[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-12 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/3] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
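Review bot: `_get_dirman_password` hands back whatever `read_password` returns with no check of the value, since the call passes `validate=False`; the validation this PR is named for is presumably wired in by a later patch, so the helper needs a docstring saying the caller is responsible for verifying the password, e.g. `"""Return the Directory Manager password from *password* or an interactive prompt; exits if none can be obtained. The value is not verified here."""`. The `except KeyboardInterrupt: sys.exit(0)` branch reports success for an aborted run, which an automation wrapper cannot tell apart from a completed install; unless a later patch in this series changes it (an earlier revision of the PR further down this thread carried `sys.exit(130)` as a separate patch), it should exit with 128 + SIGINT. The identical hunk recurs in every re-sent copy of "ca install: merge duplicated code for DM password" below; this note applies to all of them.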
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/3] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None
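Review bot: `validate_dm_password_ldap` maps only `errors.ACIError` to `ValueError`; any other failure from constructing `LDAPClient` or from `simple_bind` (unreachable server, TLS handshake failure) propagates unchanged, so if this function is passed as `read_password`'s `validator` the prompt loop will die with a traceback instead of a message. Either catch the connection-level errors as well (presumably `errors.NetworkError`) and re-raise them as `ValueError("Cannot connect to LDAP server to validate the password")`, or let them through deliberately and document that in the docstring. `client.unbind()` runs only on the success path; if `LDAPClient` keeps a connection open after a failed bind it is never released, so a `finally` block (or a context manager, if the class provides one) is the safer shape. The docstring should also carry a `:raises ValueError:` line and note that the DM password travels in a simple bind to `api.env.ldap_uri`, which is therefore expected to be an ldapi:// or TLS-protected URI. The same hunk appears in every re-sent copy of this patch below.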

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/3] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/3] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/3] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/3] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/4] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/4] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/5] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/5] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-05 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/3] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/3] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-03 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From fdfe7577da8a70f05414f3527449c6aaed7c3a2b Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/4] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Signed-off-by: Tomas Krizek 
Related https://pagure.io/freeipa/issue/6892
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From 16714084fff710f244a015d9a98f446c86b4 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 15:35:42 +0200
Subject: [PATCH 2/4] ca install: use proper exit code for keyboard interrupt

When script execution is aborted by Ctrl-C, the script should
not end with a success exit code, but rather with 128 + SIGINT.

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index da6e5c3..ff819ec 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -125,7 +125,7 @@ def _get_dirman_password(password=None, unattended=False):
 "Directory Manager (existing master)", confirm=False,
 validate=False)
 except KeyboardInterrupt:
-sys.exit(0)
+sys.exit(130)
 if password is None:
 sys.exit("Directory Manager password required")
 return password
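Review bot: The literal `130` on the new `sys.exit` line is a magic number; the commit message explains it as 128 + SIGINT but the code does not. Either write `sys.exit(128 + signal.SIGINT)` if `signal` is already imported in this script, or keep the literal and annotate it: `sys.exit(130)  # 128 + SIGINT: conventional status for a Ctrl-C abort`. `_get_dirman_password` begins before this hunk.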

From e775fe8bff944651e74b45586463692c644dcaf2 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 3/4] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Signed-off-by: Tomas Krizek 
Related https://pagure.io/freeipa/issue/6892
---
 ipaserver/install/installutils.py | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..ea475da 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil,