Yair Zaslavsky has uploaded a new change for review. Change subject: tools: Don't ask for password, before DNS SRV records are returned. ......................................................................
tools: Don't ask for password, before DNS SRV records are returned.
This patch first performs DNS SRV query to get ldap servers (and KDCs) for domain, and only if sucueesful, the user will be prompted to enter password
Change-Id: I9c5132300eb1f1fd94f771cab17efe5246dbeca8
Bug-Url: https://bugzilla/redhat.com/871591
Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com>
---
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosUpgrade.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomains.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomainsResultEnum.java
5 files changed, 74 insertions(+), 15 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/49/9349/1
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
index b61675e..a9210a9 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java
@@ -32,13 +32,15 @@
     private final String domainName;
     private final LdapProviderType ldapProviderType;
     private final StringBuffer userGuid;
+    private DnsSRVResult ldapDnsResult;
     private final static Logger log = Logger.getLogger(JndiAction.class);

-    public JndiAction(String userName, String domainName, StringBuffer userGuid, LdapProviderType ldapProviderType) {
+    public JndiAction(String userName, String domainName, StringBuffer userGuid, LdapProviderType ldapProviderType, DnsSRVResult ldapDnsResult) {
         this.userName = userName;
         this.domainName = domainName;
         this.ldapProviderType = ldapProviderType;
         this.userGuid = userGuid;
+        this.ldapDnsResult = ldapDnsResult;
     }

     @Override
@@ -51,11 +53,12 @@
         // Send an SRV record DNS query to retrieve all the LDAP servers in the domain
         LdapSRVLocator locator = new LdapSRVLocator();
-        DnsSRVResult ldapDnsResult;
-        try {
-            ldapDnsResult = locator.getLdapServers(domainName);
-        } catch (Exception ex) {
-            return KerberosUtils.convertDNSException(ex);
+        if (ldapDnsResult == null) {
+            try {
+                ldapDnsResult = locator.getLdapServers(domainName);
+            } catch (Exception ex) {
+                return KerberosUtils.convertDNSException(ex);
+            }
         }

         DirContext ctx = null;
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
index 1adac5f..42dd86b 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosConfigCheck.java
@@ -14,6 +14,7 @@
 import org.apache.log4j.Logger;
 import org.ovirt.engine.core.ldap.LdapProviderType;
 import org.ovirt.engine.core.utils.CLIParser;
+import org.ovirt.engine.core.utils.dns.DnsSRVLocator.DnsSRVResult;

 /**
  * Utility to verify Kerberos installation
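Review bot: The `if (ldapDnsResult == null)` branch writes the lookup result back into the `ldapDnsResult` field from inside the privileged action body (the method header is outside the hunk, presumably `run()`), so the action now carries state that changes on first execution and the field had to lose its `final`. A local keeps the action immutable and the field `final`: `DnsSRVResult dnsResult = ldapDnsResult;` before the `if`, assign the lookup to `dnsResult`, and consume `dnsResult` below; the consuming code lies outside the hunk and would need the same rename. The meaning of `null` for the new constructor parameter is not documented anywhere; a Javadoc on the constructor such as `@param ldapDnsResult pre-resolved LDAP SRV result for {@code domainName}, or {@code null} to query DNS inside the action` would make the contract explicit for the callers that pass `null`.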
@@ -21,6 +22,7 @@
  */
 public class KerberosConfigCheck {
     private LoginContext lc;
+    private final DnsSRVResult ldapDnsResult;
     private final static Logger log = Logger.getLogger(KerberosConfigCheck.class);

     public enum Arguments {
@@ -31,6 +33,10 @@
         jboss_dir,
         krb5_conf_path,
         ldapProviderType;
+    }
+
+    public KerberosConfigCheck(DnsSRVResult ldapDnsResult) {
+        this.ldapDnsResult = ldapDnsResult;
     }

     // This function gets the username and adjusts it doing the following:
@@ -109,7 +115,7 @@
     }

     public static void main(String[] args) {
-        KerberosConfigCheck util = new KerberosConfigCheck();
+        KerberosConfigCheck util = new KerberosConfigCheck(null);
         CLIParser parser = new CLIParser(args);
         if (!util.validate(parser)) {
             util.printUsage();
@@ -183,7 +189,7 @@
                     authResult = (AuthenticationResult) Subject.doAs(lc.getSubject(),
                             new JndiAction(username, realm.toLowerCase(),
-                                    userGuid, ldapProviderType));
+                                    userGuid, ldapProviderType,ldapDnsResult));
                 } finally {
                     if (lc != null) {
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosUpgrade.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosUpgrade.java
index 8c38476..d79e368 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosUpgrade.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/KerberosUpgrade.java
@@ -91,7 +91,7 @@
             handleError(e, "Error in querying oVirt database for Active-Directory user, password and domains");
         }

-        KerberosConfigCheck configCheck = new KerberosConfigCheck();
+        KerberosConfigCheck configCheck = new KerberosConfigCheck(null);
         StringBuffer userGuid = new StringBuffer();
         // Check authentication and user information retrieval
         try {
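Review bot: The new constructor `KerberosConfigCheck(DnsSRVResult ldapDnsResult)` has no Javadoc, and its two callers in this commit (`main` here and `KerberosUpgrade`) pass a bare `new KerberosConfigCheck(null)` that reads as "no result" without saying what the class does in that case. Keeping the old no-argument form as an overload, `public KerberosConfigCheck() { this(null); }`, would leave those call sites readable, and a Javadoc `@param ldapDnsResult LDAP SRV result already resolved for the domain under test, or {@code null} to let the check resolve it itself` would state the contract. In the `@@ -183` hunk the new argument is written `ldapProviderType,ldapDnsResult` without the space after the comma used everywhere else in the file.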
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomains.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomains.java
index 948af3f..5477cf5 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomains.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomains.java
@@ -22,8 +22,11 @@
 import org.apache.log4j.Logger;
 import org.ovirt.engine.core.common.config.ConfigValues;
 import org.ovirt.engine.core.ldap.LdapProviderType;
+import org.ovirt.engine.core.ldap.LdapSRVLocator;
 import org.ovirt.engine.core.utils.CLIParser;
 import org.ovirt.engine.core.utils.FileUtil;
+import org.ovirt.engine.core.utils.dns.DnsSRVLocator;
+import org.ovirt.engine.core.utils.dns.DnsSRVLocator.DnsSRVResult;
 import org.ovirt.engine.core.utils.ipa.ReturnStatus;
 import org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck;
@@ -54,6 +57,7 @@
     private ManageDomainsDAOImpl daoImpl;
     private boolean reportAllErrors;
     private boolean addPermissions;
+    private DnsSRVResult ldapDnsResult;
     private final static Logger log = Logger.getLogger(ManageDomains.class);

     public enum Arguments {
@@ -195,13 +199,15 @@
         try {
             String engineConfigExecutable = utilityConfiguration.getEngineConfigExecutablePath();
             String adUserName = getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.AdUserName);
-            String adUserPassword =
-                    getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.AdUserPassword);
+            String domainName = getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.DomainName);
             String ldapSecurityAuthentication = getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.LDAPSecurityAuthentication);
-            String domainName = getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.DomainName);
+            ldapDnsResult = validateLdapServers(domainName);
+            validateKdcServers(ldapSecurityAuthentication,domainName);
+            String adUserPassword =
+                    getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.AdUserPassword);
             String adUserId = getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.AdUserId);
             String ldapServers = getConfigValue(engineConfigExecutable, engineConfigProperties, ConfigValues.LdapServers);
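Review bot: `validateKdcServers(ldapSecurityAuthentication,domainName)` is called unconditionally, yet the value of `ldapSecurityAuthentication` is never consulted (the helper defined in the next hunk ignores that parameter), so a domain without KDC SRV records now aborts configuration reading even when the configured authentication does not use Kerberos. If a non-GSSAPI value is accepted for `LDAPSecurityAuthentication`, guard the call on it inside the helper and fail only when a KDC is actually required; otherwise drop the parameter so the signature does not promise a distinction it does not make. The enclosing `try` opens before this hunk and its `catch` follows in the next one, so both DNS failures are still reported through `ManageDomainsResult` thrown from inside that block.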
@@ -222,6 +228,49 @@
         } catch (Throwable e) {
             throw new ManageDomainsResult(ManageDomainsResultEnum.FAILED_READING_CURRENT_CONFIGURATION, e.getMessage());
         }
+    }
+
+    private void validateKdcServers(String ldapSecurityAuthentication, String domainName) throws ManageDomainsResult {
+        KDCLocator locator = new KDCLocator();
+        DnsSRVResult result = null;
+        boolean foundServers = true;
+        try
+        {
+            result = locator.getKdc(DnsSRVLocator.TCP, domainName);
+            if (result.getNumOfValidAddresses() == 0) {
+                result = locator.getKdc(DnsSRVLocator.UDP,domainName);
+                if (result.getNumOfValidAddresses() == 0) {
+                    foundServers =false;
+                }
+            }
+        } catch (Exception ex) {
+            foundServers = false;
+        }
+        if (!foundServers) {
+            throw new ManageDomainsResult("Could not locate KDC servers to be used to validate the input of the utility",
+                    ManageDomainsResultEnum.NO_KDC_SERVERS_FOR_DOMAIN, domainName);
+        }
+
+    }
+
+    private DnsSRVResult validateLdapServers(String domainName) throws ManageDomainsResult {
+        LdapSRVLocator locator = new LdapSRVLocator();
+        DnsSRVResult ldapDnsResult = null;
+        boolean foundServers = true;
+        try {
+            ldapDnsResult = locator.getLdapServers(domainName);
+            if (ldapDnsResult.getNumOfValidAddresses() == 0) {
+                foundServers = false;
+            }
+        } catch (Exception ex) {
+            foundServers = false;
+        }
+        if (!foundServers) {
+            throw new ManageDomainsResult("Could not locate LDAP servers to be used to validate the input of the utility",
+                    ManageDomainsResultEnum.NO_LDAP_SERVERS_FOR_DOMAIN, domainName);
+
+        }
+        return ldapDnsResult;
     }

     private void runCommand(CLIParser parser) throws ManageDomainsResult {
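Review bot: Both new helpers swallow the lookup failure with `catch (Exception ex) { foundServers = false; }`, so a DNS timeout, a malformed SRV response and a genuine "no records" answer all surface as the same NO_KDC/NO_LDAP message and the operator has no way to tell a resolver problem from a misconfigured domain. The class already has `log`; `log.error("DNS SRV lookup for domain " + domainName + " failed", ex);` in each catch block keeps the cause on record without changing the exit code. Two smaller points in the same hunk: the local `DnsSRVResult ldapDnsResult` in `validateLdapServers` shadows the field of the same name added in the earlier hunk, which invites confusion about which one is being assigned, and `try` followed by `{` on its own line in `validateKdcServers` departs from the brace placement used everywhere else in the file.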
@@ -613,7 +662,7 @@
             users.setValueForDomain(domain, constructUPN(currUserName, domain));
             try {
                 log.info("Testing kerberos configuration for domain: " + domain);
-                KerberosConfigCheck kerberosConfigCheck = new KerberosConfigCheck();
+                KerberosConfigCheck kerberosConfigCheck = new KerberosConfigCheck(ldapDnsResult);
                 StringBuffer userGuid = new StringBuffer();
                 kerberosConfigCheck.checkInstallation(domain,
                         users.getValueForDomain(domain),
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomainsResultEnum.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomainsResultEnum.java
index 5df1fed..0395950 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomainsResultEnum.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/ManageDomainsResultEnum.java
@@ -33,8 +33,9 @@
             "Operation failed due to exception. Details: %1$s", 20),
     FAILURE_READING_PASSWORD_FILE("failed reading password from password file", 21),
-    EMPTY_PASSWORD_FILE("password file is empty", 22);
-
+    EMPTY_PASSWORD_FILE("password file is empty", 22),
+    NO_LDAP_SERVERS_FOR_DOMAIN("No ldap servers can be obtained for domain %1$s",23),
+    NO_KDC_SERVERS_FOR_DOMAIN("No KDC can be obtained for domain %1$s",24);
     private String detailedMessage;
     private final int exitCode;
--
To view, visit http://gerrit.ovirt.org/9349
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9c5132300eb1f1fd94f771cab17efe5246dbeca8
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
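Review bot: `new KerberosConfigCheck(ldapDnsResult)` hands the SRV result that was resolved once for the configured `DomainName` (earlier hunk) to a check that runs for whatever `domain` this block is processing, and `JndiAction` skips its own lookup whenever that value is non-null; if this block executes for more than one domain (the `users.setValueForDomain(domain, ...)` / `users.getValueForDomain(domain)` pair suggests a per-domain iteration whose header lies outside the hunk), the user's credentials for one domain would be validated against the LDAP servers of another. Record which domain the cached result belongs to and pass it only on a match, e.g. a new field set next to `ldapDnsResult` when it is resolved, then `DnsSRVResult cached = domain.equalsIgnoreCase(ldapDnsDomain) ? ldapDnsResult : null;` and `new KerberosConfigCheck(cached)` here (`ldapDnsDomain` being the proposed new field). The result also stays in the field for the lifetime of the object, so a long-running invocation would keep using SRV data that DNS may since have changed.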