websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Import Upstream version 4.12.4

Browse Source
This commit is contained in:
geos_one
2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
ipaplatform/Makefile.in
View File

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -69,6 +69,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -126,7 +128,7 @@ am__can_run_installinfo = \
esac
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/Makefile.python.am
$(top_srcdir)/Makefile.python.am README.md
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -147,6 +149,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -160,8 +164,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -169,6 +175,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -181,9 +188,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -192,6 +202,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -251,6 +263,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -259,9 +273,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -300,8 +317,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -347,6 +366,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -403,7 +423,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -468,8 +487,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -631,3 +650,10 @@ override.py: override.py.in $(top_builddir)/$(CONFIG_STATUS)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%

5
ipaplatform/_importhook.py
View File

@@ -21,10 +21,11 @@ class IpaMetaImporter:
def __init__(self, platform):
self.platform = platform
def find_module(self, fullname, path=None):
def find_spec(self, fullname, path=None, target=None):
"""Meta importer hook"""
if fullname in self.modules:
return self
module = self.load_module(fullname)
return module.__spec__
return None
def load_module(self, fullname):

126
ipaplatform/base/constants.py
View File

@@ -5,33 +5,130 @@
'''
This base platform module exports platform dependant constants.
'''
import grp
import os
import pwd
import sys
class _Entity(str):
__slots__ = ("_entity", )
def __new__(cls, name):
# if 'name' is already an instance of cls, return identical name
if isinstance(name, cls):
return name
else:
return super().__new__(cls, name)
def __init__(self, name):
super().__init__()
self._entity = None
def __str__(self):
return super().__str__()
def __repr__(self):
return f'<{self.__class__.__name__} "{self!s}">'
class User(_Entity):
__slots__ = ()
@property
def entity(self):
"""User information struct
:return: pwd.struct_passwd instance
"""
entity = self._entity
if entity is None:
try:
self._entity = entity = pwd.getpwnam(self)
except KeyError:
raise ValueError(f"user '{self!s}' not found") from None
return entity
@property
def uid(self):
"""Numeric user id (int)
"""
return self.entity.pw_uid
@property
def pgid(self):
"""Primary group id (int)"""
return self.entity.pw_gid
def chown(self, path, gid=None, **kwargs):
"""chown() file by path or file descriptor
gid defaults to user's primary gid. Use -1 to keep gid.
"""
if gid is None:
gid = self.pgid
elif isinstance(gid, Group):
gid = gid.gid
os.chown(path, self.uid, gid, **kwargs)
class Group(_Entity):
__slots__ = ()
@property
def entity(self):
"""Group information
:return: grp.struct_group instance
"""
entity = self._entity
if entity is None:
try:
self._entity = entity = grp.getgrnam(self)
except KeyError:
raise ValueError(f"group '{self!s}' not found") from None
return entity
@property
def gid(self):
"""Numeric group id (int)
"""
return self.entity.gr_gid
def chgrp(self, path, **kwargs):
"""change group owner file by path or file descriptor
"""
os.chown(path, -1, self.gid, **kwargs)
class BaseConstantsNamespace:
IS_64BITS = sys.maxsize > 2 ** 32
DEFAULT_ADMIN_SHELL = '/bin/bash'
DEFAULT_SHELL = '/bin/sh'
DS_USER = 'dirsrv'
DS_GROUP = 'dirsrv'
HTTPD_USER = "apache"
HTTPD_GROUP = "apache"
GSSPROXY_USER = "root"
IPAAPI_USER = User("ipaapi")
IPAAPI_GROUP = Group("ipaapi")
DS_USER = User("dirsrv")
DS_GROUP = Group("dirsrv")
HTTPD_USER = User("apache")
HTTPD_GROUP = Group("apache")
GSSPROXY_USER = User("root")
IPA_ADTRUST_PACKAGE_NAME = "freeipa-server-trust-ad"
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
KDCPROXY_USER = "kdcproxy"
NAMED_USER = "named"
NAMED_GROUP = "named"
KDCPROXY_USER = User("kdcproxy")
NAMED_USER = User("named")
NAMED_GROUP = Group("named")
NAMED_DATA_DIR = "data/"
NAMED_OPTIONS_VAR = "OPTIONS"
NAMED_OPENSSL_ENGINE = None
NAMED_ZONE_COMMENT = ""
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
PKI_USER = User("pkiuser")
PKI_GROUP = Group("pkiuser")
# ntpd init variable used for daemon options
NTPD_OPTS_VAR = "OPTIONS"
# quote used for daemon options
NTPD_OPTS_QUOTE = "\""
ODS_USER = "ods"
ODS_GROUP = "ods"
ODS_USER = User("ods")
ODS_GROUP = Group("ods")
# nfsd init variable used to enable kerberized NFS
SECURE_NFS_VAR = "SECURE_NFS"
SELINUX_BOOLEAN_ADTRUST = {
@@ -54,6 +151,9 @@ class BaseConstantsNamespace:
'samba_share_nfs': 'on',
},
}
SELINUX_BOOLEAN_SSSD = {
'sssd_use_usb': 'on',
}
SELINUX_MCS_MAX = 1023
SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
SELINUX_MLS_MAX = 15
@@ -68,7 +168,7 @@ class BaseConstantsNamespace:
"$sysadm_u:s0-s0:c0.c1023"
"$unconfined_u:s0-s0:c0.c1023"
)
SSSD_USER = "sssd"
SSSD_USER = User("sssd")
# WSGI module override, only used on Fedora
MOD_WSGI_PYTHON2 = None
MOD_WSGI_PYTHON3 = None

56
ipaplatform/base/paths.py
View File

@@ -26,15 +26,16 @@ import os
class BasePathNamespace:
BIN_HOSTNAMECTL = "/bin/hostnamectl"
CRYPTO_POLICY_OPENSSLCNF_FILE = None
ECHO = "/bin/echo"
FIPS_MODE_SETUP = "/usr/bin/fips-mode-setup"
FIPS_MODE_SETUP = "/bin/fips-mode-setup"
GZIP = "/bin/gzip"
LS = "/bin/ls"
SYSTEMCTL = "/bin/systemctl"
SYSTEMD_RUN = "/bin/systemd-run"
SYSTEMD_DETECT_VIRT = "/usr/bin/systemd-detect-virt"
SYSTEMD_TMPFILES = "/usr/bin/systemd-tmpfiles"
SYSTEMD_TMPFILES = "/bin/systemd-tmpfiles"
TAR = "/bin/tar"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_FEDORA_RELEASE = "/etc/fedora-release"
GROUP = "/etc/group"
ETC_HOSTNAME = "/etc/hostname"
@@ -69,6 +70,8 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
IPA_SERVER_CONF = "/etc/ipa/server.conf"
DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
@@ -83,12 +86,16 @@ class BasePathNamespace:
NAMED_CONF = "/etc/named.conf"
NAMED_CONF_BAK = "/etc/named.conf.ipa-backup"
NAMED_CUSTOM_CONF = "/etc/named/ipa-ext.conf"
NAMED_LOGGING_OPTIONS_CONF = "/etc/named/ipa-logging-ext.conf"
NAMED_CUSTOM_OPTIONS_CONF = "/etc/named/ipa-options-ext.conf"
NAMED_CONF_SRC = '/usr/share/ipa/bind.named.conf.template'
NAMED_CUSTOM_CONF_SRC = '/usr/share/ipa/bind.ipa-ext.conf.template'
NAMED_CUSTOM_OPTIONS_CONF_SRC = (
'/usr/share/ipa/bind.ipa-options-ext.conf.template'
)
NAMED_LOGGING_OPTIONS_CONF_SRC = (
"/usr/share/ipa/bind.ipa-logging-ext.conf.template"
)
NAMED_VAR_DIR = "/var/named"
NAMED_KEYTAB = "/etc/named.keytab"
NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
@@ -121,6 +128,11 @@ class BasePathNamespace:
PKI_TOMCAT_ALIAS_PWDFILE_TXT = "/etc/pki/pki-tomcat/alias/pwdfile.txt"
PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
PKI_TOMCAT_SERVER_XML = "/etc/pki/pki-tomcat/server.xml"
PKI_ACME_CONFIGSOURCES_CONF = "/etc/pki/pki-tomcat/acme/configsources.conf"
PKI_ACME_DATABASE_CONF = "/etc/pki/pki-tomcat/acme/database.conf"
PKI_ACME_ENGINE_CONF = "/etc/pki/pki-tomcat/acme/engine.conf"
PKI_ACME_ISSUER_CONF = "/etc/pki/pki-tomcat/acme/issuer.conf"
PKI_ACME_REALM_CONF = "/etc/pki/pki-tomcat/acme/realm.conf"
ETC_REDHAT_RELEASE = "/etc/redhat-release"
RESOLV_CONF = "/etc/resolv.conf"
SAMBA_KEYTAB = "/etc/samba/samba.keytab"
@@ -128,6 +140,8 @@ class BasePathNamespace:
LIMITS_CONF = "/etc/security/limits.conf"
SSH_CONFIG_DIR = "/etc/ssh"
SSH_CONFIG = "/etc/ssh/ssh_config"
SSH_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/ssh_ipa.conf.template"
SSH_IPA_CONFIG = "/etc/ssh/ssh_config.d/04-ipa.conf"
SSHD_CONFIG = "/etc/ssh/sshd_config"
SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/sshd_ipa.conf.template"
@@ -186,7 +200,7 @@ class BasePathNamespace:
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
FIREFOX = "/usr/bin/firefox"
GETCERT = "/usr/bin/getcert"
GPG2 = "/usr/bin/gpg2"
GPG2 = "/usr/bin/gpg"
GPG_CONF = "/usr/bin/gpgconf"
GPG_CONNECT_AGENT = "/usr/bin/gpg-connect-agent"
GPG_AGENT = "/usr/bin/gpg-agent"
@@ -208,10 +222,14 @@ class BasePathNamespace:
ODS_ENFORCER = "/usr/sbin/ods-enforcer"
ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
OPENSSL = "/usr/bin/openssl"
OPENSSL_DIR = "/etc/pki/tls"
OPENSSL_CERTS_DIR = "/etc/pki/tls/certs"
OPENSSL_PRIVATE_DIR = "/etc/pki/tls/private"
PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
SSLGET = "/usr/bin/sslget"
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_SSH_KNOWNHOSTS = "/usr/bin/sss_ssh_knownhosts"
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
BIN_TIMEOUT = "/usr/bin/timeout"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
@@ -233,6 +251,7 @@ class BasePathNamespace:
CERTMONGER_DOGTAG_SUBMIT = "/usr/libexec/certmonger/dogtag-submit"
IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard"
GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
RNDC_KEY = "/etc/rndc.key"
LIBEXEC_IPA_DIR = "/usr/libexec/ipa"
IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
@@ -241,7 +260,8 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
@@ -253,8 +273,6 @@ class BasePathNamespace:
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
NAMED = "/usr/sbin/named"
NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
CHRONYC = "/usr/bin/chronyc"
CHRONYD = "/usr/sbin/chronyd"
PKIDESTROY = "/usr/sbin/pkidestroy"
@@ -263,6 +281,7 @@ class BasePathNamespace:
RESTORECON = "/usr/sbin/restorecon"
SELINUXENABLED = "/usr/sbin/selinuxenabled"
SETSEBOOL = "/usr/sbin/setsebool"
SEMODULE = "/usr/sbin/semodule"
SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd"
FONTS_DIR = "/usr/share/fonts"
@@ -307,6 +326,7 @@ class BasePathNamespace:
IPA_KASP_DB_BACKUP = "/var/lib/ipa/ipa-kasp.db.backup"
DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
DNSSEC_ENGINE_SOCK = "/run/opendnssec/engine.sock"
IPA_CA_CSR = "/var/lib/ipa/ca.csr"
IPA_CACERT_MANAGE = "/usr/sbin/ipa-cacert-manage"
IPA_CERTUPDATE = "/usr/sbin/ipa-certupdate"
@@ -330,9 +350,16 @@ class BasePathNamespace:
SSSD_DB = "/var/lib/sss/db"
SSSD_MC_GROUP = "/var/lib/sss/mc/group"
SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
SSSD_MC_INITGROUPS = "/var/lib/sss/mc/initgroups"
SSSD_MC_SID = "/var/lib/sss/mc/sid"
SSSD_PIPES = "/var/lib/sss/pipes"
SSSD_LDB = "/var/lib/sss/db/sssd.ldb"
SSSD_CONFIG_LDB = "/var/lib/sss/db/config.ldb"
SSSD_SECRETS = "/var/lib/sss/secrets/secrets.ldb"
SSSD_PUBCONF_DIR = "/var/lib/sss/pubconf"
SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
SSSD_KEYTABS_DIR = "/var/lib/sss/keytabs"
VAR_LOG_AUDIT = "/var/log/audit/audit.log"
VAR_LOG_HTTPD_DIR = "/var/log/httpd"
VAR_LOG_HTTPD_ERROR = "/var/log/httpd/error_log"
@@ -345,7 +372,10 @@ class BasePathNamespace:
IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
IPARESTORE_LOG = "/var/log/iparestore.log"
IPASERVER_ENABLESID_LOG = "/var/log/ipaserver-enable-sid.log"
IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
IPASERVER_ADTRUST_INSTALL_LOG = "/var/log/ipaserver-adtrust-install.log"
IPASERVER_DNS_INSTALL_LOG = "/var/log/ipaserver-dns-install.log"
IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
@@ -371,7 +401,6 @@ class BasePathNamespace:
IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
VAR_RUN_DIRSRV_DIR = "/run/dirsrv"
IPA_CCACHES = "/run/ipa/ccaches"
HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache"
CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/ca-bundle.pem"
KDC_CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
IPA_RENEWAL_LOCK = "/run/ipa/renewal.lock"
@@ -382,16 +411,21 @@ class BasePathNamespace:
ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
CERTMONGER = '/usr/sbin/certmonger'
NETWORK_MANAGER_CONFIG = '/etc/NetworkManager/NetworkManager.conf'
NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
NETWORK_MANAGER_IPA_CONF = '/etc/NetworkManager/conf.d/zzz-ipa.conf'
SYSTEMD_RESOLVED_IPA_CONF = '/etc/systemd/resolved.conf.d/zzz-ipa.conf'
SYSTEMD_RESOLVED_CONF = '/etc/systemd/resolved.conf'
SYSTEMD_RESOLVED_CONF_DIR = '/etc/systemd/resolved.conf.d'
IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
IPA_CUSTODIA_KEYS = '/etc/ipa/custodia/server.keys'
IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
IPA_CUSTODIA_CHECK = "/usr/libexec/ipa/ipa-custodia-check"
IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
IPA_MIGRATE_LOG = '/var/log/ipa-migrate.log'
EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
@@ -433,6 +467,12 @@ class BasePathNamespace:
LIBARCH = "64"
TDBTOOL = '/usr/bin/tdbtool'
SECRETS_TDB = '/var/lib/samba/private/secrets.tdb'
LETS_ENCRYPT_LOG = '/var/log/letsencrypt/letsencrypt.log'
IPA_CCACHE_SWEEPER_GSSPROXY_SOCK = (
"/var/lib/gssproxy/ipa_ccache_sweeper.sock"
)
PAM_CONFIG = None
PASSKEY_CHILD = '/usr/libexec/sssd/passkey_child'
def check_paths(self):
"""Check paths for missing files

13
ipaplatform/base/services.py
View File

@@ -37,12 +37,7 @@ from ipapython import ipautil
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
# pylint: disable=no-name-in-module, import-error
if six.PY3:
from collections.abc import Mapping
else:
from collections import Mapping
# pylint: enable=no-name-in-module, import-error
from collections.abc import Mapping
logger = logging.getLogger(__name__)
@@ -295,6 +290,10 @@ class SystemdService(PlatformService):
# https://bugzilla.redhat.com/show_bug.cgi?id=973331#c11
if instance == "ipa-otpd.socket":
args.append("--ignore-dependencies")
# ipa-ods-exporter is socket-activated, both the service and the
# socket have to be stopped
if instance == "ipa-ods-exporter.service":
args.append("ipa-ods-exporter.socket")
ipautil.run(args, skip_output=not capture_output)
@@ -539,4 +538,4 @@ knownservices = KnownServices({})
# System may support more time&date services. FreeIPA supports chrony only.
# Other services will be disabled during IPA installation
timedate_services = ['ntpd', 'chronyd']
timedate_services = ['ntpd', 'chronyd', 'systemd-timesyncd']

50
ipaplatform/base/tasks.py
View File

@@ -200,7 +200,7 @@ class BaseTaskNamespace:
raise NotImplementedError()
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
sudo=True):
sudo=True, subid=False):
"""
If sssd flag is true, configure pam and nsswitch so that SSSD is used
for retrieving user information and authentication.
@@ -336,7 +336,11 @@ class BaseTaskNamespace:
from ipaplatform.services import knownservices
confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
os.makedirs(confd, exist_ok=True)
if not os.path.isdir(confd):
os.mkdir(confd)
# owned by root, readable by systemd-resolve user
os.chmod(confd, 0o755)
self.restore_context(confd, force=True)
cfg = RESOLVE1_IPA_CONF.format(
searchdomains=" ".join(searchdomains)
@@ -345,6 +349,10 @@ class BaseTaskNamespace:
os.fchmod(f.fileno(), 0o644)
f.write(cfg)
self.restore_context(
paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
)
knownservices["systemd-resolved"].reload_or_restart()
def unconfigure_dns_resolver(self, fstore=None):
@@ -361,6 +369,7 @@ class BaseTaskNamespace:
os.unlink(paths.SYSTEMD_RESOLVED_IPA_CONF)
knownservices["systemd-resolved"].reload_or_restart()
ipautil.remove_directory(paths.SYSTEMD_RESOLVED_CONF_DIR)
def configure_pkcs11_modules(self, fstore):
"""Disable p11-kit modules
@@ -464,43 +473,6 @@ class BaseTaskNamespace:
fstore, 'sudoers', ['sss'],
default_value=['files'])
def enable_ldap_automount(self, statestore):
"""
Point automount to ldap in nsswitch.conf.
This function is for non-SSSD setups only.
"""
conf = IPAChangeConf("IPA Installer")
conf.setOptionAssignment(':')
with open(paths.NSSWITCH_CONF, 'r') as f:
current_opts = conf.parse(f)
current_nss_value = conf.findOpts(
current_opts, name='automount', type='option'
)[1]
if current_nss_value is None:
# no automount database present
current_nss_value = False # None cannot be backed up
else:
current_nss_value = current_nss_value['value']
statestore.backup_state(
'ipa-client-automount-nsswitch', 'previous-automount',
current_nss_value
)
nss_value = ' files ldap'
opts = [
{
'name': 'automount',
'type': 'option',
'action': 'set',
'value': nss_value,
},
{'name': 'empty', 'type': 'empty'},
]
conf.changeConf(paths.NSSWITCH_CONF, opts)
logger.info("Configured %s", paths.NSSWITCH_CONF)
def disable_ldap_automount(self, statestore):
"""Disable automount using LDAP"""
if statestore.get_state(

17
ipaplatform/debian/constants.py
View File

@@ -9,22 +9,25 @@ This Debian family platform module exports platform dependant constants.
# Fallback to default path definitions
from __future__ import absolute_import
from ipaplatform.base.constants import BaseConstantsNamespace
from ipaplatform.base.constants import BaseConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class DebianConstantsNamespace(BaseConstantsNamespace):
HTTPD_USER = "www-data"
HTTPD_GROUP = "www-data"
NAMED_USER = "bind"
NAMED_GROUP = "bind"
HTTPD_USER = User("www-data")
HTTPD_GROUP = Group("www-data")
NAMED_USER = User("bind")
NAMED_GROUP = Group("bind")
NAMED_DATA_DIR = ""
NAMED_ZONE_COMMENT = "//"
# ntpd init variable used for daemon options
NTPD_OPTS_VAR = "NTPD_OPTS"
# quote used for daemon options
NTPD_OPTS_QUOTE = "\'"
ODS_USER = "opendnssec"
ODS_GROUP = "opendnssec"
ODS_USER = User("opendnssec")
ODS_GROUP = Group("opendnssec")
SECURE_NFS_VAR = "NEED_GSSD"
constants = DebianConstantsNamespace()

19
ipaplatform/debian/paths.py
View File

@@ -17,11 +17,8 @@ MULTIARCH = sysconfig.get_config_var('MULTIARCH')
class DebianPathNamespace(BasePathNamespace):
BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_HTTPD_DIR = "/etc/apache2"
HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
HTTPD_ALIAS_DIR = "/etc/apache2/ipa"
HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
@@ -36,13 +33,17 @@ class DebianPathNamespace(BasePathNamespace):
NAMED_CONF_BAK = "/etc/bind/named.conf.ipa-backup"
NAMED_CUSTOM_CONF = "/etc/bind/ipa-ext.conf"
NAMED_CUSTOM_OPTIONS_CONF = "/etc/bind/ipa-options-ext.conf"
NAMED_LOGGING_OPTIONS_CONF = "/etc/bind/ipa-logging-ext.conf"
NAMED_VAR_DIR = "/var/cache/bind"
NAMED_KEYTAB = "/etc/bind/named.keytab"
NAMED_KEYTAB = "/etc/bind/krb5.keytab"
NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
NAMED_ROOT_KEY = "/etc/bind/bind.keys"
NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
CHRONY_CONF = "/etc/chrony/chrony.conf"
OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
OPENSSL_DIR = "/usr/lib/ssl"
OPENSSL_CERTS_DIR = "/usr/lib/ssl/certs"
OPENSSL_PRIVATE_DIR = "/usr/lib/ssl/private"
ETC_DEBIAN_VERSION = "/etc/debian_version"
# Old versions of freeipa wrote all trusted certificates to a single
# file, which is not supported by ca-certificates.
@@ -59,7 +60,7 @@ class DebianPathNamespace(BasePathNamespace):
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
SYSCONFIG_NAMED = "/etc/default/bind9"
SYSCONFIG_NAMED = "/etc/default/named"
SYSCONFIG_NFS = "/etc/default/nfs-common"
SYSCONFIG_NTPD = "/etc/default/ntp"
SYSCONFIG_ODS = "/etc/default/opendnssec"
@@ -70,7 +71,7 @@ class DebianPathNamespace(BasePathNamespace):
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
GSSAPI_SESSION_KEY = "/etc/apache2/ipa/ipasession.key"
OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
@@ -78,8 +79,9 @@ class DebianPathNamespace(BasePathNamespace):
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
BIND_LDAP_SO = "/usr/lib/{0}/bind/ldap.so".format(MULTIARCH)
LIBARCH = "/{0}".format(MULTIARCH)
LIBSOFTHSM2_SO = "/usr/lib/softhsm/libsofthsm2.so"
LIBSOFTHSM2_SO = "/usr/lib/{0}/softhsm/libsofthsm2.so".format(MULTIARCH)
PAM_KRB5_SO = "/usr/lib/{0}/security/pam_krb5.so".format(MULTIARCH)
LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
LIBEXEC_CERTMONGER_DIR = "/usr/lib/certmonger"
@@ -117,6 +119,7 @@ class DebianPathNamespace(BasePathNamespace):
IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_CUSTODIA_HANDLER = "/usr/lib/ipa/custodia"
IPA_CUSTODIA_CHECK = "/usr/lib/ipa/ipa-custodia-check"
WSGI_PREFIX_DIR = "/run/apache2/wsgi"
paths = DebianPathNamespace()

6
ipaplatform/debian/services.py
View File

@@ -20,12 +20,14 @@ debian_system_units = redhat_services.redhat_system_units.copy()
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
debian_system_units['chronyd'] = 'chrony.service'
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
debian_system_units['named-regular'] = 'bind9.service'
debian_system_units['named-regular'] = 'named.service'
debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
debian_system_units['named'] = debian_system_units['named-pkcs11']
debian_system_units['named'] = debian_system_units['named-regular']
debian_system_units['ntpd'] = 'ntp.service'
debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
debian_system_units['ods-enforcerd'] = 'opendnssec-enforcer.service'

9
ipaplatform/debian/tasks.py
View File

@@ -42,7 +42,8 @@ class DebianTaskNamespace(RedHatTaskNamespace):
return True
@staticmethod
def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True):
def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True,
subid=False):
if mkhomedir:
try:
ipautil.run(["pam-auth-update",
@@ -202,11 +203,7 @@ Serial Number (hex): {cert.serial_number:#x}
return True
# Debian doesn't use authselect, so call enable/disable_ldap_automount
# from BaseTaskNamespace.
def enable_ldap_automount(self, statestore):
return BaseTaskNamespace.enable_ldap_automount(self, statestore)
# Debian doesn't use authselect, so call disable_ldap_automount
def disable_ldap_automount(self, statestore):
return BaseTaskNamespace.disable_ldap_automount(self, statestore)

9
ipaplatform/fedora/constants.py
View File

@@ -9,7 +9,9 @@ This Fedora base platform module exports platform related constants.
# Fallback to default constant definitions
from __future__ import absolute_import
from ipaplatform.redhat.constants import RedHatConstantsNamespace
from ipaplatform.redhat.constants import (
RedHatConstantsNamespace, User, Group
)
from ipaplatform.osinfo import osinfo
# Fedora 28 and earlier use /etc/sysconfig/nfs
@@ -18,6 +20,9 @@ from ipaplatform.osinfo import osinfo
HAS_NFS_CONF = osinfo.version_number >= (30,)
__all__ = ("constants", "User", "Group")
class FedoraConstantsNamespace(RedHatConstantsNamespace):
# Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
# can't coexist. For Apache to load correct module.
@@ -27,4 +32,6 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
NAMED_OPENSSL_ENGINE = "pkcs11"
constants = FedoraConstantsNamespace()

4
ipaplatform/fedora/services.py
View File

@@ -29,6 +29,8 @@ from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
fedora_system_units['named'] = fedora_system_units['named-regular']
fedora_system_units['named-conflict'] = fedora_system_units['named-pkcs11']
# Service classes that implement Fedora-specific behaviour
@@ -41,6 +43,8 @@ class FedoraService(redhat_services.RedHatService):
# of specified name
def fedora_service_class_factory(name, api=None):
if name in ['named', 'named-conflict']:
return FedoraService(name, api)
return redhat_services.redhat_service_class_factory(name, api)

5
ipaplatform/fedora_container/constants.py
View File

@@ -3,7 +3,10 @@
#
"""Fedora container constants
"""
from ipaplatform.fedora.constants import FedoraConstantsNamespace
from ipaplatform.fedora.constants import FedoraConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class FedoraContainerConstantsNamespace(FedoraConstantsNamespace):

13
ipaplatform/fedora_container/paths.py
View File

@@ -20,11 +20,24 @@ class FedoraContainerPathNamespace(FedoraPathNamespace):
NAMED_CUSTOM_OPTIONS_CONF = data(
FedoraPathNamespace.NAMED_CUSTOM_OPTIONS_CONF
)
NAMED_LOGGING_OPTIONS_CONF = data(
FedoraPathNamespace.NAMED_LOGGING_OPTIONS_CONF
)
NSSWITCH_CONF = data(FedoraPathNamespace.NSSWITCH_CONF)
PKI_CONFIGURATION = data(FedoraPathNamespace.PKI_CONFIGURATION)
SAMBA_DIR = data(FedoraPathNamespace.SAMBA_DIR)
HTTPD_IPA_WSGI_MODULES_CONF = None
HTTPD_PASSWD_FILE_FMT = data(FedoraPathNamespace.HTTPD_PASSWD_FILE_FMT)
# In some contexts, filesystem mounts may be owned by unmapped users
# (e.g. "emptyDir" mounts in Kubernetes / OpenShift when using user
# namespaces). This causes systemd-tmpfiles(8) to fail, as a
# consequence of systemd's path processing routines which reject
# this scenario. Therefore we provide a way to substitute
# systemd-tmpfiles with a "clone" program.
#
SYSTEMD_TMPFILES = os.environ.get(
'IPA_TMPFILES_PROG', FedoraPathNamespace.SYSTEMD_TMPFILES)
paths = FedoraContainerPathNamespace()

2
ipaplatform/fedora_container/tasks.py
View File

@@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
class FedoraContainerTaskNamespace(FedoraTaskNamespace):
def modify_nsswitch_pam_stack(
self, sssd, mkhomedir, statestore, sudo=True
self, sssd, mkhomedir, statestore, sudo=True, subid=False
):
# freeipa-container images are preconfigured
# authselect select sssd with-sudo --force

15
ipaplatform/ipaplatform.egg-info/PKG-INFO
View File

@@ -1,16 +1,14 @@
Metadata-Version: 1.2
Metadata-Version: 2.1
Name: ipaplatform
Version: 4.8.10
Version: 4.12.4
Summary: FreeIPA platform
Home-page: https://www.freeipa.org/
Download-URL: https://www.freeipa.org/page/Downloads
Author: FreeIPA Developers
Author-email: freeipa-devel@lists.fedorahosted.org
Maintainer: FreeIPA Developers
Maintainer-email: freeipa-devel@redhat.com
License: GPLv3
Download-URL: https://www.freeipa.org/page/Downloads
Description: FreeIPA platform
Platform: Linux
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: System Administrators
@@ -27,3 +25,10 @@ Classifier: Topic :: Internet :: Name Service (DNS)
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP
Requires-Python: >=3.6.0
License-File: ../COPYING
Requires-Dist: cffi
Requires-Dist: ipapython==4.12.4
Requires-Dist: pyasn1
Requires-Dist: six
FreeIPA platform

81
ipaplatform/ipaplatform.egg-info/SOURCES.txt
View File

@@ -9,7 +9,71 @@ services.py
setup.cfg
setup.py
tasks.py
./__init__.py
./_importhook.py
./constants.py
./osinfo.py
./override.py
./paths.py
./services.py
./tasks.py
../COPYING
./base/__init__.py
./base/constants.py
./base/paths.py
./base/services.py
./base/tasks.py
./debian/__init__.py
./debian/constants.py
./debian/paths.py
./debian/services.py
./debian/tasks.py
./fedora/__init__.py
./fedora/constants.py
./fedora/paths.py
./fedora/services.py
./fedora/tasks.py
./fedora_container/__init__.py
./fedora_container/constants.py
./fedora_container/paths.py
./fedora_container/services.py
./fedora_container/tasks.py
./nixos/__init__.py
./nixos/constants.py
./nixos/paths.py
./nixos/services.py
./nixos/tasks.py
./opencloudos/__init__.py
./opencloudos/constants.py
./opencloudos/paths.py
./opencloudos/services.py
./opencloudos/tasks.py
./redhat/__init__.py
./redhat/authconfig.py
./redhat/constants.py
./redhat/paths.py
./redhat/services.py
./redhat/tasks.py
./rhel/__init__.py
./rhel/constants.py
./rhel/paths.py
./rhel/services.py
./rhel/tasks.py
./rhel_container/__init__.py
./rhel_container/constants.py
./rhel_container/paths.py
./rhel_container/services.py
./rhel_container/tasks.py
./suse/__init__.py
./suse/constants.py
./suse/paths.py
./suse/services.py
./suse/tasks.py
./tencentos/__init__.py
./tencentos/constants.py
./tencentos/paths.py
./tencentos/services.py
./tencentos/tasks.py
base/__init__.py
base/constants.py
base/paths.py
@@ -35,6 +99,16 @@ ipaplatform.egg-info/SOURCES.txt
ipaplatform.egg-info/dependency_links.txt
ipaplatform.egg-info/requires.txt
ipaplatform.egg-info/top_level.txt
nixos/__init__.py
nixos/constants.py
nixos/paths.py
nixos/services.py
nixos/tasks.py
opencloudos/__init__.py
opencloudos/constants.py
opencloudos/paths.py
opencloudos/services.py
opencloudos/tasks.py
redhat/__init__.py
redhat/authconfig.py
redhat/constants.py
@@ -55,4 +129,9 @@ suse/__init__.py
suse/constants.py
suse/paths.py
suse/services.py
suse/tasks.py
suse/tasks.py
tencentos/__init__.py
tencentos/constants.py
tencentos/paths.py
tencentos/services.py
tencentos/tasks.py

2
ipaplatform/ipaplatform.egg-info/requires.txt
View File

@@ -1,4 +1,4 @@
cffi
ipapython==4.8.10
ipapython==4.12.4
pyasn1
six

18
ipaplatform/nixos/__init__.py Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
#
'''
This module contains Nixos specific platform files.
'''
import sys
import warnings
NAME = 'nixos'
if sys.version_info < (3, 6):
warnings.warn(
"Support for Python 2.7 and 3.5 is deprecated. Python version "
"3.6 or newer will be required in the next major release.",
category=DeprecationWarning
)

32
ipaplatform/nixos/constants.py Normal file
View File

@@ -0,0 +1,32 @@
#
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
#
'''
This nixos base platform module exports platform related constants.
'''
# Fallback to default constant definitions
from __future__ import absolute_import
from ipaplatform.redhat.constants import (
RedHatConstantsNamespace, User, Group
)
HAS_NFS_CONF = True
__all__ = ("constants", "User", "Group")
class NixosConstantsNamespace(RedHatConstantsNamespace):
MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
NAMED_OPENSSL_ENGINE = "pkcs11"
constants = NixosConstantsNamespace()

24
ipaplatform/nixos/paths.py Normal file
View File

@@ -0,0 +1,24 @@
#
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
#
from ipaplatform.fedora.paths import FedoraPathNamespace
# Note that we cannot use real paths, as they will be meaningless on nixos, as
# nixos stores all its packages in the nixstore under version/hash specific
# paths. The `@xxx@` are placeholders which will be instantiated to the correct
# nixstore paths at build time, by the nixpkgs freeipa derivation.
class NixOSPathNamespace(FedoraPathNamespace):
SBIN_IPA_JOIN = "@out@/bin/ipa-join"
IPA_GETCERT = "@out@/bin/ipa-getcert"
IPA_RMKEYTAB = "@out@/bin/ipa-rmkeytab"
IPA_GETKEYTAB = "@out@/bin/ipa-getkeytab"
NSUPDATE = "@bind@/bin/nsupdate"
BIN_CURL = "@curl@/bin/curl"
KINIT = "@kerberos@/bin/kinit"
KDESTROY = "@kerberos@/bin/kdestroy"
paths = NixOSPathNamespace()

46
ipaplatform/nixos/services.py Normal file
View File

@@ -0,0 +1,46 @@
#
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
#
"""
Contains Nixos-specific service class implementations.
"""
from __future__ import absolute_import
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
nixos_system_units = redhat_services.redhat_system_units.copy()
nixos_system_units['named'] = nixos_system_units['named-regular']
nixos_system_units['named-conflict'] = nixos_system_units['named-pkcs11']
# Service classes that implement nixos-specific behaviour
class nixosService(redhat_services.RedHatService):
system_units = nixos_system_units
# Function that constructs proper nixos-specific server classes for services
# of specified name
def nixos_service_class_factory(name, api=None):
if name in ['named', 'named-conflict']:
return nixosService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
# Magicdict containing nixosService instances.
class NixosServices(redhat_services.RedHatServices):
def service_class_factory(self, name, api=None):
return nixos_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = redhat_services.timedate_services
service = nixos_service_class_factory
knownservices = NixosServices()

29
ipaplatform/nixos/tasks.py Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright (C) 2022 FreeIPA Contributors see COPYING for license
#
'''
This module contains default nixos-specific implementations of system tasks.
'''
from __future__ import absolute_import
from ipapython import directivesetter
from ipaplatform.redhat.tasks import RedHatTaskNamespace
from ipaplatform.paths import paths
class NixosTaskNamespace(RedHatTaskNamespace):
def configure_httpd_protocol(self):
# On nixos 31 and earlier DEFAULT crypto-policy has TLS 1.0 and 1.1
# enabled.
directivesetter.set_directive(
paths.HTTPD_SSL_CONF,
'SSLProtocol',
"all -SSLv3 -TLSv1 -TLSv1.1",
False
)
tasks = NixosTaskNamespace()

9
ipaplatform/opencloudos/__init__.py Normal file
View File

@@ -0,0 +1,9 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This module contains OpenCloudOS family-specific platform files.
"""
NAME = "opencloudos"

23
ipaplatform/opencloudos/constants.py Normal file
View File

@@ -0,0 +1,23 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This OpenCloudOS family base platform module exports platform related constants.
"""
# Fallback to default path definitions
from __future__ import absolute_import
from ipaplatform.redhat.constants import RedHatConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class OpenCloudOSConstantsNamespace(RedHatConstantsNamespace):
SECURE_NFS_VAR = None
NAMED_OPENSSL_ENGINE = "pkcs11"
constants = OpenCloudOSConstantsNamespace()

20
ipaplatform/opencloudos/paths.py Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This OpenCloudOS family base platform module exports default filesystem paths
as common in OpenCloudOS family-based systems.
"""
from __future__ import absolute_import
from ipaplatform.redhat.paths import RedHatPathNamespace
class OpenCloudOSPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
SYSCONFIG_NFS = "/etc/nfs.conf"
paths = OpenCloudOSPathNamespace()

51
ipaplatform/opencloudos/services.py Normal file
View File

@@ -0,0 +1,51 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
Contains OpenCloudOS family-specific service class implementations.
"""
from __future__ import absolute_import
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
opencloudos_system_units = redhat_services.redhat_system_units.copy()
opencloudos_system_units["named"] = opencloudos_system_units["named-regular"]
opencloudos_system_units["named-conflict"] = \
opencloudos_system_units["named-pkcs11"]
# Service classes that implement OpenCloudOS family-specific behaviour
class OpenCloudOSService(redhat_services.RedHatService):
system_units = opencloudos_system_units
# Function that constructs proper OpenCloudOS family-specific server classes
# for services of specified name
def opencloudos_service_class_factory(name, api=None):
if name in ["named", "named-conflict"]:
return OpenCloudOSService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
# Magicdict containing OpenCloudOSService instances.
class OpenCloudOSServices(redhat_services.RedHatServices):
def service_class_factory(self, name, api=None):
return opencloudos_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = redhat_services.timedate_services
service = opencloudos_service_class_factory
knownservices = OpenCloudOSServices()

19
ipaplatform/opencloudos/tasks.py Normal file
View File

@@ -0,0 +1,19 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This module contains default OpenCloudOS family-specific implementations of
system tasks.
"""
from __future__ import absolute_import
from ipaplatform.redhat.tasks import RedHatTaskNamespace
class OpenCloudOSTaskNamespace(RedHatTaskNamespace):
pass
tasks = OpenCloudOSTaskNamespace()

2
ipaplatform/osinfo.py
View File

@@ -218,7 +218,7 @@ class OSInfo(Mapping):
def container(self):
if self._container is not None:
return self._container
from ipaplatform.tasks import tasks
from ipaplatform.tasks import tasks # pylint: disable=cyclic-import
try:
self._container = tasks.detect_container()
except NotImplementedError:

14
ipaplatform/redhat/authconfig.py
View File

@@ -101,7 +101,8 @@ class RedHatAuthSelect(RedHatAuthToolBase):
features = output_items[1:]
return profile, features
def configure(self, sssd, mkhomedir, statestore, sudo=True):
def configure(self, sssd, mkhomedir, statestore, sudo=True,
subid=False):
# In the statestore, the following keys are used for the
# 'authselect' module:
# Old method:
@@ -121,6 +122,8 @@ class RedHatAuthSelect(RedHatAuthToolBase):
statestore.backup_state('authselect', 'mkhomedir', True)
if sudo:
cmd.append("with-sudo")
if subid:
cmd.append("with-subid")
cmd.append("--force")
cmd.append("--backup={}".format(backup_name))
@@ -129,7 +132,14 @@ class RedHatAuthSelect(RedHatAuthToolBase):
def unconfigure(
self, fstore, statestore, was_sssd_installed, was_sssd_configured
):
if not statestore.has_state('authselect') and was_sssd_installed:
# If the installation failed before doing the authselect part
# nothing to do here
complete = statestore.get_state('installation', 'complete')
if complete is not None and not complete and \
not statestore.has_state('authselect'):
return
if not statestore.has_state('authselect'):
logger.warning(
"WARNING: Unable to revert to the pre-installation state "
"('authconfig' tool has been deprecated in favor of "

5
ipaplatform/redhat/constants.py
View File

@@ -10,7 +10,10 @@ related constants for the Red Hat OS family-based systems.
# Fallback to default path definitions
from __future__ import absolute_import
from ipaplatform.base.constants import BaseConstantsNamespace
from ipaplatform.base.constants import BaseConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class RedHatConstantsNamespace(BaseConstantsNamespace):

3
ipaplatform/redhat/paths.py
View File

@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BasePathNamespace
class RedHatPathNamespace(BasePathNamespace):
CRYPTO_POLICY_OPENSSLCNF_FILE = (
'/etc/crypto-policies/back-ends/opensslcnf.config'
)
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64

1
ipaplatform/redhat/services.py
View File

@@ -68,6 +68,7 @@ redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
redhat_system_units['named-conflict'] = redhat_system_units['named-regular']
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'

32
ipaplatform/redhat/tasks.py
View File

@@ -56,7 +56,7 @@ logger = logging.getLogger(__name__)
# /etc/pkcs11/modules override
# base filen ame, module, list of disabled-in
# base filename, module, list of disabled-in
# 'p11-kit-proxy' disables proxying of module, see man(5) pkcs11.conf
PKCS11_MODULES = [
('softhsm2', paths.LIBSOFTHSM2_SO, ['p11-kit-proxy']),
@@ -245,9 +245,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
f.writelines(content)
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
sudo=True):
sudo=True, subid=False):
auth_config = get_auth_tool()
auth_config.configure(sssd, mkhomedir, statestore, sudo)
auth_config.configure(sssd, mkhomedir, statestore, sudo, subid)
def is_nosssd_supported(self):
# The flag --no-sssd is not supported any more for rhel-based distros
@@ -513,15 +513,15 @@ class RedHatTaskNamespace(BaseTaskNamespace):
"""Tell systemd to reload config files"""
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
def configure_http_gssproxy_conf(self, ipaapi_user):
def configure_http_gssproxy_conf(self, ipauser):
ipautil.copy_template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
paths.GSSPROXY_CONF,
dict(
HTTP_KEYTAB=paths.HTTP_KEYTAB,
HTTP_CCACHE=paths.HTTP_CCACHE,
HTTPD_USER=constants.HTTPD_USER,
IPAAPI_USER=ipaapi_user,
IPAAPI_USER=ipauser,
SWEEPER_SOCKET=paths.IPA_CCACHE_SWEEPER_GSSPROXY_SOCK,
)
)
@@ -756,16 +756,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
"{}.module".format(name))
for name, _module, _disabled in PKCS11_MODULES)
def enable_ldap_automount(self, statestore):
"""
Point automount to ldap in nsswitch.conf.
This function is for non-SSSD setups only.
"""
super(RedHatTaskNamespace, self).enable_ldap_automount(statestore)
authselect_cmd = [paths.AUTHSELECT, "enable-feature",
"with-custom-automount"]
ipautil.run(authselect_cmd)
def enable_sssd_sudo(self, _fstore):
"""sudo enablement is handled by authselect"""
def disable_ldap_automount(self, statestore):
"""Disable ldap-based automount"""
@@ -773,6 +765,12 @@ class RedHatTaskNamespace(BaseTaskNamespace):
authselect_cmd = [paths.AUTHSELECT, "disable-feature",
"with-custom-automount"]
ipautil.run(authselect_cmd)
try:
ipautil.run(authselect_cmd)
except ipautil.CalledProcessError:
logger.info("Unable to disable with-custom-automount feature")
logger.info("It may happen if the configuration was done "
"using authconfig instead of authselect")
tasks = RedHatTaskNamespace()

11
ipaplatform/rhel/constants.py
View File

@@ -9,12 +9,19 @@ This RHEL base platform module exports platform related constants.
# Fallback to default constant definitions
from __future__ import absolute_import
from ipaplatform.redhat.constants import RedHatConstantsNamespace
from ipaplatform.redhat.constants import (
RedHatConstantsNamespace, User, Group
)
from ipaplatform.osinfo import osinfo
# RHEL 7 and earlier use /etc/sysconfig/nfs
# RHEL 8 uses /etc/nfs.conf
HAS_NFS_CONF = osinfo.version_number >= (8,)
# RHEL 9 uses pkcs11 as openssl engine
HAS_PKCS11_OPENSSL_ENGINE = osinfo.version_number >= (9,)
__all__ = ("constants", "User", "Group")
class RHELConstantsNamespace(RedHatConstantsNamespace):
@@ -22,5 +29,7 @@ class RHELConstantsNamespace(RedHatConstantsNamespace):
IPA_DNS_PACKAGE_NAME = "ipa-server-dns"
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
if HAS_PKCS11_OPENSSL_ENGINE:
NAMED_OPENSSL_ENGINE = "pkcs11"
constants = RHELConstantsNamespace()

1
ipaplatform/rhel/paths.py
View File

@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'

6
ipaplatform/rhel/services.py
View File

@@ -24,11 +24,15 @@ Contains RHEL-specific service class implementations.
from __future__ import absolute_import
from ipaplatform.osinfo import osinfo
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
rhel_system_units = redhat_services.redhat_system_units.copy()
if osinfo.version_number >= (9,):
rhel_system_units['named'] = rhel_system_units['named-regular']
rhel_system_units['named-conflict'] = rhel_system_units['named-pkcs11']
# Service classes that implement RHEL-specific behaviour
@@ -41,6 +45,8 @@ class RHELService(redhat_services.RedHatService):
# of specified name
def rhel_service_class_factory(name, api=None):
if name in ['named', 'named-conflict']:
return RHELService(name, api)
return redhat_services.redhat_service_class_factory(name, api)

5
ipaplatform/rhel_container/constants.py
View File

@@ -3,7 +3,10 @@
#
"""RHEL container constants
"""
from ipaplatform.rhel.constants import RHELConstantsNamespace
from ipaplatform.rhel.constants import RHELConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class RHELContainerConstantsNamespace(RHELConstantsNamespace):

13
ipaplatform/rhel_container/paths.py
View File

@@ -20,11 +20,24 @@ class RHELContainerPathNamespace(RHELPathNamespace):
NAMED_CUSTOM_OPTIONS_CONF = data(
RHELPathNamespace.NAMED_CUSTOM_OPTIONS_CONF
)
NAMED_LOGGING_OPTIONS_CONF = data(
RHELPathNamespace.NAMED_LOGGING_OPTIONS_CONF
)
NSSWITCH_CONF = data(RHELPathNamespace.NSSWITCH_CONF)
PKI_CONFIGURATION = data(RHELPathNamespace.PKI_CONFIGURATION)
SAMBA_DIR = data(RHELPathNamespace.SAMBA_DIR)
HTTPD_IPA_WSGI_MODULES_CONF = None
HTTPD_PASSWD_FILE_FMT = data(RHELPathNamespace.HTTPD_PASSWD_FILE_FMT)
# In some contexts, filesystem mounts may be owned by unmapped users
# (e.g. "emptyDir" mounts in Kubernetes / OpenShift when using user
# namespaces). This causes systemd-tmpfiles(8) to fail, as a
# consequence of systemd's path processing routines which reject
# this scenario. Therefore we provide a way to substitute
# systemd-tmpfiles with a "clone" program.
#
SYSTEMD_TMPFILES = os.environ.get(
'IPA_TMPFILES_PROG', RHELPathNamespace.SYSTEMD_TMPFILES)
paths = RHELContainerPathNamespace()

2
ipaplatform/rhel_container/tasks.py
View File

@@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
class RHELContainerTaskNamespace(RHELTaskNamespace):
def modify_nsswitch_pam_stack(
self, sssd, mkhomedir, statestore, sudo=True
self, sssd, mkhomedir, statestore, sudo=True, subid=False
):
# freeipa-container images are preconfigured
# authselect select sssd with-sudo --force

5
ipaplatform/setup.py
View File

@@ -37,10 +37,13 @@ if __name__ == '__main__':
"ipaplatform.debian",
"ipaplatform.fedora",
"ipaplatform.fedora_container",
"ipaplatform.nixos",
"ipaplatform.redhat",
"ipaplatform.rhel",
"ipaplatform.rhel_container",
"ipaplatform.suse"
"ipaplatform.suse",
"ipaplatform.opencloudos",
"ipaplatform.tencentos"
],
install_requires=[
"cffi",

11
ipaplatform/suse/constants.py
View File

@@ -8,14 +8,17 @@ related constants for the SUSE OS family-based systems.
"""
# Fallback to default path definitions
from ipaplatform.base.constants import BaseConstantsNamespace
from ipaplatform.base.constants import BaseConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class SuseConstantsNamespace(BaseConstantsNamespace):
HTTPD_USER = "wwwrun"
HTTPD_GROUP = "www"
HTTPD_USER = User("wwwrun")
HTTPD_GROUP = Group("www")
# Don't have it yet
SSSD_USER = "root"
SSSD_USER = User("root")
TLS_HIGH_CIPHERS = None

6
ipaplatform/suse/paths.py
View File

@@ -27,8 +27,12 @@ class SusePathNamespace(BasePathNamespace):
HTTPD_PASSWORD_CONF = "/etc/apache2/ipa/password.conf"
NAMED_CUSTOM_CONF = "/etc/named.d/ipa-ext.conf"
NAMED_CUSTOM_OPTIONS_CONF = "/etc/named.d/ipa-options-ext.conf"
NAMED_LOGGING_OPTIONS_CONF = "/etc/named.d/ipa-logging-ext.conf"
NAMED_VAR_DIR = "/var/lib/named"
NAMED_MANAGED_KEYS_DIR = "/var/lib/named/dyn"
OPENSSL_DIR = "/etc/ssl"
OPENSSL_CERTS_DIR = "/etc/ssl/certs"
OPENSSL_PRIVATE_DIR = "/etc/ssl/private"
IPA_P11_KIT = "/etc/pki/trust/ipa.p11-kit"
# Those files are only here to be able to configure them, we copy those in
# rpm spec to fillupdir
@@ -82,7 +86,7 @@ class SusePathNamespace(BasePathNamespace):
KDESTROY = "/usr/lib/mit/bin/kdestroy"
BIN_KVNO = "/usr/lib/mit/bin/kvno"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
AUTHSELECT = "/usr/bin/authselect"
PAM_CONFIG = "/usr/sbin/pam-config"
paths = SusePathNamespace()

19
ipaplatform/suse/services.py
View File

@@ -17,7 +17,6 @@ suse_system_units = dict(
(x, "%s.service" % x) for x in base_services.wellknownservices
)
suse_system_units["httpd"] = "apache2.service"
suse_system_units["dirsrv"] = "dirsrv@.service"
suse_system_units["pki-tomcatd"] = "pki-tomcatd@pki-tomcat.service"
suse_system_units["pki_tomcatd"] = suse_system_units["pki-tomcatd"]
@@ -163,9 +162,25 @@ class SuseCAService(SuseService):
return False
# For services which have no SUSE counterpart
class SuseNoService(base_services.PlatformService):
def start(self):
pass
def stop(self):
pass
def restart(self):
pass
def disable(self):
pass
def suse_service_class_factory(name, api):
if name == "dirsrv":
return SuseDirectoryService(name, api)
if name == 'domainname':
return SuseNoService(name, api)
if name == "ipa":
return SuseIPAService(name, api)
if name in ("pki-tomcatd", "pki_tomcatd"):
@@ -189,6 +204,6 @@ class SuseServices(base_services.KnownServices):
super().__init__(services)
timedate_services = ["ntpd"]
timedate_services = base_services.timedate_services
service = suse_service_class_factory
knownservices = SuseServices()

77
ipaplatform/suse/tasks.py
View File

@@ -10,7 +10,9 @@ system tasks.
import logging
from ipaplatform.paths import paths
from ipaplatform.base.tasks import BaseTaskNamespace as BaseTask
from ipaplatform.redhat.tasks import RedHatTaskNamespace
from ipapython import ipautil
logger = logging.getLogger(__name__)
@@ -42,5 +44,80 @@ class SuseTaskNamespace(RedHatTaskNamespace):
def set_selinux_booleans(self, required_settings, backup_func=None):
return False # FIXME: Implement after libexec move
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
sudo=True, subid=False):
# pylint: disable=ipa-forbidden-import
from ipalib import sysrestore # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
logger.debug('Enabling SSSD in nsswitch')
BaseTask.configure_nsswitch_database(self, fstore, 'group',
['sss'], default_value=['compat'])
BaseTask.configure_nsswitch_database(self, fstore, 'passwd',
['sss'], default_value=['compat'])
BaseTask.configure_nsswitch_database(self, fstore, 'shadow',
['sss'], default_value=['compat'])
BaseTask.configure_nsswitch_database(self, fstore, 'netgroup',
['files','sss'], preserve=False,
default_value=['files','nis'])
BaseTask.configure_nsswitch_database(self, fstore, 'automount',
['files','sss'], preserve=False,
default_value=['files','nis'])
if sudo:
BaseTask.enable_sssd_sudo(self,fstore)
logger.debug('Enabling sss in PAM')
try:
ipautil.run([paths.PAM_CONFIG, '--add', '--sss'])
if mkhomedir:
logger.debug('Enabling mkhomedir in PAM')
try:
ipautil.run([paths.PAM_CONFIG, '--add', '--mkhomedir',
'--mkhomedir-umask=0077'])
except ipautil.CalledProcessError:
logger.debug('Failed to configure PAM mkhomedir')
return False
except ipautil.CalledProcessError:
logger.debug('Failed to configure PAM to use SSSD')
return False
return True
def restore_pre_ipa_client_configuration(self, fstore, statestore,
was_sssd_installed,
was_sssd_configured):
if fstore.has_file(paths.NSSWITCH_CONF):
logger.debug('Restoring nsswitch from fstore')
fstore.restore_file(paths.NSSWITCH_CONF)
else:
logger.info('nsswitch not restored')
return False
try:
logger.debug('Removing sssd from PAM')
ipautil.run([paths.PAM_CONFIG, '--delete', '--mkhomedir'])
ipautil.run([paths.PAM_CONFIG, '--delete', '--sss'])
logger.debug('Removing sssd from PAM successed')
except ipautil.CalledProcessError:
logger.debug('Faled to remove sssd from PAM')
return False
return True
def disable_ldap_automount(self, statestore):
# SUSE does not use authconfig or authselect
return BaseTask.disable_ldap_automount(self, statestore)
def modify_pam_to_use_krb5(self, statestore):
# SUSE doesn't use authconfig, this is handled by pam-config
return True
def backup_auth_configuration(self, path):
# SUSE doesn't use authconfig, nothing to backup
return True
def restore_auth_configuration(self, path):
# SUSE doesn't use authconfig, nothing to restore
return True
def migrate_auth_configuration(self, statestore):
# SUSE doesn't have authselect
return True
tasks = SuseTaskNamespace()

10
ipaplatform/tencentos/__init__.py Normal file
View File

@@ -0,0 +1,10 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This module contains TencentOS specific platform files.
"""
NAME = "tencentos"

23
ipaplatform/tencentos/constants.py Normal file
View File

@@ -0,0 +1,23 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This TencentOS base platform module exports platform related constants.
"""
# Fallback to default path definitions
from __future__ import absolute_import
from ipaplatform.redhat.constants import RedHatConstantsNamespace, User, Group
__all__ = ("constants", "User", "Group")
class TencentOSConstantsNamespace(RedHatConstantsNamespace):
SECURE_NFS_VAR = None
NAMED_OPENSSL_ENGINE = "pkcs11"
constants = TencentOSConstantsNamespace()

20
ipaplatform/tencentos/paths.py Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This TencentOS base platform module exports default filesystem paths
as common in TencentOS-based systems.
"""
from __future__ import absolute_import
from ipaplatform.redhat.paths import RedHatPathNamespace
class TencentOSPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
SYSCONFIG_NFS = "/etc/nfs.conf"
paths = TencentOSPathNamespace()

51
ipaplatform/tencentos/services.py Normal file
View File

@@ -0,0 +1,51 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
Contains TencentOS specific service class implementations.
"""
from __future__ import absolute_import
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
tencentos_system_units = redhat_services.redhat_system_units.copy()
tencentos_system_units["named"] = tencentos_system_units["named-regular"]
tencentos_system_units["named-conflict"] = \
tencentos_system_units["named-pkcs11"]
# Service classes that implement TencentOS-specific behaviour
class TencentOSService(redhat_services.RedHatService):
system_units = tencentos_system_units
# Function that constructs proper TencentOS-specific server classes for
# services of specified name
def tencentos_service_class_factory(name, api=None):
if name in ["named", "named-conflict"]:
return TencentOSService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
# Magicdict containing TencentOSService instances.
class TencentOSServices(redhat_services.RedHatServices):
def service_class_factory(self, name, api=None):
return tencentos_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = redhat_services.timedate_services
service = tencentos_service_class_factory
knownservices = TencentOSServices()

18
ipaplatform/tencentos/tasks.py Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
#
"""
This module contains default TencentOS-specific implementations of system tasks.
"""
from __future__ import absolute_import
from ipaplatform.redhat.tasks import RedHatTaskNamespace
class TencentOSTaskNamespace(RedHatTaskNamespace):
pass
tasks = TencentOSTaskNamespace()