Hello community,
here is the log from the commit of package yast2-auth-server for openSUSE:Factory checked in at 2019-07-31 14:23:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-auth-server (Old)
and /work/SRC/openSUSE:Factory/.yast2-auth-server.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-auth-server"
Wed Jul 31 14:23:54 2019 rev:21 rq:716991 version:4.2.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-auth-server/yast2-auth-server.changes 2018-12-31 09:40:16.482516903 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-auth-server.new.4126/yast2-auth-server.changes 2019-07-31 14:23:55.534400889 +0200
@@ -1,0 +2,21 @@
+Fri Jul 19 09:16:56 UTC 2019 - Ladislav Slezák
+
+- Added "BuildRequires: update-desktop-files"
+- Related to the previous desktop file changes (fate#319035)
+- 4.2.2
+
+-------------------------------------------------------------------
+Mon Jul 1 15:24:00 UTC 2019 - William Brown
+
+- Add dependency on krb5-plugin-kdb-ldap
+- 4.2.1
+
+-------------------------------------------------------------------
+Fri May 31 12:26:05 UTC 2019 - Stasiek Michalski
+
+- Add metainfo (fate#319035)
+- Revamp spec
+- Replace GenericName with Comment
+- 4.2.0
+
+-------------------------------------------------------------------
Old:
----
yast2-auth-server-4.1.0.tar.bz2
New:
----
yast2-auth-server-4.2.2.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-auth-server.spec ++++++
--- /var/tmp/diff_new_pack.7Mrzyq/_old 2019-07-31 14:23:55.886400490 +0200
+++ /var/tmp/diff_new_pack.7Mrzyq/_new 2019-07-31 14:23:55.890400485 +0200
@@ -1,7 +1,7 @@
#
# spec file for package yast2-auth-server
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,18 +20,22 @@
Summary: A tool for creating identity management server instances
License: GPL-2.0-or-later
Group: System/YaST
-Version: 4.1.0
+Version: 4.2.2
Release: 0
-Source0: %{name}-%{version}.tar.bz2
Url: https://github.com/yast/yast-auth-server
-BuildArch: noarch
+
+Source0: %{name}-%{version}.tar.bz2
+
+BuildRequires: update-desktop-files
BuildRequires: yast2
-BuildRequires: yast2-devtools
+BuildRequires: yast2-devtools >= 4.2.2
BuildRequires: rubygem(yast-rake)
+
Requires: net-tools
Requires: yast2
Requires: yast2-ruby-bindings
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+BuildArch: noarch
%description
The program assists system administrators to create new directory server and
@@ -39,19 +43,20 @@
database for a network.
%prep
-%setup -n %{name}-%{version}
+%setup -q
%build
%install
-rake install DESTDIR="%{buildroot}"
+%yast_install
+%yast_metainfo
%files
-%defattr(-,root,root)
%doc %{yast_docdir}
-%{yast_libdir}/
-%{yast_desktopdir}/
-%{yast_clientdir}/
+%{yast_libdir}
+%{yast_desktopdir}
+%{yast_metainfodir}
+%{yast_clientdir}
%{yast_icondir}
%license COPYING
++++++ yast2-auth-server-4.1.0.tar.bz2 -> yast2-auth-server-4.2.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/Dockerfile new/yast2-auth-server-4.2.2/Dockerfile
--- old/yast2-auth-server-4.1.0/Dockerfile 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/Dockerfile 2019-07-19 11:45:17.000000000 +0200
@@ -1,2 +1,2 @@
-FROM yastdevel/ruby
+FROM registry.opensuse.org/yast/head/containers/yast-ruby:latest
COPY . /usr/src/app
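Review bot: the new base image is referenced by the mutable `:latest` tag, so the build environment can change underneath this project without any change in the repository; pin it by digest (`FROM registry.opensuse.org/yast/head/containers/yast-ruby@sha256:<digest>`) or at least by a version tag, and refresh the pin deliberately.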
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/README.md new/yast2-auth-server-4.2.2/README.md
--- old/yast2-auth-server-4.1.0/README.md 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/README.md 2019-07-19 11:45:17.000000000 +0200
@@ -12,7 +12,83 @@
## Install
To install the latest stable version on openSUSE or SLE, use zypper:
- $ sudo zypper install yast2-auth-server
+```
+$ sudo zypper install yast2-auth-server
+```
# Run
-Visit Yast control panel and launch "Create New Kerberos Server" or "Create New Directory Server".
\ No newline at end of file
+Visit Yast control panel and launch "Create New Kerberos Server" or "Create New Directory Server".
+
+
+# Development
+
+You need to prepare your environment with:
+
+```
+ruby_version=$(ruby -e "puts RbConfig::CONFIG['ruby_version']")
+zypper install -C "rubygem(ruby:$ruby_version:yast-rake)"
+zypper install -C "rubygem(ruby:$ruby_version:rspec)"
+zypper install git yast2-devtools yast2-testsuite yast
+```
+
+You can then run the auth-server module with:
+
+```
+rake run
+rake run[module name]
+rake run[ldap-server]
+```
+
+For the 389-ds setup, you'll require a CA + pkcs12 bundle with a cert to use. You can generate
+these with certutil from the package mozilla-nss-tools.
+
+```
+mkdir local_ca
+cd local_ca
+echo "password" > password.txt
+certutil -N -f password.txt -d .
+certutil -S -n CAissuer -t "C,C,C" -x -f password.txt -d . -v 24 -g 4096 -Z SHA256 --keyUsage certSigning -2 --nsCertType sslCA -s "CN=ca.nss.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU"
+
+certutil -S -n Server-Cert -t ",," -c CAissuer -f password.txt -d . -s "CN=test_b.dev.example.com,O=Testing,L=example,ST=Queensland,C=AU"
+
+certutil -L -n CAissuer -a -d . > ca.pem
+pk12util -o server-export.p12 -d . -k password.txt -n Server-Cert
+```
+
+# Tests
+
+```
+rake test:unit
+```
+
+# Logs
+
+If you are running as a non-root user, the logs are located in:
+
+```
+~/.y2log
+```
+
+If you are running as root, these logs are in:
+
+```
+/var/log/YaST2/y2log
+```
+
+For more detailed logging, you are able to execute YaST with debugging environment variables:
+
+```
+Y2DEBUG=1 rake run[ldap-server]
+```
+
+# Build
+
+You can build the package with:
+
+```
+rake osc:build
+```
+
+
+
+
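Review bot: the PKCS12 export step (`pk12util -o server-export.p12 ...`) does not say which file password to use, while the import in ds389.rb in this same submission runs `pk12util -i ... -W ''`, so the bundle only imports if the export password is empty; state that explicitly or add `-W ''` to the export command. Two smaller points in the same block: `echo "password" > password.txt` is written with the default umask, so it is readable by other local users (a `chmod 600 password.txt` is cheap even for a development CA), and the "Logs" section gives the root log path as `/var/log/YaST2/y2log` while the Ruby code and its popup strings in this submission say `/var/log/YaST/y2log`; pick one.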
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/package/yast2-auth-server.changes new/yast2-auth-server-4.2.2/package/yast2-auth-server.changes
--- old/yast2-auth-server-4.1.0/package/yast2-auth-server.changes 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/package/yast2-auth-server.changes 2019-07-19 11:45:17.000000000 +0200
@@ -1,4 +1,25 @@
-------------------------------------------------------------------
+Fri Jul 19 09:16:56 UTC 2019 - Ladislav Slezák
+
+- Added "BuildRequires: update-desktop-files"
+- Related to the previous desktop file changes (fate#319035)
+- 4.2.2
+
+-------------------------------------------------------------------
+Mon Jul 1 15:24:00 UTC 2019 - William Brown
+
+- Add dependency on krb5-plugin-kdb-ldap
+- 4.2.1
+
+-------------------------------------------------------------------
+Fri May 31 12:26:05 UTC 2019 - Stasiek Michalski
+
+- Add metainfo (fate#319035)
+- Revamp spec
+- Replace GenericName with Comment
+- 4.2.0
+
+-------------------------------------------------------------------
Fri Nov 23 23:00:04 UTC 2018 - Stasiek Michalski
- Provide icon with module (boo#1109310)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/package/yast2-auth-server.spec new/yast2-auth-server-4.2.2/package/yast2-auth-server.spec
--- old/yast2-auth-server-4.1.0/package/yast2-auth-server.spec 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/package/yast2-auth-server.spec 2019-07-19 11:45:17.000000000 +0200
@@ -12,25 +12,29 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: yast2-auth-server
-Group: System/YaST
-Summary: A tool for creating identity management server instances
-Version: 4.1.0
+Group: System/YaST
+Summary: A tool for creating identity management server instances
+Version: 4.2.2
Release: 0
License: GPL-2.0-or-later
-Source0: %{name}-%{version}.tar.bz2
Url: https://github.com/yast/yast-auth-server
-BuildArch: noarch
+
+Source0: %{name}-%{version}.tar.bz2
+
BuildRequires: yast2
-BuildRequires: yast2-devtools
+BuildRequires: yast2-devtools >= 4.2.2
BuildRequires: rubygem(yast-rake)
+BuildRequires: update-desktop-files
+
Requires: net-tools
Requires: yast2-ruby-bindings
Requires: yast2
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+BuildArch: noarch
%description
The program assists system administrators to create new directory server and
@@ -38,19 +42,20 @@
database for a network.
%prep
-%setup -n %{name}-%{version}
+%setup -q
%build
%install
-rake install DESTDIR="%{buildroot}"
+%yast_install
+%yast_metainfo
%files
-%defattr(-,root,root)
%doc %{yast_docdir}
-%{yast_libdir}/
-%{yast_desktopdir}/
-%{yast_clientdir}/
+%{yast_libdir}
+%{yast_desktopdir}
+%{yast_metainfodir}
+%{yast_clientdir}
%{yast_icondir}
%license COPYING
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/desktop/krb-server.desktop new/yast2-auth-server-4.2.2/src/desktop/krb-server.desktop
--- old/yast2-auth-server-4.1.0/src/desktop/krb-server.desktop 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/desktop/krb-server.desktop 1970-01-01 01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
-[Desktop Entry]
-Type=Application
-Categories=Settings;System;Qt;X-SuSE-YaST;X-SuSE-YaST-Net_advanced;
-
-X-KDE-ModuleType=Library
-X-KDE-HasReadOnlyMode=true
-X-SuSE-YaST-Call=krb-server
-
-X-SuSE-YaST-Group=Net_advanced
-X-SuSE-YaST-RootOnly=true
-X-SuSE-YaST-Keywords=authentication,kerberos,krb,krb5
-
-Icon=yast-kerberos-server
-Exec=xdg-su -c "/sbin/yast2 krb-server"
-
-Name=Create New Kerberos Server
-GenericName=Create New Kerberos Server
-StartupNotify=true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/desktop/ldap-server.desktop new/yast2-auth-server-4.2.2/src/desktop/ldap-server.desktop
--- old/yast2-auth-server-4.1.0/src/desktop/ldap-server.desktop 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/desktop/ldap-server.desktop 1970-01-01 01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
-[Desktop Entry]
-Type=Application
-Categories=Settings;System;Qt;X-SuSE-YaST;X-SuSE-YaST-Net_advanced;
-
-X-KDE-ModuleType=Library
-X-KDE-HasReadOnlyMode=true
-X-SuSE-YaST-Call=ldap-server
-
-X-SuSE-YaST-Group=Net_advanced
-X-SuSE-YaST-RootOnly=true
-X-SuSE-YaST-Keywords=authentication,directory,ldap
-
-Icon=yast-ldap-server
-Exec=xdg-su -c "/sbin/yast2 ldap-server"
-
-Name=Create New Directory Server
-GenericName=Create New Directory Server
-StartupNotify=true
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/desktop/org.opensuse.yast.KrbServer.desktop new/yast2-auth-server-4.2.2/src/desktop/org.opensuse.yast.KrbServer.desktop
--- old/yast2-auth-server-4.1.0/src/desktop/org.opensuse.yast.KrbServer.desktop 1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/desktop/org.opensuse.yast.KrbServer.desktop 2019-07-19 11:45:17.000000000 +0200
@@ -0,0 +1,19 @@
+[Desktop Entry]
+Type=Application
+Categories=Settings;System;Qt;X-SuSE-YaST;X-SuSE-YaST-Net_advanced;
+
+X-KDE-ModuleType=Library
+X-KDE-HasReadOnlyMode=true
+X-SuSE-YaST-Call=krb-server
+
+X-SuSE-YaST-Group=Net_advanced
+X-SuSE-YaST-RootOnly=true
+X-SuSE-YaST-Keywords=authentication,kerberos,krb,krb5
+
+Icon=yast-kerberos-server
+Exec=xdg-su -c "/sbin/yast2 krb-server"
+
+Name=YaST New Kerberos Server
+GenericName=New Kerberos Server
+Comment=Create a New Kerberos Server
+StartupNotify=true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/desktop/org.opensuse.yast.LDAPServer.desktop new/yast2-auth-server-4.2.2/src/desktop/org.opensuse.yast.LDAPServer.desktop
--- old/yast2-auth-server-4.1.0/src/desktop/org.opensuse.yast.LDAPServer.desktop 1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/desktop/org.opensuse.yast.LDAPServer.desktop 2019-07-19 11:45:17.000000000 +0200
@@ -0,0 +1,19 @@
+[Desktop Entry]
+Type=Application
+Categories=Settings;System;Qt;X-SuSE-YaST;X-SuSE-YaST-Net_advanced;
+
+X-KDE-ModuleType=Library
+X-KDE-HasReadOnlyMode=true
+X-SuSE-YaST-Call=ldap-server
+
+X-SuSE-YaST-Group=Net_advanced
+X-SuSE-YaST-RootOnly=true
+X-SuSE-YaST-Keywords=authentication,directory,ldap
+
+Icon=yast-ldap-server
+Exec=xdg-su -c "/sbin/yast2 ldap-server"
+
+Name=YaST New Directory Server
+GenericName=New Directory Server
+Comment=Create a New Directory Server
+StartupNotify=true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/lib/authserver/dir/client.rb new/yast2-auth-server-4.2.2/src/lib/authserver/dir/client.rb
--- old/yast2-auth-server-4.1.0/src/lib/authserver/dir/client.rb 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/lib/authserver/dir/client.rb 2019-07-19 11:45:17.000000000 +0200
@@ -14,6 +14,8 @@
# LDAPClient serves utility functions for using LDAP command line client to interact with 389 directory server.
class LDAPClient
+ include Yast::Logger
+
# Initialise a client with specified connectivity details.
def initialize(url, bind_dn, bind_pw)
@url = url
@@ -23,6 +25,7 @@
# modify invokes ldapmodify and returns tuple of command output and boolean (success or not).
def modify(ldif_input, ignore_existing)
+ log.info('modify: #{ldif_input}')
stdin, stdouterr, result = Open3.popen2e('/usr/bin/ldapmodify', '-H', @url, '-x', '-D', @bind_dn, '-w', @bind_pw)
stdin.puts(ldif_input)
stdin.close
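Review bot: `log.info('modify: #{ldif_input}')` uses single quotes, so Ruby does not interpolate and the log line is the literal text `modify: #{ldif_input}`; either use double quotes or the `'%s' % ldif_input` form used in `add` below. Before fixing the quoting, consider whether the whole LDIF should land in y2log at all: elsewhere in this patch passwords are masked with `********`, and an LDIF passed to `modify` can carry attribute values that deserve the same treatment, so logging only the `dn:` lines is the safer default.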
@@ -32,6 +35,7 @@
# add invokes ldapadd and returns tuple of command output and boolean (success or not).
def add(ldif_input, ignore_existing)
+ log.info('add: %s' % ldif_input)
stdin, stdouterr, result = Open3.popen2e('/usr/bin/ldapadd', '-H', @url, '-x', '-D', @bind_dn, '-w', @bind_pw)
stdin.puts(ldif_input)
stdin.close
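Review bot: `log.info('add: %s' % ldif_input)` writes every attribute of the new entry to y2log at info level; since y2log is a long-lived file that users are asked to attach to bug reports, log the DN rather than the full LDIF, or mask sensitive attributes the way `mit.rb` masks the passwords in its command line.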
@@ -53,6 +57,7 @@
# Most directory servers require LDAPS or StartTLS for this operation.
# Returns tuple of command output and boolean (success or not).
def change_password(dn, new_pass)
+ log.info('change password: %s' % dn)
stdin, stdouterr, result = Open3.popen2e('/usr/bin/ldappasswd', '-H', @url, '-x', '-D', @bind_dn, '-w', @bind_pw, '-s', new_pass, dn)
stdin.close
return [stdouterr.readlines.join('\n'), result.value.exitstatus == 0]
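Review bot: the logging change is fine (only the DN is recorded), but the context line still passes both `@bind_pw` and `new_pass` as `ldappasswd` arguments, where they are visible to every local user through the process list for as long as the command runs; `ldappasswd` can read the bind password from a file (`-y`) and prompt for the new one (`-S`), so consider feeding both through a temporary 0600 file or stdin. Also, `join('\n')` with single quotes joins lines with a literal backslash-n, not a newline; `join("\n")` (or plain `read`) is what was intended.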
@@ -68,4 +73,4 @@
(version 3.0; acl \"#{rule_nickname}\"; allow (all)
userdn = \"ldap:///#{user_dn}\";)", true)
end
-end
\ No newline at end of file
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/lib/authserver/dir/ds389.rb new/yast2-auth-server-4.2.2/src/lib/authserver/dir/ds389.rb
--- old/yast2-auth-server-4.1.0/src/lib/authserver/dir/ds389.rb 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/lib/authserver/dir/ds389.rb 2019-07-19 11:45:17.000000000 +0200
@@ -9,13 +9,12 @@
# this program; if not, contact SUSE LINUX GmbH.
# Authors: Howard Guo
+# William Brown
require 'yast'
require 'open3'
require 'fileutils'
-# DS_SETUP_LOG_PATH is the path to progress and debug log file for setting up a new directory instance.
-DS_SETUP_LOG_PATH = '/root/yast2-auth-server-dir-setup.log'
# DS_SETUP_INI_PATH is the path to parameter file for setting up new directory instance.
# Place the file under root directory because there are sensitive details in it.
DS_SETUP_INI_PATH = '/root/yast2-auth-server-dir-setup.ini'
@@ -23,6 +22,7 @@
# DS389 serves utility functions for setting up a new instance of 389 directory server.
class DS389
include Yast
+ include Yast::Logger
# install_pkgs installs software packages mandatory for setting up 389 directory server.
def self.install_pkgs
@@ -37,29 +37,42 @@
end
# gen_setup_ini generates INI file content with parameters for setting up directory server.
- def self.gen_setup_ini(fqdn, instance_name, suffix, dm_dn, dm_pass)
- return "[General]
-FullMachineName=#{fqdn}
-SuiteSpotUserID=dirsrv
-SuiteSpotGroup=dirsrv
+ def self.gen_setup_ini(fqdn, instance_name, suffix, dm_pass)
+ return "# Generated by yast-auth-server
+[general]
+config_version = 2
+full_machine_name = #{fqdn}
+# This may be need to be tweaked, it could break setups ...
+# strict_host_checking = true/false
[slapd]
-ServerPort=389
-ServerIdentifier=#{instance_name}
-Suffix=#{suffix}
-RootDN=#{dm_dn}
-RootDNPwd=#{dm_pass}
-AddSampleEntries=No
+root_password = #{dm_pass}
+instance_name = #{instance_name}
+
+[backend-userroot]
+sample_entries = yes
+suffix = #{suffix}
"
end
# exec_setup runs setup-ds.pl using input parameters file content.
- # The output of setup script is written into file /root/yast2-auth-server-dir-setup.log
+ # The output of setup script is written into file .y2log or /var/log/YaST/y2log
# Returns true only if setup was successful.
def self.exec_setup(content)
+ append_to_log('Beginning YAST auth server installation ...')
+
open(DS_SETUP_INI_PATH, 'w') {|fh| fh.puts(content)}
- stdin, stdouterr, result = Open3.popen2e('/usr/sbin/setup-ds.pl', '--debug', '--silent', '-f', DS_SETUP_INI_PATH)
- append_to_log(stdouterr.readlines.join('\n'))
+ # dry run first to see if it breaks ...
+ stdin, stdouterr, result = Open3.popen2e('/usr/sbin/dscreate', '-v', 'from-file', '-n', DS_SETUP_INI_PATH)
+ stdouterr.readlines.map { |l| append_to_log(l) }
+
+ if result.value.exitstatus != 0
+ return false
+ end
+
+ # Right do the real thing.
+ stdin, stdouterr, result = Open3.popen2e('/usr/sbin/dscreate', '-v', 'from-file', DS_SETUP_INI_PATH)
+ stdouterr.readlines.map { |l| append_to_log(l) }
stdin.close
return result.value.exitstatus == 0
end
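Review bot: `open(DS_SETUP_INI_PATH, 'w')` creates the file with the default umask even though it now contains `root_password` in clear text and the comment above the constant says it is placed under /root precisely because of that; use `File.open(DS_SETUP_INI_PATH, 'w', 0600)` so the window between writing and `remove_setup_ini` is not world-readable. Two further points: the generated INI sets `sample_entries = yes` where the old template set `AddSampleEntries=No`, a behaviour change worth a changelog line (or a `no` if unintended), and the dry-run `popen2e` never closes its `stdin` before the variable is reassigned for the real run, so close it (or use the block form of `Open3.popen2e`). `readlines.map { |l| append_to_log(l) }` is `each` in intent.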
@@ -71,17 +84,7 @@
# append_to_log appends current time and content into log file placed under /root/.
def self.append_to_log(content)
- open(DS_SETUP_LOG_PATH, 'a') {|fh|
- fh.puts(Time.now)
- fh.puts(content)
- }
- end
-
- # enable_krb_schema enables kerberos schema in the directory server and then restarts the directory server.
- # Returns true only if server restarted successfully.
- def self.enable_krb_schema(instance_name)
- ::FileUtils.copy('/usr/share/dirsrv/data/60kerberos.ldif', '/etc/dirsrv/slapd-' + instance_name + '/schema/60kerberos.ldif')
- return self.restart(instance_name)
+ log.info(content)
end
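Review bot: the comment above `append_to_log` still says the content goes "into log file placed under /root/", but the body now calls `log.info`, so the output goes to y2log; update the comment (and the companion comment on `exec_setup`, which names `/var/log/YaST/y2log` while the README in this submission says `/var/log/YaST2/y2log`).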
# restart the directory service specified by the instance name. Returns true only on success.
@@ -94,48 +97,21 @@
def self.install_tls_in_nss(instance_name, ca_path, p12_path)
instance_dir = '/etc/dirsrv/slapd-' + instance_name
# Put CA certificate into NSS database
- _, stdouterr, result = Open3.popen2e('/usr/bin/certutil', '-A', '-d', instance_dir, '-n', 'ca_cert', '-t', 'C,,', '-i', ca_path)
- append_to_log(stdouterr.readlines.join('\n'))
+ _, stdouterr, result = Open3.popen2e('/usr/bin/certutil', '-A', '-f', instance_dir + '/pwdfile.txt', '-d', instance_dir, '-n', 'ca_cert', '-t', 'C,,', '-i', ca_path)
+ stdouterr.readlines.map { |l| append_to_log(l) }
if result.value.exitstatus != 0
return false
end
- # Put TLS certificate and key into NSS database
- _, stdouterr, result = Open3.popen2e('/usr/bin/pk12util', '-d', instance_dir, '-W', '', '-K', '', '-i', p12_path)
- append_to_log(stdouterr.readlines.join('\n'))
+ # Delete the automatically created Server-Cert - we don't care if it fails ...
+ _, stdouterr, result = Open3.popen2e('/usr/bin/certutil', '-F', '-d', instance_dir, '-n', 'Server-Cert', '-f', instance_dir + '/pwdfile.txt')
+ stdouterr.readlines.map { |l| append_to_log(l) }
+ # Put TLS certificate and key into NSS database - and hope it's named Server-Cert ...
+ _, stdouterr, result = Open3.popen2e('/usr/bin/pk12util', '-i', p12_path, '-k', instance_dir + '/pwdfile.txt', '-d', instance_dir, '-W', '')
+ stdouterr.readlines.map { |l| append_to_log(l) }
if result.value.exitstatus != 0
return false
end
return true
end
- # get_enable_tls_ldif returns LDIF data that can be
- def self.get_enable_tls_ldif
- return 'dn: cn=encryption,cn=config
-changetype: modify
-replace: nsSSL3
-nsSSL3: off
--
-replace: nsSSLClientAuth
-nsSSLClientAuth: allowed
--
-add: nsSSL3Ciphers
-nsSSL3Ciphers: +all
-
-dn: cn=config
-changetype: modify
-add: nsslapd-security
-nsslapd-security: on
--
-replace: nsslapd-ssl-check-hostname
-nsslapd-ssl-check-hostname: off
-
-dn: cn=RSA,cn=encryption,cn=config
-changetype: add
-objectclass: top
-objectclass: nsEncryptionModule
-cn: RSA
-nsSSLPersonalitySSL: Server-Cert
-nsSSLToken: internal (software)
-nsSSLActivation: on'
- end
-end
\ No newline at end of file
+end
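Review bot: `pk12util -i ... -W ''` hard-codes an empty PKCS12 password, and the comment "hope it's named Server-Cert" admits the nickname is not checked; the UI label added in this patch mentions the friendly name but not the empty password, so the user has no way to learn either requirement except from a failed setup. Document both in the UI text, and replace the hope with a check: run `certutil -L -d instance_dir -n Server-Cert` after the import and return false when it fails, so a bundle with a different nickname does not silently leave the instance with the cert that `certutil -F` just tried to delete. The `-F` call also discards its exit status entirely; logging a non-zero result would make the "we don't care" case diagnosable.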
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/lib/authserver/krb/mit.rb new/yast2-auth-server-4.2.2/src/lib/authserver/krb/mit.rb
--- old/yast2-auth-server-4.1.0/src/lib/authserver/krb/mit.rb 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/lib/authserver/krb/mit.rb 2019-07-19 11:45:17.000000000 +0200
@@ -13,18 +13,16 @@
require 'yast'
require 'open3'
-# KDC_SETUP_LOG_PATH is the path to progress and debug log file for setting up a new KDC.
-KDC_SETUP_LOG_PATH = '/root/yast2-auth-server-kdc-setup.log'
-
# MITKerberos serves utility functions for setting up a new directory connected KDC.
class MITKerberos
include Yast
+ include Yast::Logger
# install_pkgs installs software packages mandatory for setting up MIT Kerberos server.
def self.install_pkgs
Yast.import 'Package'
# DoInstall never fails
- Package.DoInstall(['krb5-client', 'krb5-server'].delete_if{|name| Package.Installed(name)})
+ Package.DoInstall(['krb5-client', 'krb5-server', 'krb5-plugin-kdb-ldap'].delete_if{|name| Package.Installed(name)})
end
# is_configured returns true only if there kerberos configuration has been altered.
@@ -110,7 +108,7 @@
# init_dir uses kerberos LDAP utility to prepare a directory server for kerberos operation.
# Returns tuple of command output and boolean (success or not).
def self.init_dir(ldaps_addr, dir_admin_dn, dir_admin_pass, realm_name, container_dn, master_pass)
- puts ['/usr/lib/mit/sbin/kdb5_ldap_util', '-H', 'ldaps://'+ldaps_addr, '-D', dir_admin_dn, '-w', dir_admin_pass, 'create', '-r', realm_name, '-subtrees', container_dn, '-s', '-P', master_pass].join(' ')
+ log.info( ['/usr/lib/mit/sbin/kdb5_ldap_util', '-H', 'ldaps://'+ldaps_addr, '-D', dir_admin_dn, '-w', '********', 'create', '-r', realm_name, '-subtrees', container_dn, '-s', '-P', '********'].join(' '))
stdin, stdouterr, result = Open3.popen2e('/usr/lib/mit/sbin/kdb5_ldap_util', '-H', 'ldaps://'+ldaps_addr, '-D', dir_admin_dn, '-w', dir_admin_pass, 'create', '-r', realm_name, '-subtrees', container_dn, '-s', '-P', master_pass)
stdin.close
return [stdouterr.readlines.join('\n'), result.value.exitstatus == 0]
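Review bot: masking the two passwords in the logged command line is the right call, but the context line below still hands `dir_admin_pass` and `master_pass` to `kdb5_ldap_util` as arguments, where any local user can read them from the process list while the command runs; if the tool offers a file or stdin based alternative for these values, prefer it, otherwise note the exposure in the comment so it is not mistaken for a solved problem.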
@@ -130,9 +128,6 @@
# append_to_log appends current time and content into log file placed under /root/.
def self.append_to_log(content)
- open(KDC_SETUP_LOG_PATH, 'a') {|fh|
- fh.puts(Time.now)
- fh.puts(content)
- }
+ log.info(content)
end
-end
\ No newline at end of file
+end
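Review bot: as in ds389.rb, the comment above `append_to_log` still describes a log file "placed under /root/" although the body now calls `log.info`; update it so readers looking for the KDC setup output are sent to y2log.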
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/lib/authserver/ui/new_dir_inst.rb new/yast2-auth-server-4.2.2/src/lib/authserver/ui/new_dir_inst.rb
--- old/yast2-auth-server-4.1.0/src/lib/authserver/ui/new_dir_inst.rb 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/lib/authserver/ui/new_dir_inst.rb 2019-07-19 11:45:17.000000000 +0200
@@ -9,6 +9,7 @@
# this program; if not, contact SUSE LINUX GmbH.
# Authors: Howard Guo
+# William Brown
require 'yast'
require 'ui/dialog'
@@ -44,20 +45,25 @@
Left(Heading(_('Create New Directory Instance'))),
HBox(
Frame(_('General options (mandatory)'),
- VBox(
- InputField(Id(:fqdn), Opt(:hstretch), _('Fully qualified domain name (e.g. dir.example.net)'), ''),
- InputField(Id(:instance_name), Opt(:hstretch), _('Directory server instance name (e.g. MyOrgDirectory)'), ''),
- InputField(Id(:suffix), Opt(:hstretch), _('Directory suffix (e.g. dc=example,dc=net)'), ''),
- InputField(Id(:dm_dn), Opt(:hstretch), _('Directory manager DN (e.g. cn=root)'), ''),
- ),
+ VBox(
+ InputField(Id(:fqdn), Opt(:hstretch), _('Fully qualified domain name (e.g. dir.example.net)'), ''),
+ InputField(Id(:instance_name), Opt(:hstretch), _('Directory server instance name (e.g. localhost)'), ''),
+ InputField(Id(:suffix), Opt(:hstretch), _('Directory suffix (e.g. dc=example,dc=net)'), ''),
+ ),
),
- Frame(_('Security options (mandatory)'),
- VBox(
- Password(Id(:dm_pass), Opt(:hstretch), _('Directory manager password'), ''),
- Password(Id(:dm_pass_repeat), Opt(:hstretch), _('Repeat directory manager password'), ''),
- InputField(Id(:tls_ca), Opt(:hstretch), _('Server TLS certificate authority in PEM format'), ''),
- InputField(Id(:tls_p12), Opt(:hstretch), _('Server TLS certificate and key in PKCS12 format'), ''),
- ),
+ VBox(
+ Frame(_('Security options (mandatory)'),
+ VBox(
+ Password(Id(:dm_pass), Opt(:hstretch), _('"cn=Directory Manager" password'), ''),
+ Password(Id(:dm_pass_repeat), Opt(:hstretch), _('Repeat "cn=Directory Manager" password'), ''),
+ ),
+ ),
+ Frame(_('Security options (optional)'),
+ VBox(
+ InputField(Id(:tls_ca), Opt(:hstretch), _('Server TLS certificate authority in PEM format'), ''),
+ InputField(Id(:tls_p12), Opt(:hstretch), _('Server TLS certificate and key in PKCS12 format with friendly name "Server-Cert"'), ''),
+ ),
+ ),
),
),
HBox(
@@ -72,64 +78,72 @@
fqdn = UI.QueryWidget(Id(:fqdn), :Value)
instance_name = UI.QueryWidget(Id(:instance_name), :Value)
suffix = UI.QueryWidget(Id(:suffix), :Value)
- dm_dn = UI.QueryWidget(Id(:dm_dn), :Value)
dm_pass = UI.QueryWidget(Id(:dm_pass), :Value)
dm_pass_repeat = UI.QueryWidget(Id(:dm_pass_repeat), :Value)
tls_ca = UI.QueryWidget(Id(:tls_ca), :Value)
tls_p12 = UI.QueryWidget(Id(:tls_p12), :Value)
+ UI.ReplaceWidget(Id(:busy), Empty())
+
# Validate input
- if fqdn == '' || instance_name == ''|| suffix == '' || dm_dn == '' || dm_pass == '' || tls_ca == '' || tls_p12 == ''
- Popup.Error(_('Please complete setup details. All input fields are mandatory.'))
+ if fqdn == '' || instance_name == ''|| suffix == '' || dm_pass == ''
+ Popup.Error(_('Please complete mandatory setup fields.'))
return
end
if dm_pass_repeat != dm_pass
Popup.Error(_('Two password entries do not match.'))
return
end
- if !File.exists?(tls_ca) || !File.exists?(tls_p12)
- Popup.Error(_('TLS certificate authority or certificate/key file does not exist.'))
+ if ! ((tls_ca == '' && tls_p12 == '') || (tls_ca != '' && tls_p12 != ''))
+ Popup.Error(_('Both TLS Certificate authority and PKCS12 must be provided, or none provided.'))
return
end
- if DS389.get_instance_names.include?(instance_name)
- Popup.Error(_('The instance name is already used.'))
+ if (tls_ca != '' && tls_p12 != '') && (!File.exists?(tls_ca) || !File.exists?(tls_p12))
+ Popup.Error(_('TLS certificate authority PEM OR certificate/key PKCS12 file does not exist.'))
return
end
+ # The dscreate tool has an instance name checker that is much more aware of instance
+ # rules than this ruby tool can be.
+ UI.ReplaceWidget(Id(:busy), Label(_('Preparing to install new instance, this may take a minute ...')))
- UI.ReplaceWidget(Id(:busy), Label(_('Installing new instance, this may take a minute or two.')))
- begin
- DS389.install_pkgs
- # Collect setup parameters into an INI file and feed it into 389 setup script
- ok = DS389.exec_setup(DS389.gen_setup_ini(fqdn, instance_name, suffix, dm_dn, dm_pass))
- DS389.remove_setup_ini
- if !ok
- Popup.Error(_('Failed to set up new instance! Log output may be found in %s') % [DS_SETUP_LOG_PATH])
- raise
- end
+ if !DS389.install_pkgs
+ Popup.Error(_('Error during package installation.'))
+ return
+ end
+
+ # Collect setup parameters into an INI file and feed it into 389 setup script
+ ini_content = DS389.gen_setup_ini(fqdn, instance_name, suffix, dm_pass)
+ ini_safe_content = DS389.gen_setup_ini(fqdn, instance_name, suffix, "********")
+ log.info(ini_safe_content)
+ UI.ReplaceWidget(Id(:busy), Label(_('Installing new instance, this may take a minute ...')))
+ ok = DS389.exec_setup(ini_content)
+ # Always remove the ini file
+ DS389.remove_setup_ini
+ if !ok
+ Popup.Error(_('Failed to set up new instance! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+
+ if (tls_ca != '' && tls_p12 != '')
+ UI.ReplaceWidget(Id(:busy), Label(_('Configuring instance TLS ...')))
# Turn on TLS
if !DS389.install_tls_in_nss(instance_name, tls_ca, tls_p12)
- Popup.Error(_('Failed to set up new instance! Log output may be found in %s') % [DS_SETUP_LOG_PATH])
- raise
- end
- ldap = LDAPClient.new('ldap://'+fqdn, dm_dn, dm_pass)
- out, ok = ldap.modify(DS389.get_enable_tls_ldif, true)
- DS389.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to enable TLS! Log output may be found in %s') % [DS_SETUP_LOG_PATH])
- raise
+ Popup.Error(_('Failed to set up new instance! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
end
+
if !DS389.restart(instance_name)
- Popup.Error(_('Failed to restart directory instance, please inspect the journal of dirsrv@%s.service') % [instance_name])
- raise
+ Popup.Error(_('Failed to restart directory instance, please inspect the journal of dirsrv@%s.service and /var/log/dirsrv/slapd-%s') % [instance_name, instance_name])
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
end
-
- UI.ReplaceWidget(Id(:busy), Empty())
- Popup.Message(_('New instance has been set up! Log output may be found in %s') % [DS_SETUP_LOG_PATH])
- finish_dialog(:next)
- rescue
- # Give user an opportunity to correct mistake
- UI.ReplaceWidget(Id(:busy), Empty())
end
+ UI.ReplaceWidget(Id(:busy), Empty())
+ Popup.Message(_('New instance has been set up! Log output may be found in /var/log/YaST/y2log'))
+ finish_dialog(:next)
+ UI.ReplaceWidget(Id(:busy), Empty())
end
-end
\ No newline at end of file
+end
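Review bot: the three new popup strings name `/var/log/YaST/y2log`, while the README added in this same submission (and the distribution's actual layout) use `/var/log/YaST2/y2log`; users told to inspect the wrong path will report that the log does not exist. Smaller points: `UI.ReplaceWidget(Id(:busy), Empty())` after `finish_dialog(:next)` at the end of the method acts on a dialog that has just been finished and can be dropped (the identical call two lines earlier already clears the widget), and `File.exists?` is deprecated in favour of `File.exist?`. Logging `ini_safe_content` with the password replaced by `********` is a good pattern; `exec_setup` is still called with `-v`, so confirm that dscreate's verbose output does not echo the INI back into the log.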
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/src/lib/authserver/ui/new_krb_inst.rb new/yast2-auth-server-4.2.2/src/lib/authserver/ui/new_krb_inst.rb
--- old/yast2-auth-server-4.1.0/src/lib/authserver/ui/new_krb_inst.rb 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/src/lib/authserver/ui/new_krb_inst.rb 2019-07-19 11:45:17.000000000 +0200
@@ -53,12 +53,9 @@
),
Frame(_('389 directory server connectivity (mandatory)'),
VBox(
- InputField(Id(:dir_addr), Opt(:hstretch), _('Directory server address (e.g. dir.example.net)'), ''),
- InputField(Id(:dir_inst), Opt(:hstretch), _('Directory instance name'), ''),
+ InputField(Id(:dir_addr), Opt(:hstretch), _('Fully qualified domain name (e.g. dir.example.net)'), ''),
InputField(Id(:dir_suffix), Opt(:hstretch), _('Directory suffix (e.g. dc=example,dc=net)'), ''),
- InputField(Id(:container_dn), Opt(:hstretch), _('Container DN of existing users (e.g. ou=users,dc=example,dc=net)'), ''),
- InputField(Id(:dm_dn), Opt(:hstretch), _('Directory manager DN (e.g. cn=root)'), ''),
- Password(Id(:dm_pass), Opt(:hstretch), _('Directory manager password'), ''),
+ Password(Id(:dm_pass), Opt(:hstretch), _('"cn=Directory Manager" password'), ''),
),
),
),
@@ -72,6 +69,7 @@
InputField(Id(:admin_dn), Opt(:hstretch), _('Admin account to create (e.g. cn=krbadm)'), ''),
Password(Id(:admin_pass), Opt(:hstretch), _('Password of admin account'), ''),
Password(Id(:admin_pass_repeat), Opt(:hstretch), _('Repeat password of admin account'), ''),
+ InputField(Id(:container_dn), Opt(:hstretch), _('KDC container DN (e.g. cn=kdc)'), ''),
),
),
),
@@ -95,10 +93,9 @@
realm = UI.QueryWidget(Id(:realm), :Value)
dir_addr = UI.QueryWidget(Id(:dir_addr), :Value)
- dir_inst = UI.QueryWidget(Id(:dir_inst), :Value)
dir_suffix = UI.QueryWidget(Id(:dir_suffix), :Value)
- container_dn = UI.QueryWidget(Id(:container_dn), :Value)
- dm_dn = UI.QueryWidget(Id(:dm_dn), :Value)
+ container_dn = UI.QueryWidget(Id(:container_dn), :Value) + ',' + dir_suffix
+ dm_dn = 'cn=Directory Manager'
dm_pass = UI.QueryWidget(Id(:dm_pass), :Value)
master_pass = UI.QueryWidget(Id(:master_pass), :Value)
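Review bot: `container_dn = UI.QueryWidget(Id(:container_dn), :Value) + ',' + dir_suffix` builds the full DN before the emptiness validation that follows, so a blank field yields `,dc=example,dc=net` instead of `''` and the later `container_dn == ''` check can never fire. Validate the raw widget value first and append the suffix afterwards.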
@@ -112,7 +109,7 @@
# Validate input
if fqdn == '' || realm == '' ||
- dir_addr == '' || dir_inst == '' || dir_suffix == '' || container_dn == '' ||
+ dir_addr == '' || dir_suffix == '' || container_dn == '' ||
master_pass == '' || master_pass_repeat == '' ||
dm_dn == '' || dm_pass == '' ||
kdc_dn_prefix == '' || kdc_pass == '' || kdc_pass_repeat == '' ||
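Review bot: the `dm_dn == ''` test in this condition is now dead code, since `dm_dn` is assigned the constant `'cn=Directory Manager'` in the previous hunk; drop it, or keep the DN configurable so the check means something again.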
@@ -142,105 +139,117 @@
UI.ReplaceWidget(Id(:busy), Label(_('Installing new instance, this may take a minute or two.')))
- begin
- MITKerberos.install_pkgs
- # Enable kerberos schema on 389
- if !DS389.enable_krb_schema(dir_inst)
- Popup.Error(_('Failed to enable Kerberos schema.'))
- raise
- end
-
- # Create kerberos users and give them password in LDAP
- kdc_dn = kdc_dn_prefix+','+dir_suffix
- admin_dn = admin_dn_prefix+','+dir_suffix
- ldap = LDAPClient.new('ldaps://'+fqdn, dm_dn, dm_pass)
- out, ok = ldap.create_person(kdc_dn_prefix, 'Kerberos KDC Connection', dir_suffix)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to create Kerberos KDC connection user! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
- out, ok = ldap.change_password(kdc_dn,kdc_pass)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to create Kerberos KDC connection user! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
- out, ok = ldap.create_person(admin_dn_prefix, 'Kerberos Administration Connection', dir_suffix)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to create Kerberos administration user! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
- out, ok = ldap.change_password(admin_dn,admin_pass)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to create Kerberos KDC administration user! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
-
- # Create password file for KDC
- pass_file_path = '/etc/dirsrv/kdc'
- out, ok = MITKerberos.save_password_into_file(kdc_dn, kdc_pass, pass_file_path)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to create password file! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
- out, ok = MITKerberos.save_password_into_file(admin_dn, admin_pass, pass_file_path)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to create password file! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
+ MITKerberos.install_pkgs
+ # Enable kerberos schema on 389
+ # By default 389-ds ships with this schema enabled today.
+
+ # Create kerberos users and give them password in LDAP
+ kdc_dn = kdc_dn_prefix+','+dir_suffix
+ MITKerberos.append_to_log(kdc_dn)
+ admin_dn = admin_dn_prefix+','+dir_suffix
+ MITKerberos.append_to_log(admin_dn)
+ ldap = LDAPClient.new('ldaps://'+dir_addr, dm_dn, dm_pass)
+ MITKerberos.append_to_log('Created ldap client')
+ out, ok = ldap.create_person(kdc_dn_prefix, 'Kerberos KDC Connection', dir_suffix)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to create Kerberos KDC connection user! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+ out, ok = ldap.change_password(kdc_dn,kdc_pass)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to create Kerberos KDC connection user! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+ out, ok = ldap.create_person(admin_dn_prefix, 'Kerberos Administration Connection', dir_suffix)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to create Kerberos administration user! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+ out, ok = ldap.change_password(admin_dn,admin_pass)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to create Kerberos KDC administration user! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
- # Make common and KDC configuration files
- open('/etc/krb5.conf', 'w') {|fh|
- fh.puts(MITKerberos.gen_common_conf(realm, fqdn))
- }
- open('/var/lib/kerberos/krb5kdc/kdc.conf', 'w') {|fh|
- fh.puts(MITKerberos.gen_kdc_conf(realm, kdc_dn, admin_dn, container_dn, pass_file_path, dir_addr))
- }
-
- # Give kerberos rights to modify directory
- out, ok = ldap.aci_allow_modify(container_dn, 'kerberos-admin', admin_dn)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to modify directory permission! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
- out, ok = ldap.aci_allow_modify(container_dn, 'kerberos-kdc', kdc_dn)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Failed to modify directory permission! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
+ # Make common and KDC configuration files
+ # This has to occur the PW files else the default realm is not known
+ # to the pwstash command below.
+ pass_file_path = '/var/lib/kerberos/krb5kdc/ldap.creds'
+
+ MITKerberos.append_to_log('Generating /etc/krb5.conf')
+ open('/etc/krb5.conf', 'w') {|fh|
+ fh.puts(MITKerberos.gen_common_conf(realm, fqdn))
+ }
+ MITKerberos.append_to_log('Generating /var/lib/kerberos/krb5kdc/kdc.conf')
+ open('/var/lib/kerberos/krb5kdc/kdc.conf', 'w') {|fh|
+ fh.puts(MITKerberos.gen_kdc_conf(realm, kdc_dn, admin_dn, container_dn, pass_file_path, dir_addr))
+ }
+
+ # Create password file for KDC
+ MITKerberos.append_to_log('Generating KRBADM/KDC Passwords to %s' % pass_file_path)
+ out, ok = MITKerberos.save_password_into_file(kdc_dn, kdc_pass, pass_file_path)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to create password file! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+ out, ok = MITKerberos.save_password_into_file(admin_dn, admin_pass, pass_file_path)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to create password file! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
- # Let kerberos do its initialisation sequence
- out, ok = MITKerberos.init_dir(dir_addr, dm_dn, dm_pass, realm, container_dn, master_pass)
- MITKerberos.append_to_log(out)
- if !ok
- Popup.Error(_('Kerberos initialisation failure! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- raise
- end
+ # Let kerberos do its initialisation sequence
+ out, ok = MITKerberos.init_dir(dir_addr, dm_dn, dm_pass, realm, container_dn, master_pass)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Kerberos initialisation failure! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
- # Kerberos may finally start
- if !MITKerberos.restart_kdc
- Popup.Error(_('Failed to start KDC, please inspect the journal of krb5kdc.service'))
- raise
- end
- if !MITKerberos.restart_kadmind
- Popup.Error(_('Failed to start kadmind, please inspect the journal of kadmind.service'))
- raise
- end
+ # Give kerberos rights to modify directory, relies on the kdc container existing
+ out, ok = ldap.aci_allow_modify(container_dn, 'kerberos-admin', admin_dn)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to modify directory permission! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+ out, ok = ldap.aci_allow_modify(container_dn, 'kerberos-kdc', kdc_dn)
+ MITKerberos.append_to_log('%s' % out)
+ if !ok
+ Popup.Error(_('Failed to modify directory permission! Log output may be found in /var/log/YaST/y2log'))
+ UI.ReplaceWidget(Id(:busy), Empty())
+ return
+ end
+ # Kerberos may finally start
+ if !MITKerberos.restart_kdc
+ Popup.Error(_('Failed to start KDC, please inspect the journal of krb5kdc.service'))
UI.ReplaceWidget(Id(:busy), Empty())
- Popup.Message(_('New instance has been set up! Log output may be found in %s') % [KDC_SETUP_LOG_PATH])
- finish_dialog(:next)
- rescue Exception => e
- Popup.Error('There was an error ' + e.message)
- # Give user an opportunity to correct mistake
+ return
+ end
+ if !MITKerberos.restart_kadmind
+ Popup.Error(_('Failed to start kadmind, please inspect the journal of kadmind.service'))
UI.ReplaceWidget(Id(:busy), Empty())
+ return
end
+
+ UI.ReplaceWidget(Id(:busy), Empty())
+ Popup.Message(_('New instance has been set up! Log output may be found in /var/log/YaST/y2log'))
+ finish_dialog(:next)
+ UI.ReplaceWidget(Id(:busy), Empty())
end
-end
\ No newline at end of file
+end
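Review bot: removing the `begin ... rescue Exception => e` wrapper means any exception raised by `LDAPClient.new('ldaps://'+dir_addr, dm_dn, dm_pass)`, by the `open('/etc/krb5.conf', 'w')` and `kdc.conf` writes, or by the `MITKerberos` helpers now escapes the handler unhandled and leaves the busy label on screen; swapping `raise` for `return` covers only the `ok == false` paths. Wrapping the body in `begin ... ensure UI.ReplaceWidget(Id(:busy), Empty()) end` would restore that guarantee and also remove the eight repeated `UI.ReplaceWidget` calls and the duplicate one after `finish_dialog(:next)`. The schema-enable step is replaced by the comment `# By default 389-ds ships with this schema enabled today.` with no check, so a directory lacking the Kerberos schema now fails later at `init_dir` with only the generic "Kerberos initialisation failure" message. The comment `# This has to occur the PW files else the default realm is not known` is missing a word ("before"). The new credential file `/var/lib/kerberos/krb5kdc/ldap.creds` holds the KDC and admin bind passwords and nothing in the hunk shows its mode being restricted; confirm `save_password_into_file` creates it readable by the KDC user only.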
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-auth-server-4.1.0/test/dir_test.rb new/yast2-auth-server-4.2.2/test/dir_test.rb
--- old/yast2-auth-server-4.1.0/test/dir_test.rb 2018-11-28 12:09:25.000000000 +0100
+++ new/yast2-auth-server-4.2.2/test/dir_test.rb 2019-07-19 11:45:17.000000000 +0200
@@ -10,6 +10,7 @@
# this program; if not, contact SUSE LINUX GmbH.
# Authors: Howard Guo
+# William Brown
ENV['Y2DIR'] = File.expand_path('../../src', __FILE__)
@@ -20,19 +21,21 @@
describe DS389 do
it 'gen_setup_ini' do
- match = '[General]
-FullMachineName=dir.example.com
-SuiteSpotUserID=dirsrv
-SuiteSpotGroup=dirsrv
+ match = '# Generated by yast-auth-server
+[general]
+config_version = 2
+full_machine_name = dir.example.com
+# This may be need to be tweaked, it could break setups ...
+# strict_host_checking = true/false
[slapd]
-ServerPort=389
-ServerIdentifier=ExampleDotCom
-Suffix=dc=example,dc=com
-RootDN=cn=admin
-RootDNPwd=pass
-AddSampleEntries=No
+root_password = pass
+instance_name = ExampleDotCom
+
+[backend-userroot]
+sample_entries = yes
+suffix = dc=example,dc=com
'
- expect(DS389.gen_setup_ini('dir.example.com', 'ExampleDotCom', 'dc=example,dc=com', 'cn=admin', 'pass')).to eq(match)
+ expect(DS389.gen_setup_ini('dir.example.com', 'ExampleDotCom', 'dc=example,dc=com', 'pass')).to eq(match)
end
-end
\ No newline at end of file
+end
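Review bot: the expected template flips sample data from `AddSampleEntries=No` to `sample_entries = yes`, so a freshly created instance will be populated with demo entries; if that is not intended for a production directory, `DS389.gen_setup_ini` should emit `sample_entries = no` and this fixture should follow. The fixture also pins the developer note `# This may be need to be tweaked, it could break setups ...` and the commented-out `# strict_host_checking = true/false` line into the generated file; either fix the wording in the generator (and here) or leave such notes out of the emitted INI.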