IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-27 09:21:59 -06:00
Code Issues Packages Projects Releases Wiki Activity
7fe63f8233
freeipa/ipaserver/install/krbinstance.py

459 lines
18 KiB
Python
Raw Normal View History

Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
#
import shutil
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
import fileinput
import re
import sys
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
import os
import pwd
import socket
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
import service
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
import installutils
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython import ipautil
Convert server install code to platform-independent access to system services https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 02:47:13 -05:00
from ipapython import services as ipaservices
Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-04 09:53:34 -06:00
from ipalib import util
Rename errors2.py to errors.py. Modify all affected files.
2009-04-23 07:51:59 -05:00
from ipalib import errors
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
from ipapython.ipa_log_manager import *
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-04 09:53:34 -06:00
from ipaserver import ipaldap
Use GSSAPI for replication Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
2011-01-11 09:27:48 -06:00
from ipaserver.install import replication
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
from ipaserver.install import dsinstance
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
import ldap
from ldap import LDAPError
from ldap import ldapobject
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
from pyasn1.type import univ, namedtype
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
import pyasn1.codec.ber.encoder
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
import pyasn1.codec.ber.decoder
- Store Master Key in Ldap (Makes it easier to set up replicas) - Does not require dirsrv access to stash file - Finalize password history support - Fix strict password length default in pwd_extop (fix install sctript too) - fix plugin configuration - Introduce 3 kind of password change: normal, admin, and ds manager - normal require adherence to policies - admin does not but password is immediately expired - ds manager can just change the password any way he likes. Initial code to read the Kerberos Master Key from the Directory
2007-11-16 19:16:11 -06:00
import struct
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
import certs
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
from distutils import version
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
def update_key_val_in_file(filename, key, val):
if os.path.exists(filename):
Only update key/value files if necessary update_key_val_in_file() shouldn't try and write to a file if the key is already set to the given value in the file Rationale here is that if we write these files out while building a system image, ipa-server-install shouldn't need to re-write them and, therefore, they don't need to be writable. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
p = re.compile(pattern)
for line in fileinput.input(filename):
if p.search(line):
fileinput.close()
return
fileinput.close()
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
pattern = "^[\s#]*%s\s*=" % re.escape(key)
p = re.compile(pattern)
for line in fileinput.input(filename, inplace=1):
if not p.search(line):
sys.stdout.write(line)
fileinput.close()
f = open(filename, "a")
f.write("%s=%s\n" % (key, val))
f.close()
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
class KpasswdInstance(service.SimpleServiceInstance):
def __init__(self):
daemons: Remove ipa_kpasswd Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon.
2011-07-20 17:11:05 -05:00
service.SimpleServiceInstance.__init__(self, "kadmin")
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
class KrbInstance(service.Service):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
def __init__(self, fstore=None):
Introduce service base class and clean up ipa-server-install 1) Add a base class for all of the instance objects. 2) Normalize usage of logging. 3) General cleanups of ipa-server-install. 4) Make better use of httpinstance. 5) Add webguiinstance. 6) Improve progress reporting during installation. Works Here (TM), but it would be nice to get someone else to test since this moves code around a bit.
0000-12-31 18:09:24 -05:50
service.Service.__init__(self, "krb5kdc")
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.fqdn = None
self.realm = None
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self.domain = None
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.host = None
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
self.admin_password = None
self.master_password = None
self.suffix = None
self.kdc_password = None
self.sub_dict = None
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
self.pkcs12_info = None
self.self_signed_ca = None
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
krbinstance: use helper function to get realm suffix
2011-06-09 11:42:03 -05:00
def get_realm_suffix(self):
return "cn=%s,cn=kerberos,%s" % (self.realm, self.suffix)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
def move_service_to_host(self, principal):
"""
Used to move a host/ service principal created by kadmin.local from
cn=kerberos to reside under the host entry.
"""
krbinstance: use helper function to get realm suffix
2011-06-09 11:42:03 -05:00
service_dn = "krbprincipalname=%s,%s" % (principal, self.get_realm_suffix())
Allow ipa-dns-install to install with just admin credentials Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-05 06:46:30 -06:00
service_entry = self.admin_conn.getEntry(service_dn, ldap.SCOPE_BASE)
self.admin_conn.deleteEntry(service_dn)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
# Create a host entry for this master
host_dn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix)
host_entry = ipaldap.Entry(host_dn)
Add support for SSH public keys to user and host objects. This patch adds a new multivalue param "sshpubkey" for specifying SSH public keys to both user and host objects. The accepted value is base64-encoded public key blob as specified in RFC4253, section 6.6. Additionaly, host commands automatically update DNS SSHFP records when requested by user. https://fedorahosted.org/freeipa/ticket/754
2011-12-07 01:50:31 -06:00
host_entry.setValues('objectclass', ['top', 'ipaobject', 'nshost', 'ipahost', 'ipaservice', 'pkiuser', 'krbprincipalaux', 'krbprincipal', 'krbticketpolicyaux', 'ipasshhost'])
Changes to fix compatibility with Fedora 14 Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
2010-08-31 15:59:27 -05:00
host_entry.setValues('krbextradata', service_entry.getValues('krbextradata'))
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
host_entry.setValue('krblastpwdchange', service_entry.getValue('krblastpwdchange'))
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
if 'krbpasswordexpiration' in service_entry.toDict():
host_entry.setValue('krbpasswordexpiration', service_entry.getValue('krbpasswordexpiration'))
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
host_entry.setValue('krbprincipalname', service_entry.getValue('krbprincipalname'))
Changes to fix compatibility with Fedora 14 Fedora 14 introduced the following incompatiblities: - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6 Also, when moving the installed host service principals: - don't assume that krbticketflags is set - allow multiple values for krbextradata ticket 155
2010-08-31 15:59:27 -05:00
if 'krbticketflags' in service_entry.toDict():
host_entry.setValue('krbticketflags', service_entry.getValue('krbticketflags'))
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
host_entry.setValue('krbprincipalkey', service_entry.getValue('krbprincipalkey'))
host_entry.setValue('serverhostname', self.fqdn.split('.',1)[0])
host_entry.setValue('cn', self.fqdn)
host_entry.setValue('fqdn', self.fqdn)
UUIDs: remove uuid python plugin and let DS always autogenerate merge in remove uuid
2010-10-26 09:26:06 -05:00
host_entry.setValue('ipauniqueid', 'autogenerate')
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
host_entry.setValue('managedby', host_dn)
Allow ipa-dns-install to install with just admin credentials Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-05 06:46:30 -06:00
self.admin_conn.addEntry(host_entry)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
def __common_setup(self, realm_name, host_name, domain_name, admin_password):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fqdn = host_name
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.realm = realm_name.upper()
self.host = host_name.split(".")[0]
Make the IPA installer IPv6 friendly Notable changes include: * parse AAAA records in dnsclient * also ask for AAAA records when verifying FQDN * do not use functions that are not IPv6 aware - notably socket.gethostbyname() The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html section "Interface Checklist"
2010-12-01 10:22:56 -06:00
self.ip = socket.getaddrinfo(host_name, None, socket.AF_UNSPEC, socket.SOCK_STREAM)[0][4][0]
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
self.domain = domain_name
Remove some duplicated code that was moved to ipaserver and use it Remove some unused files
2009-02-04 09:53:34 -06:00
self.suffix = util.realm_to_suffix(self.realm)
from ipa.ipautil import * --> from ipa import ipautil
2007-12-12 12:15:56 -06:00
self.kdc_password = ipautil.ipa_generate_password()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.admin_password = admin_password
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self.dm_password = admin_password
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.__setup_sub_dict()
# get a connection to the DS
Allow ipa-dns-install to install with just admin credentials Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-05 06:46:30 -06:00
self.ldap_connect()
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
self.backup_state("running", self.is_running())
Try to catch more error conditions during installation Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 16:37:13 -05:00
try:
self.stop()
except:
# It could have been not running
pass
Initial support for confiuguring a DNS Server during installation. It's not perfect yet but good enough to include it.
2007-09-20 14:10:21 -05:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __common_post_setup(self):
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("starting the KDC", self.__start_instance)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
self.step("configuring KDC to start on boot", self.__enable)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, self_signed_ca=False, subject_base=None):
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.master_password = master_password
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.subject_base = subject_base
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
self.__common_setup(realm_name, host_name, domain_name, admin_password)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
self.step("adding kerberos container to the directory", self.__add_krb_container)
self.step("configuring KDC", self.__configure_instance)
self.step("initialize kerberos container", self.__init_ipa_kdb)
Fix two typos
2008-02-05 15:50:12 -06:00
self.step("adding default ACIs", self.__add_default_acis)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("creating a keytab for the directory", self.__create_ds_keytab)
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
self.step("creating a keytab for the machine", self.__create_host_keytab)
Configure the ipa_pwd_extop plugin on replicas. If plugin isn't configured then the kerberos attributes don't get populated. User's will get Preauthentication errors from the kerberos libraries because there is no krbPrincipalKey to match against. 442134
2008-04-14 16:12:40 -05:00
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
if setup_pkinit:
self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
anon-pkinit: add well known principal leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
2010-11-02 17:02:59 -05:00
self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.__common_post_setup()
Include time duration hints when configuring services in ipa-server-install. Give a better heads-up on how long the installation will take. Particularly important when configuring dogtag. ticket 139
2010-09-29 12:55:54 -05:00
self.start_creation("Configuring Kerberos KDC", 30)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
self.kpasswd = KpasswdInstance()
Introduce ipa control script that reads configuration off ldap This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-04 14:42:14 -06:00
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
def create_replica(self, realm_name,
Use GSSAPI for replication Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
2011-01-11 09:27:48 -06:00
master_fqdn, host_name,
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
domain_name, admin_password,
setup_pkinit=False, pkcs12_info=None,
self_signed_ca=False, subject_base=None):
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.subject_base = subject_base
Use GSSAPI for replication Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
2011-01-11 09:27:48 -06:00
self.master_fqdn = master_fqdn
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
self.__common_setup(realm_name, host_name, domain_name, admin_password)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("writing stash file from DS", self.__write_stash_from_ds)
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
self.step("configuring KDC", self.__configure_instance)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
self.step("creating a keytab for the directory", self.__create_ds_keytab)
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
self.step("creating a keytab for the machine", self.__create_host_keytab)
Configure the ipa_pwd_extop plugin on replicas. If plugin isn't configured then the kerberos attributes don't get populated. User's will get Preauthentication errors from the kerberos libraries because there is no krbPrincipalKey to match against. 442134
2008-04-14 16:12:40 -05:00
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if setup_pkinit:
self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
ipa-server-install inconsistent capitalization A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter. https://fedorahosted.org/freeipa/ticket/776
2011-02-02 09:24:30 -06:00
self.step("enable GSSAPI for replication", self.__convert_to_gssapi_replication)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
self.__common_post_setup()
Include time duration hints when configuring services in ipa-server-install. Give a better heads-up on how long the installation will take. Particularly important when configuring dogtag. ticket 139
2010-09-29 12:55:54 -05:00
self.start_creation("Configuring Kerberos KDC", 30)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
self.kpasswd = KpasswdInstance()
Introduce ipa control script that reads configuration off ldap This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-04 14:42:14 -06:00
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
def __enable(self):
self.backup_state("enabled", self.is_enabled())
Introduce ipa control script that reads configuration off ldap This replace the former ipactl script, as well as replace the current way ipa components are started. Instead of enabling each service in the system init scripts, enable only the ipa script, and then let it start all components based on the configuration read from the LDAP tree. resolves: https://fedorahosted.org/freeipa/ticket/294
2010-12-04 14:42:14 -06:00
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
def __start_instance(self):
try:
self.start()
except:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("krb5kdc service failed to start")
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
def __setup_sub_dict(self):
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip,
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
PASSWORD=self.kdc_password,
SUFFIX=self.suffix,
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
DOMAIN=self.domain,
HOST=self.host,
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
SERVER_ID=dsinstance.realm_to_serverid(self.realm),
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
REALM=self.realm)
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __configure_sasl_mappings(self):
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
# we need to remove any existing SASL mappings in the directory as otherwise they
Fix race condition in installation due to use of asynchronous search. Fixes: https://fedorahosted.org/freeipa/ticket/640
2010-12-20 20:19:36 -06:00
# they may conflict.
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Remove default SASL mappings if any to avoid conflicts with IPA SASL mappings
2007-11-19 18:34:10 -06:00
try:
Allow ipa-dns-install to install with just admin credentials Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-05 06:46:30 -06:00
res = self.admin_conn.search_s("cn=mapping,cn=sasl,cn=config",
Fix race condition in installation due to use of asynchronous search. Fixes: https://fedorahosted.org/freeipa/ticket/640
2010-12-20 20:19:36 -06:00
ldap.SCOPE_ONELEVEL,
"(objectclass=nsSaslMapping)")
for r in res:
try:
Allow ipa-dns-install to install with just admin credentials Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-05 06:46:30 -06:00
self.admin_conn.delete_s(r.dn)
Fix race condition in installation due to use of asynchronous search. Fixes: https://fedorahosted.org/freeipa/ticket/640
2010-12-20 20:19:36 -06:00
except LDAPError, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("Error during SASL mapping removal: %s" % str(e))
Fix race condition in installation due to use of asynchronous search. Fixes: https://fedorahosted.org/freeipa/ticket/640
2010-12-20 20:19:36 -06:00
raise e
except LDAPError, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("Error while enumerating SASL mappings %s" % str(e))
When an LDAP connection fails, display the host one is trying to connect to. 450111
2008-06-05 13:41:15 -05:00
raise e
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
entry = ipaldap.Entry("cn=Full Principal,cn=mapping,cn=sasl,cn=config")
entry.setValues("objectclass", "top", "nsSaslMapping")
entry.setValues("cn", "Full Principal")
entry.setValues("nsSaslMapRegexString", '\(.*\)@\(.*\)')
entry.setValues("nsSaslMapBaseDNTemplate", self.suffix)
entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)')
try:
ticket #1870 - subclass SimpleLDAPObject We use convenience types (classes) in IPA which make working with LDAP easier and more robust. It would be really nice if the basic python-ldap library understood our utility types and could accept them as parameters to the basic ldap functions and/or the basic ldap functions returned our utility types. Normally such a requirement would trivially be handled in an object- oriented language (which Python is) by subclassing to extend and modify the functionality. For some reason we didn't do this with the python-ldap classes. python-ldap objects are primarily used in two different places in our code, ipaserver.ipaldap.py for the IPAdmin class and in ipaserver/plugins/ldap2.py for the ldap2 class's .conn member. In IPAdmin we use a IPA utility class called Entry to make it easier to use the results returned by LDAP. The IPAdmin class is derived from python-ldap.SimpleLDAPObject. But for some reason when we added the support for the use of the Entry class in SimpleLDAPObject we didn't subclass SimpleLDAPObject and extend it for use with the Entry class as would be the normal expected methodology in an object-oriented language, rather we used an obscure feature of the Python language to override all methods of the SimpleLDAPObject class by wrapping those class methods in another function call. The reason why this isn't a good approach is: * It violates object-oriented methodology. * Other classes cannot be derived and inherit the customization (because the method wrapping occurs in a class instance, not within the class type). * It's non-obvious and obscure * It's inefficient. Here is a summary of what the code was doing: It iterated over every member of the SimpleLDAPObject class and if it was callable it wrapped the method. The wrapper function tested the name of the method being wrapped, if it was one of a handful of methods we wanted to customize we modified a parameter and called the original method. If the method wasn't of interest to use we still wrapped the method. It was inefficient because every non-customized method (the majority) executed a function call for the wrapper, the wrapper during run-time used logic to determine if the method was being overridden and then called the original method. So every call to ldap was doing extra function calls and logic processing which for the majority of cases produced nothing useful (and was non-obvious from brief code reading some methods were being overridden). Object-orientated languages have support built in for calling the right method for a given class object that do not involve extra function call overhead to realize customized class behaviour. Also when programmers look for customized class behaviour they look for derived classes. They might also want to utilize the customized class as the base class for their use. Also the wrapper logic was fragile, it did things like: if the method name begins with "add" I'll unconditionally modify the first and second argument. It would be some much cleaner if the "add", "add_s", etc. methods were overridden in a subclass where the logic could be seen and where it would apply to only the explicit functions and parameters being overridden. Also we would really benefit if there were classes which could be used as a base class which had specific ldap customization. At the moment our ldap customization needs are: 1) Support DN objects being passed to ldap operations 2) Support Entry & Entity objects being passed into and returned from ldap operations. We want to subclass the ldap SimpleLDAPObject class, that is the base ldap class with all the ldap methods we're using. IPASimpleLDAPObject class would subclass SimpleLDAPObject class which knows about DN objects (and possilby other IPA specific types that are universally used in IPA). Then IPAEntrySimpleLDAPObject would subclass IPASimpleLDAPObject which knows about Entry objects. The reason for the suggested class hierarchy is because DN objects will be used whenever we talk to LDAP (in the future we may want to add other IPA specific classes which will always be used). We don't add Entry support to the the IPASimpleLDAPObject class because Entry objects are (currently) only used in IPAdmin. What this patch does is: * Introduce IPASimpleLDAPObject derived from SimpleLDAPObject. IPASimpleLDAPObject is DN object aware. * Introduce IPAEntryLDAPObject derived from IPASimpleLDAPObject. IPAEntryLDAPObject is Entry object aware. * Derive IPAdmin from IPAEntryLDAPObject and remove the funky method wrapping from IPAdmin. * Code which called add_s() with an Entry or Entity object now calls addEntry(). addEntry() always existed, it just wasn't always used. add_s() had been modified to accept Entry or Entity object (why didn't we just call addEntry()?). The add*() ldap routine in IPAEntryLDAPObject have been subclassed to accept Entry and Entity objects, but that should proably be removed in the future and just use addEntry(). * Replace the call to ldap.initialize() in ldap2.create_connection() with a class constructor for IPASimpleLDAPObject. The ldap.initialize() is a convenience function in python-ldap, but it always returns a SimpleLDAPObject created via the SimpleLDAPObject constructor, thus ldap.initialize() did not allow subclassing, yet has no particular ease-of-use advantage thus we better off using the obvious class constructor mechanism. * Fix the use of _handle_errors(), it's not necessary to construct an empty dict to pass to it. If we follow the standard class derivation pattern for ldap we can make us of our own ldap utilities in a far easier, cleaner and more efficient manner.
2011-09-26 16:33:32 -05:00
self.admin_conn.addEntry(entry)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
except ldap.ALREADY_EXISTS:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("failed to add Full Principal Sasl mapping")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
raise e
entry = ipaldap.Entry("cn=Name Only,cn=mapping,cn=sasl,cn=config")
entry.setValues("objectclass", "top", "nsSaslMapping")
entry.setValues("cn", "Name Only")
Fix SASL mappings
2009-09-29 11:41:20 -05:00
entry.setValues("nsSaslMapRegexString", '^[^:@]+$')
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
entry.setValues("nsSaslMapBaseDNTemplate", self.suffix)
Fix SASL mappings
2009-09-29 11:41:20 -05:00
entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
try:
ticket #1870 - subclass SimpleLDAPObject We use convenience types (classes) in IPA which make working with LDAP easier and more robust. It would be really nice if the basic python-ldap library understood our utility types and could accept them as parameters to the basic ldap functions and/or the basic ldap functions returned our utility types. Normally such a requirement would trivially be handled in an object- oriented language (which Python is) by subclassing to extend and modify the functionality. For some reason we didn't do this with the python-ldap classes. python-ldap objects are primarily used in two different places in our code, ipaserver.ipaldap.py for the IPAdmin class and in ipaserver/plugins/ldap2.py for the ldap2 class's .conn member. In IPAdmin we use a IPA utility class called Entry to make it easier to use the results returned by LDAP. The IPAdmin class is derived from python-ldap.SimpleLDAPObject. But for some reason when we added the support for the use of the Entry class in SimpleLDAPObject we didn't subclass SimpleLDAPObject and extend it for use with the Entry class as would be the normal expected methodology in an object-oriented language, rather we used an obscure feature of the Python language to override all methods of the SimpleLDAPObject class by wrapping those class methods in another function call. The reason why this isn't a good approach is: * It violates object-oriented methodology. * Other classes cannot be derived and inherit the customization (because the method wrapping occurs in a class instance, not within the class type). * It's non-obvious and obscure * It's inefficient. Here is a summary of what the code was doing: It iterated over every member of the SimpleLDAPObject class and if it was callable it wrapped the method. The wrapper function tested the name of the method being wrapped, if it was one of a handful of methods we wanted to customize we modified a parameter and called the original method. If the method wasn't of interest to use we still wrapped the method. It was inefficient because every non-customized method (the majority) executed a function call for the wrapper, the wrapper during run-time used logic to determine if the method was being overridden and then called the original method. So every call to ldap was doing extra function calls and logic processing which for the majority of cases produced nothing useful (and was non-obvious from brief code reading some methods were being overridden). Object-orientated languages have support built in for calling the right method for a given class object that do not involve extra function call overhead to realize customized class behaviour. Also when programmers look for customized class behaviour they look for derived classes. They might also want to utilize the customized class as the base class for their use. Also the wrapper logic was fragile, it did things like: if the method name begins with "add" I'll unconditionally modify the first and second argument. It would be some much cleaner if the "add", "add_s", etc. methods were overridden in a subclass where the logic could be seen and where it would apply to only the explicit functions and parameters being overridden. Also we would really benefit if there were classes which could be used as a base class which had specific ldap customization. At the moment our ldap customization needs are: 1) Support DN objects being passed to ldap operations 2) Support Entry & Entity objects being passed into and returned from ldap operations. We want to subclass the ldap SimpleLDAPObject class, that is the base ldap class with all the ldap methods we're using. IPASimpleLDAPObject class would subclass SimpleLDAPObject class which knows about DN objects (and possilby other IPA specific types that are universally used in IPA). Then IPAEntrySimpleLDAPObject would subclass IPASimpleLDAPObject which knows about Entry objects. The reason for the suggested class hierarchy is because DN objects will be used whenever we talk to LDAP (in the future we may want to add other IPA specific classes which will always be used). We don't add Entry support to the the IPASimpleLDAPObject class because Entry objects are (currently) only used in IPAdmin. What this patch does is: * Introduce IPASimpleLDAPObject derived from SimpleLDAPObject. IPASimpleLDAPObject is DN object aware. * Introduce IPAEntryLDAPObject derived from IPASimpleLDAPObject. IPAEntryLDAPObject is Entry object aware. * Derive IPAdmin from IPAEntryLDAPObject and remove the funky method wrapping from IPAdmin. * Code which called add_s() with an Entry or Entity object now calls addEntry(). addEntry() always existed, it just wasn't always used. add_s() had been modified to accept Entry or Entity object (why didn't we just call addEntry()?). The add*() ldap routine in IPAEntryLDAPObject have been subclassed to accept Entry and Entity objects, but that should proably be removed in the future and just use addEntry(). * Replace the call to ldap.initialize() in ldap2.create_connection() with a class constructor for IPASimpleLDAPObject. The ldap.initialize() is a convenience function in python-ldap, but it always returns a SimpleLDAPObject created via the SimpleLDAPObject constructor, thus ldap.initialize() did not allow subclassing, yet has no particular ease-of-use advantage thus we better off using the obvious class constructor mechanism. * Fix the use of _handle_errors(), it's not necessary to construct an empty dict to pass to it. If we follow the standard class derivation pattern for ldap we can make us of our own ldap utilities in a far easier, cleaner and more efficient manner.
2011-09-26 16:33:32 -05:00
self.admin_conn.addEntry(entry)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
except ldap.ALREADY_EXISTS:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("failed to add Name Only Sasl mapping")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
raise e
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
def __add_krb_container(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("kerberos.ldif", self.sub_dict)
Added krbinstance to configure the kerberos server Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2007-06-28 18:09:54 -05:00
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
def __add_default_acis(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("default-aci.ldif", self.sub_dict)
Refactor krbinstance and dsinstance creation steps Creation steps are currently done with: self.start_creation(2, "Create foo") self.step("do foo") self.foo() self.step("do bar") self.bar() self.done_creation() This patch refactors that into the much more straightforward: self.step("do foo", self.foo) self.step("do bar", self.bar) self.start_creation("Create foo") Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-13 03:31:28 -06:00
Fix permissions in installers Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
2011-08-30 09:32:40 -05:00
def __template_file(self, path, chmod=0644):
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
conf = ipautil.template_file(template, self.sub_dict)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file(path)
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
fd = open(path, "w+")
fd.write(conf)
fd.close()
Fix permissions in installers Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
2011-08-30 09:32:40 -05:00
if chmod is not None:
os.chmod(path, chmod)
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
def __init_ipa_kdb(self):
#populate the directory with the realm structure
Don't leak passwords through kdb5_ldap_util command line arguments. ticket 1948
2011-10-11 11:44:33 -05:00
args = ["kdb5_util", "create", "-s",
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
"-r", self.realm,
"-x", "ipa-setup-override-restrictions"]
Don't leak passwords through kdb5_ldap_util command line arguments. ticket 1948
2011-10-11 11:44:33 -05:00
dialogue = (
# Enter KDC database master key:
self.master_password + '\n',
# Re-enter KDC database master key to verify:
self.master_password + '\n',
)
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
try:
Don't leak passwords through kdb5_ldap_util command line arguments. ticket 1948
2011-10-11 11:44:33 -05:00
ipautil.run(args, nolog=(self.master_password), stdin=''.join(dialogue))
ipa-kdb: Change install to use the new ipa-kdb kdc backend Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2011-06-08 16:21:23 -05:00
except ipautil.CalledProcessError, e:
print "Failed to initialize the realm container"
def __configure_instance(self):
Fix permissions in installers Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable. https://fedorahosted.org/freeipa/ticket/1644
2011-08-30 09:32:40 -05:00
self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
Refactor some krbinstance templating code Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 04:36:25 -06:00
self.__template_file("/etc/krb5.conf")
self.__template_file("/usr/share/ipa/html/krb5.ini")
self.__template_file("/usr/share/ipa/html/krb.con")
self.__template_file("/usr/share/ipa/html/krbrealm.con")
Create configuration for MIT Windows kerberos client and install into http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration.
2007-10-29 11:00:48 -05:00
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
MIN_KRB5KDC_WITH_WORKERS = "1.9"
cpus = os.sysconf('SC_NPROCESSORS_ONLN')
workers = False
Don't use full pathnames for kerberos binaries, let PATH find them. Kerberos binaries may be in /usr/kerberos/*bin or /usr/*bin, let PATH sort it out.
2010-11-22 13:52:09 -06:00
(stdout, stderr, rc) = ipautil.run(['klist', '-V'], raiseonerr=False)
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
if rc == 0:
verstr = stdout.split()[-1]
ver = version.LooseVersion(verstr)
min = version.LooseVersion(MIN_KRB5KDC_WITH_WORKERS)
if ver >= min:
workers = True
Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool systemd service unit for krb5kdc in Fedora 16 uses KRB5REALM variable of /etc/sysconfig/krb5kdc to start krb5kdc for the default realm. Thus, we need to make sure it is always existing and pointing to our realm. Partial fix for: https://fedorahosted.org/freeipa/ticket/1192
2011-10-12 06:18:21 -05:00
# Write down config file
# We write realm and also number of workers (for multi-CPU systems)
replacevars = {'KRB5REALM':self.realm}
appendvars = {}
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
if workers and cpus > 1:
Quote multiple workers option https://fedorahosted.org/freeipa/ticket/2023
2011-10-25 10:41:32 -05:00
appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool systemd service unit for krb5kdc in Fedora 16 uses KRB5REALM variable of /etc/sysconfig/krb5kdc to start krb5kdc for the default realm. Thus, we need to make sure it is always existing and pointing to our realm. Partial fix for: https://fedorahosted.org/freeipa/ticket/1192
2011-10-12 06:18:21 -05:00
ipautil.backup_config_and_replace_variables(self.fstore, "/etc/sysconfig/krb5kdc",
replacevars=replacevars,
appendvars=appendvars)
ipaservices.restore_context("/etc/sysconfig/krb5kdc")
Configure KDC to use multiple workers Only if more than one CPU is available Only if supported by the installed krb5kdc
2010-11-15 16:06:32 -06:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def __write_stash_from_ds(self):
Try to catch more error conditions during installation Modify the way we detect SELinux to use selinuxenabled instead of using a try/except. Handle SASL/GSSAPI authentication failures when getting a connection
2007-10-03 16:37:13 -05:00
try:
krbinstance: use helper function to get realm suffix
2011-06-09 11:42:03 -05:00
entry = self.admin_conn.getEntry(self.get_realm_suffix(),
ldap.SCOPE_SUBTREE)
Clean up some problems discovered with pylint and pychecker Much of this is formatting to make pylint happy but it also fixes some real bugs.
2009-08-11 16:08:09 -05:00
except errors.NotFound, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("Could not find master key in DS")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
raise e
krbMKey = pyasn1.codec.ber.decoder.decode(entry.krbmkey)
keytype = int(krbMKey[0][1][0])
keydata = str(krbMKey[0][1][1])
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open("/var/kerberos/krb5kdc/.k5."+self.realm, "w")
fd.write(s)
Minor bugs found while testing stuff. - wrong import in certs.py makes ipa-replica-manage fail - close the fs after the stash file is written so that the file is updated immediately and not when the fd is garbage collected
2008-08-19 15:39:33 -05:00
fd.close()
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
except os.error, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("failed to write stash file")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
raise e
Manage to create a spcific DS user for the ldap instance Add uncalled code to load and configure the password extop plugin
2007-07-02 14:51:04 -05:00
General fixes. Do not start ipa_kpasswd by default yet
2007-08-15 20:35:35 -05:00
#add the password extop module
Manage to create a spcific DS user for the ldap instance Add uncalled code to load and configure the password extop plugin
2007-07-02 14:51:04 -05:00
def __add_pwd_extop_module(self):
Move the __ldap_mod function to the Service class We were duplicating it for KrbInstance and DsInstance. Since we will also need it for BindInstance as well, it will be better if it is in the Service class instead.
2009-05-12 05:51:46 -05:00
self._ldap_mod("pwd-extop-conf.ldif", self.sub_dict)
Try to fix dir layout and recover missing files
2007-08-01 14:58:52 -05:00
commit before pulling new dir layout misc patches to ACLs the example DNS zone and other stuff misc fixes to the krb instance current kpasswd code
2007-08-01 14:06:45 -05:00
def __create_ds_keytab(self):
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
ldap_principal = "ldap/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(ldap_principal)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.move_service(ldap_principal)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/dirsrv/ds.keytab")
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
installutils.create_keytab("/etc/dirsrv/ds.keytab", ldap_principal)
Add password request for admin user Set password for admin user using the Directory Mangaer account and the mozldapldappaswd binary to get and SSL connection Fix some timeout problems with deploying keytabs Fix ipa_pwd_extop to actuallt correctly detect an SSL connection Do not ask for the user to use for the directory unless 'dirsrv' is an existing user which may clash, create it silently
2007-08-31 17:40:01 -05:00
Add support for systemd environments and use it to support Fedora 16 https://fedorahosted.org/freeipa/ticket/1192
2011-10-10 07:25:15 -05:00
update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
On 10/4/07, Rob Crittenden <rcritten@redhat.com> wrote: > William Jon McCann wrote: > > Hi, > > > > After playing with the install (repeatedly) I ended up with a lot of > > duplicate values in: > > /etc/sysconfig/dirsrv > > /etc/sysconfig/ipa-kpasswd > > > > Here is a patch that should fix this. It modifies the file "in-place" > > and removes lines that matching the key (or commented key) and then > > appends the new key=value. > > > > Jon > > Cool, I've wanted to fix this for a while (and recently aborted a switch > from open with "a" to "w"). > > What happens if the file doesn't exist yet? Do we need to wrap the > fileinput loop in either a try/except or just look to see if the file > exists first (my vote)? > > Something like: > > def update_key_val_in_file(filename, key, val): > if os.path.exists(filename): > pattern = "^[\s#]*%s\s*=" % re.escape(key) > p = re.compile(pattern) > for line in fileinput.input(filename, inplace=1): > if not p.search(line): > sys.stdout.write(line) > fileinput.close() > f = open(filename, "a") > f.write("%s=%s\n" % (key, val)) > f.close() Good point. In genera,l I prefer doing a try because it is a little less racy but in this case it doesn't make a difference. Updated patch attached. Thanks, Jon
0000-12-31 18:09:24 -05:50
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
pent = pwd.getpwnam(dsinstance.DS_USER)
Fix copy&paste error, its not the conf files we need access to, we need to access the generated keytabs
2007-08-30 14:31:27 -05:00
os.chown("/etc/dirsrv/ds.keytab", pent.pw_uid, pent.pw_gid)
set preauth on kadmin/changepw otherwise the kpasswd can't acquire a ticket
2007-08-08 21:19:03 -05:00
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
def __create_host_keytab(self):
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
host_principal = "host/" + self.fqdn + "@" + self.realm
installutils.kadmin_addprinc(host_principal)
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file("/etc/krb5.keytab")
Refactor keytab creation There's a few places where we spawn of kadmin to add/modify principals and create keytabs. Refactor all that code into installutils. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2007-12-18 12:03:34 -06:00
installutils.create_keytab("/etc/krb5.keytab", host_principal)
Add host keytab creation for masters
2007-12-13 15:44:57 -06:00
# Make sure access is strictly reserved to root only for now
os.chown("/etc/krb5.keytab", 0, 0)
os.chmod("/etc/krb5.keytab", 0600)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
self.move_service_to_host(host_principal)
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
def __setup_pkinit(self):
if self.self_signed_ca:
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
ca_db = certs.CertDB(self.realm,
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
subject_base=self.subject_base)
else:
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
ca_db = certs.CertDB(self.realm, host_name=self.fqdn,
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
subject_base=self.subject_base)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if self.pkcs12_info:
ca_db.install_pem_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
"/var/kerberos/krb5kdc/kdc.pem")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
else:
if self.self_signed_ca:
ca_db.create_kdc_cert("KDC-Cert", self.fqdn,
"/var/kerberos/krb5kdc")
else:
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
raise RuntimeError("PKI not supported yet\n")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
shutil.copyfile("/etc/ipa/ca.crt", "/var/kerberos/krb5kdc/cacert.pem")
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
anon-pkinit: add well known principal leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
2010-11-02 17:02:59 -05:00
def __add_anonymous_pkinit_principal(self):
princ = "WELLKNOWN/ANONYMOUS"
princ_realm = "%s@%s" % (princ, self.realm)
# Create the special anonymous principal
installutils.kadmin_addprinc(princ_realm)
krbinstance: use helper function to get realm suffix
2011-06-09 11:42:03 -05:00
dn = "krbprincipalname=%s,%s" % (princ_realm, self.get_realm_suffix())
Allow ipa-dns-install to install with just admin credentials Do this by creating a common way to attach to the ldap server for each instance. Fixes: https://fedorahosted.org/freeipa/ticket/686
2011-01-05 06:46:30 -06:00
self.admin_conn.inactivateEntry(dn, False)
anon-pkinit: add well known principal leave it disabled for now we can change this default once we will have some restriction on what services this principal can get tickets for.
2010-11-02 17:02:59 -05:00
Use GSSAPI for replication Uses a temporary simple replication agreement over SSL to init the tree. Then once all principals have been created switches replication to GSSAPI. Fixes: https://fedorahosted.org/freeipa/ticket/690
2011-01-11 09:27:48 -06:00
def __convert_to_gssapi_replication(self):
repl = replication.ReplicationManager(self.realm,
self.fqdn,
self.dm_password)
repl.convert_to_gssapi_replication(self.master_fqdn,
r_binddn="cn=Directory Manager",
r_bindpw=self.dm_password)
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
def uninstall(self):
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
Re-factor the ipa_webgui and ipa_kpasswd instance code The ipa_webgui and ipa_kpasswd instance code is identical and I want to add another similar instance down the line, so re-factor the code into a service.SimpleServiceInstance class. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-22 05:58:06 -06:00
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
running = self.restore_state("running")
enabled = self.restore_state("enabled")
Generate /etc/httpd/conf.d/ipa.conf from a template so the realm can be set during installation
2007-08-06 09:51:23 -05:00
Make sure all services are stopped during uninstall. We were just shutting down the KDC if it had been started prior to IPA installation. We need to stop it in all cases. And we should restart nscd as it may have made an LDAP connection. 440322
2008-05-13 15:29:01 -05:00
try:
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
self.stop()
Make sure all services are stopped during uninstall. We were just shutting down the KDC if it had been started prior to IPA installation. We need to stop it in all cases. And we should restart nscd as it may have made an LDAP connection. 440322
2008-05-13 15:29:01 -05:00
except:
pass
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
install: We do not need a ldap password anymore Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't need a bind password anymore. Fixes: https://fedorahosted.org/freeipa/ticket/1743
2011-08-31 10:39:53 -05:00
for f in ["/var/kerberos/krb5kdc/kdc.conf", "/etc/krb5.conf"]:
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
try:
self.fstore.restore_file(f)
except ValueError, error:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.debug(error)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
pass
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
if not enabled is None and not enabled:
Convert server install code to platform-independent access to system services https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 02:47:13 -05:00
self.disable()
Add ipa-server-install --uninstall Add a --uninstall option to ipa-server-install which tries to restore the system to the way it was before ipa-server-install was run using the state backed up through sysrestore.py. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-11 05:57:36 -06:00
if not running is None and running:
self.start()
Make the installer/uninstaller more aware of its state We have had a state file for quite some time that is used to return the system to its pre-install state. We can use that to determine what has been configured. This patch: - uses the state file to determine if dogtag was installed - prevents someone from trying to re-install an installed server - displays some output when uninstalling - re-arranges the ipa_kpasswd installation so the state is properly saved - removes pkiuser if it was added by the installer - fetches and installs the CA on both masters and clients
2010-05-03 14:21:51 -05:00
self.kpasswd = KpasswdInstance()
self.kpasswd.uninstall()
Reference in New Issue Copy Permalink