Module documentation recovered from /usr/lib/python2.6/site-packages/ipalib/plugins/host.py (the FreeIPA host plugin):

Hosts/Machines

A host represents a machine. It can be used in a number of contexts:
- service entries are associated with a host
- a host stores the host/service principal
- a host can be used in Host-based Access Control (HBAC) rules
- every enrolled client generates a host entry

ENROLLMENT:

There are three enrollment scenarios when enrolling a new client:

1. You are enrolling as a full administrator. The host entry may exist
   or not. A full administrator is a member of the hostadmin role
   or the admins group.

2. You are enrolling as a limited administrator. The host must already
   exist. A limited administrator is a member of a role with the
   Host Enrollment privilege.

3. The host has been created with a one-time password.

A host can only be enrolled once. If a client has enrolled and needs to
be re-enrolled, the host entry must be removed and re-created. Note that
re-creating the host entry will result in all services for the host being
removed, and all SSL certificates associated with those services being
revoked.

A host can optionally store information such as where it is located,
the OS that it runs, etc.

EXAMPLES:

 Add a new host:
   ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com

 Delete a host:
   ipa host-del test.example.com

 Add a new host with a one-time password:
   ipa host-add --os='Fedora 12' --password=Secret123 test.example.com

 Add a new host with a random one-time password:
   ipa host-add --os='Fedora 12' --random test.example.com

 Modify information about a host:
   ipa host-mod --os='Fedora 12' test.example.com

 Remove SSH public keys of a host and update DNS to reflect this change:
   ipa host-mod --sshpubkey= --updatedns test.example.com

 Disable the host Kerberos key, SSL certificate and all of its services:
   ipa host-disable test.example.com

 Add a host that can manage this host's keytab and certificate:
   ipa host-add-managedby --hosts=test2 test