Viewing file:  authconfig.py (43.49 KB) -rwxr-xr-x
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# Authconfig - client authentication configuration program
# Copyright (c) 1999-2008 Red Hat, Inc.
#
# Original authors: Preston Brown <pbrown@redhat.com>
# Nalin Dahyabhai <nalin@redhat.com>
# Matt Wilson <msw@redhat.com>
# Python rewrite and further development by: Tomas Mraz <tmraz@redhat.com>
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
import authinfo, acutil
import gettext, os, signal, sys
_ = gettext.lgettext
from optparse import OptionParser, IndentedHelpFormatter
import locale
try:
locale.setlocale(locale.LC_ALL, '')
except locale.Error:
sys.stderr.write('Warning: Unsupported locale setting.\n')
def runsAs(name):
return sys.argv[0].find(name) >= 0
if runsAs("authconfig-tui"):
import snack
class UnihelpOptionParser(OptionParser):
def print_help(self, file=None):
if file is None:
file = sys.stdout
srcencoding = locale.getpreferredencoding()
encoding = getattr(file, "encoding", None)
if not encoding or encoding == "ascii":
encoding = srcencoding
file.write(self.format_help().decode(srcencoding).encode(encoding, "replace"))
class NonWrapFormatter(IndentedHelpFormatter):
def format_option(self, option):
# The help for each option consists of two parts:
# * the opt strings and metavars
# eg. ("-x", or "-fFILENAME, --file=FILENAME")
# * the user-supplied help string
# eg. ("turn on expert mode", "read data from FILENAME")
#
# If possible, we write both of these on the same line:
# -x turn on expert mode
#
# But if the opt string list is too long, we put the help
# string on a second line, indented to the same column it would
# start in if it fit on the first line.
# -fFILENAME, --file=FILENAME
# read data from FILENAME
# We cannot wrap the help text as it can be in any language and
# encoding and so we do not know how to wrap it correctly.
result = []
opts = self.option_strings[option]
opt_width = self.help_position - self.current_indent - 2
if len(opts) > opt_width:
opts = "%*s%s\n" % (self.current_indent, "", opts)
indent_first = self.help_position
else: # start help on same line as opts
opts = "%*s%-*s " % (self.current_indent, "", opt_width, opts)
opts = "%*s%-*s " % (self.current_indent, "", opt_width, opts)
indent_first = 0
result.append(opts)
if option.help:
help_text = self.expand_default(option)
result.append("%*s%s\n" % (indent_first, "", help_text))
elif opts[-1] != "\n":
result.append("\n")
return "".join(result)
class Authconfig:
def __init__(self):
self.nis_avail = False
self.kerberos_avail = False
self.ldap_avail = False
self.sssd_avail = False
self.cache_avail = False
self.fprintd_avail = False
self.retval = 0
def module(self):
return "authconfig"
def printError(self, error):
sys.stderr.write("%s: %s\n" % (self.module(), error))
def listHelp(self, l, addidx):
idx = 0
help = "<"
for item in l:
if idx > 0:
help += "|"
if addidx:
help += str(idx) + "="
help += item
idx += 1
help += ">"
return help
def parseOptions(self):
usage = _("usage: %s [options]") % self.module()
if self.module() == "authconfig":
usage += " {--update|--updateall|--test|--probe|--restorebackup <name>|--savebackup <name>|--restorelastbackup}"
parser = UnihelpOptionParser(usage, add_help_option=False, formatter=NonWrapFormatter())
parser.add_option("-h", "--help", action="help",
help=_("show this help message and exit"))
parser.add_option("--enableshadow", "--useshadow", action="store_true",
help=_("enable shadowed passwords by default"))
parser.add_option("--disableshadow", action="store_true",
help=_("disable shadowed passwords by default"))
parser.add_option("--enablemd5", "--usemd5", action="store_true",
help=_("enable MD5 passwords by default"))
parser.add_option("--disablemd5", action="store_true",
help=_("disable MD5 passwords by default"))
parser.add_option("--passalgo",
metavar=self.listHelp(authinfo.password_algorithms, False),
help=_("hash/crypt algorithm for new passwords"))
parser.add_option("--enablenis", action="store_true",
help=_("enable NIS for user information by default"))
parser.add_option("--disablenis", action="store_true",
help=_("disable NIS for user information by default"))
parser.add_option("--nisdomain", metavar=_("<domain>"),
help=_("default NIS domain"))
parser.add_option("--nisserver", metavar=_("<server>"),
help=_("default NIS server"))
parser.add_option("--enableldap", action="store_true",
help=_("enable LDAP for user information by default"))
parser.add_option("--disableldap", action="store_true",
help=_("disable LDAP for user information by default"))
parser.add_option("--enableldapauth", action="store_true",
help=_("enable LDAP for authentication by default"))
parser.add_option("--disableldapauth", action="store_true",
help=_("disable LDAP for authentication by default"))
parser.add_option("--ldapserver", metavar=_("<server>"),
help=_("default LDAP server hostname or URI"))
parser.add_option("--ldapbasedn", metavar=_("<dn>"),
help=_("default LDAP base DN"))
parser.add_option("--enableldaptls", "--enableldapstarttls", action="store_true",
help=_("enable use of TLS with LDAP (RFC-2830)"))
parser.add_option("--disableldaptls", "--disableldapstarttls", action="store_true",
help=_("disable use of TLS with LDAP (RFC-2830)"))
parser.add_option("--enablerfc2307bis", action="store_true",
help=_("enable use of RFC-2307bis schema for LDAP user information lookups"))
parser.add_option("--disablerfc2307bis", action="store_true",
help=_("disable use of RFC-2307bis schema for LDAP user information lookups"))
parser.add_option("--ldaploadcacert", metavar=_("<URL>"),
help=_("load CA certificate from the URL"))
parser.add_option("--enablesmartcard", action="store_true",
help=_("enable authentication with smart card by default"))
parser.add_option("--disablesmartcard", action="store_true",
help=_("disable authentication with smart card by default"))
parser.add_option("--enablerequiresmartcard", action="store_true",
help=_("require smart card for authentication by default"))
parser.add_option("--disablerequiresmartcard", action="store_true",
help=_("do not require smart card for authentication by default"))
parser.add_option("--smartcardmodule", metavar=_("<module>"),
help=_("default smart card module to use"))
actshelp = self.listHelp(authinfo.getSmartcardActions(), True)
parser.add_option("--smartcardaction", metavar=actshelp,
help=_("action to be taken on smart card removal"))
parser.add_option("--enablefingerprint", action="store_true",
help=_("enable authentication with fingerprint readers by default"))
parser.add_option("--disablefingerprint", action="store_true",
help=_("disable authentication with fingerprint readers by default"))
parser.add_option("--enableecryptfs", action="store_true",
help=_("enable automatic per-user ecryptfs"))
parser.add_option("--disableecryptfs", action="store_true",
help=_("disable automatic per-user ecryptfs"))
parser.add_option("--enablekrb5", action="store_true",
help=_("enable kerberos authentication by default"))
parser.add_option("--disablekrb5", action="store_true",
help=_("disable kerberos authentication by default"))
parser.add_option("--krb5kdc", metavar=_("<server>"),
help=_("default kerberos KDC"))
parser.add_option("--krb5adminserver", metavar=_("<server>"),
help=_("default kerberos admin server"))
parser.add_option("--krb5realm", metavar=_("<realm>"),
help=_("default kerberos realm"))
parser.add_option("--enablekrb5kdcdns", action="store_true",
help=_("enable use of DNS to find kerberos KDCs"))
parser.add_option("--disablekrb5kdcdns", action="store_true",
help=_("disable use of DNS to find kerberos KDCs"))
parser.add_option("--enablekrb5realmdns", action="store_true",
help=_("enable use of DNS to find kerberos realms"))
parser.add_option("--disablekrb5realmdns", action="store_true",
help=_("disable use of DNS to find kerberos realms"))
parser.add_option("--enablewinbind", action="store_true",
help=_("enable winbind for user information by default"))
parser.add_option("--disablewinbind", action="store_true",
help=_("disable winbind for user information by default"))
parser.add_option("--enablewinbindauth", action="store_true",
help=_("enable winbind for authentication by default"))
parser.add_option("--disablewinbindauth", action="store_true",
help=_("disable winbind for authentication by default"))
parser.add_option("--smbsecurity", metavar="<user|server|domain|ads>",
help=_("security mode to use for samba and winbind"))
parser.add_option("--smbrealm", metavar=_("<realm>"),
help=_("default realm for samba and winbind when security=ads"))
parser.add_option("--smbservers", metavar=_("<servers>"),
help=_("names of servers to authenticate against"))
parser.add_option("--smbworkgroup", metavar=_("<workgroup>"),
help=_("workgroup authentication servers are in"))
parser.add_option("--smbidmaprange", "--smbidmapuid", "--smbidmapgid", metavar=_("<lowest-highest>"),
help=_("uid range winbind will assign to domain or ads users"))
parser.add_option("--winbindseparator", metavar="<\\>",
help=_("the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled"))
parser.add_option("--winbindtemplatehomedir", metavar="</home/%D/%U>",
help=_("the directory which winbind-created users will have as home directories"))
parser.add_option("--winbindtemplateshell", metavar="</bin/false>",
help=_("the shell which winbind-created users will have as their login shell"))
parser.add_option("--enablewinbindusedefaultdomain", action="store_true",
help=_("configures winbind to assume that users with no domain in their user names are domain users"))
parser.add_option("--disablewinbindusedefaultdomain", action="store_true",
help=_("configures winbind to assume that users with no domain in their user names are not domain users"))
parser.add_option("--enablewinbindoffline", action="store_true",
help=_("configures winbind to allow offline login"))
parser.add_option("--disablewinbindoffline", action="store_true",
help=_("configures winbind to prevent offline login"))
parser.add_option("--enablewinbindkrb5", action="store_true",
help=_("winbind will use Kerberos 5 to authenticate"))
parser.add_option("--disablewinbindkrb5", action="store_true",
help=_("winbind will use the default authentication method"))
parser.add_option("--winbindjoin", metavar="<Administrator>",
help=_("join the winbind domain or ads realm now as this administrator"))
parser.add_option("--enableipav2", action="store_true",
help=_("enable IPAv2 for user information and authentication by default"))
parser.add_option("--disableipav2", action="store_true",
help=_("disable IPAv2 for user information and authentication by default"))
parser.add_option("--ipav2domain", metavar=_("<domain>"),
help=_("the IPAv2 domain the system should be part of"))
parser.add_option("--ipav2realm", metavar=_("<realm>"),
help=_("the realm for the IPAv2 domain"))
parser.add_option("--ipav2server", metavar=_("<servers>"),
help=_("the server for the IPAv2 domain"))
parser.add_option("--enableipav2nontp", action="store_true",
help=_("do not setup the NTP against the IPAv2 domain"))
parser.add_option("--disableipav2nontp", action="store_true",
help=_("setup the NTP against the IPAv2 domain (default)"))
parser.add_option("--ipav2join", metavar="<account>",
help=_("join the IPAv2 domain as this account"))
parser.add_option("--enablewins", action="store_true",
help=_("enable wins for hostname resolution"))
parser.add_option("--disablewins", action="store_true",
help=_("disable wins for hostname resolution"))
parser.add_option("--enablepreferdns", action="store_true",
help=_("prefer dns over wins or nis for hostname resolution"))
parser.add_option("--disablepreferdns", action="store_true",
help=_("do not prefer dns over wins or nis for hostname resolution"))
parser.add_option("--enablehesiod", action="store_true",
help=_("enable hesiod for user information by default"))
parser.add_option("--disablehesiod", action="store_true",
help=_("disable hesiod for user information by default"))
parser.add_option("--hesiodlhs", metavar="<lhs>",
help=_("default hesiod LHS"))
parser.add_option("--hesiodrhs", metavar="<rhs>",
help=_("default hesiod RHS"))
parser.add_option("--enablesssd", action="store_true",
help=_("enable SSSD for user information by default with manually managed configuration"))
parser.add_option("--disablesssd", action="store_true",
help=_("disable SSSD for user information by default (still used for supported configurations)"))
parser.add_option("--enablesssdauth", action="store_true",
help=_("enable SSSD for authentication by default with manually managed configuration"))
parser.add_option("--disablesssdauth", action="store_true",
help=_("disable SSSD for authentication by default (still used for supported configurations)"))
parser.add_option("--enableforcelegacy", action="store_true",
help=_("never use SSSD implicitly even for supported configurations"))
parser.add_option("--disableforcelegacy", action="store_true",
help=_("use SSSD implicitly if it supports the configuration"))
parser.add_option("--enablecachecreds", action="store_true",
help=_("enable caching of user credentials in SSSD by default"))
parser.add_option("--disablecachecreds", action="store_true",
help=_("disable caching of user credentials in SSSD by default"))
parser.add_option("--enablecache", action="store_true",
help=_("enable caching of user information by default (automatically disabled when SSSD is used)"))
parser.add_option("--disablecache", action="store_true",
help=_("disable caching of user information by default"))
parser.add_option("--enablelocauthorize", action="store_true",
help=_("local authorization is sufficient for local users"))
parser.add_option("--disablelocauthorize", action="store_true",
help=_("authorize local users also through remote service"))
parser.add_option("--enablepamaccess", action="store_true",
help=_("check access.conf during account authorization"))
parser.add_option("--disablepamaccess", action="store_true",
help=_("do not check access.conf during account authorization"))
parser.add_option("--enablesysnetauth", action="store_true",
help=_("authenticate system accounts by network services"))
parser.add_option("--disablesysnetauth", action="store_true",
help=_("authenticate system accounts by local files only"))
parser.add_option("--enablemkhomedir", action="store_true",
help=_("create home directories for users on their first login"))
parser.add_option("--disablemkhomedir", action="store_true",
help=_("do not create home directories for users on their first login"))
parser.add_option("--passminlen", metavar=_("<number>"),
help=_("minimum length of a password"))
parser.add_option("--passminclass", metavar=_("<number>"),
help=_("minimum number of character classes in a password"))
parser.add_option("--passmaxrepeat", metavar=_("<number>"),
help=_("maximum number of same consecutive characters in a password"))
parser.add_option("--passmaxclassrepeat", metavar=_("<number>"),
help=_("maximum number of consecutive characters of same class in a password"))
parser.add_option("--enablereqlower", action="store_true",
help=_("require at least one lowercase character in a password"))
parser.add_option("--disablereqlower", action="store_true",
help=_("do not require lowercase characters in a password"))
parser.add_option("--enablerequpper", action="store_true",
help=_("require at least one uppercase character in a password"))
parser.add_option("--disablerequpper", action="store_true",
help=_("do not require uppercase characters in a password"))
parser.add_option("--enablereqdigit", action="store_true",
help=_("require at least one digit in a password"))
parser.add_option("--disablereqdigit", action="store_true",
help=_("do not require digits in a password"))
parser.add_option("--enablereqother", action="store_true",
help=_("require at least one other character in a password"))
parser.add_option("--disablereqother", action="store_true",
help=_("do not require other characters in a password"))
parser.add_option("--enablefaillock", action="store_true",
help=_("enable account locking in case of too many consecutive authentication failures"))
parser.add_option("--disablefaillock", action="store_true",
help=_("disable account locking on too many consecutive authentication failures"))
parser.add_option("--faillockargs", metavar=_("<options>"),
help=_("the pam_faillock module options"))
parser.add_option("--nostart", action="store_true",
help=_("do not start/stop portmap, ypbind, and nscd"))
parser.add_option("--test", action="store_true",
help=_("do not update the configuration files, only print new settings"))
if self.module() == "authconfig-tui":
parser.add_option("--back", action="store_true",
help=_("display Back instead of Cancel in the main dialog of the TUI"))
parser.add_option("--kickstart", action="store_true",
help=_("do not display the deprecated text user interface"))
else:
parser.add_option("--update", "--kickstart", action="store_true",
help=_("opposite of --test, update configuration files with changed settings"))
parser.add_option("--updateall", action="store_true",
help=_("update all configuration files"))
parser.add_option("--probe", action="store_true",
help=_("probe network for defaults and print them"))
parser.add_option("--savebackup", metavar=_("<name>"),
help=_("save a backup of all configuration files"))
parser.add_option("--restorebackup", metavar=_("<name>"),
help=_("restore the backup of configuration files"))
parser.add_option("--restorelastbackup", action="store_true",
help=_("restore the backup of configuration files saved before the previous configuration change"))
(self.options, args) = parser.parse_args()
if args:
self.printError(_("unexpected argument"))
sys.exit(2)
if (not self.module() == "authconfig-tui" and not self.options.probe and
not self.options.test and not self.options.update and not self.options.updateall
and not self.options.savebackup and not self.options.restorebackup
and not self.options.restorelastbackup):
# --update (== --kickstart) or --test or --probe must be specified
# this will print usage and call sys.exit()
parser.print_help()
sys.exit(2)
def probe(self):
info = authinfo.AuthInfo(self.printError)
info.probe()
if info.hesiodLHS and info.hesiodRHS:
print "hesiod %s/%s" % (info.hesiodLHS,
info.hesiodRHS)
if info.ldapServer and info.ldapBaseDN:
print "ldap %s/%s\n" % (info.ldapServer,
info.ldapBaseDN)
if info.kerberosRealm:
print "krb5 %s/%s/%s\n" % (info.kerberosRealm,
info.kerberosKDC or "", info.kerberosAdminServer or "")
def readAuthInfo(self):
self.info = authinfo.read(self.printError)
# FIXME: what about printing critical errors reading individual configs?
self.pristineinfo = self.info.copy()
if self.info.enableLocAuthorize == None:
self.info.enableLocAuthorize = True # ON by default
def testAvailableSubsys(self):
self.nis_avail = (os.access(authinfo.PATH_YPBIND, os.X_OK) and
os.access(authinfo.PATH_LIBNSS_NIS, os.X_OK))
self.kerberos_avail = os.access(authinfo.PATH_PAM_KRB5, os.X_OK)
self.ldap_avail = (os.access(authinfo.PATH_PAM_LDAP, os.X_OK) and
os.access(authinfo.PATH_LIBNSS_LDAP, os.X_OK))
self.sssd_avail = (os.access(authinfo.PATH_PAM_SSS, os.X_OK) and
os.access(authinfo.PATH_LIBNSS_SSS, os.X_OK))
self.cache_avail = os.access(authinfo.PATH_NSCD, os.X_OK)
self.fprintd_avail = os.access(authinfo.PATH_PAM_FPRINTD, os.X_OK)
def overrideSettings(self):
bool_settings = {"shadow":"enableShadow",
"locauthorize":"enableLocAuthorize",
"pamaccess":"enablePAMAccess",
"sysnetauth":"enableSysNetAuth",
"mkhomedir":"enableMkHomeDir",
"cache":"enableCache",
"ecryptfs":"enableEcryptfs",
"hesiod":"enableHesiod",
"ldap":"enableLDAP",
"ldaptls":"enableLDAPS",
"rfc2307bis":"enableRFC2307bis",
"ldapauth":"enableLDAPAuth",
"krb5":"enableKerberos",
"nis":"enableNIS",
"krb5kdcdns":"kerberosKDCviaDNS",
"krb5realmdns":"kerberosRealmviaDNS",
"smartcard":"enableSmartcard",
"fingerprint":"enableFprintd",
"requiresmartcard":"forceSmartcard",
"winbind":"enableWinbind",
"winbindauth":"enableWinbindAuth",
"winbindusedefaultdomain":"winbindUseDefaultDomain",
"winbindoffline":"winbindOffline",
"winbindkrb5":"winbindKrb5",
"ipav2":"enableIPAv2",
"ipav2nontp":"ipav2NoNTP",
"wins":"enableWINS",
"sssd":"enableSSSD",
"sssdauth":"enableSSSDAuth",
"forcelegacy":"enableForceLegacy",
"cachecreds":"enableCacheCreds",
"preferdns":"preferDNSinHosts",
"reqlower":"passReqLower",
"requpper":"passReqUpper",
"reqdigit":"passReqDigit",
"reqother":"passReqOther",
"faillock":"enableFaillock"}
string_settings = {"passalgo":"passwordAlgorithm",
"hesiodlhs":"hesiodLHS",
"hesiodrhs":"hesiodRHS",
"ldapserver":"ldapServer",
"ldapbasedn":"ldapBaseDN",
"ldaploadcacert":"ldapCacertURL",
"krb5realm":"kerberosRealm",
"krb5kdc":"kerberosKDC",
"krb5adminserver":"kerberosAdminServer",
"smartcardmodule":"smartcardModule",
"smartcardaction":"smartcardAction",
"nisdomain":"nisDomain",
"nisserver":"nisServer",
"smbworkgroup":"smbWorkgroup",
"smbservers":"smbServers",
"smbsecurity":"smbSecurity",
"smbrealm" : "smbRealm",
"smbidmaprange":"smbIdmapRange",
"winbindseparator":"winbindSeparator",
"winbindtemplatehomedir":"winbindTemplateHomedir",
"winbindtemplateshell":"winbindTemplateShell",
"ipav2domain":"ipav2Domain",
"ipav2realm":"ipav2Realm",
"ipav2server":"ipav2Server",
"passminlen":"passMinLen",
"passminclass":"passMinClass",
"passmaxrepeat":"passMaxRepeat",
"passmaxclassrepeat":"passMaxClassRepeat",
"faillockargs":"faillockArgs"}
for opt, aival in bool_settings.iteritems():
if getattr(self.options, "enable"+opt):
setattr(self.info, aival, True)
if getattr(self.options, "disable"+opt):
setattr(self.info, aival, False)
try:
if self.info.enableRFC2307bis:
self.info.ldapSchema = 'rfc2307bis'
else:
self.info.ldapSchema = ''
except AttributeError:
pass
if self.options.krb5realm and self.options.krb5realm != self.info.kerberosRealm:
self.info.kerberosKDC = self.info.getKerberosKDC(self.options.krb5realm)
self.info.kerberosAdminServer = self.info.getKerberosAdminServer(self.options.krb5realm)
try:
val = self.options.passminlen
if val != None:
val = int(val)
if val < 6:
self.printError(_("The passminlen minimum value is 6"))
self.options.passminlen = None
self.retval = 3
except ValueError:
self.printError(_("The passminlen option value is not an integer"))
self.options.passminlen = None
self.retval = 3
try:
val = self.options.passminclass
if val != None:
val = int(val)
if val < 0:
self.printError(_("The passminclass value must not be negative"))
self.options.passminclass = None
self.retval = 3
if val > 4:
self.printError(_("The passminclass value must not be higher than 4"))
self.options.passminclass = None
self.retval = 3
except ValueError:
self.printError(_("The passminclass option value is not an integer"))
self.options.passminclass = None
self.retval = 3
try:
val = self.options.passmaxrepeat
if val != None:
val = int(val)
if val < 0:
self.printError(_("The passmaxrepeat value must not be negative"))
self.options.passmaxrepeat = None
self.retval = 3
except ValueError:
self.printError(_("The passmaxrepeat option value is not an integer"))
self.options.passmaxrepeat = None
self.retval = 3
try:
val = self.options.passmaxclassrepeat
if val != None:
val = int(val)
if val < 0:
self.printError(_("The passmaxclassrepeat value must not be negative"))
self.options.passmaxclassrepeat = None
self.retval = 3
except ValueError:
self.printError(_("The passmaxclassrepeat option value is not an integer"))
self.options.passmaxclassrepeat = None
self.retval = 3
for opt, aival in string_settings.iteritems():
if getattr(self.options, opt) != None:
setattr(self.info, aival, getattr(self.options, opt))
if self.options.winbindjoin:
lst = self.options.winbindjoin.split("%", 1)
self.info.joinUser = lst[0]
if len(lst) > 1:
self.info.joinPassword = lst[1]
if self.options.ipav2join != None:
self.info.joinUser = self.options.ipav2join
if self.options.smartcardaction:
try:
idx = int(self.options.smartcardaction)
self.info.smartcardAction = authinfo.getSmartcardActions()[idx]
except (ValueError, IndexError):
self.printError(_("Bad smart card removal action specified."))
self.info.smartcardAction = ""
if self.options.enablerequiresmartcard and self.options.smartcardmodule == "sssd":
self.printError(_("--enablerequiresmartcard is not supported for module 'sssd', option is ignored."))
self.options.enablerequiresmartcard = False
if not self.options.passalgo:
if self.options.enablemd5:
self.info.passwordAlgorithm = "md5"
if self.options.disablemd5:
self.info.passwordAlgorithm = "descrypt"
elif self.options.passalgo not in authinfo.password_algorithms:
self.printError(_("Unknown password hashing algorithm specified, using sha256."))
self.info.passwordAlgorithm = "sha256"
self.retval = 3
def doUI(self):
return True
def joinDomain(self):
ret = True
if self.options.winbindjoin:
ret = self.info.joinDomain(True)
if self.options.ipav2join != None:
if self.info.joinIPADomain(True):
# This is a hack but otherwise we cannot
# get the IPAV2DOMAINJOINED saved
# unfortunately the backup will be overwritten
self.info.writeSysconfig()
else:
ret = False
return ret
def writeAuthInfo(self):
self.info.testLDAPCACerts()
if self.info.ldapCacertURL:
if not self.info.downloadLDAPCACert():
self.retval = 4
self.info.rehashLDAPCACerts()
if self.options.updateall:
if not self.info.write():
self.retval = 5
else:
if not self.info.writeChanged(self.pristineinfo):
self.retval = 6
# FIXME: what about printing critical errors writing individual configs?
if not self.joinDomain():
self.retval = 7
self.info.post(self.options.nostart)
def run(self):
self.parseOptions()
if self.options.probe:
self.probe()
sys.exit(0)
if not self.options.test and os.getuid() != 0:
self.printError(_("can only be run as root"))
sys.exit(2)
self.readAuthInfo()
if self.options.restorelastbackup:
rv = self.info.restoreLast()
sys.exit(int(not rv))
if self.options.restorebackup:
rv = self.info.restoreBackup(self.options.restorebackup)
sys.exit(int(not rv))
if self.options.savebackup:
rv = self.info.saveBackup(self.options.savebackup)
sys.exit(int(not rv))
self.testAvailableSubsys()
self.overrideSettings()
if not self.doUI():
if self.options.test:
self.printError(_("dialog was cancelled"))
sys.exit(1)
if self.options.test:
self.info.printInfo()
else:
self.writeAuthInfo()
return self.retval
class AuthconfigTUI(Authconfig):
def module(self):
return "authconfig-tui"
def joinDomain(self):
# join domain only on kickstart
if self.options.kickstart and self.options.winbindjoin:
self.info.joinDomain(True)
def warn(self, toggle, warning):
if not toggle:
return
while warning:
path = warning[0]
package = warning[2]
if type(path) == tuple:
if self.info.sssdSupported():
path = path[1]
package = package[1]
else:
path = path[0]
package = package[0]
if not os.access(path, os.R_OK):
text = (_("The %s file was not found, but it is required for %s support to work properly.\nInstall the %s package, which provides this file.") %
(path, warning[1], package))
snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")])
warning = warning[3]
def getMainChoices(self):
warnCache = [authinfo.PATH_NSCD, _("caching"), "nscd", None]
warnFprintd = [authinfo.PATH_PAM_FPRINTD, _("Fingerprint reader"), "pam_fprintd", None]
warnKerberos = [(authinfo.PATH_PAM_KRB5, authinfo.PATH_PAM_SSS), _("Kerberos"), ("pam_krb5", "sssd-client"), None]
warnLDAPAuth = [(authinfo.PATH_PAM_LDAP, authinfo.PATH_PAM_SSS), _("LDAP authentication"), ("pam_ldap", "sssd-client"), None]
warnLDAP = [(authinfo.PATH_LIBNSS_LDAP, authinfo.PATH_LIBNSS_SSS), _("LDAP"), ("nss-pam-ldapd", "sssd-client"), None]
warnNIS = [authinfo.PATH_YPBIND, _("NIS"), "ypbind", None]
warnShadow = [authinfo.PATH_PWCONV, _("shadow password"), "shadow-utils", None]
warnWinbindNet = [authinfo.PATH_WINBIND_NET, _("Winbind"), "samba-client", None]
warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-winbind", warnWinbindNet]
warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-winbind", warnWinbindAuth]
# Information
infoGrid = snack.Grid(1, 6)
comp = snack.Label(_("User Information"))
infoGrid.setField(comp, 0, 0, anchorLeft=1, growx=1)
cache = cb = snack.Checkbox(_("Cache Information"), bool(self.info.enableCache))
infoGrid.setField(cb, 0, 1, anchorLeft=1, growx=1)
ldap = cb = snack.Checkbox(_("Use LDAP"), bool(self.info.enableLDAP))
infoGrid.setField(cb, 0, 2, anchorLeft=1, growx=1)
nis = cb = snack.Checkbox(_("Use NIS"), bool(self.info.enableNIS))
infoGrid.setField(cb, 0, 3, anchorLeft=1, growx=1)
ipav2 = cb = snack.Checkbox(_("Use IPAv2"), bool(self.info.enableIPAv2))
infoGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
winbind = cb = snack.Checkbox(_("Use Winbind"), bool(self.info.enableWinbind))
infoGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)
# Authentication
authGrid = snack.Grid(1, 8)
comp = snack.Label(_("Authentication"))
authGrid.setField(comp, 0, 0, anchorLeft=1, growx=1)
md5 = cb = snack.Checkbox(_("Use MD5 Passwords"), bool(self.info.passwordAlgorithm=='md5'))
authGrid.setField(cb, 0, 1, anchorLeft=1, growx=1)
shadow = cb = snack.Checkbox(_("Use Shadow Passwords"), bool(self.info.enableShadow))
authGrid.setField(cb, 0, 2, anchorLeft=1, growx=1)
ldapa = cb = snack.Checkbox(_("Use LDAP Authentication"), bool(self.info.enableLDAPAuth))
authGrid.setField(cb, 0, 3, anchorLeft=1, growx=1)
krb5 = cb = snack.Checkbox(_("Use Kerberos"), bool(self.info.enableKerberos))
authGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
fprintd = cb = snack.Checkbox(_("Use Fingerprint reader"), bool(self.info.enableFprintd))
authGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)
winbindauth = cb = snack.Checkbox(_("Use Winbind Authentication"), bool(self.info.enableWinbindAuth))
authGrid.setField(cb, 0, 6, anchorLeft=1, growx=1)
locauthorize = cb = snack.Checkbox(_("Local authorization is sufficient"), bool(self.info.enableLocAuthorize))
authGrid.setField(cb, 0, 7, anchorLeft=1, growx=1)
# Control grid
mechGrid = snack.Grid(2, 1)
mechGrid.setField(infoGrid, 0, 0, anchorLeft=1, anchorTop=1, padding=(1, 0, 1, 1))
mechGrid.setField(authGrid, 1, 0, anchorRight=1, anchorTop=1, padding=(2, 0, 1, 1))
# Buttons
buttonGrid = snack.Grid(2, 1)
cancel = snack.Button(self.options.back and _("Back") or _("Cancel"))
ok = snack.Button(_("Next"))
buttonGrid.setField(cancel, 0, 0)
buttonGrid.setField(ok, 1, 0)
# Top-level grid
mainGrid = snack.Grid(1, 2)
mainGrid.setField(mechGrid, 0, 0, growx=1)
mainGrid.setField(buttonGrid, 0, 1, growx=1)
# Run the form and interpret the results
form = snack.Form()
self.screen.gridWrappedWindow(mainGrid, _("Authentication Configuration"))
form.add(mainGrid)
# BEHOLD! AUTHCONFIG IN ALL ITS GORY GLORY!
comp = form.run()
if comp != cancel:
self.info.enableCache = cache.selected()
self.info.enableIPAv2 = ipav2.selected()
self.info.enableLDAP = ldap.selected()
self.info.enableNIS = nis.selected()
self.info.enableWinbind = winbind.selected()
self.info.enableShadow = shadow.selected()
if md5.selected():
self.info.passwordAlgorithm = 'md5'
elif self.info.passwordAlgorithm == 'md5':
self.info.passwordAlgorithm = 'descrypt'
self.info.enableLDAPAuth = ldapa.selected()
self.info.enableKerberos = krb5.selected()
self.info.enableWinbindAuth = winbindauth.selected()
self.info.enableLocAuthorize = locauthorize.selected()
self.info.enableFprintd = fprintd.selected()
allwarnings = [(self.info.enableCache, warnCache), (self.info.enableLDAP, warnLDAP),
(self.info.enableNIS, warnNIS), (self.info.enableWinbind, warnWinbind),
(self.info.enableLDAPAuth, warnLDAPAuth), (self.info.enableKerberos, warnKerberos),
(self.info.enableFprintd, warnFprintd), (self.info.enableShadow, warnShadow),
(self.info.enableWinbindAuth, warnWinbindAuth)]
for warning in allwarnings:
self.warn(warning[0], warning[1])
self.screen.popWindow()
return comp != cancel
def getGenericChoices(self, dtitle, items, canceltxt, oktxt, anothertxt=None, anothercb=None):
# Count up the number of rows we need in the grid.
rows = len(items)
# Create a grid for these questions.
questionGrid = snack.Grid(2, rows)
row = 0
widgets = []
for (t, desc, attr, val) in items:
if t == "tfvalue":
cb = snack.Checkbox(desc, bool(getattr(self.info, attr)))
widgets.append(cb)
questionGrid.setField(snack.Label(""), 0, row, anchorRight=1)
questionGrid.setField(cb, 1, row, anchorLeft=1)
elif t == "svalue":
comp = snack.Label(desc)
questionGrid.setField(comp, 0, row, padding=(0, 0, 1, 0), anchorRight=1)
comp = snack.Entry(40, getattr(self.info, attr), hidden=val)
widgets.append(comp)
# FIXME? Filtering " " and "\t"
questionGrid.setField(comp, 1, row, growx=1)
elif t == "rvalue":
comp = snack.Label(desc)
questionGrid.setField(comp, 0, row, padding=(0, 0, 1, 0), anchorRight=1, anchorTop=1)
try:
sel = getattr(self.info, attr)
val.index(sel)
except ValueError:
sel = val[0]
comp = None
buttonlist = []
for v in val:
buttonlist.append((v, v, v == sel))
radioBar = snack.RadioBar(None, buttonlist)
widgets.append(radioBar)
questionGrid.setField(radioBar, 1, row, anchorLeft=1)
elif t == "lvalue":
comp = snack.TextboxReflowed(50, desc, flexDown=1, flexUp=1)
widgets.append(comp)
questionGrid.setField(comp, 0, row, anchorLeft=1)
row += 1
# Buttons
buttonGrid = snack.Grid(anothertxt and 3 or 2, 1)
cancel = snack.Button(canceltxt)
ok = snack.Button(oktxt)
another = anothertxt and snack.Button(anothertxt) or None
buttonGrid.setField(cancel, 0, 0)
if anothertxt:
buttonGrid.setField(another, 1, 0)
buttonGrid.setField(ok, anothertxt and 2 or 1, 0)
# Top-level grid
mainGrid = snack.Grid(1, 2)
mainGrid.setField(questionGrid, 0, 0, padding=(0, 0, 0, 1), growx=1)
mainGrid.setField(buttonGrid, 0, 1, padding=(0, 0, 0, 0), growx=1)
# Run the form and interpret the results
form = snack.Form()
self.screen.gridWrappedWindow(mainGrid, dtitle)
form.add(mainGrid)
while True:
comp = form.run()
if comp == cancel:
break
wcopy = widgets[:]
for (t, desc, attr, val) in items:
if t == "tfvalue":
setattr(self.info, attr, wcopy.pop(0).selected())
elif t == "svalue":
setattr(self.info, attr, wcopy.pop(0).value())
# FIXME? Filtering " " and "\t"
elif t == "rvalue":
setattr(self.info, attr, wcopy.pop(0).getSelection())
elif t == "lvalue":
wcopy.pop(0)
if comp != another:
break
if anothercb:
anothercb()
self.screen.popWindow()
return comp != cancel
def getIPAv2Settings(self, next):
questions = [("svalue", _("Domain:"), "ipav2Domain", 0),
("svalue", _("Realm:"), "ipav2Realm", 0),
("svalue", _("Server:"), "ipav2Server", 0)]
return self.getGenericChoices(_("IPAv2 Settings"),
questions, _("Back"), next and _("Next") or _("Ok"),
anothertxt=_("Join Domain"), anothercb=self.maybeGetJoinSettings)
def getLDAPSettings(self, next):
questions = [("tfvalue", _("Use TLS"), "enableLDAPS", None),
("svalue", _("Server:"), "ldapServer", 0),
("svalue", _("Base DN:"), "ldapBaseDN", 0)]
return self.getGenericChoices(_("LDAP Settings"),
questions, _("Back"), next and _("Next") or _("Ok"))
def getNISSettings(self, next):
questions = [("svalue", _("Domain:"), "nisDomain", 0),
("svalue", _("Server:"), "nisServer", 0)]
return self.getGenericChoices(_("NIS Settings"),
questions, _("Back"), next and _("Next") or _("Ok"))
def getKerberosSettings(self, next):
questions = [("svalue", _("Realm:"), "kerberosRealm", 0),
("svalue", _("KDC:"), "kerberosKDC", 0),
("svalue", _("Admin Server:"), "kerberosAdminServer", 0),
("tfvalue", _("Use DNS to resolve hosts to realms"), "kerberosRealmviaDNS", None),
("tfvalue", _("Use DNS to locate KDCs for realms"), "kerberosKDCviaDNS", None)]
return self.getGenericChoices(_("Kerberos Settings"),
questions, _("Back"), next and _("Next") or _("Ok"))
def getJoinSettings(self):
questions = [("svalue", _("Domain Administrator:"), "joinUser", 0),
("svalue", _("Password:"), "joinPassword", 1)]
if not self.info.joinUser:
self.info.joinUser = "Administrator"
if self.getGenericChoices(_("Join Settings"),
questions, _("Cancel"), _("Ok")):
self.screen.suspend()
self.info.update()
if self.info.enableWinbind:
self.info.joinDomain(True)
elif self.info.enableIPAv2:
self.info.joinIPADomain(True)
self.screen.resume()
return True
def maybeGetJoinSettings(self):
questions = [("lvalue",
_("Some of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?"),
None, None)]
orig_info = authinfo.read(self.printError)
orig_info.update()
self.info.update()
ret = False
if self.info.differs(orig_info):
ret = self.getGenericChoices(_("Save Settings"),
questions, _("No"), _("Yes"))
if ret:
self.info.write()
self.getJoinSettings()
return True
def getWinbindSettings(self, next):
security = ["ads", "domain"]
shells = ["/sbin/nologin", "/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/ksh",
"/bin/zsh"]
def shellexists(shell):
return os.access(shell, os.X_OK)
shells = filter(shellexists, shells)
# Why does your favorite shell not show up in the list? Because it won't
# fit, that's why!
questions = [("rvalue", _("Security Model:"), "smbSecurity", security),
("svalue", _("Domain:"), "smbWorkgroup", 0),
("svalue", _("Domain Controllers:"), "smbServers", 0),
("svalue", _("ADS Realm:"), "smbRealm", 0),
("rvalue", _("Template Shell:"), "winbindTemplateShell", shells)]
return self.getGenericChoices(_("Winbind Settings"),
questions, _("Back"), next and _("Next") or _("Ok"),
anothertxt=_("Join Domain"), anothercb=self.maybeGetJoinSettings)
def getChoices(self):
next = 1
rc = False
while next > 0 and next <= 6:
self.info.update()
if next == 1:
rc = self.getMainChoices()
elif next == 2:
if self.info.enableIPAv2:
more = (self.info.enableLDAP or
self.info.enableLDAPAuth or
self.info.enableKerberos or
self.info.enableNIS or
self.info.enableWinbind or
self.info.enableWinbindAuth)
rc = self.getIPAv2Settings(more)
elif next == 3:
if self.info.enableLDAP or self.info.enableLDAPAuth:
more = (self.info.enableKerberos or
self.info.enableNIS or
self.info.enableWinbind or
self.info.enableWinbindAuth)
rc = self.getLDAPSettings(more)
elif next == 4:
if self.info.enableNIS:
more = (self.info.enableKerberos or
self.info.enableWinbind or
self.info.enableWinbindAuth)
rc = self.getNISSettings(more)
elif next == 5:
if self.info.enableKerberos:
more = (self.info.enableWinbind or
self.info.enableWinbindAuth)
rc = self.getKerberosSettings(more)
elif next == 6:
if self.info.enableWinbind or self.info.enableWinbindAuth:
more = False
rc = self.getWinbindSettings(more)
self.info.update()
if rc:
next += 1
else:
next -= 1
return next == 7
def displayCACertsMessage(self):
text = (_("To connect to a LDAP server with TLS protocol enabled you need "
"a CA certificate which signed your server's certificate. "
"Copy the certificate in the PEM format to the '%s' directory.\n"
"Then press OK.") %
self.info.ldapCacertDir)
snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")])
def doUI(self):
if self.options.kickstart:
return True
try:
self.screen = snack.SnackScreen()
packageversion = self.module() # FIXME - version
self.screen.pushHelpLine(_(" <Tab>/<Alt-Tab> between elements | <Space> selects | <F12> next screen"))
self.screen.drawRootText(0, 0, packageversion + " - (c) 1999-2005 Red Hat, Inc.")
if not self.getChoices():
# cancelled
self.screen.finish()
return False
if self.info.enableLDAPS and self.info.testLDAPCACerts():
self.displayCACertsMessage()
finally:
self.screen.finish()
return True
if __name__ == '__main__':
signal.signal(signal.SIGINT, signal.SIG_DFL)
gettext.textdomain("authconfig")
if runsAs("authconfig-tui"):
# deprecated TUI
module = AuthconfigTUI()
else:
module = Authconfig()
sys.exit(module.run())
|