-# Copyright (C) 2014 Ipsilon Project Contributors
-#
-# See the file named COPYING for the project license
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
# Info plugin for mod_lookup_identity Apache module via SSSD
# http://www.adelton.com/apache/mod_lookup_identity/
from ipsilon.info.common import InfoProviderInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.policy import Policy
+from ipsilon.util import config as pconfig
from string import Template
import cherrypy
import time
import subprocess
import SSSDConfig
+import logging
SSSD_CONF = '/etc/sssd/sssd.conf'
SSSD_ATTRS = ['mail',
'street',
'locality',
+ 'st',
'postalCode',
'telephoneNumber',
'givenname',
['REMOTE_USER_LASTNAME', 'surname'],
['REMOTE_USER_STREET', 'street'],
['REMOTE_USER_STATE', 'state'],
+ ['REMOTE_USER_CITY', 'city'],
['REMOTE_USER_POSTALCODE', 'postcode'],
['REMOTE_USER_TELEPHONENUMBER', 'phone'],
]
super(InfoProvider, self).__init__(*pargs)
self.mapper = Policy(sssd_mapping)
self.name = 'sssd'
- self.new_config(self.name)
+ self.new_config(
+ self.name,
+ pconfig.Condition(
+ 'preconfigured',
+ 'SSSD can only be used when pre-configured',
+ False),
+ )
def _get_user_data(self, user):
reply = dict()
return reply
+ def save_plugin_config(self, *args, **kwargs):
+ raise ValueError('Configuration cannot be modified live for SSSD')
+
+ def get_config_obj(self):
+ return None
+
+ def enable(self):
+ self.refresh_plugin_config()
+ if not self.get_config_value('preconfigured'):
+ raise Exception("SSSD Can be enabled only if pre-configured")
+ super(InfoProvider, self).enable()
+
CONF_TEMPLATE = """
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<Location /${instance}>
LookupUserAttr sn REMOTE_USER_LASTNAME
- LookupUserAttr locality REMOTE_USER_STATE
+ LookupUserAttr st REMOTE_USER_STATE
+ LookupUserAttr locality REMOTE_USER_CITY
LookupUserAttr street REMOTE_USER_STREET
LookupUserAttr telephoneNumber REMOTE_USER_TELEPHONENUMBER
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
default='no',
help='Use mod_lookup_identity and SSSD to populate'
' user attrs')
- group.add_argument('--info-sssd-domain', action='store',
+ group.add_argument('--info-sssd-domain', action='append',
help='SSSD domain to enable mod_lookup_identity'
' for')
- def configure(self, opts):
+ def configure(self, opts, changes):
if opts['info_sssd'] != 'yes':
return
- if not opts['info_sssd_domain']:
- print 'info-identity-domain is required'
- return False
+ configured = 0
confopts = {'instance': opts['instance']}
tmpl = Template(CONF_TEMPLATE)
- hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
+ hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
except Exception as e: # pylint: disable=broad-except
# Unable to read existing SSSD config so it is probably not
# configured.
- print 'Loading SSSD config failed: %s' % e
+ logging.info('Loading SSSD config failed: %s', e)
return False
- try:
- domain = sssdconfig.get_domain(opts['info_sssd_domain'])
- except SSSDConfig.NoDomainError:
- print 'No domain %s' % opts['info_sssd_domain']
+ if not opts['info_sssd_domain']:
+ domains = sssdconfig.list_domains()
+ else:
+ domains = opts['info_sssd_domain']
+
+ changes['domains'] = {}
+ for domain in domains:
+ changes['domains'][domain] = {}
+ try:
+ sssd_domain = sssdconfig.get_domain(domain)
+ except SSSDConfig.NoDomainError:
+ logging.info('No SSSD domain %s', domain)
+ continue
+ else:
+ try:
+ changes['domains'][domain] = {
+ 'ldap_user_extra_attrs':
+ sssd_domain.get_option('ldap_user_extra_attrs')}
+ except SSSDConfig.NoOptionError:
+ pass
+ sssd_domain.set_option(
+ 'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)
+ )
+ sssdconfig.save_domain(sssd_domain)
+ configured += 1
+ logging.info("Configured SSSD domain %s", domain)
+
+ if configured == 0:
+ logging.info('No SSSD domains configured')
return False
- domain.set_option('ldap_user_extra_attrs', ', '.join(SSSD_ATTRS))
-
+ changes['ifp'] = {}
try:
sssdconfig.new_service('ifp')
+ changes['ifp']['new'] = True
except SSSDConfig.ServiceAlreadyExists:
- pass
+ changes['ifp']['new'] = False
sssdconfig.activate_service('ifp')
ifp = sssdconfig.get_service('ifp')
+ if not changes['ifp']['new']:
+ try:
+ changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
+ except SSSDConfig.NoOptionError:
+ pass
+ try:
+ changes['ifp']['user_attributes'] = ifp.get_option(
+ 'user_attributes')
+ except SSSDConfig.NoOptionError:
+ pass
ifp.set_option('allowed_uids', 'apache, root')
ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))
sssdconfig.save_service(ifp)
- sssdconfig.save_domain(domain)
sssdconfig.write(SSSD_CONF)
+ # for selinux enabled platforms, ignore if it fails just report
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_dbus_sssd=on'])
+ except Exception: # pylint: disable=broad-except
+ pass
+
try:
subprocess.call(['/sbin/service', 'sssd', 'restart'])
except Exception: # pylint: disable=broad-except
po.name = 'sssd'
po.wipe_data()
po.wipe_config_values()
+ config = {'preconfigured': 'True'}
+ po.save_plugin_config(config)
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
+
+ def unconfigure(self, opts, changes):
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ except Exception as e: # pylint: disable=broad-except
+ # Unable to read existing SSSD config so it is probably not
+ # configured.
+ logging.info('Loading SSSD config failed: %s', e)
+ return False
+
+ for domain in changes['domains']:
+ try:
+ sssd_domain = sssdconfig.get_domain(domain.encode('utf-8'))
+ except SSSDConfig.NoDomainError:
+ logging.info('No SSSD domain %s', domain)
+ continue
+ else:
+ if 'ldap_user_extra_attrs' in changes['domains'][domain]:
+ sssd_domain.set_option('ldap_user_extra_attrs',
+ changes['domains'][domain][
+ 'ldap_user_extra_attrs'].encode(
+ 'utf-8'))
+ else:
+ sssd_domain.remove_option('ldap_user_extra_attrs')
+ sssdconfig.save_domain(sssd_domain)
+
+ if changes['ifp']['new']:
+ # We created the service newly, let's remove
+ sssdconfig.delete_service('ifp')
+ else:
+ ifp = sssdconfig.get_service('ifp')
+ if 'allowed_uids' in changes['ifp']:
+ ifp.set_option('allowed_uids',
+ changes['ifp']['allowed_uids'].encode('utf-8'))
+ if 'user_attributes' in changes['ifp']:
+ ifp.set_option('user_attributes',
+ changes['ifp']['user_attributes'].encode(
+ 'utf-8'))
+ sssdconfig.save_service(ifp)
+
+ sssdconfig.write(SSSD_CONF)
+
+ try:
+ subprocess.call(['/sbin/service', 'sssd', 'restart'])
+ except Exception: # pylint: disable=broad-except
+ pass
+
+ # Give SSSD a chance to restart
+ time.sleep(5)