionAssignment(" = ")
ipaconf.setSectionNameDelimiters(("[","]"))
opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
{'name':'empty', 'type':'empty'}]
#[global]
defopts = [{'name':'xmlrpc_uri', 'type':'option', 'value':'https://%s/ipa/xml' % ipasrv.getServerName()},
{'name':'realm', 'type':'option', 'value':ipasrv.getRealmName()}]
opts.append({'name':'global', 'type':'section', 'value':defopts})
opts.append({'name':'empty', 'type':'empty'})
ipaconf.newConf("/etc/ipa/default.conf", opts)
# Configure ldap.conf
ldapconf = ipachangeconf.IPAChangeConf("IPA Installer")
ldapconf.setOptionAssignment(" ")
opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
{'name':'empty', 'type':'empty'},
{'name':'ldap_version', 'type':'option', 'value':'3'},
{'name':'base', 'type':'option', 'value':ipasrv.getBaseDN()},
{'name':'empty', 'type':'empty'},
{'name':'nss_base_passwd', 'type':'option', 'value':str(DN(('cn', 'users'), ('cn', 'accounts'), ipasrv.getBaseDN()))+'?sub'},
{'name':'nss_base_group', 'type':'option', 'value':str(DN(('cn', 'users'), ('cn', 'accounts'), ipasrv.getBaseDN()))+'?sub'},
{'name':'nss_schema', 'type':'option', 'value':'rfc2307bis'},
{'name':'nss_map_attribute', 'type':'option', 'value':'uniqueMember member'},
{'name':'nss_initgroups_ignoreusers', 'type':'option', 'value':'root,dirsrv'},
{'name':'empty', 'type':'empty'},
{'name':'nss_reconnect_maxsleeptime', 'type':'option', 'value':'8'},
{'name':'nss_reconnect_sleeptime', 'type':'option', 'value':'1'},
{'name':'bind_timelimit', 'type':'option', 'value':'5'},
{'name':'timelimit', 'type':'option', 'value':'15'},
{'name':'empty', 'type':'empty'},
{'name':'uri', 'type':'option', 'value':'ldap://'+ipasrv.getServerName()},
{'name':'empty', 'type':'empty'}]
try:
ldapconf.newConf("/etc/ldap.conf", opts)
except Exception, e:
print "Configuration failed: " + str(e)
return 1
if not "" == ipasrv.getRealmName():
#Configure krb5.conf
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment(" = ")
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
krbconf.setIndent((""," "," "))
opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
{'name':'empty', 'type':'empty'}]
#[libdefaults]
libopts = [{'name':'default_realm', 'type':'option', 'value':ipasrv.getRealmName()}]
libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
opts.append({'name':'empty', 'type':'empty'})
#[realms]
kropts =[{'name':'kdc', 'type':'option', 'value':ipasrv.getServerName()+':88'},
{'name':'master_kdc', 'type':'option', 'value':ipasrv.getServerName()+':88'},
{'name':'admin_server', 'type':'option', 'value':ipasrv.getServerName()+':749'},
{'name':'default_domain', 'type':'option', 'value':ipasrv.getDomainName()}]
ropts = [{'name':ipasrv.getRealmName(), 'type':'subsection', 'value':kropts}]
opts.append({'name':'realms', 'type':'section', 'value':ropts})
opts.append({'name':'empty', 'type':'empty'})
#[domain_realm]
dropts = [{'name':'.'+ipasrv.getDomainName(), 'type':'option', 'value':ipasrv.getRealmName()},
{'name':ipasrv.getDomainName(), 'type':'option', 'value':ipasrv.getRealmName()}]
opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
opts.append({'name':'empty', 'type':'empty'})
#[appdefaults]
pamopts = [{'name':'debug', 'type':'option', 'value':'false'},
{'name':'ticket_lifetime', 'type':'option', 'value':'36000'},
{'name':'renew_lifetime', 'type':'option', 'value':'36000'},
{'name':'forwardable', 'type':'option', 'value':'true'},
{'name':'krb4_convert', 'type':'option', 'value':'false'}]
appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}]
opts.append({'name':'appdefaults', 'type':'section', 'value':appopts})
krbconf.newConf("/etc/krb5.conf", opts);
#Modify nsswitch to add nss_ldap
os.system("/usr/sbin/authconfig --enableldap --kickstart")
#Modify pam to add pam_krb5
os.system("/usr/sbin/authconfig --enablekrb5 --kickstart")
if options.conf_ntp:
config_ntp(ipasrv.getServerName())
print "Client configuration complete."
return 0
sys.exit(main())

54
contrib/RHEL4/ipa-client.spec Normal file
View File

@@ -0,0 +1,54 @@
Name: ipa-client
Version: 1.0.0
Release: 1%{?dist}
Summary: IPA client Setup script for RHEL-4
Group: System Environment/Base
License: GPLv2
URL: http://www.freeipa.org
Source0: %{name}-%{version}.tgz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
#BuildRequires: python-devel
Requires: python
Requires: python-ldap
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
%description
IPA is a server for identity, policy, and audit.
The client package provide install and configuration scripts for RHEL-4 clients.
%prep
%setup -q
%configure --prefix=/usr
%build
make
%install
rm -rf %{buildroot}
%{__python} setup.py install --no-compile --root=%{buildroot}
%makeinstall \
SBINDIR=$RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/ipa
install -m644 ipa.conf $RPM_BUILD_ROOT%{_sysconfdir}/ipa/ipa.conf
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%{_sbindir}/ipa-client-setup
%{python_sitelib}/ipachangeconf.py*
%config(noreplace) %{_sysconfdir}/ipa/ipa.conf
%changelog
* Thu Apr 3 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
- Version bump for release
* Mon Mar 25 2008 Simo Sorce <ssorce@redhat.com> - 0.99.0-1
- First RHEL-4 release

3
contrib/RHEL4/ipa.conf Normal file
View File

@@ -0,0 +1,3 @@
[defaults]
# realm = EXAMPLE.COM
# server = ipa.example.com

458
contrib/RHEL4/ipachangeconf.py Normal file
View File

@@ -0,0 +1,458 @@
#
# ipachangeconf - configuration file manipulation classes and functions
# partially based on authconfig code
# Copyright (c) 1999-2007 Red Hat, Inc.
# Author: Simo Sorce <ssorce@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import fcntl
import os
import string
import time
import shutil
def openLocked(filename, perms):
fd = -1
try:
fd = os.open(filename, os.O_RDWR | os.O_CREAT, perms)
fcntl.lockf(fd, fcntl.LOCK_EX)
except OSError, (errno, strerr):
if fd != -1:
try:
os.close(fd)
except OSError:
pass
raise IOError(errno, strerr)
return os.fdopen(fd, "r+")
#TODO: add subsection as a concept
# (ex. REALM.NAME = { foo = x bar = y } )
#TODO: put section delimiters as separating element of the list
# so that we can process multiple sections in one go
#TODO: add a comment all but provided options as a section option
class IPAChangeConf:
def __init__(self, name):
self.progname = name
self.indent = ("","","")
self.assign = (" = ","=")
self.dassign = self.assign[0]
self.comment = ("#",)
self.dcomment = self.comment[0]
self.eol = ("\n",)
self.deol = self.eol[0]
self.sectnamdel = ("[","]")
self.subsectdel = ("{","}")
def setProgName(self, name):
self.progname = name
def setIndent(self, indent):
if type(indent) is tuple:
self.indent = indent
elif type(indent) is str:
self.indent = (indent, )
else:
raise ValueError, 'Indent must be a list of strings'
def setOptionAssignment(self, assign):
if type(assign) is tuple:
self.assign = assign
else:
self.assign = (assign, )
self.dassign = self.assign[0]
def setCommentPrefix(self, comment):
if type(comment) is tuple:
self.comment = comment
else:
self.comment = (comment, )
self.dcomment = self.comment[0]
def setEndLine(self, eol):
if type(eol) is tuple:
self.eol = eol
else:
self.eol = (eol, )
self.deol = self.eol[0]
def setSectionNameDelimiters(self, delims):
self.sectnamdel = delims
def setSubSectionDelimiters(self, delims):
self.subsectdel = delims
def matchComment(self, line):
for v in self.comment:
if line.lstrip().startswith(v):
return line.lstrip()[len(v):]
return False
def matchEmpty(self, line):
if line.strip() == "":
return True
return False
def matchSection(self, line):
cl = "".join(line.strip().split()).lower()
if len(self.sectnamdel) != 2:
return False
if not cl.startswith(self.sectnamdel[0]):
return False
if not cl.endswith(self.sectnamdel[1]):
return False
return cl[len(self.sectnamdel[0]):-len(self.sectnamdel[1])]
def matchSubSection(self, line):
if self.matchComment(line):
return False
parts = line.split(self.dassign, 1)
if len(parts) < 2:
return False
if parts[1].strip() == self.subsectdel[0]:
return parts[0].strip()
return False
def matchSubSectionEnd(self, line):
if self.matchComment(line):
return False
if line.strip() == self.subsectdel[1]:
return True
return False
def getSectionLine(self, section):
if len(self.sectnamdel) != 2:
return section
return self.sectnamdel[0]+section+self.sectnamdel[1]+self.deol
def dump(self, options, level=0):
output = ""
if level >= len(self.indent):
level = len(self.indent)-1
for o in options:
if o['type'] == "section":
output += self.sectnamdel[0]+o['name']+self.sectnamdel[1]+self.deol
output += self.dump(o['value'], level+1)
continue
if o['type'] == "subsection":
output += self.indent[level]+o['name']+self.dassign+self.subsectdel[0]+self.deol
output += self.dump(o['value'], level+1)
output += self.indent[level]+self.subsectdel[1]+self.deol
continue
if o['type'] == "option":
output += self.indent[level]+o['name']+self.dassign+o['value']+self.deol
continue
if o['type'] == "comment":
output += self.dcomment+o['value']+self.deol
continue
if o['type'] == "empty":
output += self.deol
continue
raise SyntaxError, 'Unknown type: ['+o['type']+']'
return output
def parseLine(self, line):
if self.matchEmpty(line):
return {'name':'empty', 'type':'empty'}
value = self.matchComment(line)
if value:
return {'name':'comment', 'type':'comment', 'value':value.rstrip()} #pylint: disable=E1103
parts = line.split(self.dassign, 1)
if len(parts) < 2:
raise SyntaxError, 'Syntax Error: Unknown line format'
return {'name':parts[0].strip(), 'type':'option', 'value':parts[1].rstrip()}
def findOpts(self, opts, type, name, exclude_sections=False):
num = 0
for o in opts:
if o['type'] == type and o['name'] == name:
return (num, o)
if exclude_sections and (o['type'] == "section" or o['type'] == "subsection"):
return (num, None)
num += 1
return (num, None)
def commentOpts(self, inopts, level = 0):
opts = []
if level >= len(self.indent):
level = len(self.indent)-1
for o in inopts:
if o['type'] == 'section':
no = self.commentOpts(o['value'], level+1)
val = self.dcomment+self.sectnamdel[0]+o['name']+self.sectnamdel[1]
opts.append({'name':'comment', 'type':'comment', 'value':val})
for n in no:
opts.append(n)
continue
if o['type'] == 'subsection':
no = self.commentOpts(o['value'], level+1)
val = self.indent[level]+o['name']+self.dassign+self.subsectdel[0]
opts.append({'name':'comment', 'type':'comment', 'value':val})
for n in no:
opts.append(n)
val = self.indent[level]+self.subsectdel[1]
opts.append({'name':'comment', 'type':'comment', 'value':val})
continue
if o['type'] == 'option':
val = self.indent[level]+o['name']+self.dassign+o['value']
opts.append({'name':'comment', 'type':'comment', 'value':val})
continue
if o['type'] == 'comment':
opts.append(o)
continue
if o['type'] == 'empty':
opts.append({'name':'comment', 'type':'comment', 'value':''})
continue
raise SyntaxError, 'Unknown type: ['+o['type']+']'
return opts
def mergeOld(self, oldopts, newopts):
opts = []
for o in oldopts:
if o['type'] == "section" or o['type'] == "subsection":
(num, no) = self.findOpts(newopts, o['type'], o['name'])
if not no:
opts.append(o)
continue
if no['action'] == "set":
mo = self.mergeOld(o['value'], no['value'])
opts.append({'name':o['name'], 'type':o['type'], 'value':mo})
continue
if no['action'] == "comment":
co = self.commentOpts(o['value'])
for c in co:
opts.append(c)
continue
if no['action'] == "remove":
continue
raise SyntaxError, 'Unknown action: ['+no['action']+']'
if o['type'] == "comment" or o['type'] == "empty":
opts.append(o)
continue
if o['type'] == "option":
(num, no) = self.findOpts(newopts, 'option', o['name'], True)
if not no:
opts.append(o)
continue
if no['action'] == 'comment' or no['action'] == 'remove':
if no['value'] != None and o['value'] != no['value']:
opts.append(o)
continue
if no['action'] == 'comment':
opts.append({'name':'comment', 'type':'comment',
'value':self.dcomment+o['name']+self.dassign+o['value']})
continue
if no['action'] == 'set':
opts.append(no)
continue
raise SyntaxError, 'Unknown action: ['+o['action']+']'
raise SyntaxError, 'Unknown type: ['+o['type']+']'
return opts
def mergeNew(self, opts, newopts):
cline = 0
for no in newopts:
if no['type'] == "section" or no['type'] == "subsection":
(num, o) = self.findOpts(opts, no['type'], no['name'])
if not o:
if no['action'] == 'set':
opts.append(no)
continue
if no['action'] == "set":
self.mergeNew(o['value'], no['value'])
continue
cline = num+1
continue
if no['type'] == "option":
(num, o) = self.findOpts(opts, no['type'], no['name'], True)
if not o:
if no['action'] == 'set':
opts.append(no)
continue
cline = num+1
continue
if no['type'] == "comment" or no['type'] == "empty":
opts.insert(cline, no)
cline += 1
continue
raise SyntaxError, 'Unknown type: ['+no['type']+']'
def merge(self, oldopts, newopts):
#Use a two pass strategy
#First we create a new opts tree from oldopts removing/commenting
# the options as indicated by the contents of newopts
#Second we fill in the new opts tree with options as indicated
# in the newopts tree (this is becaus eentire (sub)sections may
# exist in the newopts that do not exist in oldopts)
opts = self.mergeOld(oldopts, newopts)
self.mergeNew(opts, newopts)
return opts
#TODO: Make parse() recursive?
def parse(self, f):
opts = []
sectopts = []
section = None
subsectopts = []
subsection = None
curopts = opts
fatheropts = opts
# Read in the old file.
for line in f:
# It's a section start.
value = self.matchSection(line)
if value:
if section is not None:
opts.append({'name':section, 'type':'section', 'value':sectopts})
sectopts = []
curopts = sectopts
fatheropts = sectopts
section = value
continue
# It's a subsection start.
value = self.matchSubSection(line)
if value:
if subsection is not None:
raise SyntaxError, 'nested subsections are not supported yet'
subsectopts = []
curopts = subsectopts
subsection = value
continue
value = self.matchSubSectionEnd(line)
if value:
if subsection is None:
raise SyntaxError, 'Unmatched end subsection terminator found'
fatheropts.append({'name':subsection, 'type':'subsection', 'value':subsectopts})
subsection = None
curopts = fatheropts
continue
# Copy anything else as is.
curopts.append(self.parseLine(line))
#Add last section if any
if len(sectopts) is not 0:
opts.append({'name':section, 'type':'section', 'value':sectopts})
return opts
# Write settings to configuration file
# file is a path
# options is a set of dictionaries in the form:
# [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}]
# section is a section name like 'global'
def changeConf(self, file, newopts):
autosection = False
savedsection = None
done = False
output = ""
f = None
try:
#Do not catch an unexisting file error, we want to fail in that case
shutil.copy2(file, file+".ipabkp")
f = openLocked(file, 0644)
oldopts = self.parse(f)
options = self.merge(oldopts, newopts)
output = self.dump(options)
# Write it out and close it.
f.seek(0)
f.truncate(0)
f.write(output)
finally:
try:
if f:
f.close()
except IOError:
pass
return True
# Write settings to new file, backup old
# file is a path
# options is a set of dictionaries in the form:
# [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}]
# section is a section name like 'global'
def newConf(self, file, options):
autosection = False
savedsection = None
done = False
output = ""
f = None
try:
try:
shutil.copy2(file, file+".ipabkp")
except IOError, err:
if err.errno == 2:
# The orign file did not exist
pass
f = openLocked(file, 0644)
# Trunkate
f.seek(0)
f.truncate(0)
output = self.dump(options)
f.write(output)
finally:
try:
if f:
f.close()
except IOError:
pass
return True

75
contrib/RHEL4/setup.py Normal file
View File

@@ -0,0 +1,75 @@
#!/usr/bin/python
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""FreeIPA python support library
FreeIPA is a server for identity, policy, and audit.
"""
DOCLINES = __doc__.split("\n")
import os
import sys
import distutils.sysconfig
CLASSIFIERS = """\
Development Status :: 4 - Beta
Intended Audience :: System Environment/Base
License :: GPL
Programming Language :: Python
Operating System :: POSIX
Operating System :: Unix
"""
# BEFORE importing distutils, remove MANIFEST. distutils doesn't properly
# update it when the contents of directories change.
if os.path.exists('MANIFEST'): os.remove('MANIFEST')
def setup_package():
from distutils.core import setup
old_path = os.getcwd()
local_path = os.path.dirname(os.path.abspath(sys.argv[0]))
os.chdir(local_path)
sys.path.insert(0,local_path)
try:
setup(
name = "ipa-client",
version = "0.99.0",
license = "GPL",
author = "Simo Sorce",
author_email = "ssorce@redhat.com",
maintainer = "freeIPA Developers",
maintainer_email = "freeipa-devel@redhat.com",
url = "http://www.freeipa.org/",
description = DOCLINES[0],
long_description = "\n".join(DOCLINES[2:]),
download_url = "http://www.freeipa.org/page/Downloads",
classifiers=filter(None, CLASSIFIERS.split('\n')),
platforms = ["Linux"],
py_modules=['ipachangeconf']
)
finally:
del sys.path[0]
os.chdir(old_path)
return
if __name__ == '__main__':
setup_package()

36
contrib/nssciphersuite/README.txt
View File

@@ -1,36 +0,0 @@
Cipher suite for mod_nss
------------------------
The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and
creates a list of secure cipher suites for TLS. The script filters out
insecure, obsolete and slow ciphers according to some rules.
As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14
cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The
cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH
key exchange. https://www.ssllabs.com/ gives a 'A' grade.
Note:
No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8
support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.
# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH
# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE
# enabled cipher suites:
# TLS_RSA_WITH_AES_128_CBC_SHA256
# TLS_RSA_WITH_AES_256_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# TLS_RSA_WITH_AES_128_GCM_SHA256
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_GCM_SHA384
# TLS_RSA_WITH_AES_256_CBC_SHA
#
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

147
contrib/nssciphersuite/nssciphersuite.py
View File

@@ -1,147 +0,0 @@
#!/usr/bin/python3
#
# Authors:
# Christian Heimes <cheimes@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Copyright (C) 2016 Red Hat, Inc.
# All rights reserved.
#
"""Generate safe NSSCipherSuite stanza for mod_nss
"""
from __future__ import print_function
import operator
import re
from urllib.request import urlopen # pylint: disable=no-name-in-module
SOURCE = "https://git.fedorahosted.org/cgit/mod_nss.git/plain/nss_engine_cipher.c"
CIPHER_RE = re.compile(
r'\s*\{'
r'\"(?P<name>\w+)\",\s*'
r'(?P<num>(TLS|SSL)_\w+),\s*'
r'\"(?P<openssl_name>[\w-]+)\",\s*'
r'(?P<attr>[\w|]+),\s*'
r'(?P<version>\w+),\s*'
r'(?P<strength>\w+),\s*'
r'(?P<bits>\d+),\s*'
r'(?P<alg_bits>\d+)'
)
DISABLED_CIPHERS = {
# ciphers without encryption or authentication
'SSL_eNULL', 'SSL_aNULL',
# MD5 is broken
# SHA-1 is still required as PRF algorithm for TLSv1.0
'SSL_MD5',
# RC2 and RC4 stream ciphers are broken.
'SSL_RC2', 'SSL_RC4',
# DES is broken and Triple DES is too weak.
'SSL_DES', 'SSL_3DES',
# DSA is problematic.
'SSL_DSS', 'SSL_aDSS',
# prefer AES over Camellia.
'SSL_CAMELLIA128', 'SSL_CAMELLIA256', 'SSL_CAMELLIA',
# non-ephemeral EC Diffie-Hellmann with fixed parameters are not
# used by common browser and are therefore irrelevant for HTTPS.
'kECDH', 'SSL_kECDHr', 'SSL_kECDHe'
}
WEAK_STRENGTH = {
'SSL_STRONG_NONE',
'SSL_EXPORT40',
'SSL_EXPORT56',
'SSL_LOW'
}
def parse_nss_engine_cipher(lines, encoding='utf-8'):
"""Parse nss_engine_cipher.c and get list of ciphers
:param lines: iterable or list of lines
:param encoding: default encoding
:return: list of cipher dicts
"""
ciphers = []
start = False
for line in lines:
if not isinstance(line, str):
line = line.decode(encoding)
if line.startswith('cipher_properties'):
start = True
elif not start:
continue
elif line.startswith('};'):
break
mo = CIPHER_RE.match(line)
if not mo:
continue
match = mo.groupdict()
match['attr'] = set(match['attr'].split('|'))
match['bits'] = int(match['bits'])
match['alg_bits'] = int(match['alg_bits'])
# some cipher elemets aren't flagged
for algo in ['SHA256', 'SHA384']:
if match['num'].endswith(algo):
match['attr'].add('SSL_{}'.format(algo))
# cipher block chaining isn't tracked
if '_CBC' in match['num']:
match['attr'].add('SSL_CBC')
if match['attr'].intersection(DISABLED_CIPHERS):
match['enabled'] = False
elif match['strength'] in WEAK_STRENGTH:
match['enabled'] = False
else:
match['enabled'] = True
# EECDH + AES-CBC and large hash functions is slow and not more secure
if (match['attr'].issuperset({'SSL_CBC', 'SSL_kEECDH'}) and
match['attr'].intersection({'SSL_SHA256', 'SSL_SHA384'})):
match['enabled'] = False
ciphers.append(match)
ciphers.sort(key=operator.itemgetter('name'))
return ciphers
def main():
with urlopen(SOURCE) as r:
ciphers = parse_nss_engine_cipher(r)
# with open('nss_engine_cipher.c') as f:
# ciphers = parse_nss_engine_cipher(f)
print("# disabled cipher attributes: {}".format(
', '.join(sorted(DISABLED_CIPHERS))))
print("# weak strength: {}".format(', '.join(sorted(WEAK_STRENGTH))))
print("# enabled cipher suites:")
suite = []
for cipher in ciphers:
if cipher['enabled']:
print("# {:36}".format(cipher['num']))
suite.append('+{}'.format(cipher['name']))
print()
print("NSSCipherSuite {}".format(','.join(suite)))
if __name__ == '__main__':
main()