Re: [Freeipa-devel] [PATCH] #318 Use openldap's ldappasswd

2010-10-14 Thread Simo Sorce
On Thu, 14 Oct 2010 13:30:33 -0400
Rob Crittenden rcrit...@redhat.com wrote:

> Simo Sorce wrote:
> 
> > The following patch makes the ldappasswd operation use
> > openldap's ldappasswd command, avoiding putting passwords
> > on the command line (visible through ps) and instead using secure
> > temporary files that are deleted immediately after the operation.
> 
> > Simo.
> 
> ack

thanks, pushed to master

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] #318 Use openldap's ldappasswd

2010-10-13 Thread Simo Sorce

The following patch makes the ldappasswd operation use openldap's
ldappasswd command, avoiding putting passwords on the command
line (visible through ps) and instead using secure temporary files
that are deleted immediately after the operation.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 8cf4d7b2c8e497001f0bb16c448f955850816480 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 13 Oct 2010 12:21:48 -0400
Subject: [PATCH] dsinstance: avoid exposing passwords when invoking ldappasswd

Pass passwords to ldappasswd by using files.
Replace use of mozldap's ldappasswd with openldap's one.
---
 ipaserver/install/dsinstance.py |   42 ++
 1 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c79032..49762ed 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -27,6 +27,7 @@ import sys
 import os
 import re
 import time
+import tempfile
 
 from ipapython import ipautil
 
@@ -43,6 +44,7 @@ from ipaserver.plugins.ldap2 import ldap2
 
 SERVER_ROOT_64 = /usr/lib64/dirsrv
 SERVER_ROOT_32 = /usr/lib/dirsrv
+CACERT=/usr/share/ipa/html/ca.crt
 
 def find_server_root():
 if ipautil.dir_exists(SERVER_ROOT_64):
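Review bot: the new CACERT line in this hunk does not follow the spacing of the SERVER_ROOT_64 and SERVER_ROOT_32 constants directly above it (spaces around the assignment); write it as CACERT = ... to match. It is also a hard-coded path to the web-served CA certificate that the TLS verification in change_admin_password now depends on, so a one-line comment saying why that file is the trust anchor for ldappasswd would help the next reader.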
@@ -465,20 +467,34 @@ class DsInstance(service.Service):
 def change_admin_password(self, password):
 logging.debug(Changing admin password)
 dirname = config_dirname(self.serverid)
-if ipautil.dir_exists(/usr/lib64/mozldap):
-app = /usr/lib64/mozldap/ldappasswd
-else:
-app = /usr/lib/mozldap/ldappasswd
-args = [app,
--D, cn=Directory Manager, -w, self.dm_password,
--P, dirname+/cert8.db, -ZZZ, -s, password,
-uid=admin,cn=users,cn=accounts,+self.suffix]
+dmpwdfile = 
+admpwdfile = 
+
 try:
-ipautil.run(args)
-logging.debug(ldappasswd done)
-except ipautil.CalledProcessError, e:
-print Unable to set admin password, e
-logging.debug(Unable to set admin password %s % e)
+(dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+os.write(dmpwdfd, self.dm_password)
+os.close(dmpwdfd)
+
+(admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+os.write(admpwdfd, password)
+os.close(admpwdfd)
+
+args = [/usr/bin/ldappasswd,
+-ZZ, -x, -D, cn=Directory Manager,
+-y, dmpwdfile, -T, admpwdfile,
+uid=admin,cn=users,cn=accounts,+self.suffix]
+try:
+ipautil.run(args, env = { 'LDAPTLS_CACERT':CACERT })
+logging.debug(ldappasswd done)
+except ipautil.CalledProcessError, e:
+print Unable to set admin password, e
+logging.debug(Unable to set admin password %s % e)
+
+finally:
+if os.path.isfile(dmpwdfile):
+os.remove(dmpwdfile)
+if os.path.isfile(admpwdfile):
+os.remove(admpwdfile)
 
 def uninstall(self):
 if self.is_configured():
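Review bot: the outer try in this hunk has no except clause, so an OSError from tempfile.mkstemp (for example /var/lib/ipa missing or not writable) or from os.write now propagates out of change_admin_password, while a failing ldappasswd run is still only printed and logged by the inner except ipautil.CalledProcessError; pick one contract and apply it to both paths, either catching OSError next to CalledProcessError or letting both raise. Two smaller checks on the same lines: confirm that ipautil.run(args, env = { 'LDAPTLS_CACERT':CACERT }) merges that dict into the child's environment rather than replacing it, otherwise /usr/bin/ldappasswd starts without PATH and the rest of the environment; and keep the files free of a trailing newline as they are now, because ldappasswd -y and -T take the entire file content as the password. Note that os.remove in the finally block unlinks the files but does not overwrite their contents, so the mkstemp 0600 mode and the /var/lib/ipa location are what actually protect the passwords on disk.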
-- 
1.7.2.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
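The technique the patch describes, writing each secret to a mode-0600 mkstemp() file, handing the child process only the file paths, and unlinking the files in a finally clause, as an added Python 3 example that is not part of the patch or of FreeIPA. The child here is a small python -c stand-in for ldappasswd's -y/-T file reading (an assumption so the example runs offline), and the passwords are constructed values.

```python
import os
import stat
import subprocess
import sys
import tempfile


def argv_exposes_secret(argv, secret):
    """True if the secret would appear in the child's argv (and so in ps)."""
    return any(secret in arg for arg in argv)


def insecure_argv(secret):
    """The pattern the patch removes: the password as an argv element."""
    return ["ldappasswd", "-D", "cn=Directory Manager", "-w", secret]


def run_with_secret_files(build_argv, secrets, tmpdir=None):
    """Write each secret to its own mkstemp() file, run the command built
    from the file paths only, and remove the files whatever happens.

    build_argv(paths) -> argv list; secrets is a list of str.
    Returns stdout, the argv used, the file modes observed, and whatever
    files (if any) survived cleanup.
    """
    paths = []
    modes = []
    try:
        for secret in secrets:
            # mkstemp() opens the file O_EXCL with mode 0600, so only the
            # owner (root, when run from an installer) can read it.
            fd, path = tempfile.mkstemp(dir=tmpdir)
            paths.append(path)
            with os.fdopen(fd, "wb") as f:
                # No trailing newline: ldappasswd -y/-T use the whole file
                # content as the password, newline included.
                f.write(secret.encode())
            modes.append(stat.S_IMODE(os.stat(path).st_mode))
        argv = build_argv(paths)
        stdout = subprocess.run(argv, capture_output=True, text=True,
                                check=True).stdout
    finally:
        # Mirror the patch's finally clause: unlink regardless of outcome.
        for path in paths:
            if os.path.isfile(path):
                os.remove(path)
    return {
        "stdout": stdout,
        "argv": argv,
        "modes": modes,
        "files_left": [p for p in paths if os.path.exists(p)],
    }


# Stand-in for ldappasswd (assumption for an offline run): reads the two
# password files named in argv, like -y and -T, and prints them joined by "/".
CHILD = ("import sys; "
         "print(open(sys.argv[1]).read() + '/' + open(sys.argv[2]).read())")


def demo(dm_password="dm-secret-example", new_password="new-admin-pw"):
    """Constructed secrets; nothing here talks to a real directory server."""
    return run_with_secret_files(
        lambda paths: [sys.executable, "-c", CHILD, paths[0], paths[1]],
        [dm_password, new_password])


if __name__ == "__main__":
    r = demo()
    print(r["argv"], r["modes"], r["files_left"], r["stdout"].strip())
```

Running demo() shows the argv contains only two random file names, both files were created with mode 0600, and neither file exists once the call returns, while insecure_argv() puts the password where any local user can read it with ps.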