[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
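Review bot: `_get_dirman_password` is added without a docstring, and its contract is not obvious from the two call sites: it ends the process with `sys.exit` instead of raising, and the prompted value is returned unchecked because `read_password` is called with `validate=False`. I would add a docstring along the lines of `"""Return the Directory Manager password, prompting when none was passed; exits the process if none can be obtained. The password is not verified here."""`. `if not password` also treats an empty string the same as a missing option, which is worth stating in that docstring if it is intended. The same hunk is repeated unchanged in the later revisions of this patch further down the page.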
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
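Review bot: In `validate_dm_password_ldap`, `client.unbind()` sits in the `else:` branch, so the connection is released only after a successful bind; a rejected password, or any other exception from `simple_bind`, leaves it open. Changing `else:` to `finally:` closes it on every path. Only `errors.ACIError` is turned into `ValueError`, so an unreachable server or a TLS failure would presumably escape the validator as a different exception type; the caller's handling is outside this hunk, so that should be confirmed. Separately, `simple_bind` sends the Directory Manager password over whatever transport `api.env.ldap_uri` selects, and the hunk passes `cacert` without visibly requesting TLS; if that URI can be plain `ldap://` in the CA/KRA install path, the docstring should require `ldapi://` or `ldaps://`, or the client should negotiate StartTLS before binding. The identical hunk recurs in the later revisions on this page.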
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/4] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/4] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/5] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/5] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From fdfe7577da8a70f05414f3527449c6aaed7c3a2b Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/4] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Signed-off-by: Tomas Krizek Related https://pagure.io/freeipa/issue/6892 --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From 16714084fff710f244a015d9a98f446c86b4 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 15:35:42 +0200 Subject: [PATCH 2/4] ca install: use proper exit code for keyboard interrupt When script execution is aborted by Ctrl-C, script should not end with succes exit code, but rather with 128 + SIGINT. Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index da6e5c3..ff819ec 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install 
@@ -125,7 +125,7 @@ def _get_dirman_password(password=None, unattended=False): "Directory Manager (existing master)", confirm=False, validate=False) except KeyboardInterrupt: -sys.exit(0) +sys.exit(130) if password is None: sys.exit("Directory Manager password required") return password From e775fe8bff944651e74b45586463692c644dcaf2 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 3/4] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Signed-off-by: Tomas Krizek Related https://pagure.io/freeipa/issue/6892 --- ipaserver/install/installutils.py | 14 ++ 1 file changed, 14 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..ea475da 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -50,6 +50,7 @@ from ipapython import ipautil,
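Review bot: The new `sys.exit(130)` in the `except KeyboardInterrupt:` branch of `_get_dirman_password` is a bare magic number; the reasoning (128 + SIGINT) lives only in the commit message. A short comment on that line, such as `# 128 + SIGINT: conventional exit status for an abort by Ctrl-C`, would keep the intent next to the code. The function starts above this hunk, so whether other interrupt handlers in the script use the same status cannot be checked from here.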