1 # Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
3 # Info plugin for mod_lookup_identity Apache module via SSSD
4 # http://www.adelton.com/apache/mod_lookup_identity/
6 from ipsilon.info.common import InfoProviderBase
7 from ipsilon.info.common import InfoProviderInstaller
8 from ipsilon.util.plugin import PluginObject
9 from ipsilon.util.policy import Policy
10 from ipsilon.util import config as pconfig
11 from string import Template
18 SSSD_CONF = '/etc/sssd/sssd.conf'
20 # LDAP attributes to tell SSSD to fetch over the InfoPipe
29 # Map the mod_lookup_identity env variables to Ipsilon. The inverse of
30 # this is in the httpd template.
32 ['REMOTE_USER_GECOS', 'fullname'],
33 ['REMOTE_USER_EMAIL', 'email'],
34 ['REMOTE_USER_FIRSTNAME', 'givenname'],
35 ['REMOTE_USER_LASTNAME', 'surname'],
36 ['REMOTE_USER_STREET', 'street'],
37 ['REMOTE_USER_STATE', 'state'],
38 ['REMOTE_USER_POSTALCODE', 'postcode'],
39 ['REMOTE_USER_TELEPHONENUMBER', 'phone'],
43 class InfoProvider(InfoProviderBase):
45 def __init__(self, *pargs):
46 super(InfoProvider, self).__init__(*pargs)
47 self.mapper = Policy(sssd_mapping)
53 'SSSD can only be used when pre-configured',
57 def _get_user_data(self, user):
60 expectgroups = int(cherrypy.request.wsgi_environ.get(
61 'REMOTE_USER_GROUP_N', 0))
62 for key in cherrypy.request.wsgi_environ:
63 if key.startswith('REMOTE_USER_'):
64 if key == 'REMOTE_USER_GROUP_N':
66 if key.startswith('REMOTE_USER_GROUP_'):
67 groups.append(cherrypy.request.wsgi_environ[key])
69 reply[key] = cherrypy.request.wsgi_environ[key]
70 if len(groups) != expectgroups:
71 self.error('Number of groups expected was not found. Expected'
72 ' %d got %d' % (expectgroups, len(groups)))
75 def get_user_attrs(self, user):
78 attrs, groups = self._get_user_data(user)
79 userattrs, extras = self.mapper.map_attributes(attrs)
81 reply['_groups'] = groups
82 reply['_extras'] = {'sssd': extras}
89 def save_plugin_config(self, *args, **kwargs):
90 raise ValueError('Configuration cannot be modified live for SSSD')
92 def get_config_obj(self):
96 self.refresh_plugin_config()
97 if not self.get_config_value('preconfigured'):
98 raise Exception("SSSD Can be enabled only if pre-configured")
99 super(InfoProvider, self).enable()
103 LoadModule lookup_identity_module modules/mod_lookup_identity.so
105 <Location /${instance}>
106 LookupUserAttr sn REMOTE_USER_LASTNAME
107 LookupUserAttr locality REMOTE_USER_STATE
108 LookupUserAttr street REMOTE_USER_STREET
109 LookupUserAttr telephoneNumber REMOTE_USER_TELEPHONENUMBER
110 LookupUserAttr givenname REMOTE_USER_FIRSTNAME
111 LookupUserAttr mail REMOTE_USER_EMAIL
112 LookupUserAttr postalCode REMOTE_USER_POSTALCODE
113 LookupUserGroupsIter REMOTE_USER_GROUP
118 class Installer(InfoProviderInstaller):
120 def __init__(self, *pargs):
121 super(Installer, self).__init__()
125 def install_args(self, group):
126 group.add_argument('--info-sssd', choices=['yes', 'no'],
128 help='Use mod_lookup_identity and SSSD to populate'
130 group.add_argument('--info-sssd-domain', action='append',
131 help='SSSD domain to enable mod_lookup_identity'
134 def configure(self, opts, changes):
135 if opts['info_sssd'] != 'yes':
140 confopts = {'instance': opts['instance']}
142 tmpl = Template(CONF_TEMPLATE)
143 hunk = tmpl.substitute(**confopts)
144 with open(opts['httpd_conf'], 'a') as httpd_conf:
145 httpd_conf.write(hunk)
148 sssdconfig = SSSDConfig.SSSDConfig()
149 sssdconfig.import_config()
150 except Exception as e: # pylint: disable=broad-except
151 # Unable to read existing SSSD config so it is probably not
153 logging.info('Loading SSSD config failed: %s', e)
156 if not opts['info_sssd_domain']:
157 domains = sssdconfig.list_domains()
159 domains = opts['info_sssd_domain']
161 changes['domains'] = {}
162 for domain in domains:
163 changes['domains'][domain] = {}
165 sssd_domain = sssdconfig.get_domain(domain)
166 except SSSDConfig.NoDomainError:
167 logging.info('No SSSD domain %s', domain)
171 changes['domains'][domain] = {
172 'ldap_user_extra_attrs':
173 sssd_domain.get_option('ldap_user_extra_attrs')}
174 except SSSDConfig.NoOptionError:
176 sssd_domain.set_option(
177 'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)
179 sssdconfig.save_domain(sssd_domain)
181 logging.info("Configured SSSD domain %s", domain)
184 logging.info('No SSSD domains configured')
189 sssdconfig.new_service('ifp')
190 changes['ifp']['new'] = True
191 except SSSDConfig.ServiceAlreadyExists:
192 changes['ifp']['new'] = False
194 sssdconfig.activate_service('ifp')
196 ifp = sssdconfig.get_service('ifp')
197 if not changes['ifp']['new']:
199 changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
200 except SSSDConfig.NoOptionError:
203 changes['ifp']['user_attributes'] = ifp.get_option(
205 except SSSDConfig.NoOptionError:
207 ifp.set_option('allowed_uids', 'apache, root')
208 ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))
210 sssdconfig.save_service(ifp)
211 sssdconfig.write(SSSD_CONF)
213 # for selinux enabled platforms, ignore if it fails just report
215 subprocess.call(['/usr/sbin/setsebool', '-P',
216 'httpd_dbus_sssd=on'])
217 except Exception: # pylint: disable=broad-except
221 subprocess.call(['/sbin/service', 'sssd', 'restart'])
222 except Exception: # pylint: disable=broad-except
225 # Give SSSD a chance to restart
228 # Add configuration data to database
229 po = PluginObject(*self.pargs)
232 po.wipe_config_values()
233 config = {'preconfigured': 'True'}
234 po.save_plugin_config(config)
236 # Update global config to add info plugin
238 po.save_enabled_state()
240 def unconfigure(self, opts, changes):
242 sssdconfig = SSSDConfig.SSSDConfig()
243 sssdconfig.import_config()
244 except Exception as e: # pylint: disable=broad-except
245 # Unable to read existing SSSD config so it is probably not
247 logging.info('Loading SSSD config failed: %s', e)
250 for domain in changes['domains']:
252 sssd_domain = sssdconfig.get_domain(domain.encode('utf-8'))
253 except SSSDConfig.NoDomainError:
254 logging.info('No SSSD domain %s', domain)
257 if 'ldap_user_extra_attrs' in changes['domains'][domain]:
258 sssd_domain.set_option('ldap_user_extra_attrs',
259 changes['domains'][domain][
260 'ldap_user_extra_attrs'].encode(
263 sssd_domain.remove_option('ldap_user_extra_attrs')
264 sssdconfig.save_domain(sssd_domain)
266 if changes['ifp']['new']:
267 # We created the service newly, let's remove
268 sssdconfig.delete_service('ifp')
270 ifp = sssdconfig.get_service('ifp')
271 if 'allowed_uids' in changes['ifp']:
272 ifp.set_option('allowed_uids',
273 changes['ifp']['allowed_uids'].encode('utf-8'))
274 if 'user_attributes' in changes['ifp']:
275 ifp.set_option('user_attributes',
276 changes['ifp']['user_attributes'].encode(
278 sssdconfig.save_service(ifp)
280 sssdconfig.write(SSSD_CONF)
283 subprocess.call(['/sbin/service', 'sssd', 'restart'])
284 except Exception: # pylint: disable=broad-except
287 # Give SSSD a chance to restart