X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Finfo%2Finfosssd.py;h=cb097ad035e4ddc9a0b4e704a713631aa4f4fd50;hp=0dd78cc3001c019dc7b35bd866da9e4d969d3205;hb=d6f7323943c0e7afc26f700d05831d294119a1d1;hpb=db41f6ea5ac2b4648350900791e32a83d0974e14
diff --git a/ipsilon/info/infosssd.py b/ipsilon/info/infosssd.py
index 0dd78cc..cb097ad 100644
--- a/ipsilon/info/infosssd.py
+++ b/ipsilon/info/infosssd.py
@@ -1,6 +1,4 @@
-# Copyright (C) 2014 Ipsilon Project Contributors
-#
-# See the file named COPYING for the project license
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
 # Info plugin for mod_lookup_identity Apache module via SSSD
 # http://www.adelton.com/apache/mod_lookup_identity/
@@ -9,11 +7,13 @@ from ipsilon.info.common import InfoProviderBase
 from ipsilon.info.common import InfoProviderInstaller
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.policy import Policy
+from ipsilon.util import config as pconfig
 from string import Template
 import cherrypy
 import time
 import subprocess
 import SSSDConfig
+import logging
 SSSD_CONF = '/etc/sssd/sssd.conf'
@@ -46,7 +46,13 @@ class InfoProvider(InfoProviderBase):
 super(InfoProvider, self).__init__(*pargs)
 self.mapper = Policy(sssd_mapping)
 self.name = 'sssd'
- self.new_config(self.name)
+ self.new_config(
+ self.name,
+ pconfig.Condition(
+ 'preconfigured',
+ 'SSSD can only be used when pre-configured',
+ False),
+ )
 def _get_user_data(self, user):
 reply = dict()
@@ -80,6 +86,18 @@ class InfoProvider(InfoProviderBase):
 return reply
+ def save_plugin_config(self, *args, **kwargs):
+ raise ValueError('Configuration cannot be modified live for SSSD')
+
+ def get_config_obj(self):
+ return None
+
+ def enable(self):
+ self.refresh_plugin_config()
+ if not self.get_config_value('preconfigured'):
+ raise Exception("SSSD Can be enabled only if pre-configured")
+ super(InfoProvider, self).enable()
+
 CONF_TEMPLATE = """
 LoadModule lookup_identity_module modules/mod_lookup_identity.so
@@ -113,7 +131,7 @@ class Installer(InfoProviderInstaller):
 help='SSSD domain to enable mod_lookup_identity'
 ' for')
- def configure(self, opts):
+ def configure(self, opts, changes):
 if opts['info_sssd'] != 'yes':
 return
@@ -122,7 +140,7 @@ class Installer(InfoProviderInstaller):
 confopts = {'instance': opts['instance']}
 tmpl = Template(CONF_TEMPLATE)
- hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
+ hunk = tmpl.substitute(**confopts)
 with open(opts['httpd_conf'], 'a') as httpd_conf:
 httpd_conf.write(hunk)
@@ -132,7 +150,7 @@ class Installer(InfoProviderInstaller):
 except Exception as e: # pylint: disable=broad-except
 # Unable to read existing SSSD config so it is probably not
 # configured.
- print 'Loading SSSD config failed: %s' % e
+ logging.info('Loading SSSD config failed: %s', e)
 return False
 if not opts['info_sssd_domain']:
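Review bot: The gate in `enable()` tests `self.get_config_value('preconfigured')` for truthiness, while the installer in the same commit stores the flag as the string `'True'` (`config = {'preconfigured': 'True'}` in the last hunk). Whether `pconfig.Condition` converts a stored string back to a boolean is not visible here; if the raw string comes back, a stored `'False'` would also pass the check, so the conversion is worth confirming or the comparison made explicit. The refusal also raises a bare `Exception`, unlike `save_plugin_config` just above it, which raises `ValueError`; a specific type lets callers tell this case apart, e.g. `raise ValueError("SSSD Can be enabled only if pre-configured")`. The class body continues outside this hunk.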
@@ -140,32 +158,52 @@ class Installer(InfoProviderInstaller):
 else:
 domains = opts['info_sssd_domain']
+ changes['domains'] = {}
 for domain in domains:
+ changes['domains'][domain] = {}
 try:
 sssd_domain = sssdconfig.get_domain(domain)
 except SSSDConfig.NoDomainError:
- print 'No SSSD domain %s' % domain
+ logging.info('No SSSD domain %s', domain)
 continue
 else:
+ try:
+ changes['domains'][domain] = {
+ 'ldap_user_extra_attrs':
+ sssd_domain.get_option('ldap_user_extra_attrs')}
+ except SSSDConfig.NoOptionError:
+ pass
 sssd_domain.set_option(
 'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)
 )
 sssdconfig.save_domain(sssd_domain)
 configured += 1
- print "Configured SSSD domain %s" % domain
+ logging.info("Configured SSSD domain %s", domain)
 if configured == 0:
- print 'No SSSD domains configured'
+ logging.info('No SSSD domains configured')
 return False
+ changes['ifp'] = {}
 try:
 sssdconfig.new_service('ifp')
+ changes['ifp']['new'] = True
 except SSSDConfig.ServiceAlreadyExists:
- pass
+ changes['ifp']['new'] = False
 sssdconfig.activate_service('ifp')
 ifp = sssdconfig.get_service('ifp')
+ if not changes['ifp']['new']:
+ try:
+ changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
+ except SSSDConfig.NoOptionError:
+ pass
+ try:
+ changes['ifp']['user_attributes'] = ifp.get_option(
+ 'user_attributes')
+ except SSSDConfig.NoOptionError:
+ pass
 ifp.set_option('allowed_uids', 'apache, root')
 ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))
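Review bot: `changes['domains'][domain] = {}` is recorded before `get_domain()` is tried, so a domain that raised `NoDomainError` and was skipped by `continue` still ends up in the change record. `unconfigure()` later reads an empty entry as "the option did not exist before" and calls `remove_option('ldap_user_extra_attrs')`, which would strip that setting from a domain the installer never modified, should the domain exist by then. Moving the assignment to the first statement of the `else:` branch keeps the record limited to domains that were actually changed. Separately, the `return False` after 'No SSSD domains configured' leaves `changes` without an `'ifp'` key, which `unconfigure()` indexes unconditionally. `configure()` starts and ends outside this hunk.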
@@ -192,7 +230,59 @@ class Installer(InfoProviderInstaller):
 po.name = 'sssd'
 po.wipe_data()
 po.wipe_config_values()
+ config = {'preconfigured': 'True'}
+ po.save_plugin_config(config)
 # Update global config to add info plugin
 po.is_enabled = True
 po.save_enabled_state()
+
+ def unconfigure(self, opts, changes):
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ except Exception as e: # pylint: disable=broad-except
+ # Unable to read existing SSSD config so it is probably not
+ # configured.
+ logging.info('Loading SSSD config failed: %s', e)
+ return False
+
+ for domain in changes['domains']:
+ try:
+ sssd_domain = sssdconfig.get_domain(domain.encode('utf-8'))
+ except SSSDConfig.NoDomainError:
+ logging.info('No SSSD domain %s', domain)
+ continue
+ else:
+ if 'ldap_user_extra_attrs' in changes['domains'][domain]:
+ sssd_domain.set_option('ldap_user_extra_attrs',
+ changes['domains'][domain][
+ 'ldap_user_extra_attrs'].encode(
+ 'utf-8'))
+ else:
+ sssd_domain.remove_option('ldap_user_extra_attrs')
+ sssdconfig.save_domain(sssd_domain)
+
+ if changes['ifp']['new']:
+ # We created the service newly, let's remove
+ sssdconfig.delete_service('ifp')
+ else:
+ ifp = sssdconfig.get_service('ifp')
+ if 'allowed_uids' in changes['ifp']:
+ ifp.set_option('allowed_uids',
+ changes['ifp']['allowed_uids'].encode('utf-8'))
+ if 'user_attributes' in changes['ifp']:
+ ifp.set_option('user_attributes',
+ changes['ifp']['user_attributes'].encode(
+ 'utf-8'))
+ sssdconfig.save_service(ifp)
+
+ sssdconfig.write(SSSD_CONF)
+
+ try:
+ subprocess.call(['/sbin/service', 'sssd', 'restart'])
+ except Exception: # pylint: disable=broad-except
+ pass
+
+ # Give SSSD a chance to restart
+ time.sleep(5)
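Review bot: In `unconfigure()`, the branch for a pre-existing `ifp` service restores `allowed_uids` and `user_attributes` only when an old value was recorded; when the option did not exist before, the installer's `'apache, root'` and attribute list stay in sssd.conf after removal, unlike the domain branch, which calls `remove_option()` in that case. I would mirror the domain handling so the InfoPipe access grant does not outlive the plugin (sketch below; it assumes the service object offers `remove_option()` as the domain object does). `changes['domains']` and `changes['ifp']['new']` are also indexed without a guard, which raises `KeyError` if `configure()` returned early. Finally, the `except Exception: pass` around the restart hides a failed restart, in which case SSSD would presumably keep running with the old configuration; logging the exception and the return code of `subprocess.call` would make that visible.

```python
        else:
            ifp = sssdconfig.get_service('ifp')
            # Restore each option, or drop it when it did not exist before
            # the installer set it.
            for option in ('allowed_uids', 'user_attributes'):
                if option in changes['ifp']:
                    ifp.set_option(option,
                                   changes['ifp'][option].encode('utf-8'))
                else:
                    ifp.remove_option(option)
            sssdconfig.save_service(ifp)
        # … unchanged: sssdconfig.write(SSSD_CONF), restart, sleep …
```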