URL: https://github.com/freeipa/freeipa/pull/795 Author: MartinBasti Title: #795: dnskeysyncd: enable authlogin_nsswitch_use_ldap boolean Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/795/head:pr795 git checkout pr795
From f7d45ef02d2e66d80c7a8a6a343bba05e92b7f6d Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 18 May 2017 16:40:05 +0200
Subject: [PATCH] dnskeysyncd: enable authlogin_nsswitch_use_ldap boolean
ipa-dnskeysyncd requires authlogin_nsswitch_use_ldap boolean to be able to connect to LDAP
https://pagure.io/freeipa/issue/6957
---
 ipaplatform/base/constants.py | 3 +++
 ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++++++++
 ipaserver/install/server/upgrade.py | 1 +
 3 files changed, 23 insertions(+)
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index dccb0e7..5bc553f 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -27,4 +27,7 @@ class BaseConstantsNamespace(object):
 ODS_GROUP = "ods"
 # nfsd init variable used to enable kerberized NFS
 SECURE_NFS_VAR = "SECURE_NFS"
+ SELINUX_BOOLEAN_DNSKEYSYNCD = {
+ 'authlogin_nsswitch_use_ldap': 'on',
+ }
 SSSD_USER = "sssd"
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 3849626..eb547f2 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -15,6 +15,7 @@
 from ipaserver import p11helper as _ipap11helper
 from ipapython.dnsutil import DNSName
+from ipapython.errors import SetseboolError
 from ipaserver.install import service
 from ipaserver.install import installutils
 from ipapython.ipa_log_manager import root_logger
@@ -22,6 +23,7 @@
 from ipapython import ipautil
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
 from ipalib import errors, api
 from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaserver.install.bindinstance import dns_container_exists
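Review bot: `SELINUX_BOOLEAN_DNSKEYSYNCD` in ipaplatform/base/constants.py has no comment saying why the boolean is needed or how widely it applies. As far as I know, `authlogin_nsswitch_use_ldap` is a policy-wide tunable that lets every confined domain using nsswitch open LDAP connections, not only ipa-dnskeysyncd, so enabling it for one daemon relaxes confinement for the others too. I would record that above the dict, for example `# Needed so ipa-dnskeysyncd can reach LDAP (https://pagure.io/freeipa/issue/6957); host-wide boolean, not scoped to the daemon`. A narrower rule for the daemon's own domain would be worth tracking as follow-up.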
@@ -115,6 +117,7 @@ def create_instance(self, fqdn, realm_name):
 self.step("setting up SoftHSM", self.__setup_softhsm)
 self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
 self.step("creating replica keys", self.__setup_replica_keys)
+ self.step("configuring SELinux", self.configure_selinux)
 self.step("configuring ipa-dnskeysyncd to start on boot", self.__enable)
 # we need restart named after setting up this service
 self.start_creation()
@@ -443,6 +446,12 @@ def __start(self):
 print("Failed to start ipa-dnskeysyncd")
 self.logger.debug("Failed to start ipa-dnskeysyncd: %s", e)
+ def configure_selinux(self):
+ try:
+ tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_DNSKEYSYNCD,
+ self.backup_state)
+ except SetseboolError as e:
+ self.print_msg(e.format_service_warning('ipa-dnskeysyncd'))
 def uninstall(self):
 if self.is_configured():
@@ -472,3 +481,13 @@ def uninstall(self):
 pass
 installutils.remove_keytab(self.keytab)
+
+ # Restore SELinux boolean states
+ boolean_states = {
+ name: self.restore_state(name)
+ for name in constants.SELINUX_BOOLEAN_DNSKEYSYNCD
+ }
+ try:
+ tasks.set_selinux_booleans(boolean_states)
+ except SetseboolError as e:
+ self.print_msg('WARNING: {}'.format(e))
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5e5c837..f77bceb 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1725,6 +1725,7 @@ def upgrade_configuration():
 if not dnskeysyncd.is_configured():
 dnskeysyncd.create_instance(fqdn, api.env.realm)
 dnskeysyncd.start_dnskeysyncd()
+ dnskeysyncd.configure_selinux()
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
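Review bot: In the `@@ -443` hunk of dnskeysyncinstance.py, `configure_selinux` reduces a `SetseboolError` to a printed warning, so the install step still completes even though, on an enforcing host, the daemon may then be denied the LDAP connection the commit message says it needs. The neighbouring `__start` handler also writes to `self.logger`; adding `self.logger.debug("Failed to set SELinux booleans for ipa-dnskeysyncd: %s", e)` here would keep the failure in the install log (`print_msg` is not shown, so it may or may not log). The method is called from upgrade.py as well and has no docstring; one line saying that it enables the booleans in `constants.SELINUX_BOOLEAN_DNSKEYSYNCD` and hands the previous values to `self.backup_state` would be enough.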
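Review bot: In the `@@ -472` hunk the restore dict is built from `self.restore_state(name)` without checking that a value was ever saved. `restore_state` is not shown on this page; if it returns `None` when nothing was recorded (for example because SELinux was disabled at install time), that `None` is passed straight to `tasks.set_selinux_booleans`, so either skip names with no saved value or confirm that the helper ignores them. The restore also sets a host-wide boolean back to what this one service saw at install time, which can undo a setting that another component or the administrator enabled later; a comment stating that assumption next to `# Restore SELinux boolean states` would help. The body of `uninstall` starts outside the hunk.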
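Review bot: The added `dnskeysyncd.configure_selinux()` call in upgrade.py passes `self.backup_state` again on every run, which may clobber the value saved at install time. `set_selinux_booleans` is not shown here; if it reports the current value to the backup callback on each call, a later upgrade would record `on` as the original state and uninstall could no longer restore the pre-install value. Indentation is lost on this page, so it is unclear whether the call sits inside `if not dnskeysyncd.is_configured():`; if it does, it only repeats the step `create_instance` already runs and already-configured servers never get the boolean. A comment such as `# runs on upgrade; must not overwrite the state saved at install time` plus a guard in `configure_selinux` that only backs up when no state is stored would make the intent explicit. `upgrade_configuration` continues outside the hunk.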