2019 03 19 update ds create (#49)

* Update ds installer based on latest python tooling for ds packages, as supported by upstream.
yast · Jan 30, 2020 · 47302a5 · 47302a5
1 parent f3425b6
commit 47302a5
Show file tree

Hide file tree

Showing 6 changed files with 202 additions and 144 deletions.
diff --git a/README.md b/README.md
@@ -12,7 +12,83 @@ The features are:
 ## Install
 To install the latest stable version on openSUSE or SLE, use zypper:
 
-    $ sudo zypper install yast2-auth-server
+```
+$ sudo zypper install yast2-auth-server
+```
 
 # Run
-Visit Yast control panel and launch "Create New Kerberos Server" or "Create New Directory Server".
+Visit Yast control panel and launch "Create New Kerberos Server" or "Create New Directory Server".
+
+
+# Development
+
+You need to prepare your environment with:
+
+```
+ruby_version=$(ruby -e "puts RbConfig::CONFIG['ruby_version']")
+zypper install -C "rubygem(ruby:$ruby_version:yast-rake)"
+zypper install -C "rubygem(ruby:$ruby_version:rspec)"
+zypper install git yast2-devtools yast2-testsuite yast
+```
+
+You can then run the auth-server module with:
+
+```
+rake run
+rake run[module name]
+rake run[ldap-server]
+```
+
+For the 389-ds setup, you'll require a CA + pkcs12 bundle with a cert to use. You can generate
+these with certutil from the package mozilla-nss-tools.
+
+```
+mkdir local_ca
+cd local_ca
+echo "password" > password.txt
+certutil -N -f password.txt -d .
+certutil -S -n CAissuer -t "C,C,C" -x -f password.txt -d . -v 24 -g 4096 -Z SHA256 --keyUsage certSigning -2 --nsCertType sslCA -s "CN=ca.nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU"
+
+certutil -S -n Server-Cert -t ",," -c CAissuer -f password.txt -d . -s "CN=test_b.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU"
+
+certutil -L -n CAissuer -a -d . > ca.pem
+pk12util -o server-export.p12 -d . -k password.txt -n Server-Cert
+```
+
+# Tests
+
+```
+rake test:unit
+```
+
+# Logs
+
+If you are running as a non-root user, the logs are located in:
+
+```
+~/.y2log
+```
+
+If you are running as root, these logs are in:
+
+```
+/var/log/YaST2/y2log
+```
+
+For more detailed logging, you are able to execute YaST with debugging environment variables:
+
+```
+Y2DEBUG=1 rake run[ldap-server]
+```
+
+# Build
+
+You can build the package with:
+
+```
+rake osc:build
+```
+
+
+
+
diff --git a/src/lib/authserver/dir/ds389.rb b/src/lib/authserver/dir/ds389.rb
@@ -9,20 +9,20 @@
 # this program; if not, contact SUSE LINUX GmbH.
 
 # Authors:      Howard Guo <hguo@suse.com>
+#               William Brown <wbrown@suse.de>
 
 require 'yast'
 require 'open3'
 require 'fileutils'
 
-# DS_SETUP_LOG_PATH is the path to progress and debug log file for setting up a new directory instance.
-DS_SETUP_LOG_PATH = '/root/yast2-auth-server-dir-setup.log'
 # DS_SETUP_INI_PATH is the path to parameter file for setting up new directory instance.
 # Place the file under root directory because there are sensitive details in it.
 DS_SETUP_INI_PATH = '/root/yast2-auth-server-dir-setup.ini'
 
 # DS389 serves utility functions for setting up a new instance of 389 directory server.
 class DS389
   include Yast
+  include Yast::Logger
 
   # install_pkgs installs software packages mandatory for setting up 389 directory server.
   def self.install_pkgs
@@ -37,29 +37,42 @@ def self.get_instance_names
   end
 
   # gen_setup_ini generates INI file content with parameters for setting up directory server.
-  def self.gen_setup_ini(fqdn, instance_name, suffix, dm_dn, dm_pass)
-    return "[General]
-FullMachineName=#{fqdn}
-SuiteSpotUserID=dirsrv
-SuiteSpotGroup=dirsrv
+  def self.gen_setup_ini(fqdn, instance_name, suffix, dm_pass)
+    return "# Generated by yast-auth-server
+[general]
+config_version = 2
+full_machine_name = #{fqdn}
+# This may be need to be tweaked, it could break setups ...
+# strict_host_checking = true/false
 
 [slapd]
-ServerPort=389
-ServerIdentifier=#{instance_name}
-Suffix=#{suffix}
-RootDN=#{dm_dn}
-RootDNPwd=#{dm_pass}
-AddSampleEntries=No
+root_password = #{dm_pass}
+instance_name = #{instance_name}
+
+[backend-userroot]
+sample_entries = yes
+suffix = #{suffix}
 "
   end
 
   # exec_setup runs setup-ds.pl using input parameters file content.
-  # The output of setup script is written into file /root/yast2-auth-server-dir-setup.log
+  # The output of setup script is written into file .y2log or /var/log/YaST/y2log
   # Returns true only if setup was successful.
   def self.exec_setup(content)
+    append_to_log('Beginning YAST auth server installation ...')
+
     open(DS_SETUP_INI_PATH, 'w') {|fh| fh.puts(content)}
-    stdin, stdouterr, result = Open3.popen2e('/usr/sbin/setup-ds.pl', '--debug', '--silent', '-f', DS_SETUP_INI_PATH)
-    append_to_log(stdouterr.readlines.join('\n'))
+    # dry run first to see if it breaks ...
+    stdin, stdouterr, result = Open3.popen2e('/usr/sbin/dscreate', '-v', 'from-file', '-n', DS_SETUP_INI_PATH)
+    stdouterr.readlines.map { |l| append_to_log(l) }
+
+    if result.value.exitstatus != 0
+        return false
+    end
+
+    # Right do the real thing.
+    stdin, stdouterr, result = Open3.popen2e('/usr/sbin/dscreate', '-v', 'from-file', DS_SETUP_INI_PATH)
+    stdouterr.readlines.map { |l| append_to_log(l) }
     stdin.close
     return result.value.exitstatus == 0
   end
@@ -71,17 +84,7 @@ def self.remove_setup_ini
 
   # append_to_log appends current time and content into log file placed under /root/.
   def self.append_to_log(content)
-    open(DS_SETUP_LOG_PATH, 'a') {|fh|
-      fh.puts(Time.now)
-      fh.puts(content)
-    }
-  end
-
-  # enable_krb_schema enables kerberos schema in the directory server and then restarts the directory server.
-  # Returns true only if server restarted successfully.
-  def self.enable_krb_schema(instance_name)
-    ::FileUtils.copy('/usr/share/dirsrv/data/60kerberos.ldif', '/etc/dirsrv/slapd-' + instance_name + '/schema/60kerberos.ldif')
-    return self.restart(instance_name)
+    log.info(content)
   end
 
   # restart the directory service specified by the instance name. Returns true only on success.
@@ -94,48 +97,21 @@ def self.restart(instance_name)
   def self.install_tls_in_nss(instance_name, ca_path, p12_path)
     instance_dir = '/etc/dirsrv/slapd-' + instance_name
     # Put CA certificate into NSS database
-    _, stdouterr, result = Open3.popen2e('/usr/bin/certutil', '-A', '-d', instance_dir, '-n', 'ca_cert', '-t', 'C,,', '-i', ca_path)
-    append_to_log(stdouterr.readlines.join('\n'))
+    _, stdouterr, result = Open3.popen2e('/usr/bin/certutil', '-A', '-f', instance_dir + '/pwdfile.txt', '-d', instance_dir, '-n', 'ca_cert', '-t', 'C,,', '-i', ca_path)
+    stdouterr.readlines.map { |l| append_to_log(l) }
     if result.value.exitstatus != 0
       return false
     end
-    # Put TLS certificate and key into NSS database
-    _, stdouterr, result = Open3.popen2e('/usr/bin/pk12util', '-d', instance_dir, '-W', '', '-K', '', '-i', p12_path)
-    append_to_log(stdouterr.readlines.join('\n'))
+    # Delete the automatically created Server-Cert - we don't care if it fails ...
+    _, stdouterr, result = Open3.popen2e('/usr/bin/certutil', '-F', '-d', instance_dir, '-n', 'Server-Cert', '-f', instance_dir + '/pwdfile.txt')
+    stdouterr.readlines.map { |l| append_to_log(l) }
+    # Put TLS certificate and key into NSS database - and hope it's named Server-Cert ...
+    _, stdouterr, result = Open3.popen2e('/usr/bin/pk12util', '-i', p12_path, '-k', instance_dir + '/pwdfile.txt', '-d', instance_dir, '-W', '')
+    stdouterr.readlines.map { |l| append_to_log(l) }
     if result.value.exitstatus != 0
       return false
     end
     return true
   end
 
-  # get_enable_tls_ldif returns LDIF data that can be
-  def self.get_enable_tls_ldif
-    return 'dn: cn=encryption,cn=config
-changetype: modify
-replace: nsSSL3
-nsSSL3: off
--
-replace: nsSSLClientAuth
-nsSSLClientAuth: allowed
--
-add: nsSSL3Ciphers
-nsSSL3Ciphers: +all
-
-dn: cn=config
-changetype: modify
-add: nsslapd-security
-nsslapd-security: on
--
-replace: nsslapd-ssl-check-hostname
-nsslapd-ssl-check-hostname: off
-
-dn: cn=RSA,cn=encryption,cn=config
-changetype: add
-objectclass: top
-objectclass: nsEncryptionModule
-cn: RSA
-nsSSLPersonalitySSL: Server-Cert
-nsSSLToken: internal (software)
-nsSSLActivation: on'
-  end
-end
+end
diff --git a/src/lib/authserver/krb/mit.rb b/src/lib/authserver/krb/mit.rb
@@ -13,9 +13,6 @@
 require 'yast'
 require 'open3'
 
-# KDC_SETUP_LOG_PATH is the path to progress and debug log file for setting up a new KDC.
-KDC_SETUP_LOG_PATH = '/root/yast2-auth-server-kdc-setup.log'
-
 # MITKerberos serves utility functions for setting up a new directory connected KDC.
 class MITKerberos
   include Yast
@@ -130,9 +127,6 @@ def self.restart_kadmind
 
   # append_to_log appends current time and content into log file placed under /root/.
   def self.append_to_log(content)
-    open(KDC_SETUP_LOG_PATH, 'a') {|fh|
-      fh.puts(Time.now)
-      fh.puts(content)
-    }
+    log.info(content)
   end
-end
+end