/usr/lib/ipa/ipa-dnskeysyncd is in freeipa-server 4.7.0~pre1+git20180411-2ubuntu2.

This file is owned by root:root, with mode 0o755.

#!/usr/bin/python
#
# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
#

import logging
import sys
import ldap
import ldapurl
import os
import signal
import time

from ipalib import api
from ipalib.install.kinit import kinit_keytab
from ipapython.dn import DN
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.keysyncer import KeySyncer

logger = logging.getLogger(os.path.basename(__file__))


# IPA framework initialization.  Logging is configured before bootstrap so
# that any problem in bootstrap()/finalize() is reported; the api object is
# brought up in server mode for the 'dns' context.
standard_logging_setup(verbose=True)
api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
api.finalize()
# Honour the framework's debug switch on the root logger, not only on ours.
if api.env.debug:
    root_logger = logging.getLogger()
    root_logger.setLevel(logging.DEBUG)

# Daemon identity and file locations
DAEMONNAME = 'ipa-dnskeysyncd'
PRINCIPAL = None  # set once the Kerberos principal is built further down
# Directory that receives the credential cache.  "private temp" presumably
# relies on the service unit isolating /tmp for this daemon (e.g. PrivateTmp);
# confirm, because the ccache name derived from it is otherwise a predictable
# path in a shared directory.
WORKDIR = '/tmp'
KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB

# Global state shared with the signal handler commenceShutdown()
watcher_running = True    # cleared by the handler to stop the main loop
ldap_connection = False   # replaced by a KeySyncer instance in the main loop

# Shutdown handler
def commenceShutdown(signum, stack):
    """Signal handler: stop the watcher loop, close the LDAP connection, exit.

    Registered for SIGTERM and SIGINT.  ``stack`` is the interrupted frame
    handed over by the signal module and is not used here.  The handler
    finishes with ``sys.exit(0)``, which raises SystemExit inside whatever
    the main thread was doing (typically the blocking syncrepl poll).
    """
    global watcher_running
    global ldap_connection  # pylint: disable=global-variable-not-assigned

    logger.info('Signal %s received: Shutting down!', signum)

    # Tell the main loop not to reconnect.
    watcher_running = False

    # The global starts out as False, so a falsy value means no connection
    # was ever established.  After closing, the name is deleted rather than
    # reset, exactly as before; nothing reads it again before exit.
    conn = ldap_connection
    if conn:
        conn.close_db()
        del ldap_connection

    sys.exit(0)


# Files created from here on (the ccache, anything KeySyncer writes) are
# limited to owner/group access.
os.umask(0o07)

# Signal handlers are installed before the blocking work below so a
# SIGTERM/SIGINT during kinit or the sync loop is handled by commenceShutdown.
signal.signal(signal.SIGTERM, commenceShutdown)
signal.signal(signal.SIGINT, commenceShutdown)

# Kerberos initialization: obtain credentials for the daemon's own service
# principal from its keytab into a dedicated credential cache.
PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
logger.debug('Kerberos principal: %s', PRINCIPAL)
ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
try:
    # attempts=5: kinit_keytab retries before giving up and raising.
    kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
except Exception as err:  # process boundary: any kinit failure is fatal
    logger.critical("Kerberos authentication failed: %s", err)
    # Non-zero exit so the init system restarts the daemon.
    sys.exit(1)
# Presumably consumed by the GSSAPI bind further down — confirm.
os.environ['KRB5CCNAME'] = ccache_filename

# LDAP initialization: describe the syncrepl search as an LDAP URL rooted at
# the DNS container.
basedn = DN(api.env.container_dns, api.env.basedn)
ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri)
ldap_url.dn = str(basedn)
ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE
# Only DNS zones, DNSSEC key entries and PKCS#11 public keys are followed.
ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
logger.debug('LDAP URL: %s', ldap_url.unparse())

# Real work: (re)connect, bind via GSSAPI, then follow the server with a
# refreshAndPersist syncrepl session until it ends or the server goes away.
while watcher_running:
    # Prepare the LDAP server connection (triggers the connection as well)
    ldap_connection = KeySyncer(ldap_url.initializeUrl(), ipa_api=api)

    logger.info('LDAP bind...')
    try:
        ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
    except ldap.INVALID_CREDENTIALS as err:
        # Bad credentials will not fix themselves; stop here.
        logger.exception('Login to LDAP server failed: %s', err)
        sys.exit(1)
    except ldap.SERVER_DOWN as err:
        # Transient: back off briefly and build a fresh connection.
        logger.exception('LDAP server is down, going to retry: %s', err)
        time.sleep(5)
        continue

    logger.info('Commencing sync process')
    ldap_search = ldap_connection.syncrepl_search(
        ldap_url.dn,
        ldap_url.scope,
        mode='refreshAndPersist',
        attrlist=ldap_url.attrs,
        filterstr=ldap_url.filterstr
    )

    # The loop body is intentionally empty: the actual key handling is
    # presumably done inside KeySyncer's syncrepl callbacks — confirm in
    # ipaserver.dnssec.keysyncer.
    try:
        while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
            pass
    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as err:
        # Unlike a failed bind, a dropped persist session ends the daemon;
        # the init system is expected to restart it (see the kinit comment).
        logger.exception('syncrepl_poll: LDAP error (%s)', err)
        sys.exit(1)