From dd108a1fd1088f6a4f382cccec2aec69c7d9f0fe Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 8 Aug 2016 16:06:08 +0200
Subject: [PATCH] Remove Custodia server keys from LDAP
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipalib/constants.py | 1 +
ipaserver/plugins/server.py | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 0574bb3aa457dd79a6d64f6b8a6b57161d32da92..9b351e260f15211330521453b3ffcd41433a04bb 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -124,6 +124,7 @@ DEFAULT_CONFIG = (
('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))),
('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))),
('container_dnsservers', DN(('cn', 'servers'), ('cn', 'dns'))),
+ ('container_custodia', DN(('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'))),
# Ports, hosts, and URIs:
('xmlrpc_uri', 'http://localhost:8888/ipa/xml'),
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b245dcf72a2f9f32f52ec9acf68d96c69d6169c5..d62c0232c5e33642e44a088dbfd9f10675d733f4 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -609,6 +609,32 @@ class server_del(LDAPDelete):
message=_("Failed to remove server %(master)s from server "
"list: %(err)s") % dict(master=master, err=e)))
+ def _remove_server_custodia_keys(self, ldap, master):
+ """
+ Delete all Custodia encryption and signing keys
+ """
+ conn = self.Backend.ldap2
+ env = self.api.env
+ # search for memberPrincipal=*/fqdn@realm
+ member_filter = ldap.make_filter_from_attr(
+ 'memberPrincipal', "/{}@{}".format(master, env.realm),
+ exact=False, leading_wildcard=True, trailing_wildcard=False)
+ custodia_subtree = DN(env.container_custodia, env.basedn)
+ try:
+ entries = conn.get_entries(custodia_subtree,
+ ldap.SCOPE_SUBTREE,
+ filter=member_filter)
+ for entry in entries:
+ conn.delete_entry(entry)
+ except errors.NotFound:
+ pass
+ except Exception as e:
+ self.add_message(
+ messages.ServerRemovalWarning(
+ message=_(
+ "Failed to clean up Custodia keys for "
+ "%(master)s: %(err)s") % dict(master=master, err=e)))
+
def _remove_server_host_services(self, ldap, master):
"""
delete server kerberos key and all its svc principals
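Review bot: A failure in the first `conn.delete_entry(entry)` call inside the `for` loop aborts the loop, so any remaining Custodia key entries for the server (the commit message says there are two, encryption and signing) are left behind in LDAP while the method emits one generic warning and server-del goes on to strip the host's Kerberos principals, leaving `memberPrincipal` references to a principal that presumably no longer exists. Each entry should be deleted in its own try block so one failure does not strand the others, and the warning should name the DN it could not remove so an administrator can clean it up by hand. The method also takes an `ldap` argument but only uses it for `make_filter_from_attr` and `SCOPE_SUBTREE` while the search and delete go through `self.Backend.ldap2`; if those are the same connection object, using one name throughout would make that clear. The leading-wildcard filter is anchored on the `/` before the FQDN, so a server name cannot match a longer hostname ending in the same suffix; whether `make_filter_from_attr` escapes filter metacharacters in `master` cannot be confirmed from this hunk and is worth a comment on the `member_filter` line.
```python
    try:
        entries = conn.get_entries(custodia_subtree,
                                   ldap.SCOPE_SUBTREE,
                                   filter=member_filter)
    except errors.NotFound:
        return  # no keys stored for this server
    except Exception as e:
        self.add_message(
            messages.ServerRemovalWarning(
                message=_(
                    "Failed to look up Custodia keys for "
                    "%(master)s: %(err)s") % dict(master=master, err=e)))
        return
    for entry in entries:
        try:
            conn.delete_entry(entry)
        except errors.NotFound:
            pass  # removed concurrently; nothing left to clean up
        except Exception as e:
            # keep going so one bad entry does not strand the rest
            self.add_message(
                messages.ServerRemovalWarning(
                    message=_(
                        "Failed to remove Custodia key %(dn)s for "
                        "%(master)s: %(err)s") % dict(
                            dn=entry.dn, master=master, err=e)))
```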
@@ -682,6 +708,9 @@ class server_del(LDAPDelete):
# remove the references to master's ldap/http principals
self._remove_server_principal_references(pkey)
+ # remove Custodia encryption and signing keys
+ self._remove_server_custodia_keys(ldap, pkey)
+
# finally destroy all Kerberos principals
self._remove_server_host_services(ldap, pkey)
--
2.7.4