There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.
There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after all
file-based updates are applied.
A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.
Either a preop or postop plugin may attempt to restart the dirsrv
instance. The instance is only restartable if ipa-ldap-updater is being
executed as root. A warning is printed if a restart is requested for a
non-root user.
Plugins are not executed by default. This is so we can use ldapupdate to
apply simple updates in commands like ipa-nis-manage.
rob
>From e8c632c0a17c5fad3792d4f741976161d245fec6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Wed, 16 Nov 2011 15:37:56 -0500
Subject: [PATCH] Add plugin framework to LDAP updates.
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.
There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.
A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.
Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.
Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.
https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
---
freeipa.spec.in | 6 +-
install/tools/ipa-ldap-updater | 48 +++++--
install/tools/ipa-managed-entries | 4 +-
install/tools/man/ipa-ldap-updater.1 | 5 +-
install/updates/20-user_private_groups.update | 4 +-
ipalib/__init__.py | 4 +-
ipalib/frontend.py | 44 ++++++-
ipalib/plugable.py | 15 ++-
ipaserver/install/dsinstance.py | 2 +-
ipaserver/install/ldapupdate.py | 144 +++++++++++---------
ipaserver/install/plugins/Makefile.am | 16 ++
ipaserver/install/plugins/__init__.py | 28 ++++
ipaserver/install/plugins/baseupdate.py | 68 +++++++++
ipaserver/install/plugins/rename_managed.py | 132 ++++++++++++++++++
ipaserver/install/plugins/updateclient.py | 182 +++++++++++++++++++++++++
ipaserver/install/upgradeinstance.py | 7 +-
ipaserver/plugins/ldap2.py | 16 ++-
setup.py | 1 +
tests/test_ipaserver/test_ldap.py | 22 +++-
19 files changed, 655 insertions(+), 93 deletions(-)
create mode 100644 ipaserver/install/plugins/Makefile.am
create mode 100644 ipaserver/install/plugins/__init__.py
create mode 100644 ipaserver/install/plugins/baseupdate.py
create mode 100644 ipaserver/install/plugins/rename_managed.py
create mode 100644 ipaserver/install/plugins/updateclient.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6531cf5..5613bd0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -388,9 +388,13 @@ fi
%endif
if [ $1 -gt 1 ] ; then
/usr/sbin/ipa-upgradeconfig || :
- /usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
fi
+%posttrans server
+# This must be run in posttrans so that updates from previous
+# execution that may no longer be shipped are not applied.
+/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
+
%preun server
if [ $1 = 0 ]; then
%if 0%{?fedora} >= 16
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index 6ecb8c1..bf9be41 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -34,6 +34,7 @@ try:
from ipapython import sysrestore
import logging
import krbV
+ from ipalib import api
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
@@ -49,15 +50,19 @@ def parse_options():
parser = IPAOptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
- help="Display debugging information about the update(s)")
+ help="Display debugging information about the update(s)",
+ default=False)
parser.add_option("-t", "--test", action="store_true", dest="test",
- help="Run through the update without changing anything")
+ help="Run through the update without changing anything",
+ default=False)
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
parser.add_option("-l", '--ldapi', action="store_true", dest="ldapi",
default=False, help="Connect to the LDAP server using the ldapi socket")
parser.add_option("-u", '--upgrade', action="store_true", dest="upgrade",
default=False, help="Upgrade an installed server in offline mode")
+ parser.add_option("-p", '--plugins', action="store_true", dest="plugins",
+ default=False, help="Execute update plugins. Always true when applying all update files.")
parser.add_option("-W", '--password', action="store_true",
dest="ask_password",
help="Prompt for the Directory Manager password")
@@ -79,6 +84,7 @@ def main():
loglevel = logging.INFO
badsyntax = False
upgradefailed = False
+ run_plugins = False
safe_options, options, args = parse_options()
if options.debug:
@@ -99,22 +105,40 @@ def main():
if dirman_password is None:
sys.exit("\nDirectory Manager password required")
- files = []
- if len(args) > 0:
- files = args
-
# Clear all existing log handler
loggers = logging.getLogger()
if loggers.handlers:
for handler in loggers.handlers:
loggers.removeHandler(handler)
+
if options.upgrade:
- if os.getegid() != 0:
- sys.exit('Upgrade can only be done as root')
logging.basicConfig(level=loglevel,
format='%(asctime)s %(levelname)s %(message)s',
filename='/var/log/ipaupgrade.log',
filemode='a')
+ else:
+ logging.basicConfig(level=loglevel,
+ format='%(levelname)s %(message)s')
+
+ cfg = dict (
+ in_server=True,
+ context='updates',
+ debug=options.debug,
+ )
+ api.bootstrap(**cfg)
+ api.finalize()
+
+ files = []
+ if len(args) > 0:
+ files = args
+
+ if len(files) < 1:
+ run_plugins = True
+
+ updates = None
+ if options.upgrade:
+ if os.getegid() != 0:
+ sys.exit('Upgrade can only be done as root')
logging.debug('%s was invoked with arguments %s and options: %s' % (sys.argv[0], args, safe_options))
realm = krbV.default_context().default_realm
upgrade = IPAUpgrade(realm, files, live_run=not options.test)
@@ -123,22 +147,24 @@ def main():
badsyntax = upgrade.badsyntax
upgradefailed = upgrade.upgradefailed
else:
- logging.basicConfig(level=loglevel,
- format='%(levelname)s %(message)s')
- ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi)
+ ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, live_run=not options.test, ldapi=options.ldapi, plugins=options.plugins or run_plugins)
if len(files) < 1:
files = ld.get_all_files(UPDATES_DIR)
modified = ld.update(files)
if badsyntax:
+ logging.info('Bad syntax detected in upgrade file(s).')
print 'Bad syntax detected in upgrade file(s).'
return 1
elif upgradefailed:
+ logging.info('IPA upgrade failed.')
print 'IPA upgrade failed.'
return 1
elif modified and options.test:
+ logging.info('Update complete, changes to be made, test mode')
return 2
else:
+ logging.info('Update complete')
return 0
try:
diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 92f02ef..c5ac901 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -133,12 +133,10 @@ def main():
entries = conn.search_s(
managed_entry_definitions_dn, ldap.SCOPE_SUBTREE, filter
)
- managed_entries = [entry.dn for entry in entries]
+ managed_entries = [entry.cn for entry in entries]
if managed_entries:
print "Available Managed Entry Definitions:"
for managed_entry in managed_entries:
- rdn = DN(managed_entry)
- managed_entry = rdn[0].value
print managed_entry
retval = 0
sys.exit()
diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1
index d896a1b..df8dfe6 100644
--- a/install/tools/man/ipa-ldap-updater.1
+++ b/install/tools/man/ipa-ldap-updater.1
@@ -83,8 +83,11 @@ File containing the Directory Manager password
\fB\-l\fR, \fB\-\-ldapi\fR
Connect to the LDAP server using the ldapi socket
.TP
+\fB\-p\fR, \fB\-\-\-plugins\fR
+Execute update plugins as well as any update files. There is no way to execute only the plugins.
+.TP
\fB\-u\fR, \fB\-\-\-upgrade\fR
-Upgrade an installed server in offline mode (implies \-\-ldapi)
+Upgrade an installed server in offline mode (implies \-\-ldapi and \-\-plugins)
.TP
\fB\-W\fR, \fB\-\-\-password\fR
Prompt for the Directory Manager password
diff --git a/install/updates/20-user_private_groups.update b/install/updates/20-user_private_groups.update
index d54cc02..93b79b8 100644
--- a/install/updates/20-user_private_groups.update
+++ b/install/updates/20-user_private_groups.update
@@ -16,9 +16,11 @@ default:mepMappedAttr: description: User private group for $$uid
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
default:objectclass: extensibleObject
-replace:originFilter:objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__)))
default:cn: UPG Definition
default:originScope: cn=users,cn=accounts,$SUFFIX
default:originFilter: objectclass=posixAccount
default:managedBase: cn=groups,cn=accounts,$SUFFIX
default:managedTemplate: cn=UPG Template,cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
+
+dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
+replace:originFilter: objectclass=posixAccount::(&(objectclass=posixAccount)(!(description=__no_upg__)))
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 0489646..c54717b 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -875,7 +875,7 @@ freeIPA.org:
import os
import plugable
from backend import Backend
-from frontend import Command, LocalOrRemote
+from frontend import Command, LocalOrRemote, Updater
from frontend import Object, Method, Property
from crud import Create, Retrieve, Update, Delete, Search
from parameters import DefaultFrom, Bool, Flag, Int, Float, Bytes, Str, IA5Str, Password,List
@@ -907,7 +907,7 @@ def create_api(mode='dummy'):
- `backend.Backend`
"""
- api = plugable.API(Command, Object, Method, Property, Backend)
+ api = plugable.API(Command, Object, Method, Property, Backend, Updater)
if mode is not None:
api.env.mode = mode
assert mode != 'production'
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index 851de43..4e478e1 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -30,7 +30,7 @@ from util import make_repr
from output import Output, Entry, ListOfEntries
from text import _, ngettext
-from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError
+from errors import ZeroArgumentError, MaxArgumentError, OverlapError, RequiresRoot, VersionError, RequirementError, ValidationError
from errors import InvocationError
from constants import TYPE_ERROR
from ipapython.version import API_VERSION
@@ -553,7 +553,11 @@ class Command(HasParam):
# None means "delete this attribute"
value = None
if attr in self.params:
- value = self.params[attr](value)
+ try:
+ value = self.params[attr](value)
+ except ValidationError, err:
+ (name, error) = str(err.strerror).split(':')
+ raise ValidationError(name=attr, error=error)
if append and attr in newdict:
if type(value) in (tuple,):
newdict[attr] += list(value)
@@ -1321,3 +1325,39 @@ class Property(Attribute):
attr = getattr(self, name)
if is_rule(attr):
yield attr
+
+class Updater(Method):
+ """
+ An LDAP update with an associated object (always update).
+
+ All plugins that subclass from `Updater` will be automatically available
+ as a server update function.
+
+ Plugins that subclass from Updater are registered in the ``api.Updater``
+ namespace. For example:
+
+ >>> from ipalib import create_api
+ >>> api = create_api()
+ >>> class my(Object):
+ ... pass
+ ...
+ >>> api.register(my)
+ >>> class my_update(Updater):
+ ... pass
+ ...
+ >>> api.register(my_update)
+ >>> api.finalize()
+ >>> list(api.Updater)
+ ['my_update']
+ >>> api.Updater.my_update # doctest:+ELLIPSIS
+ ipalib.frontend.my_update()
+ """
+ def __init__(self):
+ super(Updater, self).__init__()
+
+ def __call__(self, **options):
+ self.debug(
+ 'raw: %s', self.name
+ )
+
+ return self.execute(**options)
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index b0e4156..46e445b 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,16 +530,29 @@ class API(DictProxy):
self.import_plugins('ipalib')
if self.env.in_server:
self.import_plugins('ipaserver')
+ if self.env.context in ('installer', 'updates'):
+ self.import_plugins('ipaserver/install/plugins')
# FIXME: This method has no unit test
def import_plugins(self, package):
"""
Import modules in ``plugins`` sub-package of ``package``.
"""
+ package = package.replace(os.path.sep, '.')
subpackage = '%s.plugins' % package
try:
parent = __import__(package)
- plugins = __import__(subpackage).plugins
+ parts = package.split('.')[1:]
+ if parts:
+ for part in parts:
+ if part == 'plugins':
+ plugins = subpackage.plugins
+ subpackage = plugins.__name__
+ break
+ subpackage = parent.__getattribute__(part)
+ parent = subpackage
+ else:
+ plugins = __import__(subpackage).plugins
except ImportError, e:
self.log.error(
'cannot import plugins sub-package %s: %s', subpackage, e
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 8ca33c1..13c4fd3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -420,7 +420,7 @@ class DsInstance(service.Service):
conn.unbind()
def apply_updates(self):
- ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
+ ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict, plugins=True)
files = ld.get_all_files(ldapupdate.UPDATES_DIR)
ld.update(files)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index e1f6b1f..c65edf1 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -31,6 +31,7 @@ from ipaserver import ipaldap
from ipapython import entity, ipautil
from ipalib import util
from ipalib import errors
+from ipalib import api
import ldap
from ldap.dn import escape_dn_chars
import logging
@@ -42,6 +43,8 @@ import os
import pwd
import fnmatch
import csv
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE
+from ipaserver.install.plugins import FIRST, MIDDLE, LAST
class BadSyntax(Exception):
def __init__(self, value):
@@ -49,32 +52,15 @@ class BadSyntax(Exception):
def __str__(self):
return repr(self.value)
-class IPARestart(service.Service):
- """
- Restart the 389 DS service prior to performing deletions.
- """
- def __init__(self, live_run=True):
- """
- This class is present to provide ldapupdate the means to
- restart 389 DS to apply updates prior to performing deletes.
- """
-
- service.Service.__init__(self, "dirsrv")
- self.live_run = live_run
-
- def create_instance(self):
- self.step("stopping directory server", self.stop)
- self.step("starting directory server", self.start)
- self.start_creation("Restarting IPA to initialize updates before performing deletes:")
-
class LDAPUpdate:
def __init__(self, dm_password, sub_dict={}, live_run=True,
- online=True, ldapi=False):
+ online=True, ldapi=False, plugins=False):
"""dm_password = Directory Manager password
sub_dict = substitution dictionary
live_run = Apply the changes or just test
online = do an online LDAP update or use an experimental LDIF updater
ldapi = bind using ldapi. This assumes autobind is enabled.
+ plugins = execute the pre/post update plugins
"""
self.sub_dict = sub_dict
self.live_run = live_run
@@ -83,6 +69,7 @@ class LDAPUpdate:
self.modified = False
self.online = online
self.ldapi = ldapi
+ self.plugins = plugins
self.pw_name = pwd.getpwuid(os.geteuid()).pw_name
if sub_dict.get("REALM"):
@@ -554,11 +541,11 @@ class LDAPUpdate:
# skip this update type, it occurs in __delete_entries()
return None
elif utype == 'replace':
- # v has the format "old:: new"
+ # v has the format "old::new"
try:
(old, new) = v.split('::', 1)
except ValueError:
- raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % v
+ raise BadSyntax, "bad syntax in replace, needs to be in the format old::new in %s" % v
try:
e.remove(old)
e.append(new)
@@ -708,11 +695,12 @@ class LDAPUpdate:
deletes = updates.get('deleteentry', [])
for d in deletes:
try:
- if self.live_run:
- self.conn.deleteEntry(dn)
- self.modified = True
+ logging.info("Deleting entry %s", dn)
+ if self.live_run:
+ self.conn.deleteEntry(dn)
+ self.modified = True
except errors.NotFound, e:
- logging.info("Deleting non-existent entry %s", e)
+ logging.info("%s did not exist: %s", (dn, e))
self.modified = True
except errors.DatabaseError, e:
logging.error("Delete failed: %s", e)
@@ -724,11 +712,12 @@ class LDAPUpdate:
if utype == 'deleteentry':
try:
- if self.live_run:
- self.conn.deleteEntry(dn)
- self.modified = True
+ logging.info("Deleting entry %s", dn)
+ if self.live_run:
+ self.conn.deleteEntry(dn)
+ self.modified = True
except errors.NotFound, e:
- logging.info("Deleting non-existent entry %s", e)
+ logging.info("%s did not exist: %s", (dn, e))
self.modified = True
except errors.DatabaseError, e:
logging.error("Delete failed: %s", e)
@@ -772,16 +761,49 @@ class LDAPUpdate:
else:
raise RuntimeError("Offline updates are not supported.")
+ def __run_updates(self, dn_list, all_updates):
+ # For adds and updates we want to apply updates from shortest
+ # to greatest length of the DN. For deletes we want the reverse.
+ sortedkeys = dn_list.keys()
+ sortedkeys.sort()
+ for k in sortedkeys:
+ for dn in dn_list[k]:
+ self.__update_record(all_updates[dn])
+
+ sortedkeys.reverse()
+ for k in sortedkeys:
+ for dn in dn_list[k]:
+ self.__delete_record(all_updates[dn])
+
def update(self, files):
"""Execute the update. files is a list of the update files to use.
returns True if anything was changed, otherwise False
"""
+ updates = None
+ if self.plugins:
+ logging.info('PRE_UPDATE')
+ updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
+
try:
self.create_connection()
all_updates = {}
dn_list = {}
+ # Start with any updates passed in from pre-update plugins
+ if updates:
+ for entry in updates:
+ all_updates.update(entry)
+ for upd in updates:
+ for dn in upd:
+ dn_explode = ldap.explode_dn(dn.lower())
+ l = len(dn_explode)
+ if dn_list.get(l):
+ if dn not in dn_list[l]:
+ dn_list[l].append(dn)
+ else:
+ dn_list[l] = [dn]
+
for f in files:
try:
logging.info("Parsing file %s" % f)
@@ -792,40 +814,38 @@ class LDAPUpdate:
(all_updates, dn_list) = self.parse_update_file(data, all_updates, dn_list)
- # Process Managed Entry Updates
- managed_entries = self.__update_managed_entries()
- if managed_entries:
- managed_entry_dns = [[m[entry]['dn'] for entry in m] for m in managed_entries]
- l = len(dn_list.keys())
-
- # Add Managed Entry DN's to the DN List
- for dn in managed_entry_dns:
- l+=1
- dn_list[l] = dn
- # Add Managed Entry Updates to All Updates List
- for managed_entry in managed_entries:
- all_updates.update(managed_entry)
-
- # For adds and updates we want to apply updates from shortest
- # to greatest length of the DN. For deletes we want the reverse.
- sortedkeys = dn_list.keys()
- sortedkeys.sort()
- for k in sortedkeys:
- for dn in dn_list[k]:
- self.__update_record(all_updates[dn])
-
- # Restart 389 Directory Service
- socket_name = '/var/run/slapd-%s.socket' % self.realm.replace('.','-')
- iparestart = IPARestart()
- iparestart.create_instance()
- installutils.wait_for_open_socket(socket_name)
- self.create_connection()
-
- sortedkeys.reverse()
- for k in sortedkeys:
- for dn in dn_list[k]:
- self.__delete_record(all_updates[dn])
+ self.__run_updates(dn_list, all_updates)
finally:
if self.conn: self.conn.unbind()
+ if self.plugins:
+ logging.info('POST_UPDATE')
+ updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
+ dn_list = {}
+ for upd in updates:
+ for dn in upd:
+ dn_explode = ldap.explode_dn(dn.lower())
+ l = len(dn_explode)
+ if dn_list.get(l):
+ if dn not in dn_list[l]:
+ dn_list[l].append(dn)
+ else:
+ dn_list[l] = [dn]
+ self.__run_updates(dn_list, updates)
+
+ return self.modified
+
+
+ def update_from_dict(self, dn_list, updates):
+ """
+ Apply updates internally as opposed to from a file.
+
+ dn_list is a list of dns to be updated
+ updates is a dictionary containing the updates
+ """
+ if not self.conn:
+ self.create_connection()
+
+ self.__run_updates(dn_list, updates)
+
return self.modified
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
new file mode 100644
index 0000000..a96d0be
--- /dev/null
+++ b/ipaserver/install/plugins/Makefile.am
@@ -0,0 +1,16 @@
+NULL =
+
+appdir = $(pythondir)/ipaserver/install
+app_PYTHON = \
+ __init__.py \
+ baseupdate.py \
+ rename_managed.py \
+ updateclient.py \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/ipaserver/install/plugins/__init__.py b/ipaserver/install/plugins/__init__.py
new file mode 100644
index 0000000..49bef4d
--- /dev/null
+++ b/ipaserver/install/plugins/__init__.py
@@ -0,0 +1,28 @@
+# Authors:
+# Rob Crittenden <[email protected]>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Provide a separate api for updates.
+"""
+PRE_UPDATE = 1
+POST_UPDATE = 2
+
+FIRST = 1
+MIDDLE = 2
+LAST = 4
diff --git a/ipaserver/install/plugins/baseupdate.py b/ipaserver/install/plugins/baseupdate.py
new file mode 100644
index 0000000..227dc91
--- /dev/null
+++ b/ipaserver/install/plugins/baseupdate.py
@@ -0,0 +1,68 @@
+# Authors:
+# Rob Crittenden <[email protected]>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipalib import api
+from ipalib import errors
+from ipalib import Updater, Object
+from ipaserver.install import service
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, MIDDLE
+
+class DSRestart(service.Service):
+ """
+ Restart the 389-ds service.
+ """
+ def __init__(self):
+ """
+ This class is present to provide ldapupdate the means to
+ restart 389-ds.
+ """
+ service.Service.__init__(self, "dirsrv")
+
+ def create_instance(self):
+ self.step("stopping directory server", self.stop)
+ self.step("starting directory server", self.start)
+ self.start_creation("Restarting Directory server to apply updates")
+
+class update(Object):
+ """
+ Generic object used to register all updates into a single namespace.
+ """
+ backend_name = 'ldap2'
+
+api.register(update)
+
+class PreUpdate(Updater):
+ """
+ Base class for updates that run prior to file processing.
+ """
+ updatetype = PRE_UPDATE
+ order = MIDDLE
+
+ def __init__(self):
+ super(PreUpdate, self).__init__()
+
+class PostUpdate(Updater):
+ """
+ Base class for updates that run after file processing.
+ """
+ updatetype = POST_UPDATE
+ order = MIDDLE
+
+ def __init__(self):
+ super(PostUpdate, self).__init__()
diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py
new file mode 100644
index 0000000..a9eed0b
--- /dev/null
+++ b/ipaserver/install/plugins/rename_managed.py
@@ -0,0 +1,132 @@
+# Authors:
+# Rob Crittenden <[email protected]>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate
+from ipalib.frontend import Updater
+from ipaserver.install.plugins import baseupdate
+from ipalib import api, errors
+from ipapython import ipautil
+import ldap as _ldap
+
+def entry_to_update(entry):
+ """
+ Convert an entry into a name/value pair list that looks like an update.
+
+ An entry is a dict.
+
+ An update is a list of name/value pairs.
+ """
+ update = []
+ for attr in entry.keys():
+ if isinstance(entry[attr], list):
+ for i in xrange(len(entry[attr])):
+ update.append('%s:%s' % (str(attr), str(entry[attr][i])))
+ else:
+ update.append('%s:%s' % (str(attr), str(entry[attr])))
+
+ return update
+
+def generate_update(ldap, deletes=False):
+ """
+ We need to separate the deletes that need to happen from the
+ new entries that need to be added.
+ """
+ suffix = ipautil.realm_to_suffix(api.env.realm)
+ searchfilter = '(objectclass=*)'
+ definitions_managed_entries = []
+ old_template_container = 'cn=etc,%s' % suffix
+ old_definition_container = 'cn=managed entries,cn=plugins,cn=config'
+ new = 'cn=Managed Entries,cn=etc,%s' % suffix
+ sub = ['cn=Definitions,', 'cn=Templates,']
+ new_managed_entries = []
+ old_templates = []
+ template = None
+ restart = False
+
+ # If the old entries don't exist the server has already been updated.
+ try:
+ (definitions_managed_entries, truncated) = ldap.find_entries(
+ searchfilter, ['*'], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False
+ )
+ except errors.NotFound, e:
+ return (False, new_managed_entries)
+
+ for entry in definitions_managed_entries:
+ new_definition = {}
+ definition_managed_entry_updates = {}
+ if deletes:
+ old_definition = {'dn': str(entry[0]), 'deleteentry': ['dn: %s' % str(entry[0])]}
+ old_template = str(entry[1]['managedtemplate'][0])
+ definition_managed_entry_updates[old_definition['dn']] = old_definition
+ old_templates.append(old_template)
+ else:
+ entry[1]['managedtemplate'] = str(entry[1]['managedtemplate'][0].replace(old_template_container, sub[1] + new))
+ new_definition['dn'] = str(entry[0].replace(old_definition_container, sub[0] + new))
+ new_definition['default'] = entry_to_update(entry[1])
+ definition_managed_entry_updates[new_definition['dn']] = new_definition
+ new_managed_entries.append(definition_managed_entry_updates)
+ for old_template in old_templates: # Only happens when deletes is True
+ try:
+ (dn, template) = ldap.get_entry(old_template, ['*'], normalize=False)
+ dn = str(dn)
+ new_template = {}
+ template_managed_entry_updates = {}
+ old_template = {'dn': dn, 'deleteentry': ['dn: %s' % dn]}
+ new_template['dn'] = str(dn.replace(old_template_container, sub[1] + new))
+ new_template['default'] = entry_to_update(template)
+ template_managed_entry_updates[new_template['dn']] = new_template
+ template_managed_entry_updates[old_template['dn']] = old_template
+ new_managed_entries.append(template_managed_entry_updates)
+ except errors.NotFound, e:
+ pass
+
+ if len(new_managed_entries) > 0:
+ restart = True
+ new_managed_entries.sort(reverse=True)
+
+ return (restart, new_managed_entries)
+
+class update_managed_post_first(PreUpdate):
+ """
+ Update managed entries
+ """
+ order=FIRST
+
+ def execute(self, **options):
+ # Never need to restart with the pre-update changes
+ (ignore, new_managed_entries) = generate_update(self.obj.backend, False)
+
+ return (False, True, new_managed_entries)
+
+api.register(update_managed_post_first)
+
+class update_managed_post(PostUpdate):
+ """
+ Update managed entries
+ """
+ order=LAST
+
+ def execute(self, **options):
+ (restart, new_managed_entries) = generate_update(self.obj.backend, True)
+
+ return (restart, True, new_managed_entries)
+
+api.register(update_managed_post)
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
new file mode 100644
index 0000000..8f463fa
--- /dev/null
+++ b/ipaserver/install/plugins/updateclient.py
@@ -0,0 +1,182 @@
+# Authors: Rob Crittenden <[email protected]>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from ipaserver.install import installutils
+from ipaserver.install.plugins import FIRST, MIDDLE, LAST
+from ipaserver.install.plugins import POST_UPDATE
+from ipaserver.install.plugins.baseupdate import DSRestart
+from ipaserver.install.ldapupdate import LDAPUpdate
+from ipalib import api
+from ipalib import backend
+import ldap as _ldap
+
+class updateclient(backend.Executioner):
+ """
+ Backend used for applying LDAP updates via plugins
+
+ An update plugin can be executed before the file-based plugins or
+ afterward. Each plugin returns three values:
+
+ 1. restart: dirsrv needs to be restarted BEFORE this update is
+ applied.
+ 2. apply_now: when True the update is applied when the plugin
+ returns. Otherwise the update is cached until all
+ plugins of that update type are complete, then they
+ are applied together.
+ 3. updates: A dictionary of updates to be applied.
+
+ updates is a dictionary keyed on dn. The value of an update is a
+ dictionary with the following possible values:
+ - dn: str, duplicate of the key
+ - updates: list of updates against the dn
+ - default: list of the default entry to be added if it doesn't
+ exist
+ - deleteentry: list of dn's to be deleted (typically single dn)
+
+ For example, this update file:
+
+ dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+ replace:krbPwdLockoutDuration:10::600
+ replace: krbPwdMaxFailure:3::6
+
+ Generates this update dictionary:
+
+ dict('cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com':
+ dict(
+ 'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
+ 'updates': ['replace:krbPwdLockoutDuration:10::600',
+ 'replace:krbPwdMaxFailure:3::6']
+ )
+ )
+
+ Here is another example showing how a default entry is configured:
+
+ dn: cn=Managed Entries,cn=etc,$SUFFIX
+ default: objectClass: nsContainer
+ default: objectClass: top
+ default: cn: Managed Entries
+
+ This generates:
+
+ dict('cn=Managed Entries,cn=etc,dc=example,dc=com',
+ dict(
+ 'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com',
+ 'default': ['objectClass:nsContainer',
+ 'objectClass:top',
+ 'cn:Managed Entries'
+ ]
+ )
+ )
+
+ Note that the variable substitution in both examples has been completed.
+
+ A PRE_UPDATE plugin is executed before file-based updates.
+
+ A POST_UPDATE plugin is executed after file-based updates.
+
+ Plugins are executed automatically when ipa-ldap-updater is run
+ in upgrade mode (--upgrade). They are not executed normally otherwise.
+ To execute plugins as well use the --plugins flag.
+
+ Either may make changes directly in LDAP or can return updates in
+ update format.
+ """
+ def create_context(self, dm_password):
+ if dm_password:
+ autobind = False
+ else:
+ autobind = True
+ self.Backend.ldap2.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password, autobind=autobind)
+
+ def order(self, updatetype):
+ """
+ Calculate rough order of plugins.
+ """
+ order = []
+ for plugin in api.Updater(): #pylint: disable=E1101
+ if plugin.updatetype != updatetype:
+ continue
+ if plugin.order == FIRST:
+ order.insert(0, plugin)
+ elif plugin.order == MIDDLE:
+ order.insert(len(order)/2, plugin)
+ else:
+ order.append(plugin)
+
+ for o in order:
+ yield o
+
+ def update(self, updatetype, dm_password, ldapi, live_run):
+ """
+ Execute all update plugins of type updatetype.
+ """
+ self.create_context(dm_password)
+ kw = dict(live_run=live_run)
+ result = []
+ ld = LDAPUpdate(dm_password=dm_password, sub_dict={}, live_run=live_run, ldapi=ldapi)
+ for update in self.order(updatetype):
+ (restart, apply_now, res) = self.run(update.name, **kw)
+ if restart:
+ self.restart(dm_password, live_run)
+ dn_list = {}
+ for upd in res:
+ for dn in upd:
+ dn_explode = _ldap.explode_dn(dn.lower())
+ l = len(dn_explode)
+ if dn_list.get(l):
+ if dn not in dn_list[l]:
+ dn_list[l].append(dn)
+ else:
+ dn_list[l] = [dn]
+ updates = {}
+ for entry in res:
+ updates.update(entry)
+
+ if apply_now:
+ ld.update_from_dict(dn_list, updates)
+ elif res:
+ result.extend(res)
+
+ self.destroy_context()
+
+ return result
+
+ def run(self, method, **kw):
+ """
+ Execute the update plugin.
+ """
+ return self.Updater[method](**kw) #pylint: disable=E1101
+
+ def restart(self, dm_password, live_run):
+ if os.getegid() != 0:
+ self.log.warn("Not root, skipping restart")
+ return
+ dsrestart = DSRestart()
+ socket_name = '/var/run/slapd-%s.socket' % \
+ api.env.realm.replace('.','-')
+ if live_run:
+ self.destroy_context()
+ dsrestart.create_instance()
+ installutils.wait_for_open_socket(socket_name)
+ self.create_context(dm_password)
+ else:
+ self.log.warn("Test mode, skipping restart")
+
+api.register(updateclient)
diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index 2f42358..aec6c52 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -22,6 +22,7 @@ import sys
import shutil
import random
import logging
+import traceback
from ipaserver.install import installutils
from ipaserver.install import dsinstance
@@ -100,11 +101,12 @@ class IPAUpgrade(service.Service):
def __upgrade(self):
try:
- ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run)
+ ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
if len(self.files) == 0:
self.files = ld.get_all_files(ldapupdate.UPDATES_DIR)
self.modified = ld.update(self.files)
- except ldapupdate.BadSyntax:
+ except ldapupdate.BadSyntax, e:
+ logging.error('Bad syntax in upgrade %s' % str(e))
self.modified = False
self.badsyntax = True
except Exception, e:
@@ -112,6 +114,7 @@ class IPAUpgrade(service.Service):
self.modified = False
self.upgradefailed = True
logging.error('Upgrade failed with %s' % str(e))
+ logging.debug('%s', traceback.format_exc())
def main():
if os.getegid() != 0:
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 32a1ecc..45befc1 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -34,6 +34,7 @@ import shutil
import tempfile
import time
import re
+import pwd
import krbV
import logging
@@ -313,7 +314,7 @@ class ldap2(CrudBackend, Encoder):
@encode_args(2, 3, 'bind_dn', 'bind_pw')
def create_connection(self, ccache=None, bind_dn='', bind_pw='',
tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
- debug_level=0):
+ debug_level=0, autobind=False):
"""
Connect to LDAP server.
@@ -326,6 +327,7 @@ class ldap2(CrudBackend, Encoder):
tls_cacertfile -- TLS CA certificate filename
tls_certfile -- TLS certificate filename
tls_keyfile - TLS bind key filename
+ autobind - autobind as the current user
Extends backend.Connectible.create_connection.
"""
@@ -342,7 +344,7 @@ class ldap2(CrudBackend, Encoder):
try:
conn = _ldap.initialize(self.ldap_uri)
- if self.ldap_uri.startswith('ldapi://'):
+ if self.ldap_uri.startswith('ldapi://') and ccache:
conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
if ccache is not None:
os.environ['KRB5CCNAME'] = ccache
@@ -351,8 +353,14 @@ class ldap2(CrudBackend, Encoder):
context=krbV.default_context()).principal().name
setattr(context, 'principal', principal)
else:
- # no kerberos ccache, use simple bind
- conn.simple_bind_s(bind_dn, bind_pw)
+ # no kerberos ccache, use simple bind or external sasl
+ if autobind:
+ pent = pwd.getpwuid(os.geteuid())
+ auth_tokens = _ldap.sasl.external(pent.pw_name)
+ conn.sasl_interactive_bind_s("", auth_tokens)
+ else:
+ conn.simple_bind_s(bind_dn, bind_pw)
+
except _ldap.LDAPError, e:
_handle_errors(e, **{})
diff --git a/setup.py b/setup.py
index 5727e5d..04b20e0 100755
--- a/setup.py
+++ b/setup.py
@@ -81,6 +81,7 @@ setup(
'ipaserver',
'ipaserver.plugins',
'ipaserver.install',
+ 'ipaserver.install.plugins',
],
scripts=['ipa'],
data_files = [('share/man/man1', ["ipa.1"])],
diff --git a/tests/test_ipaserver/test_ldap.py b/tests/test_ipaserver/test_ldap.py
index b3f8009..abfd1be 100644
--- a/tests/test_ipaserver/test_ldap.py
+++ b/tests/test_ipaserver/test_ldap.py
@@ -31,7 +31,7 @@ from ipaserver.plugins.ldap2 import ldap2
from ipalib.plugins.service import service, service_show
from ipalib.plugins.host import host
import nss.nss as nss
-from ipalib import api, x509, create_api
+from ipalib import api, x509, create_api, errors
from ipapython import ipautil
from ipalib.dn import *
@@ -49,7 +49,7 @@ class test_ldap(object):
('cn','services'),('cn','accounts'),api.env.basedn))
def tearDown(self):
- if self.conn:
+ if self.conn and self.conn.isconnected():
self.conn.disconnect()
def test_anonymous(self):
@@ -120,3 +120,21 @@ class test_ldap(object):
cert = cert[0]
serial = unicode(x509.get_serial_number(cert, x509.DER))
assert serial is not None
+
+ def test_autobind(self):
+ """
+ Test an autobind LDAP bind using ldap2
+ """
+ ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
+ self.conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ try:
+ self.conn.connect(autobind=True)
+ except errors.DatabaseError, e:
+ if e.desc == 'Inappropriate authentication':
+ raise nose.SkipTest("Only executed as root")
+ (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
+ cert = entry_attrs.get('usercertificate')
+ cert = cert[0]
+ serial = unicode(x509.get_serial_number(cert, x509.DER))
+ assert serial is not None
+
--
1.7.6
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
