Use a common group named 'dirsrv' for all DS instances, as requested in
ticket #851

While there, also remove the -u option: it is silly to allow changing only
one of the three accounts (the others are the group name and the PKI DS
instance user). Plus it is apparently confusing to admins.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 49162692fd3c24c667844e663e444d9844dba72b Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Fri, 28 Jan 2011 15:45:19 -0500
Subject: [PATCH] Use a common group for all DS instances

Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.

Fixes: https://fedorahosted.org/freeipa/ticket/851
---
 install/tools/ipa-replica-install |   32 +++++++++++---
 install/tools/ipa-server-install  |   88 ++++++++++++++++--------------------
 ipaserver/install/cainstance.py   |    6 ++-
 ipaserver/install/dsinstance.py   |   18 +++----
 4 files changed, 78 insertions(+), 66 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 3eb41daae3572e6cfdec943bd776f525f30bf87b..8d35a58f767c46a3896756f7d0a98723303b5aed 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -22,6 +22,7 @@ import sys
 import socket
 
 import tempfile, os, pwd, traceback, logging, shutil
+import grp
 from ConfigParser import SafeConfigParser
 
 from ipapython import ipautil
@@ -33,6 +34,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
+from ipapython import sysrestore
 
 CACERT="/etc/ipa/ca.crt"
 
@@ -45,7 +47,6 @@ class ReplicaConfig:
         self.domain_name = ""
         self.master_host_name = ""
         self.dirman_password = ""
-        self.ds_user = ""
         self.host_name = ""
         self.dir = ""
         self.subject_base = ""
@@ -116,7 +117,6 @@ def read_info(dir, rconfig):
 
     rconfig.realm_name = config.get("realm", "realm_name")
     rconfig.master_host_name = config.get("realm", "master_host_name")
-    rconfig.ds_user = config.get("realm", "ds_user")
     rconfig.domain_name = config.get("realm", "domain_name")
     rconfig.host_name = config.get("realm", "destination_host")
     rconfig.subject_base = config.get("realm", "subject_base")
@@ -145,7 +145,7 @@ def resolve_host(host_name):
         return None
 
 def set_owner(config, dir):
-    pw = pwd.getpwnam(config.ds_user)
+    pw = pwd.getpwnam(dsinstance.DS_USER)
     os.chown(dir, pw.pw_uid, pw.pw_gid)
 
 def install_ca(config):
@@ -168,7 +168,9 @@ def install_ca(config):
         sys.exit(1)
 
     cs = cainstance.CADSInstance()
-    cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password)
+    cs.create_instance(dsinstance.DS_USER, config.realm_name,
+                       config.host_name, config.domain_name,
+                       config.dirman_password)
     ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
     ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base)
 
@@ -187,7 +189,7 @@ def install_replica_ds(config):
                        config.dir + "/dirsrv_pin.txt")
 
     ds = dsinstance.DsInstance()
-    ds.create_replica(config.ds_user, config.realm_name,
+    ds.create_replica(dsinstance.DS_USER, config.realm_name,
                       config.master_host_name, config.host_name,
                       config.domain_name, config.dirman_password,
                       pkcs12_info)
@@ -205,7 +207,7 @@ def install_krb(config, setup_pkinit=False):
         pkcs12_info = (config.dir + "/pkinitcert.p12",
                        config.dir + "/pkinit_pin.txt")
 
-    krb.create_replica(config.ds_user, config.realm_name,
+    krb.create_replica(dsinstance.DS_USER, config.realm_name,
                        config.master_host_name, config.host_name,
                        config.domain_name, config.dirman_password,
                        ldappwd_filename, kpasswd_filename,
@@ -339,6 +341,9 @@ def main():
     if not ipautil.file_exists(filename):
         sys.exit("Replica file %s does not exist" % filename)
 
+    global sstore
+    sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
+
     # check the bind is installed
     if options.setup_dns:
         check_bind()
@@ -393,6 +398,21 @@ def main():
     api.bootstrap(in_server=True)
     api.finalize()
 
+    # Create DS group if it doesn't exist yet
+    try:
+        grp.getgrnam(dsinstance.DS_GROUP)
+        logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
+        group_exists = True
+    except KeyError:
+        group_exists = False
+        args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
+        try:
+            ipautil.run(args)
+            logging.debug("done adding DS group")
+        except ipautil.CalledProcessError, e:
+            logging.critical("failed to add DS group: %s" % e)
+    sstore.backup_state("install", "group_exists", group_exists)
+
     #Automatically disable pkinit w/ dogtag until that is supported
     #[certs.ipa_self_signed() must be called only after api.finalize()]
     if not ipautil.file_exists(config.dir + "/pkinitcert.p12") and not certs.ipa_self_signed():
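Review bot: `logging.critical("failed to add DS group: %s" % e)` records the groupadd failure but the install carries on, so the later `useradd -g dirsrv` in dsinstance/cainstance fails on a missing group, and `sstore.backup_state("install", "group_exists", False)` is still recorded for a group that was never created; add `sys.exit(1)` after the critical log (sys is already imported, per the first hunk's header line). The same fifteen lines are duplicated in ipa-server-install's main() hunk (`# Create DS group if it doesn't exist yet`) with the same gap, so please fix both. A single helper in dsinstance, say `create_ds_group(sstore)`, called from both installers would remove the duplication and keep the precondition next to the `useradd -g DS_GROUP` that depends on it. main() starts and ends outside this hunk.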
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c07f6fc3e8544b290b7a6dbee987487c9bfd7db9..ff9450ee1a48e422470bb585e30d0d8bc528ae66 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -31,7 +31,7 @@ import os
 import socket
 import errno
 import logging
-import pwd
+import grp
 import subprocess
 import signal
 import shutil
@@ -58,8 +58,6 @@ from ipapython.ipautil import *
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 
-DEF_DS_USER = 'dirsrv'
-
 pw_name = None
 uninstalling = False
 
@@ -68,8 +66,6 @@ def parse_options():
     # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
     namespace = random.randint(1, 10000) * 200000
     parser = IPAOptionParser(version=version.VERSION)
-    parser.add_option("-u", "--user", dest="ds_user",
-                      help="ds user")
     parser.add_option("-r", "--realm", dest="realm_name",
                       help="realm name")
     parser.add_option("-n", "--domain", dest="domain_name",
@@ -151,12 +147,10 @@ def parse_options():
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
 
     if options.uninstall:
-        if (options.ds_user or options.realm_name or
+        if (options.realm_name or
             options.admin_password or options.master_password):
-            parser.error("In uninstall mode, -u, r and -P options are not allowed")
+            parser.error("In uninstall mode, -a, -r and -P options are not allowed")
     elif options.unattended:
-        if not options.ds_user:
-            options.ds_user = DEF_DS_USER
         if (not options.realm_name or
             not options.dm_password or not options.admin_password):
             parser.error("In unattended mode you need to provide at least -r, -p and -a options")
@@ -306,32 +300,6 @@ def resolve_host(host_name):
         print "Unable to lookup the IP address of the provided host"
     return ip
 
-def read_ds_user():
-    print "The server must run as a specific user in a specific group."
-    print "It is strongly recommended that this user should have no privileges"
-    print "on the computer (i.e. a non-root user).  The set up procedure"
-    print "will give this user/group some permissions in specific paths/files"
-    print "to perform server-specific operations."
-    print ""
-
-    ds_user = ""
-    try:
-        pwd.getpwnam(DEF_DS_USER)
-
-        print "A user account named %s already exists." % DEF_DS_USER
-        print "This is the user id that the Directory Server will run as."
-        print ""
-        if user_input("Do you want to use the existing %s account?" % DEF_DS_USER, True):
-            ds_user = DEF_DS_USER
-        else:
-            print ""
-            ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False)
-        print ""
-    except KeyError:
-        ds_user = DEF_DS_USER
-
-    return ds_user
-
 def read_domain_name(domain_name, unattended):
     print "The domain name has been calculated based on the host name."
     print ""
@@ -447,6 +415,14 @@ def uninstall():
         os.remove("/etc/httpd/conf.d/ipa.conf")
     except:
         pass
+
+    group_exists = sstore.restore_state("install", "group_exists")
+    if not group_exists is None and not group_exists:
+        try:
+            ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP])
+        except ipautil.CalledProcessError, e:
+            logging.critical("failed to delete group %s" % e)
+
     return 0
 
 
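Review bot: `if not group_exists is None and not group_exists:` is correct only by operator precedence (`not (group_exists is None)`); the idiomatic form is `if group_exists is not None and not group_exists:`. groupdel also refuses to remove a group that is still the primary group of an existing user, and since the dirsrv user is now created with `-g dirsrv`, this step succeeds only if that user was removed earlier in uninstall() — that ordering is outside the hunk and worth confirming. The message `"failed to delete group %s" % e` formats the exception where a reader expects the group name; `"failed to delete group %s: %s" % (dsinstance.DS_GROUP, e)` gives both. uninstall() starts outside this hunk.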
@@ -492,6 +468,8 @@ def main():
 
     global fstore
     fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+    global sstore
+    sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
 
     # Configuration for ipalib, we will bootstrap and finalize later, after
     # we are sure we have the configuration file ready.
@@ -544,7 +522,6 @@ def main():
     if not options.external_ca:
         check_dirsrv(options.unattended)
 
-    ds_user = ""
     realm_name = ""
     host_name = ""
     domain_name = ""
@@ -629,14 +606,6 @@ def main():
     print "Domain name: " + domain_name
     print ""
 
-    if not options.ds_user:
-        ds_user = read_ds_user()
-        if ds_user == "":
-            sys.exit(1)
-        logging.debug("read ds_user: %s\n" % ds_user)
-    else:
-        ds_user = options.ds_user
-
     if not options.realm_name:
         realm_name = read_realm_name(domain_name, options.unattended)
         logging.debug("read realm_name: %s\n" % realm_name)
@@ -695,6 +664,21 @@ def main():
         print "Please wait until the prompt is returned."
         print ""
 
+    # Create DS group if it doesn't exist yet
+    try:
+        grp.getgrnam(dsinstance.DS_GROUP)
+        logging.debug("ds group %s exists" % dsinstance.DS_GROUP)
+        group_exists = True
+    except KeyError:
+        group_exists = False
+        args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
+        try:
+            ipautil.run(args)
+            logging.debug("done adding DS group")
+        except ipautil.CalledProcessError, e:
+            logging.critical("failed to add DS group: %s" % e)
+    sstore.backup_state("install", "group_exists", group_exists)
+
     # Configure ntpd
     if options.conf_ntp:
         ntp = ntpinstance.NTPInstance(fstore)
@@ -737,7 +721,6 @@ def main():
         elif external == 1:
             options.realm_name = realm_name
             options.domain_name = domain_name
-            options.ds_user = ds_user
             options.master_password = master_password
             options.host_name = host_default
             options.unattended = True
@@ -762,11 +745,16 @@ def main():
     if options.dirsrv_pkcs12:
         pkcs12_info = (options.dirsrv_pkcs12, pw_name)
         try:
-            ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow)
+            ds.create_instance(dsinstance.DS_USER,
+                               realm_name, host_name, domain_name,
+                               dm_password, pkcs12_info,
+                               subject_base=options.subject,
+                               hbac_allow=not options.hbac_allow)
         finally:
             os.remove(pw_name)
     else:
-        ds.create_instance(ds_user, realm_name, host_name, domain_name,
+        ds.create_instance(dsinstance.DS_USER,
+                           realm_name, host_name, domain_name,
                            dm_password, self_signed_ca=options.selfsign,
                            idstart=options.idstart, idmax=options.idmax,
                            subject_base=options.subject,
@@ -786,13 +774,15 @@ def main():
     krb = krbinstance.KrbInstance(fstore)
     if options.pkinit_pkcs12:
         pkcs12_info = (options.pkinit_pkcs12, pw_name)
-        krb.create_instance(ds_user, realm_name, host_name, domain_name,
+        krb.create_instance(dsinstance.DS_USER,
+                            realm_name, host_name, domain_name,
                             dm_password, master_password,
                             setup_pkinit=options.setup_pkinit,
                             pkcs12_info=pkcs12_info,
                             subject_base=options.subject)
     else:
-        krb.create_instance(ds_user, realm_name, host_name, domain_name,
+        krb.create_instance(dsinstance.DS_USER,
+                            realm_name, host_name, domain_name,
                             dm_password, master_password,
                             setup_pkinit=options.setup_pkinit,
                             self_signed_ca=options.selfsign,
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dfe036dd7650da1789107b462ac7f7336694fc53..bfc150d72a4923244a4dcd129e722c169fb96c39 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -262,7 +262,11 @@ class CADSInstance(service.Service):
         except KeyError:
             user_exists = False
             logging.debug("adding ds user %s" % self.ds_user)
-            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
+            args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
+                                         "-c", "DS System User",
+                                         "-d", "/var/lib/dirsrv",
+                                         "-s", "/sbin/nologin",
+                                         "-M", "-r", self.ds_user]
             try:
                 ipautil.run(args)
                 logging.debug("done adding user")
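Review bot: The hunk header announces 11 new-side lines but only 10 are shown (3 context + 4 added + 3 context), so one added line appears to have been lost in this copy of the patch; it should be checked against the original before review. Separately, `dsinstance.DS_GROUP` is referenced here but no import hunk for cainstance.py is visible, so confirm `dsinstance` is already imported in this module (and that importing it does not create a cycle, since dsinstance and cainstance are both installer modules). The enclosing method starts and ends outside the hunk.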
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 29950520117f92938621e843c7787ff0346b3508..38072e6993fbcb5baae65744b9292d8c1abc1e61 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -21,7 +21,6 @@
 import shutil
 import logging
 import pwd
-import grp
 import glob
 import sys
 import os
@@ -48,6 +47,9 @@ SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
 CACERT="/etc/ipa/ca.crt"
 
+DS_USER = 'dirsrv'
+DS_GROUP = 'dirsrv'
+
 def find_server_root():
     if ipautil.dir_exists(SERVER_ROOT_64):
         return SERVER_ROOT_64
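Review bot: `DS_USER` and `DS_GROUP` are now fixed, module-wide account names but carry no comment saying so or what relies on them; a two-line note above them would save the next reader a grep: `# Fixed account names shared by all DS instances (ticket #851).` and `# DS_GROUP must exist before any useradd -g DS_GROUP; the installers create it.`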
@@ -324,15 +326,11 @@ class DsInstance(service.Service):
 	except KeyError:
             user_exists = False
             logging.debug("adding ds user %s" % self.ds_user)
-            args = ["/usr/sbin/useradd", "-c", "DS System User", "-d", "/var/lib/dirsrv", "-M", "-r", "-s", "/sbin/nologin", self.ds_user]
-            try:
-                # if the group already exists we need to request to add it,
-                # otherwise useradd will create it for us
-                grp.getgrnam(self.ds_user)
-                args.append("-g")
-                args.append(self.ds_user)
-            except KeyError:
-                pass
+            args = ["/usr/sbin/useradd", "-g", DS_GROUP,
+                                         "-c", "DS System User",
+                                         "-d", "/var/lib/dirsrv",
+                                         "-s", "/sbin/nologin",
+                                         "-M", "-r", self.ds_user]
             try:
                 ipautil.run(args)
                 logging.debug("done adding user")
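Review bot: With the `grp.getgrnam` fallback removed, `useradd -g DS_GROUP` now hard-requires the group to exist, yet nothing in dsinstance.py creates it — creation lives only in the two installer scripts — so any other caller of `create_instance()` gets a useradd failure with no hint why. Either move group creation into this module as a helper the installers call, or at minimum document the precondition on the `args = [...]` line: `# DS_GROUP must already exist; ipa-server-install/ipa-replica-install create it before calling us`. The enclosing method starts and ends outside the hunk.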
-- 
1.7.3.5
