0000-12-31 18:09:24 -05:50
|
|
|
#! /usr/bin/python -E
|
|
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2007 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
# modify it under the terms of the GNU General Public License as
|
|
|
|
# published by the Free Software Foundation; version 2 only
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
# requires the following packages:
|
|
|
|
# fedora-ds-base
|
|
|
|
# openldap-clients
|
|
|
|
# nss-tools
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
import sys
|
2007-10-02 15:56:51 -05:00
|
|
|
import os
|
0000-12-31 18:09:24 -05:50
|
|
|
import socket
|
2007-10-15 12:27:05 -05:00
|
|
|
import errno
|
0000-12-31 18:09:24 -05:50
|
|
|
import logging
|
2007-08-31 17:40:01 -05:00
|
|
|
import pwd
|
2007-10-03 16:37:13 -05:00
|
|
|
import subprocess
|
2007-10-02 15:56:51 -05:00
|
|
|
import signal
|
|
|
|
import shutil
|
|
|
|
import glob
|
0000-12-31 18:09:24 -05:50
|
|
|
import traceback
|
0000-12-31 18:09:24 -05:50
|
|
|
from optparse import OptionParser
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
from ipaserver.install import dsinstance
|
|
|
|
from ipaserver.install import krbinstance
|
|
|
|
from ipaserver.install import bindinstance
|
|
|
|
from ipaserver.install import httpinstance
|
|
|
|
from ipaserver.install import ntpinstance
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
from ipaserver.install import service
|
2009-02-05 14:03:08 -06:00
|
|
|
from ipapython import version
|
2009-02-02 12:50:53 -06:00
|
|
|
from ipaserver.install.installutils import *
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2009-02-05 14:03:08 -06:00
|
|
|
from ipapython import sysrestore
|
|
|
|
from ipapython.ipautil import *
|
2009-02-04 09:53:34 -06:00
|
|
|
from ipalib import util
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-07-11 10:34:29 -05:00
|
|
|
pw_name = None
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def parse_options():
|
2008-05-08 10:45:38 -05:00
|
|
|
parser = OptionParser(version=version.VERSION)
|
2007-07-02 14:51:04 -05:00
|
|
|
parser.add_option("-u", "--user", dest="ds_user",
|
|
|
|
help="ds user")
|
0000-12-31 18:09:24 -05:50
|
|
|
parser.add_option("-r", "--realm", dest="realm_name",
|
|
|
|
help="realm name")
|
2008-02-15 19:47:29 -06:00
|
|
|
parser.add_option("-n", "--domain", dest="domain_name",
|
|
|
|
help="domain name")
|
2007-08-31 17:40:01 -05:00
|
|
|
parser.add_option("-p", "--ds-password", dest="dm_password",
|
0000-12-31 18:09:24 -05:50
|
|
|
help="admin password")
|
2007-08-20 17:40:32 -05:00
|
|
|
parser.add_option("-P", "--master-password", dest="master_password",
|
2008-02-25 16:18:18 -06:00
|
|
|
help="kerberos master password (normally autogenerated)")
|
2007-08-31 17:40:01 -05:00
|
|
|
parser.add_option("-a", "--admin-password", dest="admin_password",
|
|
|
|
help="admin user kerberos password")
|
0000-12-31 18:09:24 -05:50
|
|
|
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
2007-09-20 14:10:21 -05:00
|
|
|
default=False, help="print debugging information")
|
0000-12-31 18:09:24 -05:50
|
|
|
parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
|
2007-09-20 14:10:21 -05:00
|
|
|
parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address")
|
|
|
|
parser.add_option("--setup-bind", dest="setup_bind", action="store_true",
|
|
|
|
default=False, help="configure bind with our zone file")
|
|
|
|
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
|
|
|
|
default=False, help="unattended installation never prompts the user")
|
2008-01-11 05:57:36 -06:00
|
|
|
parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
|
|
|
|
default=False, help="uninstall an existing installation")
|
2008-02-20 10:03:46 -06:00
|
|
|
parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
|
|
|
|
help="do not configure ntp", default=True)
|
2008-07-11 10:34:29 -05:00
|
|
|
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
|
|
|
|
help="PKCS#12 file containing the Directory Server SSL certificate")
|
|
|
|
parser.add_option("--http_pkcs12", dest="http_pkcs12",
|
|
|
|
help="PKCS#12 file containing the Apache Server SSL certificate")
|
|
|
|
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
|
|
|
|
help="The password of the Directory Server PKCS#12 file")
|
|
|
|
parser.add_option("--http_pin", dest="http_pin",
|
|
|
|
help="The password of the Apache Server PKCS#12 file")
|
2008-09-16 21:18:11 -05:00
|
|
|
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
|
|
|
|
default=False,
|
|
|
|
help="Do not use DNS for hostname lookup during installation")
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
options, args = parser.parse_args()
|
|
|
|
|
2008-01-11 05:57:36 -06:00
|
|
|
if options.uninstall:
|
|
|
|
if (options.ds_user or options.realm_name or
|
|
|
|
options.dm_password or options.admin_password or
|
|
|
|
options.master_password):
|
|
|
|
parser.error("error: In uninstall mode, -u, r, -p and -P options are not allowed")
|
|
|
|
elif options.unattended:
|
|
|
|
if (not options.ds_user or not options.realm_name or
|
2008-02-25 16:18:18 -06:00
|
|
|
not options.dm_password or not options.admin_password):
|
|
|
|
parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options")
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-07-11 10:34:29 -05:00
|
|
|
# If any of the PKCS#12 options are selected, all are required. Create a
|
|
|
|
# list of the options and count it to enforce that all are required without
|
|
|
|
# having a huge set of it blocks.
|
|
|
|
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
|
|
|
|
cnt = pkcs12.count(None)
|
|
|
|
if cnt > 0 and cnt < 4:
|
|
|
|
parser.error("error: All PKCS#12 options are required if any are used.")
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
return options
|
|
|
|
|
2007-10-02 15:56:51 -05:00
|
|
|
def signal_handler(signum, frame):
|
|
|
|
global ds
|
|
|
|
print "\nCleaning up..."
|
|
|
|
if ds:
|
|
|
|
print "Removing configuration for %s instance" % ds.serverid
|
|
|
|
ds.stop()
|
|
|
|
if ds.serverid:
|
2009-02-02 12:50:53 -06:00
|
|
|
dsinstance.erase_ds_instance_data (ds.serverid)
|
2007-10-02 15:56:51 -05:00
|
|
|
sys.exit(1)
|
|
|
|
|
2008-09-16 21:18:11 -05:00
|
|
|
def read_host_name(host_default,no_host_dns=False):
|
0000-12-31 18:09:24 -05:50
|
|
|
host_name = ""
|
|
|
|
|
|
|
|
print "Enter the fully qualified domain name of the computer"
|
|
|
|
print "on which you're setting up server software. Using the form"
|
|
|
|
print "<hostname>.<domainname>"
|
|
|
|
print "Example: master.example.com."
|
|
|
|
print ""
|
|
|
|
print ""
|
|
|
|
if host_default == "":
|
|
|
|
host_default = "master.example.com"
|
2008-07-21 05:25:37 -05:00
|
|
|
while True:
|
|
|
|
host_name = user_input("Server host name", host_default, allow_empty = False)
|
0000-12-31 18:09:24 -05:50
|
|
|
print ""
|
0000-12-31 18:09:24 -05:50
|
|
|
try:
|
2008-09-16 21:18:11 -05:00
|
|
|
verify_fqdn(host_name,no_host_dns)
|
2008-03-06 12:17:28 -06:00
|
|
|
except Exception, e:
|
|
|
|
raise e
|
0000-12-31 18:09:24 -05:50
|
|
|
else:
|
2008-07-21 05:25:37 -05:00
|
|
|
break
|
0000-12-31 18:09:24 -05:50
|
|
|
return host_name
|
|
|
|
|
|
|
|
def resolve_host(host_name):
|
|
|
|
ip = ""
|
|
|
|
try:
|
|
|
|
ip = socket.gethostbyname(host_name)
|
|
|
|
|
|
|
|
if ip == "127.0.0.1" or ip == "::1":
|
|
|
|
print "The hostname resolves to the localhost address (127.0.0.1/::1)"
|
|
|
|
print "Please change your /etc/hosts file so that the hostname"
|
|
|
|
print "resolves to the ip address of your network interface."
|
|
|
|
print "The KDC service does not listen on localhost"
|
|
|
|
print ""
|
|
|
|
print "Please fix your /etc/hosts file and restart the setup program"
|
2008-05-22 15:36:11 -05:00
|
|
|
return None
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
except:
|
|
|
|
print "Unable to lookup the IP address of the provided host"
|
|
|
|
return ip
|
|
|
|
|
|
|
|
def verify_ip_address(ip):
|
|
|
|
is_ok = True
|
|
|
|
try:
|
|
|
|
socket.inet_pton(socket.AF_INET, ip)
|
|
|
|
except:
|
|
|
|
try:
|
|
|
|
socket.inet_pton(socket.AF_INET6, ip)
|
|
|
|
except:
|
|
|
|
print "Unable to verify IP address"
|
|
|
|
is_ok = False
|
|
|
|
return is_ok
|
|
|
|
|
2008-02-21 09:23:29 -06:00
|
|
|
def read_ip_address(host_name):
|
|
|
|
while True:
|
2008-07-21 05:25:37 -05:00
|
|
|
ip = user_input("Please provide the IP address to be used for this host name", allow_empty = False)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
if ip == "127.0.0.1" or ip == "::1":
|
|
|
|
print "The IPA Server can't use localhost as a valid IP"
|
|
|
|
continue
|
|
|
|
|
|
|
|
if not verify_ip_address(ip):
|
|
|
|
continue
|
|
|
|
|
|
|
|
print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file"
|
2008-03-27 18:01:38 -05:00
|
|
|
fstore.backup_file("/etc/hosts")
|
0000-12-31 18:09:24 -05:50
|
|
|
hosts_fd = open('/etc/hosts', 'r+')
|
|
|
|
hosts_fd.seek(0, 2)
|
2008-05-15 10:33:07 -05:00
|
|
|
hosts_fd.write(ip+'\t'+host_name+' '+host_name.split('.')[0]+'\n')
|
0000-12-31 18:09:24 -05:50
|
|
|
hosts_fd.close()
|
2008-02-21 09:23:29 -06:00
|
|
|
|
|
|
|
return ip
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
def read_ds_user():
|
|
|
|
print "The server must run as a specific user in a specific group."
|
|
|
|
print "It is strongly recommended that this user should have no privileges"
|
|
|
|
print "on the computer (i.e. a non-root user). The setup procedure"
|
|
|
|
print "will give this user/group some permissions in specific paths/files"
|
|
|
|
print "to perform server-specific operations."
|
|
|
|
print ""
|
2008-02-20 09:16:19 -06:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
ds_user = ""
|
|
|
|
try:
|
|
|
|
pwd.getpwnam('dirsrv')
|
|
|
|
|
2008-01-25 16:08:36 -06:00
|
|
|
print "A user account named 'dirsrv' already exists. This is the user id"
|
|
|
|
print "that the Directory Server will run as."
|
0000-12-31 18:09:24 -05:50
|
|
|
print ""
|
2008-07-21 05:25:37 -05:00
|
|
|
if user_input("Do you want to use the existing 'dirsrv' account?", True):
|
0000-12-31 18:09:24 -05:50
|
|
|
ds_user = "dirsrv"
|
|
|
|
else:
|
|
|
|
print ""
|
2008-07-21 05:25:37 -05:00
|
|
|
ds_user = user_input_plain("Which account name do you want to use for the DS instance?", allow_empty = False, allow_spaces = False)
|
|
|
|
print ""
|
0000-12-31 18:09:24 -05:50
|
|
|
except KeyError:
|
|
|
|
ds_user = "dirsrv"
|
|
|
|
|
|
|
|
return ds_user
|
|
|
|
|
2008-02-25 16:16:18 -06:00
|
|
|
def read_domain_name(domain_name, unattended):
|
2008-02-15 19:47:29 -06:00
|
|
|
print "The domain name has been calculated based on the host name."
|
|
|
|
print ""
|
2008-02-25 16:16:18 -06:00
|
|
|
if not unattended:
|
2008-07-21 05:25:37 -05:00
|
|
|
domain_name = user_input("Please confirm the domain name", domain_name)
|
2008-02-25 16:16:18 -06:00
|
|
|
print ""
|
2008-02-15 19:47:29 -06:00
|
|
|
return domain_name
|
|
|
|
|
2008-02-25 16:16:18 -06:00
|
|
|
def read_realm_name(domain_name, unattended):
|
0000-12-31 18:09:24 -05:50
|
|
|
print "The kerberos protocol requires a Realm name to be defined."
|
|
|
|
print "This is typically the domain name converted to uppercase."
|
|
|
|
print ""
|
2008-07-21 05:25:37 -05:00
|
|
|
|
2008-02-25 16:16:18 -06:00
|
|
|
if unattended:
|
2008-07-21 05:25:37 -05:00
|
|
|
return domain_name.upper()
|
|
|
|
realm_name = user_input("Please provide a realm name", domain_name.upper())
|
|
|
|
upper_dom = realm_name.upper()
|
|
|
|
if upper_dom != realm_name:
|
|
|
|
print "An upper-case realm name is required."
|
|
|
|
if not user_input("Do you want to use " + upper_dom + " as realm name?", True):
|
2008-02-25 16:16:18 -06:00
|
|
|
print ""
|
2008-07-21 05:25:37 -05:00
|
|
|
print "An upper-case realm name is required. Unable to continue."
|
|
|
|
sys.exit(1)
|
|
|
|
else:
|
|
|
|
realm_name = upper_dom
|
|
|
|
print ""
|
0000-12-31 18:09:24 -05:50
|
|
|
return realm_name
|
|
|
|
|
2008-07-21 05:25:37 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def read_dm_password():
|
|
|
|
print "Certain directory server operations require an administrative user."
|
|
|
|
print "This user is referred to as the Directory Manager and has full access"
|
2008-01-29 10:33:44 -06:00
|
|
|
print "to the Directory for system management tasks and will be added to the"
|
2008-01-25 16:08:36 -06:00
|
|
|
print "instance of directory server created for IPA."
|
0000-12-31 18:09:24 -05:50
|
|
|
print "The password must be at least 8 characters long."
|
0000-12-31 18:09:24 -05:50
|
|
|
print ""
|
|
|
|
#TODO: provide the option of generating a random password
|
|
|
|
dm_password = read_password("Directory Manager")
|
|
|
|
return dm_password
|
|
|
|
|
|
|
|
def read_admin_password():
|
|
|
|
print "The IPA server requires an administrative user, named 'admin'."
|
|
|
|
print "This user is a regular system account used for IPA server administration."
|
|
|
|
print ""
|
|
|
|
#TODO: provide the option of generating a random password
|
|
|
|
admin_password = read_password("IPA admin")
|
|
|
|
return admin_password
|
|
|
|
|
2008-05-30 14:31:13 -05:00
|
|
|
def check_dirsrv(unattended):
|
2009-02-02 12:50:53 -06:00
|
|
|
serverids = dsinstance.check_existing_installation()
|
2008-01-22 02:03:06 -06:00
|
|
|
if serverids:
|
|
|
|
print ""
|
|
|
|
print "An existing Directory Server has been detected."
|
2008-09-12 17:37:11 -05:00
|
|
|
if unattended or not user_input("Do you wish to remove it and create a new one?", False):
|
2008-01-25 16:08:36 -06:00
|
|
|
print ""
|
|
|
|
print "Only a single Directory Server instance is allowed on an IPA"
|
|
|
|
print "server, the one used by IPA itself."
|
2008-01-22 02:03:06 -06:00
|
|
|
sys.exit(1)
|
|
|
|
|
|
|
|
try:
|
|
|
|
service.stop("dirsrv")
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
|
|
|
|
for serverid in serverids:
|
2009-02-02 12:50:53 -06:00
|
|
|
dsinstance.erase_ds_instance_data(serverid)
|
2008-01-22 02:03:06 -06:00
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
(ds_unsecure, ds_secure) = dsinstance.check_ports()
|
2008-01-22 02:03:06 -06:00
|
|
|
if not ds_unsecure or not ds_secure:
|
|
|
|
print "IPA requires ports 389 and 636 for the Directory Server."
|
|
|
|
print "These are currently in use:"
|
|
|
|
if not ds_unsecure:
|
|
|
|
print "\t389"
|
|
|
|
if not ds_secure:
|
|
|
|
print "\t636"
|
|
|
|
sys.exit(1)
|
|
|
|
|
2008-01-11 05:57:36 -06:00
|
|
|
def uninstall():
|
2008-03-31 16:35:45 -05:00
|
|
|
try:
|
|
|
|
run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"])
|
|
|
|
except Exception, e:
|
|
|
|
print "Uninstall of client side components failed!"
|
|
|
|
print "ipa-client-install returned: " + str(e)
|
|
|
|
pass
|
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
ntpinstance.NTPInstance(fstore).uninstall()
|
|
|
|
bindinstance.BindInstance(fstore).uninstall()
|
|
|
|
httpinstance.HTTPInstance(fstore).uninstall()
|
|
|
|
krbinstance.KrbInstance(fstore).uninstall()
|
|
|
|
dsinstance.DsInstance().uninstall()
|
2008-03-27 18:01:38 -05:00
|
|
|
fstore.restore_all_files()
|
2008-01-11 05:57:36 -06:00
|
|
|
return 0
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def main():
|
2007-10-02 15:56:51 -05:00
|
|
|
global ds
|
2008-07-11 10:34:29 -05:00
|
|
|
global pw_name
|
2007-10-02 15:56:51 -05:00
|
|
|
ds = None
|
0000-12-31 18:09:24 -05:50
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
options = parse_options()
|
|
|
|
|
2007-10-02 15:56:51 -05:00
|
|
|
if os.getegid() != 0:
|
|
|
|
print "Must be root to setup server"
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2008-02-20 09:16:19 -06:00
|
|
|
|
2007-10-02 15:56:51 -05:00
|
|
|
signal.signal(signal.SIGTERM, signal_handler)
|
|
|
|
signal.signal(signal.SIGINT, signal_handler)
|
|
|
|
|
2008-03-24 11:22:34 -05:00
|
|
|
if options.uninstall:
|
|
|
|
standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug)
|
|
|
|
else:
|
|
|
|
standard_logging_setup("/var/log/ipaserver-install.log", options.debug)
|
|
|
|
print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-03-27 18:01:38 -05:00
|
|
|
global fstore
|
|
|
|
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
|
|
2008-01-11 05:57:36 -06:00
|
|
|
if options.uninstall:
|
2008-03-31 16:35:45 -05:00
|
|
|
if not options.unattended:
|
|
|
|
print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
|
2008-08-06 10:27:04 -05:00
|
|
|
if not user_input("Are you sure you want to continue with the uninstall procedure?", False):
|
2008-03-31 16:35:45 -05:00
|
|
|
print ""
|
|
|
|
print "Aborting uninstall operation."
|
|
|
|
sys.exit(1)
|
|
|
|
|
2008-01-11 05:57:36 -06:00
|
|
|
return uninstall()
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
print "=============================================================================="
|
|
|
|
print "This program will setup the FreeIPA Server."
|
|
|
|
print ""
|
2008-01-25 16:08:36 -06:00
|
|
|
print "This includes:"
|
2008-06-06 14:25:36 -05:00
|
|
|
if options.conf_ntp:
|
|
|
|
print " * Configure the Network Time Daemon (ntpd)"
|
2008-01-25 16:08:36 -06:00
|
|
|
print " * Create and configure an instance of Directory Server"
|
2008-03-04 13:47:47 -06:00
|
|
|
print " * Create and configure a Kerberos Key Distribution Center (KDC)"
|
2008-01-25 16:08:36 -06:00
|
|
|
print " * Configure Apache (httpd)"
|
|
|
|
print " * Configure TurboGears"
|
2008-06-06 14:25:36 -05:00
|
|
|
if options.setup_bind:
|
|
|
|
print " * Configure DNS (bind)"
|
|
|
|
if not options.conf_ntp:
|
|
|
|
print ""
|
|
|
|
print "Excluded by options:"
|
|
|
|
print " * Configure the Network Time Daemon (ntpd)"
|
2008-01-25 16:08:36 -06:00
|
|
|
print ""
|
0000-12-31 18:09:24 -05:50
|
|
|
print "To accept the default shown in brackets, press the Enter key."
|
|
|
|
print ""
|
|
|
|
|
2008-05-30 14:31:13 -05:00
|
|
|
check_dirsrv(options.unattended)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2007-08-20 17:40:32 -05:00
|
|
|
ds_user = ""
|
|
|
|
realm_name = ""
|
|
|
|
host_name = ""
|
2007-09-20 14:10:21 -05:00
|
|
|
domain_name = ""
|
|
|
|
ip_address = ""
|
2007-08-20 17:40:32 -05:00
|
|
|
master_password = ""
|
2007-08-31 17:40:01 -05:00
|
|
|
dm_password = ""
|
|
|
|
admin_password = ""
|
2007-08-20 17:40:32 -05:00
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
# check bind packages are installed
|
|
|
|
if options.setup_bind:
|
2008-05-28 21:46:08 -05:00
|
|
|
if not ipaserver.bindinstance.check_inst():
|
2007-09-20 14:10:21 -05:00
|
|
|
print "--setup-bind was specified but bind is not installed on the system"
|
2008-05-16 11:41:48 -05:00
|
|
|
print "Please install bind and restart the setup program"
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2007-09-20 14:10:21 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
# check the hostname is correctly configured, it must be as the kldap
|
|
|
|
# utilities just use the hostname as returned by gethostbyname to set
|
|
|
|
# up some of the standard entries
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
host_default = ""
|
0000-12-31 18:09:24 -05:50
|
|
|
if options.host_name:
|
0000-12-31 18:09:24 -05:50
|
|
|
host_default = options.host_name
|
0000-12-31 18:09:24 -05:50
|
|
|
else:
|
0000-12-31 18:09:24 -05:50
|
|
|
host_default = get_fqdn()
|
2008-02-20 09:16:19 -06:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
if options.unattended:
|
0000-12-31 18:09:24 -05:50
|
|
|
try:
|
2008-09-16 21:18:11 -05:00
|
|
|
verify_fqdn(host_default,options.no_host_dns)
|
0000-12-31 18:09:24 -05:50
|
|
|
except RuntimeError, e:
|
|
|
|
logging.error(str(e) + "\n")
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
host_name = host_default
|
0000-12-31 18:09:24 -05:50
|
|
|
else:
|
2008-09-16 21:18:11 -05:00
|
|
|
host_name = read_host_name(host_default,options.no_host_dns)
|
2008-02-15 19:47:29 -06:00
|
|
|
|
2008-05-20 09:17:20 -05:00
|
|
|
host_name = host_name.lower()
|
|
|
|
|
2008-02-15 19:47:29 -06:00
|
|
|
if not options.domain_name:
|
2008-02-25 16:16:18 -06:00
|
|
|
domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended)
|
2008-02-15 19:47:29 -06:00
|
|
|
else:
|
2008-02-25 16:16:18 -06:00
|
|
|
domain_name = options.domain_name
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2008-05-20 09:17:20 -05:00
|
|
|
domain_name = domain_name.lower()
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
# Check we have a public IP that is associated with the hostname
|
0000-12-31 18:09:24 -05:50
|
|
|
ip = resolve_host(host_name)
|
2008-05-22 15:36:11 -05:00
|
|
|
if ip is None:
|
0000-12-31 18:09:24 -05:50
|
|
|
if options.ip_address:
|
|
|
|
ip = options.ip_address
|
2008-05-22 15:36:11 -05:00
|
|
|
if ip is None and options.unattended:
|
0000-12-31 18:09:24 -05:50
|
|
|
print "Unable to resolve IP address for host name"
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2007-09-20 14:10:21 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
if not verify_ip_address(ip):
|
|
|
|
ip = ""
|
|
|
|
if options.unattended:
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2007-09-20 14:10:21 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
if options.ip_address and options.ip_address != ip:
|
|
|
|
if options.setup_bind:
|
2007-09-20 14:10:21 -05:00
|
|
|
ip = options.ip_address
|
|
|
|
else:
|
0000-12-31 18:09:24 -05:50
|
|
|
print "Error: the hostname resolves to an IP address that is different"
|
|
|
|
print "from the one provided on the command line. Please fix your DNS"
|
|
|
|
print "or /etc/hosts file and restart the installation."
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2008-02-20 09:16:19 -06:00
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
if options.unattended:
|
0000-12-31 18:09:24 -05:50
|
|
|
if not ip:
|
2007-09-20 14:10:21 -05:00
|
|
|
print "Unable to resolve IP address"
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2007-09-20 14:10:21 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
if not ip:
|
2008-02-21 09:23:29 -06:00
|
|
|
ip = read_ip_address(host_name)
|
2007-09-20 14:10:21 -05:00
|
|
|
ip_address = ip
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
print "The IPA Master Server will be configured with"
|
|
|
|
print "Hostname: " + host_name
|
|
|
|
print "IP address: " + ip_address
|
|
|
|
print "Domain name: " + domain_name
|
2007-08-20 17:40:32 -05:00
|
|
|
print ""
|
|
|
|
|
|
|
|
if not options.ds_user:
|
0000-12-31 18:09:24 -05:50
|
|
|
ds_user = read_ds_user()
|
2007-08-20 17:40:32 -05:00
|
|
|
if ds_user == "":
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2007-08-20 17:40:32 -05:00
|
|
|
else:
|
|
|
|
ds_user = options.ds_user
|
|
|
|
|
|
|
|
if not options.realm_name:
|
2008-02-25 16:16:18 -06:00
|
|
|
realm_name = read_realm_name(domain_name, options.unattended)
|
2007-08-20 17:40:32 -05:00
|
|
|
else:
|
2008-06-03 10:28:27 -05:00
|
|
|
realm_name = options.realm_name.upper()
|
2007-08-20 17:40:32 -05:00
|
|
|
|
2007-08-31 17:40:01 -05:00
|
|
|
if not options.dm_password:
|
0000-12-31 18:09:24 -05:50
|
|
|
dm_password = read_dm_password()
|
2007-08-20 17:40:32 -05:00
|
|
|
else:
|
2007-08-31 17:40:01 -05:00
|
|
|
dm_password = options.dm_password
|
2007-08-20 17:40:32 -05:00
|
|
|
|
|
|
|
if not options.master_password:
|
0000-12-31 18:09:24 -05:50
|
|
|
master_password = ipa_generate_password()
|
2007-08-20 17:40:32 -05:00
|
|
|
else:
|
|
|
|
master_password = options.master_password
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2007-08-31 17:40:01 -05:00
|
|
|
if not options.admin_password:
|
0000-12-31 18:09:24 -05:50
|
|
|
admin_password = read_admin_password()
|
2007-08-31 17:40:01 -05:00
|
|
|
else:
|
|
|
|
admin_password = options.admin_password
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
if not options.unattended:
|
|
|
|
print ""
|
|
|
|
print "The following operations may take some minutes to complete."
|
|
|
|
print "Please wait until the prompt is returned."
|
|
|
|
|
2008-02-20 10:03:46 -06:00
|
|
|
# Configure ntpd
|
|
|
|
if options.conf_ntp:
|
2009-02-02 12:50:53 -06:00
|
|
|
ntp = ntpinstance.NTPInstance(fstore)
|
2008-02-20 10:03:46 -06:00
|
|
|
ntp.create_instance()
|
|
|
|
|
2008-07-11 10:34:29 -05:00
|
|
|
if options.dirsrv_pin:
|
|
|
|
[pw_fd, pw_name] = tempfile.mkstemp()
|
|
|
|
os.write(pw_fd, options.dirsrv_pin)
|
|
|
|
os.close(pw_fd)
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
# Create a directory server instance
|
2009-02-02 12:50:53 -06:00
|
|
|
ds = dsinstance.DsInstance()
|
2008-07-11 10:34:29 -05:00
|
|
|
if options.dirsrv_pkcs12:
|
|
|
|
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
|
|
|
|
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info)
|
|
|
|
os.remove(pw_name)
|
|
|
|
else:
|
|
|
|
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
# Create a kerberos instance
|
2009-02-02 12:50:53 -06:00
|
|
|
krb = krbinstance.KrbInstance(fstore)
|
2008-02-15 19:47:29 -06:00
|
|
|
krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2007-10-15 14:42:12 -05:00
|
|
|
# Create a HTTP instance
|
2008-07-11 10:34:29 -05:00
|
|
|
|
|
|
|
if options.http_pin:
|
|
|
|
[pw_fd, pw_name] = tempfile.mkstemp()
|
|
|
|
os.write(pw_fd, options.http_pin)
|
|
|
|
os.close(pw_fd)
|
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
http = httpinstance.HTTPInstance(fstore)
|
2008-07-11 10:34:29 -05:00
|
|
|
if options.http_pkcs12:
|
|
|
|
pkcs12_info = (options.http_pkcs12, pw_name)
|
2008-08-14 15:58:00 -05:00
|
|
|
http.create_instance(realm_name, host_name, domain_name, autoconfig=False, pkcs12_info=pkcs12_info)
|
2008-07-11 10:34:29 -05:00
|
|
|
os.remove(pw_name)
|
|
|
|
else:
|
2008-08-14 15:58:00 -05:00
|
|
|
http.create_instance(realm_name, host_name, domain_name, autoconfig=True)
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2008-04-03 14:49:07 -05:00
|
|
|
# Create the config file
|
|
|
|
fstore.backup_file("/etc/ipa/ipa.conf")
|
|
|
|
fd = open("/etc/ipa/ipa.conf", "w")
|
|
|
|
fd.write("[defaults]\n")
|
|
|
|
fd.write("server=" + host_name + "\n")
|
|
|
|
fd.write("realm=" + realm_name + "\n")
|
2008-05-23 13:51:50 -05:00
|
|
|
fd.write("domain=" + domain_name + "\n")
|
2008-04-03 14:49:07 -05:00
|
|
|
fd.close()
|
|
|
|
|
2009-02-04 09:53:34 -06:00
|
|
|
# Create the management framework config file
|
|
|
|
fstore.backup_file("/etc/ipa/default.conf")
|
|
|
|
fd = open("/etc/ipa/default.conf", "w")
|
|
|
|
fd.write("[global]\n")
|
|
|
|
fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
|
|
|
|
fd.write("realm=" + realm_name + "\n")
|
|
|
|
fd.write("domain=" + domain_name + "\n")
|
|
|
|
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
|
|
|
|
fd.close()
|
|
|
|
|
2009-02-02 12:50:53 -06:00
|
|
|
bind = bindinstance.BindInstance(fstore)
|
2008-02-15 19:47:29 -06:00
|
|
|
bind.setup(host_name, ip_address, realm_name, domain_name)
|
2007-09-20 14:10:21 -05:00
|
|
|
if options.setup_bind:
|
2008-05-13 12:03:04 -05:00
|
|
|
bind.create_instance()
|
2007-09-20 14:10:21 -05:00
|
|
|
else:
|
|
|
|
bind.create_sample_bind_zone()
|
|
|
|
|
2008-09-15 17:15:12 -05:00
|
|
|
# Apply any LDAP updates. Needs to be done after the configuration file
|
|
|
|
# is created
|
|
|
|
service.print_msg("Applying LDAP updates")
|
|
|
|
ds.apply_updates()
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
# Restart ds and krb after configurations have been changed
|
0000-12-31 18:09:24 -05:50
|
|
|
service.print_msg("restarting the directory server")
|
2007-06-28 18:09:54 -05:00
|
|
|
ds.restart()
|
2008-02-20 09:16:19 -06:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
service.print_msg("restarting the KDC")
|
2007-09-20 14:10:21 -05:00
|
|
|
krb.restart()
|
2007-06-28 18:09:54 -05:00
|
|
|
|
2007-08-31 17:40:01 -05:00
|
|
|
# Set the admin user kerberos password
|
|
|
|
ds.change_admin_password(admin_password)
|
|
|
|
|
2008-02-20 09:16:19 -06:00
|
|
|
# Call client install script
|
|
|
|
try:
|
|
|
|
run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name])
|
|
|
|
except Exception, e:
|
|
|
|
print "Configuration of client side components failed!"
|
|
|
|
print "ipa-client-install returned: " + str(e)
|
2008-05-22 15:36:11 -05:00
|
|
|
return 1
|
2008-02-20 09:16:19 -06:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
print "=============================================================================="
|
|
|
|
print "Setup complete"
|
|
|
|
print ""
|
|
|
|
print "Next steps:"
|
2008-06-06 14:25:36 -05:00
|
|
|
print "\t1. You must make sure these network ports are open:"
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t\tTCP Ports:"
|
2008-01-25 16:08:36 -06:00
|
|
|
print "\t\t * 80, 443: HTTP/HTTPS"
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t\t * 389, 636: LDAP/LDAPS"
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t\t * 88, 464: kerberos"
|
2008-06-06 14:25:36 -05:00
|
|
|
if options.setup_bind:
|
|
|
|
print "\t\t * 53: bind"
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t\tUDP Ports:"
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t\t * 88, 464: kerberos"
|
2008-06-06 14:25:36 -05:00
|
|
|
if options.setup_bind:
|
|
|
|
print "\t\t * 53: bind"
|
|
|
|
if options.conf_ntp:
|
|
|
|
print "\t\t * 123: ntp"
|
0000-12-31 18:09:24 -05:50
|
|
|
print ""
|
2008-02-05 11:23:53 -06:00
|
|
|
print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'"
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
|
|
|
|
print "\t and the web user interface."
|
|
|
|
|
2008-01-11 04:36:25 -06:00
|
|
|
if not service.is_running("ntpd"):
|
0000-12-31 18:09:24 -05:50
|
|
|
print "\t3. Kerberos requires time synchronization between clients"
|
|
|
|
print "\t and servers for correct operation. You should consider enabling ntpd."
|
|
|
|
|
2008-02-05 11:23:53 -06:00
|
|
|
print ""
|
2008-07-11 10:34:29 -05:00
|
|
|
if not options.dirsrv_pkcs12:
|
2009-02-02 12:50:53 -06:00
|
|
|
print "Be sure to back up the CA certificate stored in " + dsinstance.config_dirname(ds.serverid) + "cacert.p12"
|
|
|
|
print "The password for this file is in " + dsinstance.config_dirname(ds.serverid) + "pwdfile.txt"
|
2008-07-11 10:34:29 -05:00
|
|
|
else:
|
|
|
|
print "In order for Firefox autoconfiguration to work you will need to"
|
|
|
|
print "use a SSL signing certificate. See the IPA documentation for more details."
|
|
|
|
print "You also need to install a PEM copy of the HTTP issuing CA into"
|
|
|
|
print "/usr/share/ipa/html/ca.crt"
|
0000-12-31 18:09:24 -05:50
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
return 0
|
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
try:
|
2008-07-11 10:34:29 -05:00
|
|
|
try:
|
|
|
|
sys.exit(main())
|
|
|
|
except SystemExit, e:
|
|
|
|
sys.exit(e)
|
|
|
|
except Exception, e:
|
|
|
|
message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e)
|
|
|
|
print message
|
|
|
|
message = str(e)
|
|
|
|
for str in traceback.format_tb(sys.exc_info()[2]):
|
|
|
|
message = message + "\n" + str
|
|
|
|
logging.debug(message)
|
|
|
|
sys.exit(1)
|
|
|
|
finally:
|
|
|
|
if pw_name and ipautil.file_exists(pw_name):
|
|
|
|
os.remove(pw_name)
|