This is an automated email from the git hooks/post-receive script.
rharwood pushed a commit to branch master in repository gssproxy.
commit f67470b536440412815cc44ce30c32cccd461a00 Author: Alexander Scheel ascheel@redhat.com Date: Mon Jun 26 11:05:44 2017 -0400
Create krb5 config files before setting up LDAP
We can then pass the default realm to kdb5_ldap_util and avoid falling back to the system krb5.conf.
Signed-off-by: Alexander Scheel ascheel@redhat.com [rharwood@redhat.com: Rewrote commit message] Reviewed-by: Robbie Harwood rharwood@redhat.com Resolves: #196 Merges: #200 --- proxy/tests/runtests.py | 1 + proxy/tests/testlib.py | 194 +++++++++++++++++++++++++++--------------------- 2 files changed, 111 insertions(+), 84 deletions(-)
diff --git a/proxy/tests/runtests.py b/proxy/tests/runtests.py
index c5a3716..3f5d13d 100755
--- a/proxy/tests/runtests.py
+++ b/proxy/tests/runtests.py
@@ -30,6 +30,7 @@ if __name__ == '__main__':
 try:
 wrapenv = setup_wrappers(testdir)
+ write_ldap_krb5_config(testdir)
 ldapproc, ldapenv = setup_ldap(testdir, wrapenv)
 processes["LDAP(%d)" % ldapproc.pid] = ldapproc
diff --git a/proxy/tests/testlib.py b/proxy/tests/testlib.py
index f9833f7..781275a 100755
--- a/proxy/tests/testlib.py
+++ b/proxy/tests/testlib.py
@@ -125,18 +125,88 @@ objectClass: krbContainer
 cn: ${KRB5_CN}
 """
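Review bot: The `write_ldap_krb5_config(testdir)` call added here is run a second time inside setup_ldap, whose new body (testlib hunk at @@ -179) opens with the same call, so the ldap and kdc directories under testdir are removed and re-created twice per run. Keep one call site: either drop this line and rely on setup_ldap, or keep this explicit ordering, which is what the commit message describes, and remove the call from setup_ldap. As far as this hunk shows, runtests.py must also bring the new name into scope; the import list is outside the hunk, so confirm it there. The enclosing `try` block continues past the end of the hunk.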
-def setup_ldap(testdir, wrapenv):
- # setup ldap environment
+TESTREALM = "GSSPROXY.DEV"
+KDC_DBNAME = 'db.file'
+KDC_STASH = 'stash.file'
+KDC_PASSWORD = 'gssproxy'
+KRB5_CONF_TEMPLATE = '''
+[libdefaults]
+ default_realm = ${TESTREALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ rdns = false
+ ticket_lifetime = 24h
+ forwardable = yes
+ default_ccache_name = FILE://${TESTDIR}/ccaches/krb5_ccache_XXXXXX
+
+[realms]
+ ${TESTREALM} = {
+ kdc = ${WRAP_HOSTNAME}
+ admin_server = ${WRAP_HOSTNAME}
+ }
+
+[domain_realm]
+ .gssproxy.dev = GSSPROXY.DEV
+ gssproxy.dev = GSSPROXY.DEV
+
+[dbmodules]
+ ${TESTREALM} = {
+ db_library = kldap
+ ldap_kerberos_container_dn = cn=${KRB5_CN},${LDAP_REALM}
+ ldap_kdc_dn = ${KRB5_USER},${LDAP_REALM}
+ ldap_kadmind_dn = ${KRB5_USER},${LDAP_REALM}
+ ldap_service_password_file = ${TESTDIR}/ldap_passwd
+ ldap_servers = ldap://${WRAP_HOSTNAME}
+ }
+'''
+KDC_CONF_TEMPLATE = '''
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
+
+[realms]
+ ${TESTREALM} = {
+ master_key_type = aes256-cts
+ max_life = 7d
+ max_renewable_life = 14d
+ acl_file = ${KDCDIR}/kadm5.acl
+ dict_file = /usr/share/dict/words
+ default_principal_flags = +preauth
+ key_stash_file = ${KDCDIR}/${KDC_STASH}
+ }
+[logging]
+ kdc = FILE:${KDCLOG}
+'''
+
+
+def write_ldap_krb5_config(testdir):
+ # LDAP environment config files
 ldapdir = os.path.join(testdir, "ldap")
 ldapconf = os.path.join(ldapdir, "slapd.conf")
 ldif = os.path.join(ldapdir, "k5.ldif")
 testlog = os.path.join(testdir, "ldap.log")
 stashfile = os.path.join(testdir, "ldap_passwd")
+
+ # Kerberos environment config files
+ testlog = os.path.join(testdir, 'kkrb5kdc.log')
+ krb5conf = os.path.join(testdir, 'krb5.conf')
+ kdcconf = os.path.join(testdir, 'kdc.conf')
+ kdcdir = os.path.join(testdir, 'kdc')
+ kdcstash = os.path.join(kdcdir, KDC_STASH)
+ kdcdb = os.path.join(kdcdir, KDC_DBNAME)
+
+ # Create directories for config files
 if os.path.exists(ldapdir):
 shutil.rmtree(ldapdir)
 os.makedirs(ldapdir)
- # different distros do LDAP naming differently
+ if os.path.exists(kdcdir):
+ shutil.rmtree(kdcdir)
+ os.makedirs(kdcdir)
+
+ # Template LDAP config files
+ # Different distros do LDAP naming differently
 schemadir = None
 for path in ["/etc/openldap/schema", "/etc/ldap/schema"]:
 if os.path.exists(path):
@@ -179,7 +249,42 @@ def setup_ldap(testdir, wrapenv):
 with open(ldif, "w+") as f:
 f.write(text)
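Review bot: In write_ldap_krb5_config, `testlog` is bound to ldap.log in the LDAP block and rebound to kkrb5kdc.log six lines later, so the first value is dead, and `kdcstash` and `kdcdb` are computed but not used anywhere this hunk shows (the templates are fed KDC_STASH and KDC_DBNAME, not these joined paths). Rename the second binding, e.g. `kdclog = os.path.join(testdir, 'kkrb5kdc.log')`, and pass that as KDCLOG in the later substitute call, then drop `kdcstash` and `kdcdb` unless the unchanged remainder of the function uses them. `ldapconf` and `stashfile` were carried over from the old setup_ldap body; they are presumably consumed by the slapd.conf templating below, but that is outside the hunk, so confirm before keeping them. The function continues past the end of this hunk.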
- ldapenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin'}
+ # Template Kerberos config files
+ t = Template(KRB5_CONF_TEMPLATE)
+ text = t.substitute({'TESTREALM': TESTREALM,
+ 'TESTDIR': testdir,
+ 'KDCDIR': kdcdir,
+ 'KRB5_CN': KRB5_CN,
+ 'KRB5_USER': KRB5_USER,
+ 'KDC_DBNAME': KDC_DBNAME,
+ 'LDAP_REALM': LDAP_REALM,
+ 'WRAP_HOSTNAME': WRAP_HOSTNAME})
+ with open(krb5conf, 'w+') as f:
+ f.write(text)
+
+ t = Template(KDC_CONF_TEMPLATE)
+ text = t.substitute({'TESTREALM': TESTREALM,
+ 'KDCDIR': kdcdir,
+ 'KDCLOG': testlog,
+ 'KDC_STASH': KDC_STASH})
+ with open(kdcconf, 'w+') as f:
+ f.write(text)
+
+
+
+def setup_ldap(testdir, wrapenv):
+ write_ldap_krb5_config(testdir)
+
+ # Set LDAP environment paths
+ ldapdir = os.path.join(testdir, "ldap")
+ ldapconf = os.path.join(ldapdir, "slapd.conf")
+ ldif = os.path.join(ldapdir, "k5.ldif")
+ testlog = os.path.join(testdir, "ldap.log")
+ stashfile = os.path.join(testdir, "ldap_passwd")
+ krb5conf = os.path.join(testdir, 'krb5.conf')
+
+ ldapenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
+ 'KRB5_CONFIG': krb5conf}
 ldapenv.update(wrapenv)
 with open(testlog, "a") as logfile:
@@ -213,93 +318,14 @@ def setup_ldap(testdir, wrapenv):
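Review bot: The `os.path.join` lines at the top of the new setup_ldap repeat the ones write_ldap_krb5_config computes just above, and the substitute dict for KRB5_CONF_TEMPLATE passes `'KDC_DBNAME': KDC_DBNAME` although the template contains no ${KDC_DBNAME} placeholder, so that entry is dead (string.Template.substitute ignores surplus keys). A small helper that returns the LDAP and KDC paths for testdir, called from both functions, would keep the two sets of paths in step, and the unused key can simply be dropped. The `'w+'` mode on the two config writes can be `'w'`, since nothing reads the handles back. setup_ldap continues past the end of this hunk.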
return ldapproc, ldapenv
-TESTREALM = "GSSPROXY.DEV"
-KDC_DBNAME = 'db.file'
-KDC_STASH = 'stash.file'
-KDC_PASSWORD = 'gssproxy'
-KRB5_CONF_TEMPLATE = '''
-[libdefaults]
- default_realm = ${TESTREALM}
- dns_lookup_realm = false
- dns_lookup_kdc = false
- rdns = false
- ticket_lifetime = 24h
- forwardable = yes
- default_ccache_name = FILE://${TESTDIR}/ccaches/krb5_ccache_XXXXXX
-
-[realms]
- ${TESTREALM} = {
- kdc = ${WRAP_HOSTNAME}
- admin_server = ${WRAP_HOSTNAME}
- }
-
-[domain_realm]
- .gssproxy.dev = GSSPROXY.DEV
- gssproxy.dev = GSSPROXY.DEV
-
-[dbmodules]
- ${TESTREALM} = {
- db_library = kldap
- ldap_kerberos_container_dn = cn=${KRB5_CN},${LDAP_REALM}
- ldap_kdc_dn = ${KRB5_USER},${LDAP_REALM}
- ldap_kadmind_dn = ${KRB5_USER},${LDAP_REALM}
- ldap_service_password_file = ${TESTDIR}/ldap_passwd
- ldap_servers = ldap://${WRAP_HOSTNAME}
- }
-'''
-KDC_CONF_TEMPLATE = '''
-[kdcdefaults]
- kdc_ports = 88
- kdc_tcp_ports = 88
- restrict_anonymous_to_tgt = true
-
-[realms]
- ${TESTREALM} = {
- master_key_type = aes256-cts
- max_life = 7d
- max_renewable_life = 14d
- acl_file = ${KDCDIR}/kadm5.acl
- dict_file = /usr/share/dict/words
- default_principal_flags = +preauth
- key_stash_file = ${KDCDIR}/${KDC_STASH}
- }
-[logging]
- kdc = FILE:${KDCLOG}
-'''
-
-
 def setup_kdc(testdir, wrapenv):
-
- # setup kerberos environment
+ # Set Kerberos environtment paths
 testlog = os.path.join(testdir, 'kkrb5kdc.log')
 krb5conf = os.path.join(testdir, 'krb5.conf')
 kdcconf = os.path.join(testdir, 'kdc.conf')
 kdcdir = os.path.join(testdir, 'kdc')
 kdcstash = os.path.join(kdcdir, KDC_STASH)
 kdcdb = os.path.join(kdcdir, KDC_DBNAME)
- if os.path.exists(kdcdir):
- shutil.rmtree(kdcdir)
- os.makedirs(kdcdir)
-
- t = Template(KRB5_CONF_TEMPLATE)
- text = t.substitute({'TESTREALM': TESTREALM,
- 'TESTDIR': testdir,
- 'KDCDIR': kdcdir,
- 'KRB5_CN': KRB5_CN,
- 'KRB5_USER': KRB5_USER,
- 'KDC_DBNAME': KDC_DBNAME,
- 'LDAP_REALM': LDAP_REALM,
- 'WRAP_HOSTNAME': WRAP_HOSTNAME})
- with open(krb5conf, 'w+') as f:
- f.write(text)
-
- t = Template(KDC_CONF_TEMPLATE)
- text = t.substitute({'TESTREALM': TESTREALM,
- 'KDCDIR': kdcdir,
- 'KDCLOG': testlog,
- 'KDC_STASH': KDC_STASH})
- with open(kdcconf, 'w+') as f:
- f.write(text)
 kdcenv = {'PATH': '/sbin:/bin:/usr/sbin:/usr/bin',
 'KRB5_CONFIG': krb5conf,