websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.3.1

Browse Source
This commit is contained in:
Mario Fetka
2021-08-10 02:37:58 +02:00
parent a791de49a2
commit 2f177da8f2
2056 changed files with 421730 additions and 1668138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
ipaserver/install/odsexporterinstance.py
View File

@@ -2,9 +2,6 @@
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
from __future__ import absolute_import
import logging
import os
import pwd
import grp
@@ -13,30 +10,36 @@ import ldap
from ipaserver.install import service
from ipaserver.install import installutils
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipapython import directivesetter
from ipapython import ipautil
from ipapython import sysrestore, ipautil, ipaldap
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform import services
from ipalib import errors, api
logger = logging.getLogger(__name__)
class ODSExporterInstance(service.Service):
def __init__(self, fstore=None):
super(ODSExporterInstance, self).__init__(
"ipa-ods-exporter",
def __init__(self, fstore=None, dm_password=None, ldapi=False,
start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
service.Service.__init__(
self, "ipa-ods-exporter",
service_desc="IPA OpenDNSSEC exporter daemon",
fstore=fstore,
keytab=paths.IPA_ODS_EXPORTER_KEYTAB,
service_prefix=u'ipa-ods-exporter'
dm_password=dm_password,
ldapi=ldapi,
autobind=autobind,
start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None
self.ods_gid = None
self.enable_if_exists = False
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
suffix = ipautil.dn_attribute_property('_suffix')
def create_instance(self, fqdn, realm_name):
@@ -48,9 +51,11 @@ class ODSExporterInstance(service.Service):
try:
self.stop()
except Exception:
except:
pass
# get a connection to the DS
self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up DNS Key Exporter", self.__setup_key_exporter)
@@ -61,6 +66,8 @@ class ODSExporterInstance(service.Service):
self.start_creation()
def __check_dnssec_status(self):
ods_enforcerd = services.knownservices.ods_enforcerd
try:
self.ods_uid = pwd.getpwnam(constants.ODS_USER).pw_uid
except KeyError:
@@ -74,13 +81,13 @@ class ODSExporterInstance(service.Service):
def __enable(self):
try:
self.ldap_configure('DNSKeyExporter', self.fqdn, None,
self.suffix)
self.ldap_enable('DNSKeyExporter', self.fqdn, self.dm_password,
self.suffix)
except errors.DuplicateEntry:
logger.error("DNSKeyExporter service already exists")
root_logger.error("DNSKeyExporter service already exists")
def __setup_key_exporter(self):
directivesetter.set_directive(paths.SYSCONFIG_IPA_ODS_EXPORTER,
installutils.set_directive(paths.SYSCONFIG_IPA_ODS_EXPORTER,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,
quotes=False, separator='=')
@@ -88,41 +95,41 @@ class ODSExporterInstance(service.Service):
def __setup_principal(self):
assert self.ods_uid is not None
for f in [paths.IPA_ODS_EXPORTER_CCACHE, self.keytab]:
for f in [paths.IPA_ODS_EXPORTER_CCACHE, paths.IPA_ODS_EXPORTER_KEYTAB]:
try:
os.remove(f)
except OSError:
pass
installutils.kadmin_addprinc(self.principal)
dns_exporter_principal = "ipa-ods-exporter/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(dns_exporter_principal)
# Store the keytab on disk
installutils.create_keytab(paths.IPA_ODS_EXPORTER_KEYTAB,
self.principal)
p = self.move_service(self.principal)
installutils.create_keytab(paths.IPA_ODS_EXPORTER_KEYTAB, dns_exporter_principal)
p = self.move_service(dns_exporter_principal)
if p is None:
# the service has already been moved, perhaps we're doing a DNS reinstall
dns_exporter_principal_dn = DN(
('krbprincipalname', self.principal),
('krbprincipalname', dns_exporter_principal),
('cn', 'services'), ('cn', 'accounts'), self.suffix)
else:
dns_exporter_principal_dn = p
# Make sure access is strictly reserved to the ods user
os.chmod(self.keytab, 0o440)
os.chown(self.keytab, 0, self.ods_gid)
os.chmod(paths.IPA_ODS_EXPORTER_KEYTAB, 0o440)
os.chown(paths.IPA_ODS_EXPORTER_KEYTAB, 0, self.ods_gid)
dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
('cn', 'pbac'), self.suffix)
mod = [(ldap.MOD_ADD, 'member', dns_exporter_principal_dn)]
try:
api.Backend.ldap2.modify_s(dns_group, mod)
self.admin_conn.modify_s(dns_group, mod)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as e:
logger.critical("Could not modify principal's %s entry: %s",
dns_exporter_principal_dn, str(e))
root_logger.critical("Could not modify principal's %s entry: %s"
% (dns_exporter_principal_dn, str(e)))
raise
# limit-free connection
@@ -132,10 +139,10 @@ class ODSExporterInstance(service.Service):
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
try:
api.Backend.ldap2.modify_s(dns_exporter_principal_dn, mod)
self.admin_conn.modify_s(dns_exporter_principal_dn, mod)
except Exception as e:
logger.critical("Could not set principal's %s LDAP limits: %s",
dns_exporter_principal_dn, str(e))
root_logger.critical("Could not set principal's %s LDAP limits: %s"
% (dns_exporter_principal_dn, str(e)))
raise
def __disable_signerd(self):
@@ -153,8 +160,10 @@ class ODSExporterInstance(service.Service):
self.start()
def remove_service(self):
dns_exporter_principal = ("ipa-ods-exporter/%s@%s" % (self.fqdn,
self.realm))
try:
api.Command.service_del(self.principal)
api.Command.service_del(dns_exporter_principal)
except errors.NotFound:
pass
@@ -186,5 +195,5 @@ class ODSExporterInstance(service.Service):
if signerd_running:
signerd_service.start()
installutils.remove_keytab(self.keytab)
installutils.remove_keytab(paths.IPA_ODS_EXPORTER_KEYTAB)
installutils.remove_ccache(ccache_path=paths.IPA_ODS_EXPORTER_CCACHE)