We need to use authenticated LDAP binds in init scripts as otherwise
starting components fails when the option to restrict anonymous access
to LDAP is set.

In order to do that we need to also start the KDC unconditionally, so
it has been removed from the list of services retrieved from LDAP and
is always started/stopped/restarted explicitly in the script.
This is necessary so the script can obtain Kerberos credentials to bind
to DS using its keytab.

Fixes ticket #795

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 1118e77a6804f32f37352c42eafc86ee425fdbd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Tue, 18 Jan 2011 18:56:07 -0500
Subject: [PATCH] Use authenticated connections to ldap

To do that, consider the KDC service as core as well and do not list it as one
of the optional services retrieved from LDAP.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/tools/ipactl             |   59 ++++++++++++++++++++++++++++++++++++--
 ipaserver/install/krbinstance.py |    2 +-
 ipaserver/install/service.py     |    1 -
 3 files changed, 57 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762580fc83503510d387b3e36d67d514de..50e6d4b8ea6817a6b3e840a7d90a0f3470b6aaa4 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import os
 import sys
 try:
     from ipaserver.install import service
@@ -27,6 +28,7 @@ try:
     import logging
     import ldap
     import socket
+    import krbV
 except ImportError:
     print >> sys.stderr, """\
 There was a problem importing one of the required Python modules. The
@@ -36,6 +38,9 @@ error was:
 """ % sys.exc_value
     sys.exit(1)
 
+SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
+ccache_file = '/var/lib/ipa/boot-ccache'
+
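Review bot: `ccache_file = '/var/lib/ipa/boot-ccache'` is a fixed, predictable path for a credential cache that will hold the TGT of the `ldap/<host>` service principal; that is only safe if `/var/lib/ipa` is root-owned and not writable by anyone else, since a pre-placed file or symlink at that name would be followed when the cache is initialized. A comment stating the assumption would help the next maintainer, e.g. `# ccache for the boot-time LDAP bind; /var/lib/ipa must be root-only (0700); removed again at the end of main()`. `SASL_AUTH` also duplicates `service.SASL_AUTH` from the already-imported `service` module, so reusing that keeps the two from drifting. A `MEMORY:` cache would avoid the on-disk credential entirely, provided the GSSAPI bind in this same process picks it up through KRB5CCNAME — worth testing.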
 def parse_options():
     usage = "%prog start|stop|restart|status\n"
     parser = config.IPAOptionParser(usage=usage,
@@ -52,7 +57,20 @@ def parse_options():
 def emit_err(err):
     sys.stderr.write(err)
 
+def get_creds():
+    file_ccache = 'FILE:%s' % ccache_file
+    krbcontext = krbV.default_context()
+    principal = str('ldap/%s@%s' % (api.env.host, api.env.realm))
+    keytab = krbV.Keytab(name='/etc/dirsrv/ds.keytab', context=krbcontext)
+    principal = krbV.Principal(name=principal, context=krbcontext)
+    os.environ['KRB5CCNAME'] = file_ccache
+    ccache = krbV.CCache(context=krbcontext, primary_principal=principal)
+    ccache.init_creds_keytab(keytab=keytab, principal=principal)
+
 def get_config():
+
+    get_creds()
+
     base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (socket.gethostname(),
                                                   api.env.basedn)
     srcfilter = '(ipaConfigString=enabledService)'
@@ -60,7 +78,7 @@ def get_config():
 
     try:
         con = ldap.initialize(api.env.ldap_uri)
-        con.simple_bind()
+        con.sasl_interactive_bind_s('', SASL_AUTH)
         res = con.search_st(base,
                             ldap.SCOPE_SUBTREE,
                             filterstr=srcfilter,
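Review bot: the bind is now authenticated, but the search still runs over `api.env.ldap_uri` with whatever security layer the GSSAPI negotiation settles on; if that URI is plain `ldap://`, confidentiality of the query rests on the SASL security layer alone, so setting `con.set_option(ldap.OPT_X_SASL_SSF_MIN, 56)` before the bind makes that requirement explicit rather than accidental. A failed `sasl_interactive_bind_s` raises `ldap.LDAPError`, which the surrounding `try` turns into the generic "Failed to read data from Directory Service" message, so logging `sys.exc_value` there would make a Kerberos problem distinguishable from an LDAP one. The enclosing `try` and the rest of `get_config()` continue past this hunk, so I cannot see whether `con` is ever unbound.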
@@ -91,6 +109,14 @@ def ipa_start(serverid):
         emit_err("Failed to start Directory Service")
         return
 
+    try:
+        print "Starting KDC Service"
+        service.start('krb5kdc', capture_output=False)
+    except:
+        emit_err("Failed to start KDC Service")
+        service.stop('dirsrv', instance_name=serverid, capture_output=False)
+        return
+
     svc_list = []
     try:
         svc_list = get_config()
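Review bot: `service.start('krb5kdc', ...)` returning does not mean the KDC is accepting requests yet, and `get_config()` immediately asks it for a TGT from the keytab, so on a slow host the first `ipactl start` can fail with the "Failed to read data from Directory Service" message and tear dirsrv down even though nothing is misconfigured. A short bounded retry around the credential acquisition (or a readiness probe on the KDC port) before giving up would make the start robust. The bare `except:` matches the file's existing style but also swallows `KeyboardInterrupt` and reports it as a KDC failure; `except Exception:` would be the safer choice for new code.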
@@ -117,6 +143,7 @@ def ipa_start(serverid):
                 except:
                     pass
             try:
+                service.stop('krb5kdc', capture_output=False)
                 service.stop('dirsrv', instance_name=serverid, capture_output=False)
             except:
                 pass
@@ -133,10 +160,12 @@ def ipa_stop(serverid):
         # exit
         try:
             service.start('dirsrv', instance_name=serverid, capture_output=False)
+            service.start('krb5kdc', capture_output=False)
             svc_list = get_config()
         except:
             emit_err("Failed to read data from Directory Service")
             emit_err("Shutting down")
+            service.stop('krb5kdc', capture_output=False)
             service.stop('dirsrv', instance_name=serverid, capture_output=False)
 
     if len(svc_list) == 0:
@@ -151,11 +180,16 @@ def ipa_stop(serverid):
             emit_err("Failed to stop %s Service" % svc)
 
     try:
+        print "Stopping KDC Service"
+        service.stop('krb5kdc', capture_output=False)
+    except:
+        emit_err("Failed to stop KDC Service")
+
+    try:
         print "Stopping Directory Service"
         service.stop('dirsrv', instance_name=serverid, capture_output=False)
     except:
         emit_err("Failed to stop Directory Service")
-        return
 
 
 def ipa_restart(serverid):
@@ -166,6 +200,14 @@ def ipa_restart(serverid):
         emit_err("Failed to restart Directory Service")
         return
 
+    try:
+        print "Restarting KDC Service"
+        service.restart('krb5kdc', capture_output=False)
+    except:
+        emit_err("Failed to restart KDC Service")
+        service.stop('dirsrv', instance_name=serverid, capture_output=False)
+        return
+
     svc_list = []
     try:
         svc_list = get_config()
@@ -192,6 +234,7 @@ def ipa_restart(serverid):
                 except:
                     pass
             try:
+                service.stop('krb5kdc', instance_name=serverid, capture_output=False)
                 service.stop('dirsrv', instance_name=serverid, capture_output=False)
             except:
                 pass
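Review bot: `service.stop('krb5kdc', instance_name=serverid, capture_output=False)` passes the directory-server instance name to the KDC stop, unlike the equivalent cleanup in `ipa_start`, which uses `service.stop('krb5kdc', capture_output=False)`. Depending on how `service.stop` builds the init-script invocation from `instance_name`, this either stops the wrong thing or fails inside the bare `except: pass`, leaving the KDC running after DS has been torn down. Drop the `instance_name` argument here. `ipa_restart` begins before and continues past this hunk.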
@@ -205,7 +248,14 @@ def ipa_status(serverid):
             print "Directory Service: STOPPED"
     except:
         print "Failed to get Directory Service status"
-        return
+
+    try:
+        if service.is_running('krb5kdc'):
+            print "KDC Service: RUNNING"
+        else:
+            print "KDC Service: STOPPED"
+    except:
+        print "Failed to get KDC Service status"
 
     svc_list = []
     try:
@@ -249,6 +299,9 @@ def main():
     elif args[0].lower() == "status":
         ipa_status(serverid)
 
+    if os.path.exists(ccache_file):
+        os.remove(ccache_file)
+
 try:
     if __name__ == "__main__":
         sys.exit(main())
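Review bot: the cache holding the `ldap/<host>` service TGT is removed only when `main()` runs to completion; an exception escaping one of the `ipa_*` handlers, or a signal, leaves a usable credential file at a well-known path until the next run. Put the dispatch in a `try:` and move the two removal lines into its `finally:` clause, and consider unlinking any stale file before `get_creds()` runs as well, so a cache left by an aborted run is never reused. `main()` begins before this hunk.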
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index e7c1116377a66954ecf4c024510e6d9dd79ba69d..efa2209682b43fe89a5c34834ae59efaba45e917 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -240,7 +240,7 @@ class KrbInstance(service.Service):
         # We do not let the system start IPA components on its own,
         # Instead we reply on the IPA init script to start only enabled
         # components as found in our LDAP configuration tree
-        self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix)
+        # self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix)
 
     def __start_instance(self):
         try:
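Review bot: commenting out `self.ldap_enable(...)` leaves dead code, and the comment directly above it now states the opposite of what happens — the KDC is no longer started from the LDAP configuration tree but unconditionally by ipactl. Delete the line and rewrite the comment, e.g. `# The KDC is a core service: ipactl starts it unconditionally (it needs it to obtain credentials for the LDAP bind), so it is deliberately not registered as an enabledService in LDAP.` If nothing else remains in the method body, it needs a `pass` or should be removed together with its caller; the method header is outside this hunk.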
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaffd93e8e199773349b6d9b0ed68121ac7b..6ae29f40e9759255c2bcbcaa7e74dd981e5a3204 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -34,7 +34,6 @@ CACERT = "/etc/ipa/ca.crt"
 SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
 
 SERVICE_LIST = {
-    'KDC':('krb5kdc', 10),
     'KPASSWD':('ipa_kpasswd', 20),
     'DNS':('named', 30),
     'HTTP':('httpd', 40),
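Review bot: removing `'KDC'` from `SERVICE_LIST` does not remove the `KDC` enabledService entry that existing masters already carry under cn=masters (written by the `ldap_enable` call this patch disables), so after an upgrade `get_config()` in ipactl will still return that name; whatever maps service names through `SERVICE_LIST` must tolerate an unknown entry, or an upgrade step must clean it up. A comment would also keep the next reader from "fixing" the omission: `# KDC is intentionally absent: ipactl starts it unconditionally before binding to LDAP.`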
-- 
1.7.3.4
