The following patch makes the ldappasswd operation use OpenLDAP's
ldappasswd command, and avoids putting passwords on the command
line (visible through ps) by instead using secure temporary files
that are deleted immediately after the operation.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 8cf4d7b2c8e497001f0bb16c448f955850816480 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Wed, 13 Oct 2010 12:21:48 -0400
Subject: [PATCH] dsinstance: avoid exposing passwords when invoking ldappaswd
Pass passwords to ldappasswd by using files.
Replace use of mozldap's ldappasswd with openldap's one.
---
ipaserver/install/dsinstance.py | 42 ++
1 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c79032..49762ed 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -27,6 +27,7 @@ import sys
import os
import re
import time
+import tempfile
from ipapython import ipautil
@@ -43,6 +44,7 @@ from ipaserver.plugins.ldap2 import ldap2
SERVER_ROOT_64 = /usr/lib64/dirsrv
SERVER_ROOT_32 = /usr/lib/dirsrv
+CACERT=/usr/share/ipa/html/ca.crt
def find_server_root():
if ipautil.dir_exists(SERVER_ROOT_64):
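Review bot: The new constant `CACERT=/usr/share/ipa/html/ca.crt` is written without the spaces around `=` that the neighbouring `SERVER_ROOT_64 = ...` and `SERVER_ROOT_32 = ...` lines use; for consistency write it as `CACERT = "/usr/share/ipa/html/ca.crt"` (the quotes appear to have been stripped by the mail rendering). A one-line comment such as `# CA certificate presented to ldappasswd via LDAPTLS_CACERT for the -ZZ StartTLS check` would tell a reader why a CA path lives next to the server-root constants.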
@@ -465,20 +467,34 @@ class DsInstance(service.Service):
def change_admin_password(self, password):
logging.debug(Changing admin password)
dirname = config_dirname(self.serverid)
-if ipautil.dir_exists(/usr/lib64/mozldap):
-app = /usr/lib64/mozldap/ldappasswd
-else:
-app = /usr/lib/mozldap/ldappasswd
-args = [app,
--D, cn=Directory Manager, -w, self.dm_password,
--P, dirname+/cert8.db, -ZZZ, -s, password,
-uid=admin,cn=users,cn=accounts,+self.suffix]
+dmpwdfile =
+admpwdfile =
+
try:
-ipautil.run(args)
-logging.debug(ldappasswd done)
-except ipautil.CalledProcessError, e:
-print Unable to set admin password, e
-logging.debug(Unable to set admin password %s % e)
+(dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+os.write(dmpwdfd, self.dm_password)
+os.close(dmpwdfd)
+
+(admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
+os.write(admpwdfd, password)
+os.close(admpwdfd)
+
+args = [/usr/bin/ldappasswd,
+-ZZ, -x, -D, cn=Directory Manager,
+-y, dmpwdfile, -T, admpwdfile,
+uid=admin,cn=users,cn=accounts,+self.suffix]
+try:
+ipautil.run(args, env = { 'LDAPTLS_CACERT':CACERT })
+logging.debug(ldappasswd done)
+except ipautil.CalledProcessError, e:
+print Unable to set admin password, e
+logging.debug(Unable to set admin password %s % e)
+
+finally:
+if os.path.isfile(dmpwdfile):
+os.remove(dmpwdfile)
+if os.path.isfile(admpwdfile):
+os.remove(admpwdfile)
def uninstall(self):
if self.is_configured():
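Review bot: The descriptor returned by `tempfile.mkstemp` is leaked if `os.write` raises (lines `os.write(dmpwdfd, self.dm_password)` / `os.write(admpwdfd, password)`), because `os.close` is only reached on the success path, and the return value of `os.write` is discarded, so a short write would hand ldappasswd a truncated password with no error. Closing the descriptor in a `finally` and checking the written length fixes both; the outer `try`/`finally` that removes the files still covers the paths, since the names are assigned before the write. It is also worth noting in a comment that the files are created mode 0600 by mkstemp and that `-y`/`-T` read the whole file, which is why no trailing newline is written. Presumably `ipautil.run` replaces the whole environment when `env` is given; that is fine here only because ldappasswd is invoked by absolute path, so a comment on the `env = { 'LDAPTLS_CACERT':CACERT }` line saying so would help. The `uninstall` method that begins at the end of this hunk continues outside it.
```python
(dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
try:
    # mkstemp created the file 0600; ldappasswd -y reads the whole file,
    # so write the password without a trailing newline.
    if os.write(dmpwdfd, self.dm_password) != len(self.dm_password):
        raise IOError("short write to %s" % dmpwdfile)
finally:
    os.close(dmpwdfd)

(admpwdfd, admpwdfile) = tempfile.mkstemp(dir='/var/lib/ipa')
try:
    if os.write(admpwdfd, password) != len(password):
        raise IOError("short write to %s" % admpwdfile)
finally:
    os.close(admpwdfd)
# … unchanged: args, ipautil.run, inner except, outer finally removing both files …
```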
--
1.7.2.3