diff -up authconfig-6.2.10/authinfo.py.cacertdir authconfig-6.2.10/authinfo.py
--- authconfig-6.2.10/authinfo.py.cacertdir 2015-03-31 10:40:43.321241910 +0200
+++ authconfig-6.2.10/authinfo.py 2015-04-01 19:05:27.879900326 +0200
@@ -116,7 +116,7 @@ PATH_LIBSSS_AUTOFS = "/usr" + LIBDIR + "
PATH_WINBIND_NET = "/usr/bin/net"
PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
|
-PATH_LDAP_CACERTS = "/etc/openldap/cacerts"
+PATH_LDAP_CACERTS = "/etc/openldap/certs"
LDAP_CACERT_DOWNLOADED = "authconfig_downloaded.pem"
|
PATH_CONFIG_BACKUPS = "/var/lib/authconfig"
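Review bot: PATH_LDAP_CACERTS changes role in this patch — the later readLDAP hunks assign it only when no tls_cacertdir line was found in the LDAP config — but nothing at the definition says so, and the new path value is presented without a reason. A comment on the changed line would capture both: `# Fallback CA certificate directory; readLDAP() prefers a tls_cacertdir value from the LDAP config when one is present`. Whether /etc/openldap/certs is the directory the installed OpenLDAP client actually consults for TLS_CACERTDIR cannot be confirmed from the patch; if it is not, certificates downloaded into it are never used for server verification.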
@@ -155,6 +155,13 @@ def matchKey(line, key):
else:
return False
|
+def matchKeyI(line, key):
+ if line.lower().startswith(key.lower()):
+ # Skip intervening whitespace.
+ return line[len(key):].lstrip()
+ else:
+ return False
+
def matchKeyEquals(line, key):
if line.startswith(key):
# Skip intervening whitespace.
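Review bot: matchKeyI matches a bare prefix, so any config line whose keyword merely begins with `key` is reported as a match with the remainder of the keyword as its value; matchKey has the same weakness, but the readLDAP hunk below now routes every keyword it recognises through this new function, so it is the place to close it. Require whitespace or end of line after the key before stripping: `rest = line[len(key):]` / `if rest and not rest[0].isspace(): return False` / `return rest.lstrip()`. A one-line docstring stating the contract would also help, e.g. `"""Like matchKey(), but compares key case-insensitively; returns the rest of the line or False."""`. Slicing with len(key) after lower() is only safe while keys are ASCII, which holds for the callers in this patch but is worth stating in that docstring.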
@@ -926,9 +933,9 @@ def feedFork(command, echo, query, respo
try:
c = os.read(master, 1)
except OSError as err:
- if err == errno.EINTR or err == errno.EAGAIN:
+ if err.errno == errno.EINTR or err.errno == errno.EAGAIN:
pass
- elif err == errno.EIO:
+ elif err.errno == errno.EIO:
os.close(master)
eof = True
else:
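Review bot: The corrected `err.errno` comparison makes the EINTR/EAGAIN branch reachable for the first time, and its `pass` turns the one-byte `os.read(master, 1)` into a tight retry loop whenever the master descriptor is non-blocking and has no data; previously every OSError fell through to the else branch because an exception object was compared with an int. If the descriptor can be non-blocking, wait for readability before retrying (`select.select([master], [], [])`) instead of spinning; on Python 3.5+ EINTR is already retried inside os.read, so only EAGAIN is affected. feedFork's body starts and ends outside the hunk, so the surrounding loop and the else branch cannot be checked from here.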
@@ -1222,14 +1229,13 @@ class CacheBackup(FileBackup):
return rv
|
# indexes for the configs
-(CFG_HESIOD, CFG_YP, CFG_LDAP, CFG_NSSLDAP, CFG_PAMLDAP, CFG_NSLCD, CFG_OPENLDAP, CFG_KRB5,
+(CFG_HESIOD, CFG_YP, CFG_NSSLDAP, CFG_PAMLDAP, CFG_NSLCD, CFG_OPENLDAP, CFG_KRB5,
CFG_KRB, CFG_PAM_PKCS11, CFG_SMB, CFG_NSSWITCH, CFG_CACHE,
CFG_PAM, CFG_POSTLOGIN_PAM, CFG_PASSWORD_PAM, CFG_FINGERPRINT_PAM, CFG_SMARTCARD_PAM, CFG_AUTHCONFIG, CFG_NETWORK, CFG_LIBUSER, CFG_PWQUALITY,
- CFG_LOGIN_DEFS, CFG_SSSD, CFG_SHADOW, CFG_PASSWD, CFG_GSHADOW, CFG_GROUP, CFG_DCONF, CFG_DCONF_LOCKS) = list(range(0, 30))
+ CFG_LOGIN_DEFS, CFG_SSSD, CFG_SHADOW, CFG_PASSWD, CFG_GSHADOW, CFG_GROUP, CFG_DCONF, CFG_DCONF_LOCKS) = list(range(0, 29))
all_configs = [
FileBackup("hesiod.conf", SYSCONFDIR+"/hesiod.conf"),
FileBackup("yp.conf", SYSCONFDIR+"/yp.conf"),
- FileBackup("ldap.conf", SYSCONFDIR+"/ldap.conf"),
FileBackup("nss_ldap.conf", SYSCONFDIR+"/nss_ldap.conf"),
FileBackup("pam_ldap.conf", SYSCONFDIR+"/pam_ldap.conf"),
FileBackup("nslcd.conf", SYSCONFDIR+"/nslcd.conf"),
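Review bot: The literal `list(range(0, 29))` and the `all_configs` list must be kept in lockstep by hand, and this hunk edits both; a tuple/range mismatch fails loudly at import time, but a list that ends up one entry short or long is not detected and silently shifts every CFG_* index onto the wrong FileBackup. Add a check after the list's closing bracket, which lies outside this hunk: `assert len(all_configs) == CFG_DCONF_LOCKS + 1, "all_configs out of sync with CFG_* indexes"`. Deriving the range from the tuple's length, or building the indexes from the list itself, would remove the literal count entirely.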
@@ -1627,7 +1633,6 @@ class AuthInfo:
|
# Read LDAP setup from /etc/ldap.conf.
def readLDAP(self, ref):
- self.ldapCacertDir = PATH_LDAP_CACERTS
# Open the file. Bail if it's not there or there's some problem
# reading it.
try:
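Review bot: Dropping the unconditional default at the top of readLDAP means the function now relies on `self.ldapCacertDir` already being falsy when a config without tls_cacertdir is parsed; if the attribute holds a value from an earlier call or a command-line option, the trailing `if not self.ldapCacertDir:` in the next hunk keeps it, whereas the old code reset it to PATH_LDAP_CACERTS on every read. That is presumably intended (an explicit value should win), but the initial value is not visible here, so a comment at this point would make the contract explicit: `# ldapCacertDir is left alone here so a tls_cacertdir line, or an earlier explicit value, is not clobbered; the default is applied after parsing`. The except branches between this hunk and the next (old lines 1634-1639) are not in the patch and should be checked for the same fallback assignment.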
@@ -1640,45 +1645,52 @@ class AuthInfo:
f = open(all_configs[CFG_PAMLDAP].origPath, "r")
except IOError:
try:
- f = open(all_configs[CFG_LDAP].origPath, "r")
+ f = open(all_configs[CFG_OPENLDAP].origPath, "r")
except IOError:
+ self.ldapCacertDir = PATH_LDAP_CACERTS
return False
|
for line in f:
line = line.strip()
|
# Is it a "base" statement?
- value = matchKey(line, "base")
+ value = matchKeyI(line, "base")
if value and checkDN(value):
# Save the base DN.
self.setParam("ldapBaseDN", value, ref)
continue
# Is it a "host" statement?
- value = matchKey(line, "host")
+ value = matchKeyI(line, "host")
if value:
# Save the host name or IP.
self.setParam("ldapServer", value, ref)
continue
# Is it a "uri" statement?
- value = matchKey(line, "uri")
+ value = matchKeyI(line, "uri")
if value:
# Save the host name or IP.
self.setParam("ldapServer", value, ref)
continue
# Is it a "ssl" statement?
- value = matchKey(line, "ssl")
+ value = matchKeyI(line, "ssl")
if value:
self.setParam("enableLDAPS", matchLine(value, "start_tls"), ref)
continue
# Is it a "nss_schema" statement?
- value = matchKey(line, "nss_schema")
+ value = matchKeyI(line, "nss_schema")
if value:
self.setParam("ldapSchema", value, ref)
continue
+ value = matchKeyI(line, "tls_cacertdir")
+ if value:
+ self.setParam("ldapCacertDir", value, ref)
+ continue
# We'll pull MD5/DES crypt ("pam_password") from the config
# file, or from the pam_unix PAM config lines.
|
self.ldapServer = self.ldapHostsToURIs(cleanList(self.ldapServer), False)
+ if not self.ldapCacertDir:
+ self.ldapCacertDir = PATH_LDAP_CACERTS
f.close()
return True
|
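Review bot: The value from the new `tls_cacertdir` branch is stored unchecked, and later hunks pass it to `os.mkdir` and concatenate it into the `os.system` command for cacertdir_rehash, so a relative path in ldap.conf is created relative to the current working directory and any shell metacharacters in it are interpreted. Accept only an absolute path at this point: replace `if value:` after the tls_cacertdir match with `if value and os.path.isabs(value):`. The default assignment is only reached on the innermost IOError, so the other open failure paths above this hunk (not shown) need the same fallback if they return early; with the old code the default was set before any open was attempted.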
@@ -2747,10 +2759,6 @@ class AuthInfo:
return True
|
def writeLDAP(self):
- if os.path.isfile(all_configs[CFG_LDAP].origPath):
- all_configs[CFG_LDAP].backup(self.backupDir)
- self.writeLDAP2(all_configs[CFG_LDAP].origPath,
- "uri", "host", "base", True, True, True)
if os.path.isfile(all_configs[CFG_NSSLDAP].origPath):
all_configs[CFG_NSSLDAP].backup(self.backupDir)
self.writeLDAP2(all_configs[CFG_NSSLDAP].origPath,
@@ -4443,11 +4451,11 @@ class AuthInfo:
self.uninstallIPA()
|
def testLDAPCACerts(self):
- if self.enableLDAP or self.enableLDAPAuth:
+ if self.enableLDAP or self.enableLDAPAuth or self.ldapCacertURL:
try:
os.stat(self.ldapCacertDir)
except OSError as err:
- if err == errno.ENOENT:
+ if err.errno == errno.ENOENT:
os.mkdir(self.ldapCacertDir, 0o755)
|
return isEmptyDir(self.ldapCacertDir)
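Review bot: With `err.errno` the ENOENT branch is reachable for the first time, so `os.mkdir(self.ldapCacertDir, 0o755)` now actually runs; it raises an uncaught OSError when the parent directory is missing or not writable, and any other stat failure (EACCES, ENOTDIR) is still silently dropped before `isEmptyDir` is called on the same path. Re-raise what is not handled so a permissions problem surfaces instead of being reported as an empty directory: add `else: raise` to the except clause. Since ldapCacertDir can now originate from a tls_cacertdir line in the LDAP config, the directory being created is config-supplied rather than a fixed constant, which is worth a comment here.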
@@ -4455,7 +4463,7 @@ class AuthInfo:
|
def rehashLDAPCACerts(self):
if ((self.enableLDAP or self.enableLDAPAuth) and
- (self.enableLDAPS or 'ldaps:' in self.ldapServer)):
+ (self.enableLDAPS or 'ldaps:' in self.ldapServer)) or self.ldapCacertURL:
os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir)
|
def downloadLDAPCACert(self):
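Review bot: `os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir)` builds a shell command by concatenation, and after this patch ldapCacertDir can come from a `tls_cacertdir` line in the LDAP config rather than only the fixed constant, so the directory name is now shell-interpreted input; the exit status is also discarded, so a failed rehash leaves the downloaded CA certificate unusable without any report. Run the helper without a shell and check the result: `subprocess.call(["/usr/sbin/cacertdir_rehash", self.ldapCacertDir])` (add `import subprocess` at the top of the file if it is not already imported). The added `or self.ldapCacertURL` is grouped correctly against the existing parenthesised condition, but a short comment on why a download URL alone triggers the rehash would help readers.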