From d224655e4b1e218bac19dff5a10bf3e0d83edcb0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 5 Jun 2017 12:41:02 +0000
Subject: [PATCH] pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
freeipa.spec.in | 2 +
install/tools/Makefile.am | 1 +
install/tools/ipa-pkinit-manage | 8 +++
install/tools/man/Makefile.am | 1 +
install/tools/man/ipa-pkinit-manage.1 | 34 +++++++++++++
ipaserver/install/ipa_pkinit_manage.py | 93 ++++++++++++++++++++++++++++++++++
ipaserver/install/krbinstance.py | 24 +++++++++
7 files changed, 163 insertions(+)
create mode 100755 install/tools/ipa-pkinit-manage
create mode 100644 install/tools/man/ipa-pkinit-manage.1
create mode 100644 ipaserver/install/ipa_pkinit_manage.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2cbaa60df0db021a4a1ce10af383cd6a15e1e57c..ae77a9a23645c1490c32195203e2c4f665783a80 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1184,6 +1184,7 @@ fi
%{_sbindir}/ipa-advise
%{_sbindir}/ipa-cacert-manage
%{_sbindir}/ipa-winsync-migrate
+%{_sbindir}/ipa-pkinit-manage
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%dir %{_libexecdir}/ipa
@@ -1247,6 +1248,7 @@ fi
%{_mandir}/man1/ipa-otptoken-import.1*
%{_mandir}/man1/ipa-cacert-manage.1*
%{_mandir}/man1/ipa-winsync-migrate.1*
+%{_mandir}/man1/ipa-pkinit-manage.1*
%files -n python2-ipaserver
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 493e5ff4a8290be8ef076135104a85f8315b7842..47ecc14d7320336315c16587956c4965387853d9 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -28,6 +28,7 @@ dist_sbin_SCRIPTS = \
ipa-advise \
ipa-cacert-manage \
ipa-winsync-migrate \
+ ipa-pkinit-manage \
$(NULL)
appdir = $(libexecdir)/ipa/
diff --git a/install/tools/ipa-pkinit-manage b/install/tools/ipa-pkinit-manage
new file mode 100755
index 0000000000000000000000000000000000000000..5b2413bd7cdc97632f82a77e18f3424a2ff63309
--- /dev/null
+++ b/install/tools/ipa-pkinit-manage
@@ -0,0 +1,8 @@
+#! /usr/bin/python2 -E
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.ipa_pkinit_manage import PKINITManage
+
+PKINITManage.run_cli()
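Review bot: The shebang on the first line of this new script, `#! /usr/bin/python2 -E`, ignores the PYTHON* environment variables but still lets the interpreter add the invoking user's site directory to sys.path, and this tool runs as root (`validate_options(needs_root=True)` in the module it imports), so root's `~/.local` site-packages can shadow ipaserver modules; `#! /usr/bin/python2 -Es` also drops the user site directory. If the sibling `ipa-*` entry points in install/tools use the same `-E` shebang (not visible here), change them together rather than letting this one diverge. The remainder is the conventional thin wrapper that hands off to `PKINITManage.run_cli()`.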
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index 0d06ec7306b0cc1e656dac244bcb2c480b0ae61e..2dac9ac716352847aeb0d1fd3c6375ede956c751 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -27,6 +27,7 @@ dist_man1_MANS = \
ipa-otptoken-import.1 \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
+ ipa-pkinit-manage.1 \
$(NULL)
dist_man8_MANS = \
diff --git a/install/tools/man/ipa-pkinit-manage.1 b/install/tools/man/ipa-pkinit-manage.1
new file mode 100644
index 0000000000000000000000000000000000000000..5018ce8aa3f89470453d9cfc590a0c5f44f78f3c
--- /dev/null
+++ b/install/tools/man/ipa-pkinit-manage.1
@@ -0,0 +1,34 @@
+.\"
+.\" Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+.\"
+.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-pkinit\-manage \- Enables or disables PKINIT
+.SH "SYNOPSIS"
+ipa\-pkinit\-manage [options] <enable|disable|status>
+.SH "DESCRIPTION"
+Run the command with the \fBenable\fR option to enable PKINIT.
+
+Run the command with the \fBdisable\fR option to disable PKINIT.
+
+Run the command with the \fBstatus\fR to determine the current status of PKINIT.
+.SH "OPTIONS"
+.TP
+\fB\-\-version\fR
+Show the program's version and exit.
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Show the help for this program.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors.
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
new file mode 100644
index 0000000000000000000000000000000000000000..428c0e3476b4dbd13a9ee5a40a42447f9fa95f2d
--- /dev/null
+++ b/ipaserver/install/ipa_pkinit_manage.py
@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import print_function
+
+from ipalib import api
+from ipaplatform.paths import paths
+from ipapython.admintool import AdminTool
+from ipaserver.install.krbinstance import KrbInstance, is_pkinit_enabled
+
+
+class PKINITManage(AdminTool):
+ command_name = "ipa-pkinit-manage"
+ usage = "%prog <enable|disable|status>"
+ description = "Manage PKINIT."
+
+ def validate_options(self):
+ super(PKINITManage, self).validate_options(needs_root=True)
+
+ option_parser = self.option_parser
+
+ if not self.args:
+ option_parser.error("action not specified")
+ elif len(self.args) > 1:
+ option_parser.error("too many arguments")
+
+ action = self.args[0]
+ if action not in {'enable', 'disable', 'status'}:
+ option_parser.error("unrecognized action '{}'".format(action))
+
+ def run(self):
+ api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
+ api.finalize()
+
+ api.Backend.ldap2.connect()
+ try:
+ action = self.args[0]
+ if action == 'enable':
+ self.enable()
+ elif action == 'disable':
+ self.disable()
+ elif action == 'status':
+ self.status()
+ finally:
+ api.Backend.ldap2.disconnect()
+
+ return 0
+
+ def _setup(self, setup_pkinit):
+ config = api.Command.config_show()['result']
+ ca_enabled = api.Command.ca_is_enabled()['result']
+
+ krb = KrbInstance()
+ krb.init_info(
+ realm_name=api.env.realm,
+ host_name=api.env.host,
+ setup_pkinit=setup_pkinit,
+ subject_base=config['ipacertificatesubjectbase'][0],
+ )
+
+ if bool(is_pkinit_enabled()) is not bool(setup_pkinit):
+ try:
+ krb.stop_tracking_certs()
+ except RuntimeError as e:
+ if ca_enabled:
+ self.log.warning(
+ "Failed to stop tracking certificates: %s", e)
+
+ krb.enable_ssl()
+
+ if setup_pkinit:
+ krb.pkinit_enable()
+ else:
+ krb.pkinit_disable()
+
+ def enable(self):
+ if not api.Command.ca_is_enabled()['result']:
+ self.log.error("Cannot enable PKINIT in CA-less deployment")
+ self.log.error("Use ipa-server-certinstall to install KDC "
+ "certificate manually")
+ raise RuntimeError("Cannot enable PKINIT in CA-less deployment")
+
+ self._setup(True)
+
+ def disable(self):
+ self._setup(False)
+
+ def status(self):
+ if is_pkinit_enabled():
+ print("PKINIT is enabled")
+ else:
+ print("PKINIT is disabled")
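Review bot: `run()` goes straight to `api.bootstrap(in_server=True, confdir=paths.ETC_IPA)` and `api.Backend.ldap2.connect()` without first verifying that this host is a configured IPA server, so running the tool on an unconfigured or client-only machine surfaces a raw bootstrap or LDAP error instead of a clear message; the other admin tools in this tree (ipa-cacert-manage, as far as I recall) call `installutils.check_server_configuration()` from `validate_options()` for exactly this, and the same one-line call belongs right after `super(PKINITManage, self).validate_options(needs_root=True)` if that helper is available here. Separately, `status()` reports only `is_pkinit_enabled()` (defined outside this hunk), while `pkinit_enable()`/`pkinit_disable()` maintain a second piece of state, the PKINIT_ENABLED value on this master's KDC entry in LDAP, which is what other hosts use to pick a PKINIT-capable KDC; reading both and flagging a mismatch would make `status` trustworthy after a partially failed enable or disable. Also, when the requested state already matches the current one, `_setup()` skips `stop_tracking_certs()` but still runs `krb.enable_ssl()` and the LDAP update — if `enable_ssl()` requests a fresh KDC certificate (its body is not visible here), an early `return` with an informational log line would avoid needless reissuance and a KDC restart.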
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a1053d55ccaae17bef93547c036fb9d08d296f0b..6b51e65d1ec985bfc01f167aea3fe3ca11c7ec29 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -451,6 +451,30 @@ class KrbInstance(service.Service):
service.set_service_entry_config(
'KDC', self.fqdn, [PKINIT_ENABLED], self.suffix)
+ def pkinit_disable(self):
+ """
+ unadvertise enabled PKINIT feature in master's KDC entry in LDAP
+ """
+ ldap = api.Backend.ldap2
+ dn = DN(('cn', 'KDC'),
+ ('cn', self.fqdn),
+ ('cn', 'masters'),
+ ('cn', 'ipa'),
+ ('cn', 'etc'),
+ self.suffix)
+
+ entry = ldap.get_entry(dn, ['ipaConfigString'])
+
+ config = entry.setdefault('ipaConfigString', [])
+ config = [value for value in config
+ if value.lower() != PKINIT_ENABLED.lower()]
+ entry['ipaConfigString'][:] = config
+
+ try:
+ ldap.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
def _install_pkinit_ca_bundle(self):
ca_certs = certstore.get_ca_certs(self.api.Backend.ldap2,
self.api.env.basedn,
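Review bot: `pkinit_disable()` hand-builds the KDC service DN (`cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>`) and edits `ipaConfigString` directly, whereas the `pkinit_enable()` body just above it delegates the very same entry to `service.set_service_entry_config('KDC', self.fqdn, [PKINIT_ENABLED], self.suffix)`; the two will drift if the masters-tree layout or that helper changes, so a matching removal helper in `service` (or at least the same DN-building code) would keep the pair symmetric. `ldap.get_entry()` raising `errors.NotFound` when the KDC entry is absent is not handled here, unlike `EmptyModlist`, so as far as this hunk shows the failure propagates without naming the missing entry — worth deciding deliberately rather than by omission. A smaller point: unless LDAPEntry needs the in-place mutation for its modlist tracking, `entry.setdefault('ipaConfigString', [])` followed by `entry['ipaConfigString'][:] = config` can be the single assignment `entry['ipaConfigString'] = [v for v in entry.get('ipaConfigString', []) if v.lower() != PKINIT_ENABLED.lower()]`. `_install_pkinit_ca_bundle` continues past the end of the hunk.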
--
2.9.4