websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.6.2

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
ipaplatform/base/__init__.py Normal file
View File

@@ -0,0 +1,23 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module should contain generic default implementations and definitions
of all the objects that a platform module is expected to export.
'''

42
ipaplatform/base/constants.py Normal file
View File

@@ -0,0 +1,42 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This base platform module exports platform dependant constants.
'''
class BaseConstantsNamespace(object):
DS_USER = 'dirsrv'
DS_GROUP = 'dirsrv'
HTTPD_USER = "apache"
HTTPD_GROUP = "apache"
GSSPROXY_USER = "root"
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
KDCPROXY_USER = "kdcproxy"
NAMED_USER = "named"
NAMED_GROUP = "named"
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
# ntpd init variable used for daemon options
NTPD_OPTS_VAR = "OPTIONS"
# quote used for daemon options
NTPD_OPTS_QUOTE = "\""
ODS_USER = "ods"
ODS_GROUP = "ods"
# nfsd init variable used to enable kerberized NFS
SECURE_NFS_VAR = "SECURE_NFS"
SELINUX_BOOLEAN_ADTRUST = {
'samba_portmapper': 'on',
}
SELINUX_BOOLEAN_HTTPD = {
'httpd_can_network_connect': 'on',
'httpd_manage_ipa': 'on',
'httpd_run_ipa': 'on',
'httpd_dbus_sssd': 'on',
}
SSSD_USER = "sssd"
constants = BaseConstantsNamespace()

362
ipaplatform/base/paths.py Normal file
View File

@@ -0,0 +1,362 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This base platform module exports default filesystem paths.
'''
class BasePathNamespace(object):
BASH = "/bin/bash"
BIN_HOSTNAMECTL = "/bin/hostnamectl"
LS = "/bin/ls"
SH = "/bin/sh"
SYSTEMCTL = "/bin/systemctl"
TAR = "/bin/tar"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_DIRSRV = "/etc/dirsrv"
DS_KEYTAB = "/etc/dirsrv/ds.keytab"
ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
ETC_FEDORA_RELEASE = "/etc/fedora-release"
GROUP = "/etc/group"
ETC_HOSTNAME = "/etc/hostname"
HOSTS = "/etc/hosts"
ETC_HTTPD_DIR = "/etc/httpd"
HTTPD_ALIAS_DIR = "/etc/httpd/alias"
OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"
HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf"
HTTPD_IPA_REWRITE_CONF = "/etc/httpd/conf.d/ipa-rewrite.conf"
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
IDMAPD_CONF = "/etc/idmapd.conf"
ETC_IPA = "/etc/ipa"
CONNCHECK_CCACHE = "/etc/ipa/.conncheck_ccache"
IPA_DNS_CCACHE = "/etc/ipa/.dns_ccache"
IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
IPA_CA_CRT = "/etc/ipa/ca.crt"
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt"
COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/"
KRB5_CONF = "/etc/krb5.conf"
KRB5_KEYTAB = "/etc/krb5.keytab"
LDAP_CONF = "/etc/ldap.conf"
LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
NAMED_CONF = "/etc/named.conf"
NAMED_VAR_DIR = "/var/named"
NAMED_KEYTAB = "/etc/named.keytab"
NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
NAMED_ROOT_KEY = "/etc/named.root.key"
NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
NSSWITCH_CONF = "/etc/nsswitch.conf"
NTP_CONF = "/etc/ntp.conf"
NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
ETC_OPENDNSSEC_DIR = "/etc/opendnssec"
OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml"
OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml"
OPENDNSSEC_ZONELIST_FILE = "/etc/opendnssec/zonelist.xml"
OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
PAM_LDAP_CONF = "/etc/pam_ldap.conf"
PASSWD = "/etc/passwd"
SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
NSS_DB_DIR = "/etc/pki/nssdb"
PKI_TOMCAT = "/etc/pki/pki-tomcat"
PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
ETC_REDHAT_RELEASE = "/etc/redhat-release"
RESOLV_CONF = "/etc/resolv.conf"
SAMBA_KEYTAB = "/etc/samba/samba.keytab"
SMB_CONF = "/etc/samba/smb.conf"
LIMITS_CONF = "/etc/security/limits.conf"
SSH_CONFIG_DIR = "/etc/ssh"
SSH_CONFIG = "/etc/ssh/ssh_config"
SSHD_CONFIG = "/etc/ssh/sshd_config"
SSSD_CONF = "/etc/sssd/sssd.conf"
SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
ETC_SYSCONFIG_DIR = "/etc/sysconfig"
ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/sysconfig/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/sysconfig/ipa-ods-exporter"
SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
SYSCONFIG_KRB5KDC_DIR = "/etc/sysconfig/krb5kdc"
SYSCONFIG_NAMED = "/etc/sysconfig/named"
SYSCONFIG_NFS = "/etc/sysconfig/nfs"
SYSCONFIG_NTPD = "/etc/sysconfig/ntpd"
SYSCONFIG_ODS = "/etc/sysconfig/ods"
SYSCONFIG_PKI = "/etc/sysconfig/pki"
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.service.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.service.d/ipa.conf"
SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
ETC_TMPFILESD_DIRSRV = "/etc/tmpfiles.d/dirsrv-%s.conf"
DNSSEC_TRUSTED_KEY = "/etc/trusted-key.key"
HOME_DIR = "/home"
PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"
ROOT_IPA_CACHE = "/root/.ipa_cache"
ROOT_PKI = "/root/.pki"
DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
RA_AGENT_PEM = "/var/lib/ipa/ra-agent.pem"
RA_AGENT_KEY = "/var/lib/ipa/ra-agent.key"
CACERT_P12 = "/root/cacert.p12"
ROOT_IPA_CSR = "/root/ipa.csr"
NAMED_PID = "/run/named/named.pid"
NOLOGIN = "/sbin/nologin"
SBIN_REBOOT = "/sbin/reboot"
SBIN_RESTORECON = "/sbin/restorecon"
SBIN_SERVICE = "/sbin/service"
TMP = "/tmp"
TMP_CA_P12 = "/tmp/ca.p12"
TMP_KRB5CC = "/tmp/krb5cc_%d"
USR_DIR = "/usr"
CERTMONGER_COMMAND_TEMPLATE = "/usr/libexec/ipa/certmonger/%s"
PKCS12EXPORT = "/usr/bin/PKCS12Export"
CERTUTIL = "/usr/bin/certutil"
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
FIREFOX = "/usr/bin/firefox"
GETCERT = "/usr/bin/getcert"
GPG = "/usr/bin/gpg"
GPG_AGENT = "/usr/bin/gpg-agent"
IPA_GETCERT = "/usr/bin/ipa-getcert"
KDESTROY = "/usr/bin/kdestroy"
KINIT = "/usr/bin/kinit"
BIN_KVNO = "/usr/bin/kvno"
LDAPMODIFY = "/usr/bin/ldapmodify"
LDAPPASSWD = "/usr/bin/ldappasswd"
MODUTIL = "/usr/bin/modutil"
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
SSLGET = "/usr/bin/sslget"
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
BIN_TIMEOUT = "/usr/bin/timeout"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
BIN_CURL = "/usr/bin/curl"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
LIB_FIREFOX = "/usr/lib/firefox"
LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
PAM_KRB5_SO = "/usr/lib/security/pam_krb5.so"
LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
LIB64_FIREFOX = "/usr/lib64/firefox"
LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
CERTMONGER_DOGTAG_SUBMIT = "/usr/libexec/certmonger/dogtag-submit"
IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard"
GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy"
IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
HTTPD = "/usr/sbin/httpd"
IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"
SBIN_IPA_JOIN = "/usr/sbin/ipa-join"
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
NAMED = "/usr/sbin/named"
NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
NTPD = "/usr/sbin/ntpd"
PKIDESTROY = "/usr/sbin/pkidestroy"
PKISPAWN = "/usr/sbin/pkispawn"
PKI = "/usr/bin/pki"
REMOVE_DS_PL = "/usr/sbin/remove-ds.pl"
RESTORECON = "/usr/sbin/restorecon"
SELINUXENABLED = "/usr/sbin/selinuxenabled"
SETSEBOOL = "/usr/sbin/setsebool"
SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
IPA_HTML_DIR = "/usr/share/ipa/html"
CA_CRT = "/usr/share/ipa/html/ca.crt"
KRB_CON = "/usr/share/ipa/html/krb.con"
HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
NIS_ULDIF = "/usr/share/ipa/nis.uldif"
NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
DICT_WORDS = "/usr/share/dict/words"
CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5."
CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem"
KRB5KDC_KADM5_ACL = "/var/kerberos/krb5kdc/kadm5.acl"
KRB5KDC_KADM5_KEYTAB = "/var/kerberos/krb5kdc/kadm5.keytab"
KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf"
KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"
KDC_KEY = "/var/kerberos/krb5kdc/kdc.key"
VAR_LIB = "/var/lib"
AUTHCONFIG_LAST = "/var/lib/authconfig/last"
VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger"
CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/"
CERTMONGER_CAS_CA_RENEWAL = "/var/lib/certmonger/cas/ca_renewal"
CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
VAR_LIB_DIRSRV = "/var/lib/dirsrv"
DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE = "/var/lib/dirsrv/scripts-%s"
VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s"
SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s"
SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
VAR_LIB_IPA = "/var/lib/ipa"
IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
IPA_BACKUP_DIR = "/var/lib/ipa/backup"
IPA_DNSSEC_DIR = "/var/lib/ipa/dnssec"
IPA_KASP_DB_BACKUP = "/var/lib/ipa/ipa-kasp.db.backup"
DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
IPA_CA_CSR = "/var/lib/ipa/ca.csr"
PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
SYSRESTORE = "/var/lib/ipa/sysrestore"
STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
VAR_LIB_PKI_DIR = "/var/lib/pki"
VAR_LIB_PKI_CA_ALIAS_DIR = "/var/lib/pki-ca/alias"
VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat"
CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12"
CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
CASIGNEDLOGCERT_CFG = (
"/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg")
KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
KRACERT_P12 = "/root/kracert.p12"
SAMBA_DIR = "/var/lib/samba/"
SSSD_DB = "/var/lib/sss/db"
SSSD_MC_GROUP = "/var/lib/sss/mc/group"
SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
VAR_LOG_AUDIT = "/var/log/audit/audit.log"
DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
VAR_LOG_HTTPD_DIR = "/var/log/httpd"
VAR_LOG_HTTPD_ERROR = "/var/log/httpd/error_log"
IPABACKUP_LOG = "/var/log/ipabackup.log"
IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log"
IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
IPARESTORE_LOG = "/var/log/iparestore.log"
IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
KADMIND_LOG = "/var/log/kadmind.log"
KRB5KDC_LOG = "/var/log/krb5kdc.log"
MESSAGES = "/var/log/messages"
VAR_LOG_PKI_DIR = "/var/log/pki/"
TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
TOMCAT_CA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/ca/archive"
TOMCAT_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/ca/signedAudit"
TOMCAT_KRA_DIR = "/var/log/pki/pki-tomcat/kra"
TOMCAT_KRA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/kra/archive"
TOMCAT_KRA_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/kra/signedAudit"
LOG_SECURE = "/var/log/secure"
VAR_LOG_SSSD_DIR = "/var/log/sssd"
NAMED_RUN = "/var/named/data/named.run"
VAR_OPENDNSSEC_DIR = "/var/opendnssec"
OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
IPA_CCACHES = "/var/run/ipa/ccaches"
HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache"
CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/ca-bundle.pem"
KDC_CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
SVC_LIST_FILE = "/var/run/ipa/services.list"
KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
LDIF2DB = '/usr/sbin/ldif2db'
DB2LDIF = '/usr/sbin/db2ldif'
BAK2DB = '/usr/sbin/bak2db'
DB2BAK = '/usr/sbin/db2bak'
KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
CERTMONGER = '/usr/sbin/certmonger'
NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
IPA_CUSTODIA_KEYS = '/etc/ipa/custodia/server.keys'
IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
IF_INET6 = '/proc/net/if_inet6'
AUTHCONFIG = None
IPA_SERVER_UPGRADE = '/usr/sbin/ipa-server-upgrade'
paths = BasePathNamespace()

517
ipaplatform/base/services.py Normal file
View File

@@ -0,0 +1,517 @@
# Author: Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
'''
This base module contains default implementations of IPA interface for
interacting with system services.
'''
import os
import json
import time
import collections
import warnings
import six
from ipapython import ipautil
from ipaplatform.paths import paths
# Canonical names of services as IPA wants to see them. As we need to have
# *some* naming, set them as in Red Hat distributions. Actual implementation
# should make them available through knownservices.<name> and take care of
# re-mapping internally, if needed
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname',
'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy']
# The common ports for these services. This is used to wait for the
# service to become available.
wellknownports = {
'dirsrv': [389], # only used if the incoming instance name is blank
'pki-tomcatd@pki-tomcat.service': [8080, 8443],
'pki-tomcat': [8080, 8443],
'pki-tomcatd': [8080, 8443], # used if the incoming instance name is blank
}
SERVICE_POLL_INTERVAL = 0.1 # seconds
class KnownServices(collections.Mapping):
"""
KnownServices is an abstract class factory that should give out instances
of well-known platform services. Actual implementation must create these
instances as its own attributes on first access (or instance creation)
and cache them.
"""
def __init__(self, d):
self.__d = d
def __getitem__(self, key):
return self.__d[key]
def __iter__(self):
return iter(self.__d)
def __len__(self):
return len(self.__d)
def __call__(self):
return six.itervalues(self.__d)
def __getattr__(self, name):
try:
return self.__d[name]
except KeyError:
raise AttributeError(name)
class PlatformService(object):
"""
PlatformService abstracts out external process running on the system
which is possible to administer (start, stop, check status, etc).
"""
def __init__(self, service_name, api=None):
# pylint: disable=ipa-forbidden-import
import ipalib # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
self.service_name = service_name
if api is not None:
self.api = api
else:
self.api = ipalib.api
warnings.warn(
"{s.__class__.__name__}('{s.service_name}', api=None) "
"is deprecated.".format(s=self),
RuntimeWarning, stacklevel=2)
def start(self, instance_name="", capture_output=True, wait=True,
update_service_list=True):
"""
When a service is started record the fact in a special file.
This allows ipactl stop to always stop all services that have
been started via ipa tools
"""
if not update_service_list:
return
svc_list = []
try:
with open(paths.SVC_LIST_FILE, 'r') as f:
svc_list = json.load(f)
except Exception:
# not fatal, may be the first service
pass
if self.service_name not in svc_list:
svc_list.append(self.service_name)
with open(paths.SVC_LIST_FILE, 'w') as f:
json.dump(svc_list, f)
return
def stop(self, instance_name="", capture_output=True,
update_service_list=True):
"""
When a service is stopped remove it from the service list file.
"""
if not update_service_list:
return
svc_list = []
try:
with open(paths.SVC_LIST_FILE, 'r') as f:
svc_list = json.load(f)
except Exception:
# not fatal, may be the first service
pass
while self.service_name in svc_list:
svc_list.remove(self.service_name)
with open(paths.SVC_LIST_FILE, 'w') as f:
json.dump(svc_list, f)
return
def reload_or_restart(self, instance_name="", capture_output=True,
wait=True):
return
def restart(self, instance_name="", capture_output=True, wait=True):
return
def is_running(self, instance_name="", wait=True):
return False
def is_installed(self):
return False
def is_enabled(self, instance_name=""):
return False
def is_masked(self, instance_name=""):
return False
def enable(self, instance_name=""):
return
def disable(self, instance_name=""):
return
def mask(self, instance_name=""):
return
def unmask(self, instance_name=""):
return
def install(self, instance_name=""):
return
def remove(self, instance_name=""):
return
class SystemdService(PlatformService):
SYSTEMD_SRV_TARGET = "%s.target.wants"
def __init__(self, service_name, systemd_name, api=None):
super(SystemdService, self).__init__(service_name, api=api)
self.systemd_name = systemd_name
self.lib_path = os.path.join(paths.LIB_SYSTEMD_SYSTEMD_DIR,
self.systemd_name)
self.lib_path_exists = None
def service_instance(self, instance_name, operation=None):
if self.lib_path_exists is None:
self.lib_path_exists = os.path.exists(self.lib_path)
elements = self.systemd_name.split("@")
# Make sure the correct DS instance is returned
if elements[0] == 'dirsrv' and not instance_name:
return ('dirsrv@%s.service'
% str(self.api.env.realm.replace('.', '-')))
# Short-cut: if there is already exact service name, return it
if self.lib_path_exists and instance_name:
if len(elements) == 1:
# service name is like pki-tomcatd.target or krb5kdc.service
return self.systemd_name
if len(elements) > 1 and elements[1][0] != '.':
# Service name is like pki-tomcatd@pki-tomcat.service
# and that file exists
return self.systemd_name
if len(elements) > 1:
# We have dynamic service
if instance_name:
# Instanciate dynamic service
return "%s@%s.service" % (elements[0], instance_name)
else:
# No instance name, try with target
tgt_name = "%s.target" % (elements[0])
srv_lib = os.path.join(paths.LIB_SYSTEMD_SYSTEMD_DIR, tgt_name)
if os.path.exists(srv_lib):
return tgt_name
return self.systemd_name
def parse_variables(self, text, separator=None):
"""
Parses 'systemctl show' output and returns a dict[variable]=value
Arguments: text -- 'systemctl show' output as string
separator -- optional (defaults to None), what separates
the key/value pairs in the text
"""
def splitter(x, separator=None):
if len(x) > 1:
y = x.split(separator)
return (y[0], y[-1])
return (None, None)
return dict(splitter(x, separator=separator) for x in text.split("\n"))
def wait_for_open_ports(self, instance_name=""):
"""
If this is a service we need to wait for do so.
"""
ports = None
if instance_name in wellknownports:
ports = wellknownports[instance_name]
else:
elements = self.systemd_name.split("@")
if elements[0] in wellknownports:
ports = wellknownports[elements[0]]
if ports:
ipautil.wait_for_open_ports('localhost', ports,
self.api.env.startup_timeout)
def stop(self, instance_name="", capture_output=True):
instance = self.service_instance(instance_name)
args = [paths.SYSTEMCTL, "stop", instance]
# The --ignore-dependencies switch is used to avoid possible
# deadlock during the shutdown transaction. For more details, see
# https://fedorahosted.org/freeipa/ticket/3729#comment:1 and
# https://bugzilla.redhat.com/show_bug.cgi?id=973331#c11
if instance == "ipa-otpd.socket":
args.append("--ignore-dependencies")
ipautil.run(args, skip_output=not capture_output)
update_service_list = getattr(self.api.env, 'context',
None) in ['ipactl', 'installer']
super(SystemdService, self).stop(
instance_name,
update_service_list=update_service_list)
def start(self, instance_name="", capture_output=True, wait=True):
ipautil.run([paths.SYSTEMCTL, "start",
self.service_instance(instance_name)],
skip_output=not capture_output)
update_service_list = getattr(self.api.env, 'context',
None) in ['ipactl', 'installer']
if wait and self.is_running(instance_name):
self.wait_for_open_ports(self.service_instance(instance_name))
super(SystemdService, self).start(
instance_name,
update_service_list=update_service_list)
def _restart_base(self, instance_name, operation, capture_output=True,
wait=False):
ipautil.run([paths.SYSTEMCTL, operation,
self.service_instance(instance_name)],
skip_output=not capture_output)
if wait and self.is_running(instance_name):
self.wait_for_open_ports(self.service_instance(instance_name))
def reload_or_restart(self, instance_name="", capture_output=True,
wait=True):
self._restart_base(instance_name, "reload-or-restart",
capture_output, wait)
def restart(self, instance_name="", capture_output=True, wait=True):
self._restart_base(instance_name, "restart",
capture_output, wait)
def is_running(self, instance_name="", wait=True):
instance = self.service_instance(instance_name, 'is-active')
while True:
try:
result = ipautil.run(
[paths.SYSTEMCTL, "is-active", instance],
capture_output=True
)
except ipautil.CalledProcessError as e:
if e.returncode == 3 and 'activating' in str(e.output):
time.sleep(SERVICE_POLL_INTERVAL)
continue
return False
else:
# activating
if result.returncode == 3 and 'activating' in result.output:
time.sleep(SERVICE_POLL_INTERVAL)
continue
# active
if result.returncode == 0:
return True
# not active
return False
def is_installed(self):
try:
result = ipautil.run(
[paths.SYSTEMCTL, "list-unit-files", "--full"],
capture_output=True)
if result.returncode != 0:
return False
else:
svar = self.parse_variables(result.output)
if not self.service_instance("") in svar:
# systemd doesn't show the service
return False
except ipautil.CalledProcessError:
return False
return True
def is_enabled(self, instance_name=""):
enabled = True
try:
result = ipautil.run(
[paths.SYSTEMCTL, "is-enabled",
self.service_instance(instance_name)])
if result.returncode != 0:
enabled = False
except ipautil.CalledProcessError:
enabled = False
return enabled
def is_masked(self, instance_name=""):
masked = False
try:
result = ipautil.run(
[paths.SYSTEMCTL, "is-enabled",
self.service_instance(instance_name)],
capture_output=True)
if result.returncode == 1 and result.output == 'masked':
masked = True
except ipautil.CalledProcessError:
pass
return masked
def enable(self, instance_name=""):
if self.lib_path_exists is None:
self.lib_path_exists = os.path.exists(self.lib_path)
elements = self.systemd_name.split("@")
l = len(elements)
if self.lib_path_exists and (l > 1 and elements[1][0] != '.'):
# There is explicit service unit supporting this instance,
# follow normal systemd enabler
self.__enable(instance_name)
return
if self.lib_path_exists and (l == 1):
# There is explicit service unit which does not support
# the instances, ignore instance
self.__enable()
return
if len(instance_name) > 0 and l > 1:
# New instance, we need to do following:
# 1. Make /etc/systemd/system/<service>.target.wants/
# if it is not there
# 2. Link /etc/systemd/system/<service>.target.wants/
# <service>@<instance_name>.service to
# /lib/systemd/system/<service>@.service
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
self.SYSTEMD_SRV_TARGET % (elements[0]))
srv_lnk = os.path.join(srv_tgt,
self.service_instance(instance_name))
try:
if not os.path.isdir(srv_tgt):
os.mkdir(srv_tgt)
os.chmod(srv_tgt, 0o755)
if os.path.exists(srv_lnk):
# Remove old link
os.unlink(srv_lnk)
if not os.path.exists(srv_lnk):
# object does not exist _or_ is a broken link
if not os.path.islink(srv_lnk):
# if it truly does not exist, make a link
os.symlink(self.lib_path, srv_lnk)
else:
# Link exists and it is broken, make new one
os.unlink(srv_lnk)
os.symlink(self.lib_path, srv_lnk)
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
except Exception:
pass
else:
self.__enable(instance_name)
def disable(self, instance_name=""):
elements = self.systemd_name.split("@")
if instance_name != "" and len(elements) > 1:
# Remove instance, we need to do following:
# Remove link from /etc/systemd/system/<service>.target.wants/
# <service>@<instance_name>.service
# to /lib/systemd/system/<service>@.service
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
self.SYSTEMD_SRV_TARGET % (elements[0]))
srv_lnk = os.path.join(srv_tgt,
self.service_instance(instance_name))
try:
if os.path.isdir(srv_tgt):
if os.path.islink(srv_lnk):
os.unlink(srv_lnk)
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
except Exception:
pass
else:
try:
ipautil.run([paths.SYSTEMCTL, "disable",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def mask(self, instance_name=""):
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR, self.service_instance(instance_name))
if os.path.exists(srv_tgt):
os.unlink(srv_tgt)
try:
ipautil.run([paths.SYSTEMCTL, "mask",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def unmask(self, instance_name=""):
try:
ipautil.run([paths.SYSTEMCTL, "unmask",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def __enable(self, instance_name=""):
try:
ipautil.run([paths.SYSTEMCTL, "enable",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def install(self):
self.enable()
def remove(self):
self.disable()
# Objects below are expected to be exported by platform module
def base_service_class_factory(name, api=None):
raise NotImplementedError
service = base_service_class_factory
knownservices = KnownServices({})
# System may support more time&date services. FreeIPA supports ntpd only, other
# services will be disabled during IPA installation
timedate_services = ['ntpd', 'chronyd']

227
ipaplatform/base/tasks.py Normal file
View File

@@ -0,0 +1,227 @@
# Authors:
# Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2011-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains default platform-specific implementations of system tasks.
'''
import logging
from pkg_resources import parse_version
from ipaplatform.paths import paths
from ipapython import ipautil
logger = logging.getLogger(__name__)
class BaseTaskNamespace(object):
def restore_context(self, filepath):
"""
Restore SELinux security context on the given filepath.
No return value expected.
"""
raise NotImplementedError()
def backup_hostname(self, fstore, statestore):
"""
Backs up the current hostname in the statestore (so that it can be
restored by the restore_hostname platform task).
No return value expected.
"""
raise NotImplementedError()
def reload_systemwide_ca_store(self):
"""
Reloads the systemwide CA store.
Returns True if the operation succeeded, False otherwise.
"""
raise NotImplementedError()
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
"""
Adds CA certificates from 'ca_certs' to the systemwide CA store
(if available on the platform).
Returns True if the operation succeeded, False otherwise.
"""
raise NotImplementedError()
def remove_ca_certs_from_systemwide_ca_store(self):
"""
Removes IPA CA certificates from the systemwide CA store
(if available on the platform).
Returns True if the operation succeeded, False otherwise.
"""
raise NotImplementedError()
def get_svc_list_file(self):
"""
Returns the path to the IPA service list file.
"""
return paths.SVC_LIST_FILE
def check_selinux_status(self):
"""
Checks if SELinux is available on the platform. If it is, this task
also makes sure that restorecon tool is available.
If SELinux is available, but restorcon tool is not installed, raises
an RuntimeError, which suggest installing the package containing
restorecon and rerunning the installation.
"""
raise NotImplementedError()
def check_ipv6_stack_enabled(self):
"""Check whether IPv6 kernel module is loaded"""
raise NotImplementedError()
def restore_hostname(self, fstore, statestore):
"""
Restores the original hostname as backed up in the
backup_hostname platform task.
"""
raise NotImplementedError()
def restore_pre_ipa_client_configuration(self, fstore, statestore,
was_sssd_installed,
was_sssd_configured):
"""
Restores the pre-ipa-client configuration that was modified by the
following platform tasks:
modify_nsswitch_pam_stack
modify_pam_to_use_krb5
"""
raise NotImplementedError()
def set_nisdomain(self, nisdomain):
"""
Sets the NIS domain name to 'nisdomain'.
"""
raise NotImplementedError()
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
"""
If sssd flag is true, configure pam and nsswtich so that SSSD is used
for retrieving user information and authentication.
Otherwise, configure pam and nsswitch to leverage pure LDAP.
"""
raise NotImplementedError()
def modify_pam_to_use_krb5(self, statestore):
"""
Configure pam stack to allow kerberos authentication.
"""
raise NotImplementedError()
def backup_auth_configuration(self, path):
"""
Create backup of access control configuration.
:param path: store the backup here. This will be passed to
restore_auth_configuration as well.
"""
raise NotImplementedError()
def restore_auth_configuration(self, path):
"""
Restore backup of access control configuration.
:param path: restore the backup from here.
"""
raise NotImplementedError()
def set_selinux_booleans(self, required_settings, backup_func=None):
"""Set the specified SELinux booleans
:param required_settings: A dictionary mapping the boolean names
to desired_values.
The desired value can be 'on' or 'off',
or None to leave the setting unchanged.
:param backup_func: A function called for each boolean with two
arguments: the name and the previous value
If SELinux is disabled, return False; on success returns True.
If setting the booleans fails,
an ipapython.errors.SetseboolError is raised.
"""
raise NotImplementedError()
@staticmethod
def parse_ipa_version(version):
"""
:param version: textual version
:return: object implementing proper __cmp__ method for version compare
"""
return parse_version(version)
def set_hostname(self, hostname):
"""
Set hostname for the system
No return value expected, raise CalledProcessError when error occurred
"""
raise NotImplementedError()
def configure_httpd_service_ipa_conf(self):
"""Configure httpd service to work with IPA"""
raise NotImplementedError()
def configure_http_gssproxy_conf(self, ipauser):
raise NotImplementedError()
def remove_httpd_service_ipa_conf(self):
"""Remove configuration of httpd service of IPA"""
raise NotImplementedError()
def is_fips_enabled(self):
return False
def add_user_to_group(self, user, group):
logger.debug('Adding user %s to group %s', user, group)
args = [paths.USERMOD, '-a', '-G', group, user]
try:
ipautil.run(args)
logger.debug('Done adding user to group')
except ipautil.CalledProcessError as e:
logger.debug('Failed to add user to group: %s', e)
tasks = BaseTaskNamespace()