The following patch makes the ldappasswd operation use openldap's
ldappasswd command, and avoids putting passwords on the command
line (visible through ps) by instead using secure temporary files
that are deleted immediately after the operation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 8cf4d7b2c8e497001f0bb16c448f955850816480 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 13 Oct 2010 12:21:48 -0400
Subject: [PATCH] dsinstance: avoid exposing passwords when invoking ldappaswd

Pass passwords to ldappasswd by using files.
Replace use of mozldap's ldappasswd with openldap's one.
---
 ipaserver/install/dsinstance.py |   42 ++++++++++++++++++++++++++------------
 1 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c79032..49762ed 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -27,6 +27,7 @@ import sys
 import os
 import re
 import time
+import tempfile
 
 from ipapython import ipautil
 
@@ -43,6 +44,7 @@ from ipaserver.plugins.ldap2 import ldap2
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
+CACERT="/usr/share/ipa/html/ca.crt"
 
 def find_server_root():
     if ipautil.dir_exists(SERVER_ROOT_64):
@@ -465,20 +467,34 @@ class DsInstance(service.Service):
     def change_admin_password(self, password):
         logging.debug("Changing admin password")
         dirname = config_dirname(self.serverid)
-        if ipautil.dir_exists("/usr/lib64/mozldap"):
-            app = "/usr/lib64/mozldap/ldappasswd"
-        else:
-            app = "/usr/lib/mozldap/ldappasswd"
-        args = [app,
-                "-D", "cn=Directory Manager", "-w", self.dm_password,
-                "-P", dirname+"/cert8.db", "-ZZZ", "-s", password,
-                "uid=admin,cn=users,cn=accounts,"+self.suffix]
+        dmpwdfile = ""
+        admpwdfile = ""
+
         try:
-            ipautil.run(args)
-            logging.debug("ldappasswd done")
-        except ipautil.CalledProcessError, e:
-            print "Unable to set admin password", e
-            logging.debug("Unable to set admin password %s" % e)
+            (dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+            os.write(dmpwdfd, self.dm_password)
+            os.close(dmpwdfd)
+
+            (admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+            os.write(admpwdfd, password)
+            os.close(admpwdfd)
+
+            args = ["/usr/bin/ldappasswd",
+                    "-ZZ", "-x", "-D", "cn=Directory Manager",
+                    "-y", dmpwdfile, "-T", admpwdfile,
+                    "uid=admin,cn=users,cn=accounts,"+self.suffix]
+            try:
+                ipautil.run(args, env = { 'LDAPTLS_CACERT':CACERT })
+                logging.debug("ldappasswd done")
+            except ipautil.CalledProcessError, e:
+                print "Unable to set admin password", e
+                logging.debug("Unable to set admin password %s" % e)
+
+        finally:
+            if os.path.isfile(dmpwdfile):
+                os.remove(dmpwdfile)
+            if os.path.isfile(admpwdfile):
+                os.remove(admpwdfile)
 
     def uninstall(self):
         if self.is_configured():
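Review bot: The descriptors returned by the two `tempfile.mkstemp` calls are only closed on the success path, so if `os.write` raises (or writes fewer bytes than the password, which `os.write` may legitimately do) the fd stays open while the `finally` clause removes the file underneath it, and a truncated password could be handed to ldappasswd. Writing each file through a file object closes it on every path and guarantees the full content: `with os.fdopen(dmpwdfd, 'w') as f: f.write(self.dm_password)`, and likewise for `admpwdfd` / `password`. The `except ipautil.CalledProcessError` branch still prints and logs the failure but lets the method return normally, so a caller cannot tell that the admin password was never set; re-raising after logging, or returning a status, would make the installer notice. The `env = { 'LDAPTLS_CACERT':CACERT }` call presumably replaces rather than extends the process environment — harmless here because the binary is given by absolute path, but worth confirming against `ipautil.run`. `uninstall` continues past the end of this hunk.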
-- 
1.7.2.3
